
Directory Services and LDAP

LaRon Walker

Master of Information Technology and Internet Security

April, 2010

Directory services are a way of indexing all users and resources on a network and linking them together. They also provide an avenue through which users can easily locate other users and resources on that network, which saves time and improves productivity. Directory services also provide the ability to centrally manage users and network resources, making it easier for administrators to scale, manage, maintain, troubleshoot, and locate networking issues. These services allow administrators to link email services such as Exchange or Lotus Notes to network resources, which also creates an easy way for users to search for and access resources. Along with this, network designers have the ability to create hierarchies that can be structured by location, resource type, department, and other grouping strategies, which may be modified to fit each networking environment's needs. Directory services are ideal in medium to large corporate environments, where resources may be spread across different locations but require fast, easy accessibility and manageability. Overall, directory services allow administrators to easily control access to resources. Examples of directory services are Novell's eDirectory and Microsoft's Active Directory.

Directory services generally use the Lightweight Directory Access Protocol (LDAP), which is the X.500 international standard that has been pushed since the 1980s. Per DiSabatino (2002), "What LDAP does well is reduce the amount of data necessary to locate a person, application or device on a network, or even on the Internet". LDAP is now used as the standard in over 40 countries.

Even though LDAP has great benefits, it also has its drawbacks. Over the years, people have found ways to exploit this protocol, leaving networks open to denial-of-service (DoS) attacks. LDAP accesses directories containing user authentication information, and these types of attacks can create pinholes or paths to this critical data. LDAP also opens the door for other exploits that pertain to email servers such as Domino and Exchange. Also, per Vijayan & DiSabatino (2001), "other products found with security problems include Sun Microsystems Inc.'s iPlanet Directory Server, IBM's SecureWay Directory, Qualcomm Inc.'s Eudora Worldmail and Network Associates Inc.'s PGP Keyserver". Due to the vulnerabilities of LDAP, the best way to protect against these types of security issues is to make sure that firewalls are checked frequently, all updates and security patches are current, and all security and antivirus applications are up to date, as I've stated in previous discussions.

References

directory services. (2008). In Dictionary of Computing. Retrieved April 4, 2010 from http://www.credoreference.com/entry/acbcomp/directory_services

DiSabatino, J. (2002). LDAP. Computerworld, 36(7), 40. Retrieved April 4, 2010 from Academic Search Premier database.

Pace, M. (2000). Active Directory barks up the right tree. InfoWorld, 22(6), 45. Retrieved April 4, 2010 from Academic Search Premier database.

Sliwa, C. (2002, July). Novell lays out road map for new directory services. Computerworld, 36(29), 7. Retrieved April 4, 2010 from ABI/INFORM Global. (Document ID: 137902031).

Vijayan, J., & DiSabatino, J. (2001). Security vulnerabilities found in directory protocol. Computerworld, 35(30), 17. Retrieved April 4, 2010 from MasterFILE Premier database.

Abstract (Summary)

Novell Inc. plans to unveil an 18-month road map for its eDirectory server software, dubbed
Project Destiny, that outlines its strategy to extend secure identity management to every aspect of
Web services.



Full Text (560 words)
Copyright Computerworld Inc. Jul 15, 2002

[Headnote]
But company has yet to specify dates

Novell Inc. today plans to unveil an 18-month road map for its eDirectory server software,
dubbed Project Destiny, that outlines its strategy to extend secure identity management to every
aspect of Web services.

But while the software maker is drawing analysts' praise for heading in the right direction, so far
the only product that has an expected year's end ship date is the Universal Description, Discovery
and Integration (UDDI) server that's being built on its eDirectory server.

"They have a lot of good ideas, and they've had them for a while. But when are they going to
deliver?" said Mike Neuenschwander, an analyst at Burton Group in Midvale, Utah. "They're
trying to jump the gun and be a thought leader. It's more important for them to be a product
leader."

At least with the Web services and UDDI plans, Novell may be running ahead of the demand
curve. IT departments have hardly been rushing to build Web services or use public UDDI
repositories that can help them find information about how their trading partners want to interact.

The first part of Novell's directory services road map calls for the addition of a server to its eDirectory that will bring user authentication and access control to UDDI registries. That will allow authorized users to add information to and query information from UDDI registries, according to Ed Anderson, director of product management for the company's identity services group.

Anderson said he anticipates that large companies will start to deploy internal UDDI repositories next year. He predicted that some will experiment with the federation of their internal repositories so they can share information with business partners. "It will become more prominent in 2004 and forward," he said.

Neuenschwander said the UDDI server represents only "one-sixteenth" of what Novell wants
to do through its Destiny road map. "The marketing guys are getting ahead of the engineering
guys," he said.

No timetable was announced for several key pieces of the plan, other than that they will be delivered next year, according to a Novell spokesman.

Those pieces include native support for XML and the Simple Object Access Protocol (SOAP) in
the eDirectory server; a single point of management for user identities drawn from multiple
applications and services; a rules-based engine that will help directories manage user access to
network resources; and a federated system that will allow businesses to securely share identity
information with business partners.

