Data Retrieval and Security Using Lightweight Directory Access Protocol

Second International Workshop on Knowledge Discovery and Data Mining

Data Retrieval and Security using Lightweight Directory Access Protocol

Mohammad Salim, M Sana Akhtar, Mohammed A Qadeer
Department of Computer Engineering, Zakir Hussain College of Engineering & Technology, Aligarh Muslim University, Aligarh-202002
{mohdsalim, msakhtar, maqadeer}@zhcet.ac.in

Abstract—In the present world of communication and information interchange, where more and more users share the same services and data at different access levels, protecting secured data against potential breaches has gained profound importance. Common services of this kind are Virtual Private Network (VPN), Remote Access Server (RAS), web servers and mail servers. In this paper we present a technique for providing customized user-level access control and security for these services through LDAP. The profiles of all users are maintained in an LDAP Directory Information Tree (DIT), from which the information about any particular user wishing to log in or retrieve data is used to authenticate that user.

Keywords- LDAP; Web Server; VPN; RAS; SendMail; client; server; SLAPD; schemas; database; ACLs; authentication; LDIF

I. INTRODUCTION

LDAP is a service that addresses a problem created by recent developments in information technology: authentication information is needed frequently, and by many different services. With this need in mind, it is designed to provide a digital directory, the online equivalent of a telephone directory or address book. It is a specialized database in which data is organized into a tree, much like a file-system hierarchy. It offers several authentication mechanisms together with a robust layer of services: searching with complex filters, representing structured data as attributes, and granting partial or restricted access to data, so that it can hold the complete access-control and login information of users. Applications such as mail servers and web servers use LDAP as an authoritative source of user information and authenticate users against the entries maintained in the directory [2].

II. PROBLEMS WITHOUT LDAP AUTHENTICATION

When services are used without LDAP authentication, the main problem is that each service has to verify the user itself. The service must then not only provide its normal functionality but also secure access to it, so there is a period during which its performance drops. As the number of users grows, the number of requests grows with it and the drop in performance becomes larger. Moreover, access control in LDAP (ACLs maintained centrally on the directory) is easier to manage than a separate mechanism in each service. For example, the web server of a university ("Fig. 1"), without LDAP, must in addition to hosting the web sites of its users also authenticate them, for which it uses .htaccess files (in Linux-based environments). With LDAP alongside the web server ("Fig. 2"), the security overhead is passed to the LDAP server while the web server provides ordinary hosting. This not only improves the web server's performance but also provides better security [7]; the web server still binds to the directory on each request, so the link between the two needs the same protection as the login itself. A further advantage is that LDAP can serve several other services at the same time, so security information need not be maintained redundantly for each service: the same copy of the data provides authorization for several services [8].

978-0-7695-3543-2/09 $25.00 © 2009 IEEE DOI 10.1109/WKDD.2009.175

Figure 1: Performance without LDAP

685

Authorized licensed use limited to: ZAKIR HUSSAIN COLLEGE OF ENG AND TECH. Downloaded on March 2, 2009 at 06:26 from IEEE Xplore. Restrictions apply.

Figure 2: Performance with LDAP Security

III. TECHNICAL OVERVIEW

A. The Directory Structure

Figure 3: Database Hierarchy

The directory structure shown in "Fig. 3" is a hierarchical tree for a sample university network, with the university at the top and branches down to the individual end users. It is these end users who are finally authenticated to the services they are entitled to use [5].

B. Components

Servers: Provide LDAP services
Clients: Manipulate the LDAP data
Utilities: Support LDAP servers
Libraries: Provide programming interfaces to LDAP

a. The Server
The main server in the LDAP suite is slapd (the Stand-Alone LDAP Daemon). It provides access to one or more directory information trees. Clients connect to it over the LDAP protocol using a network connection. A server can store directory data locally or simply proxy access to external sources. Typically it provides authentication and search services, and may also support adding, removing and modifying directory data. It enforces fine-grained access control over the directory.

b. Clients
Clients access LDAP servers over the LDAP network protocol. They work by asking the server to perform operations on their behalf: typically a client first connects to the directory server, then binds (authenticates), then performs zero or more operations before finally unbinding and disconnecting.

c. Utilities
Utilities manipulate data at a lower level, without mediation by the server. They are used primarily to help maintain the server.

d. Libraries
Several LDAP libraries are shared between LDAP applications and provide the LDAP functions those applications call. Clients, utilities and servers all share access to some of these libraries.

IV. USING LDAP

A. Operations Performed

(i) Bind (authentication): the client logs in to the server by authenticating as a recognized user.
(ii) Add (add an element to the directory): adds user records to the desired part of the directory.
(iii) Search (search for elements in the directory): performs a search, with or without filters.
(iv) Modify (edit the contents of an element): user records can be modified as desired, and new attributes added.
(v) Delete (remove an element from the directory): removes one or more user records.
(vi) Unbind (close the connection): the client logs out of the server and closes the connection.

B. Working Mechanism
LDAP works on a client-server model ("Fig. 4"). The client sends, over TCP/IP, the Distinguished Name (DN) of the entry it wants to act as, together with its credentials. The DN is the sequence of Relative Distinguished Names (RDNs) from the root of the tree down to the entry, so it identifies the entry uniquely, which a single RDN does not. The server looks the DN up in the Directory Information Tree (DIT); if the entry is found and the credentials verify, the bind succeeds and the client's queries are processed.

Figure 4: Working Mechanism at implementation level [1]
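The bind, search and group-lookup steps above, modelled in memory as an added example (this is not code from the paper or from OpenLDAP). The entries, names and the dc=univ,dc=example suffix are constructed for the illustration; the {SSHA} password format is the one slappasswd produces by default, and the LDIF reader and DN normalisation are deliberately minimal.

```python
"""Bind, search and group lookup from Sections IV and V.A, modelled in memory.
Added example: a toy DIT loaded from a constructed LDIF fragment; bind looks the
caller's DN up and verifies an OpenLDAP-style {SSHA} userPassword value."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as produced by slappasswd: base64(sha1(password || salt) || salt)."""
    salt = secrets.token_bytes(8) if salt is None else salt   # random salt in real use
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, password: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())

def normalize_dn(dn: str) -> str:
    """Canonical DN for comparison: trim around ',' and '=', case-fold.
    Enough for this model; escaped commas and per-attribute matching rules are ignored."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1))
                    for rdn in dn.split(",")).lower()

def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: 'attr: value' lines, one blank line between entries."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries

class Directory:
    """A DIT plus the bind / search / group operations the paper describes."""
    def __init__(self, ldif: str):
        self.entries = parse_ldif(ldif)

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the DN must exist and one userPassword value must verify.
        An empty password is refused: DN plus empty password is an unauthenticated
        bind, which a server may answer with success (RFC 4513 section 5.1.2)."""
        entry = self.entries.get(normalize_dn(dn))
        if entry is None or not password:
            return False
        return any(ssha_verify(v, password) for v in entry.get("userPassword", []))

    def search(self, base: str, attr: str, value: str) -> list:
        """Subtree search for an equality match, e.g. uid=jdoe under ou=people."""
        base_n = normalize_dn(base)
        return [dn for dn, attrs in self.entries.items()
                if (dn == base_n or dn.endswith("," + base_n))
                and value.lower() in (v.lower() for v in attrs.get(attr, []))]

    def is_member(self, user_dn: str, group_dn: str) -> bool:
        """The VPN check of Section V.A: is user_dn listed in the group's member values?"""
        group = self.entries.get(normalize_dn(group_dn), {})
        return normalize_dn(user_dn) in {normalize_dn(m) for m in group.get("member", [])}

# Constructed sample DIT: hypothetical users under a made-up dc=univ,dc=example.
FIXED_SALT = b"\x00\x01\x02\x03\x04\x05\x06\x07"   # fixed only to keep the data reproducible
SAMPLE_LDIF = f"""\
dn: uid=jdoe,ou=people,dc=univ,dc=example
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
userPassword: {ssha_hash("correct-horse", FIXED_SALT)}

dn: uid=asmith,ou=people,dc=univ,dc=example
objectClass: inetOrgPerson
uid: asmith
userPassword: {ssha_hash("battery-staple", FIXED_SALT)}

dn: cn=vpn-users,ou=groups,dc=univ,dc=example
objectClass: groupOfNames
cn: vpn-users
member: uid=jdoe,ou=people,dc=univ,dc=example
"""

def demo() -> dict:
    """Run the bind / search / group checks against the constructed DIT."""
    d = Directory(SAMPLE_LDIF)
    jdoe = "uid=jdoe,ou=people,dc=univ,dc=example"
    asmith = "uid=asmith,ou=people,dc=univ,dc=example"
    vpn = "cn=vpn-users,ou=groups,dc=univ,dc=example"
    return {"good_bind": d.bind(jdoe, "correct-horse"),
            "bad_bind": d.bind(jdoe, "wrong"),
            "unknown_dn": d.bind("uid=nobody,ou=people,dc=univ,dc=example", "x"),
            "empty_pw": d.bind(jdoe, ""),
            "found": d.search("ou=people,dc=univ,dc=example", "uid", "jdoe"),
            "vpn_jdoe": d.is_member(jdoe, vpn),
            "vpn_asmith": d.is_member(asmith, vpn)}

if __name__ == "__main__":
    print(demo())
```

The empty-password branch is the one check most applications forget: an LDAP server that receives a DN and an empty password performs an unauthenticated bind and may return success, so a login form that passes the user's input straight to the bind call lets anyone in with a blank password.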

V. OTHER SERVICES USING LDAP AUTHENTICATION

Figure 6: Snapshot showing user information

LDAP-based authentication is also used for the services described below.

A. Virtual Private Network (VPN)
A VPN is a computer network in which the links between nodes are carried by open connections or virtual circuits in a larger network. VPNs are used to separate the traffic of different user communities over an underlying network. LDAP authentication can be used to establish a client-to-site VPN connection. The VPN gateway authenticates the user against the remote LDAP server over an SSL-protected connection; during that authentication, the group membership of the remote user is compared with the group list held in the LDAP directory. This keeps a single copy of the entries in the remote directory, from which all users authenticate, instead of several copies at different locations. It also allows users to reach the VPN without being in the e-Directory: users from any LDAP directory can authenticate to the VPN [6].

Figure 5: Working of VPN using LDAP Authentication

B. Remote Access Server (RAS)
RAS provides remote access to the information on a network for a variety of IT devices. This requires dial-up and login authentication, which LDAP provides. Once the user is authenticated, the DHCP server assigns an IP address and the user is connected to the LAN.

C. Network Browsing Restriction
On the sample local area network, browsing is restricted by authenticating users via LDAP, so that only users with accounts in the LDAP directory can reach the Internet. The server uses the IP address of the local terminal to allow or restrict Internet access [4]. Because the decision is keyed on the client address, it is only as strong as the binding between that address and the authenticated user: an address reassigned by DHCP or shared behind NAT carries over the previous user's permission.

Figure 7: LDAP authentication for Apache Web server
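The lookups in Sections IV.A and V (finding a user's entry by name, comparing group lists) are driven by a name the user typed, which ends up inside an LDAP search filter. The following is an added example, not code from the paper or from any LDAP library: a small evaluator for the filter syntax, run over constructed entries (hypothetical uids under a made-up dc=univ,dc=example), showing what an unescaped value does to a (uid=...) lookup and how RFC 4515 escaping prevents it. Real servers differ in how tolerant they are of a filter with trailing characters; this evaluator rejects such a filter outright.

```python
"""Search-filter escaping (RFC 4515) and filter injection. Added example:
a tiny evaluator for the filter syntax behind the LDAP search operation."""
import re
from typing import Callable

# Constructed sample entries (hypothetical users; not from the paper).
ENTRIES = [
    {"dn": "uid=jdoe,ou=people,dc=univ,dc=example", "uid": ["jdoe"], "ou": ["cse"]},
    {"dn": "uid=asmith,ou=people,dc=univ,dc=example", "uid": ["asmith"], "ou": ["ee"]},
    {"dn": "uid=admin,ou=people,dc=univ,dc=example", "uid": ["admin"], "ou": ["it"]},
]
Predicate = Callable[[dict], bool]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion:
    '*', '(', ')', backslash and NUL become a backslash plus two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape(raw: str) -> str:
    """Inverse of escape_filter_value: turn a backslash-hex pair back into a character."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 <= len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def make_item(attr: str, raw: str) -> Predicate:
    """Assertion on one attribute: presence ('*'), equality, or substring.
    Only an unescaped '*' is a wildcard; an escaped one matches a literal asterisk."""
    if raw == "*":
        return lambda e: bool(e.get(attr))
    pattern = re.compile(".*".join(re.escape(unescape(p)) for p in raw.split("*")),
                         re.IGNORECASE)         # caseIgnoreMatch, as for uid and cn
    return lambda e: any(pattern.fullmatch(v) for v in e.get(attr, []))

def parse_filter(text: str):
    """Parse one parenthesised filter at the start of text; return (predicate, rest)."""
    if not text.startswith("("):
        raise ValueError("filter must start with '('")
    body = text[1:]
    if body[:1] in ("&", "|"):
        subs, rest = [], body[1:]
        while rest.startswith("("):
            pred, rest = parse_filter(rest)
            subs.append(pred)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        combine = all if body[0] == "&" else any
        return (lambda e, s=subs, c=combine: c(p(e) for p in s)), rest[1:]
    if body[:1] == "!":
        pred, rest = parse_filter(body[1:])
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (lambda e, p=pred: not p(e)), rest[1:]
    end = body.index(")")                       # a simple item ends at the first ')'
    attr, _, raw = body[:end].partition("=")
    return make_item(attr.strip(), raw), body[end + 1:]

def compile_filter(text: str) -> Predicate:
    """Whole-string parse: anything after the outer ')' is rejected."""
    pred, rest = parse_filter(text)
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return pred

def is_well_formed(text: str) -> bool:
    try:
        compile_filter(text)
        return True
    except ValueError:
        return False

def search(filter_text: str) -> list:
    """Return the DNs of the constructed entries matching the filter."""
    pred = compile_filter(filter_text)
    return [e["dn"] for e in ENTRIES if pred(e)]

def lookup_user_vulnerable(username: str) -> list:
    """The bug: the name is concatenated into the filter as-is."""
    return search("(uid=%s)" % username)

def lookup_user_safe(username: str) -> list:
    """The fix: escape the value before it enters the filter."""
    return search("(uid=%s)" % escape_filter_value(username))

if __name__ == "__main__":
    print(lookup_user_vulnerable("*"))          # every user, not the one asked for
    print(lookup_user_safe("*"))                # []
```

A name of "*" turns an exact lookup into a presence filter that returns every user, and "adm*" enumerates accounts by prefix; after escaping, the same input is compared literally and matches nothing. Client libraries ship an equivalent of escape_filter_value (for example ldap.filter.escape_filter_chars in python-ldap); the point is to apply it to every value that reaches a filter, not only to those that look suspicious.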

Figure 8: Successful authentication for a web page

D. Sendmail
The Sendmail server sends and receives messages across a network. It uses a standardized, centralized repository of user data that is integrated with the LDAP directory for authenticating users; the authentication is performed when a user sends or receives mail.

E. Maintaining an Address Book
The LDAP address book can be queried for mail addresses from any e-mail client that supports LDAP directories. Figure 9 shows Evolution Mail accessing the address book [3].

Figure 9: LDAP Address Book

VI. CONCLUSION

LDAP has become one of the most widely used services for authenticating users on a network. It can also serve as a backend for DNS data, as an address book, and as an organizational tool. With many services supporting LDAP, it will play a major role in authentication and authorization in the near future.

REFERENCES

[1] E. Jamhour, "Distributed Security Management Using LDAP Directories", PPGIA, PUCPR – Pontifícia Universidade Católica do Paraná, 2001.
[2] M. Butcher, Mastering OpenLDAP, 1st ed., Packt Publishing Ltd., 32 Lincoln Road, Olton, Birmingham, UK.
[3] C. Negus, Fedora 7 Bible, Wiley Publishing, Inc., Indianapolis, Indiana.
[4] S. Amer-Yahia, D. Srivastava, D. Suciu, "Distributed Evaluation of Network Directory Queries", IEEE Transactions on Knowledge and Data Engineering, vol. 16, no. 4, 2004.
[5] J. H. Terpstra, "LDAP Account Manager", Linux Journal, vol. 2004, no. 125, 2004, Specialized Systems Consultants, Inc.
[6] D. Hartman, "SSL VPN Strong Front-end User Authentication: Client Certificates using an Open Source CA", ICSA Labs, 2005.
[7] M. Bauer, "Paranoid Penguin: Authenticate with LDAP, Part III", Linux Journal, vol. 2003, no. 113, Specialized Systems Consultants, Inc.
[8] X. Wang, H. Schulzrinne, D. Kandlur, D. Verma, "Measurement and Analysis of LDAP Performance", IEEE/ACM Transactions on Networking, vol. 16, no. 1, Feb. 2008, pp. 232-234.
[9] C. S. Yang, C. Y. Liu, J. H. Chen, C. Y. Sung, "Design and Implementation of Secure Web-based LDAP Management System", IEEE, 2001.
[10] V. Koutsonikola, A. Vakali, "LDAP: Framework, Practices, and Trends", Aristotle University, IEEE Computer Society, Oct. 2004.
[11] R. F. Sari, S. Hidayat, "Integrating Web Server Applications With LDAP Authentication: Case Study on Human Resources Information System of UI", IEEE, 2006.