Anderson said the initial pieces will be modular add-ons to eDirectory, which is the foundation
of Project Destiny.

John Enck, an analyst at Stamford, Conn.-based Gartner Inc., said the real value in Novell's
directory services plan will be from policy-based identity management, which will allow more
users to be administered by fewer people.

"You're not going to have to burn IT resources for a simple task like adding or maintaining user
information in multiple directories," Enck said.

[Sidebar]
Novell's Plans
A UDDI server, built on Novell's eDirectory, to add authentication and access control to UDDI
registries; due by year's end
Native XML and SOAP support in eDirectory.
One management point for user identities drawn from multiple applications and services.
A rules-based engine that will help directories manage user access to network resources based on their roles in an organization.
A federated system to allow businesses to securely share identity data with their partners.


Indexing (document details)

Subjects: Software packages; Information technology
Classification codes: 9190 United States; 5250 Telecommunications systems & Internet communications; 5240 Software & systems; 9000 Short article
Locations: United States; US
Companies: Novell Inc (Ticker: NOVL, NAICS: 511210, Duns: 03-778-7298)
Author(s): Carol Sliwa
Document type: News
Publication title: Computerworld. Framingham: Jul 15, 2002. Vol. 36, Iss. 29; pg. 7, 1 pgs
Source type: Periodical
ISSN: 00104841
ProQuest document ID: 137902031
Text word count: 560
Document URL: http://proquest.umi.com/pqdweb?did=137902031&Fmt=3&clientId=65562&RQT=309&VName=PQD

*************

LDAP

Section: TECHNOLOGY QUICKSTUDY

DEFINITION

Lightweight Directory Access Protocol (LDAP) was developed as a PC-based front end to access X.500-compliant directories. It uses less code than X.500, so it's more viable for client-side applications. LDAP works over TCP/IP and organizes people, devices and applications in a hierarchical tree structure that reflects geographical, political and organizational boundaries.

ALL DIRECTORIES "basically serve as a way for applications to look up other applications, for
people to look up other applications or resources, or for managers to look up reservations or
resources," says Dan Blum, an analyst at The Burton Group in Midvale, Utah. On the Internet,
the most prevalent directory structure is Lightweight Directory Access Protocol (LDAP).

LDAP was originally created to be a trimmed-down, lower-overhead version of another directory protocol -- the international X.500 standard -- and is considered to be an easy key to the "white pages" of the network. The distinction between the two has always been that LDAP is incomplete but can be implemented quickly and efficiently, and X.500 has a comprehensive structure but requires a lot of coding.

"LDAP itself is general-purpose in nature. It can support many different types of applications," says Tim Howes, one of the co-authors of LDAP. Howes is now chief technology officer and co-founder of Loudcloud Inc. in Sunnyvale, Calif.

"Today, [LDAP] is often used to provide the e-mail address book functionality of your e-mail
client, the phone book application inside your corporate firewall and the authentication and
access-control engine behind many of the Web sites you visit," he says. "Many other applications
are also possible and in common usage."

The much more complex X.500 directory protocol has been pushed as a standard since the late
1980s, but it has never been fully adopted, at least in part because it initially required so much
space on the client side that PCs couldn't really handle it. PC processing has grown enough that
this is no longer a problem, but LDAP is still the directory of choice for many technology
vendors, and it's at the heart of Windows 2000's Active Directory.

In the early 1990s, Howes, William Yeong and S. Kille created LDAP at the University of Michigan in Ann Arbor. Since then, it has become a standard in 40 countries and is used by many of the world's biggest IT vendors, including IBM, Sun Microsystems Inc. and Microsoft Corp.

What LDAP does well is reduce the amount of data necessary to locate a person, application or device on a network, or even on the Internet. "LDAP directory information is contained in entries composed of attributes [such as name, address or e-mail]," Howes says. "Entries can be arranged in treelike structures for easier administration and browsing." Entries on the network are defined beginning at the country level, then by region, organization, department and individual or group.

LDAP has become the directory access protocol of choice, in part because it was adopted as a
standard not long after its introduction. It's also attractive to network administrators, who can
decide how to organize access for users, applications and other entities, such as servers.

Because it's a standard and so widely used for accessing directory information, LDAP is finding
its way into new types of applications. Metamerge in Oslo, for example, is using its LDAP-based
directory product for network provisioning functions that simplify administration.

But LDAP has limitations. According to Howes, it isn't a replacement for file servers, relational
databases and the Domain Name System. While it's very flexible and allows network
administrators the freedom to reflect the organization of a company in the directory, it still has
some problems with efficiency.

Communication Barriers

Like X.500, LDAP uses geographical, political and organizational constructs from the off-line
world to construct the directory. Thus, communication can break down between users in
different organizations, even though their directories are based on LDAP.

Consider, for example, a case in which two pharmaceutical companies are working together to
develop a new drug, but each uses a different messaging technology. One is a Windows 2000
shop that uses Outlook and Exchange for messaging, while the other uses Lotus Notes and
Domino. They have different naming schemes and rules. How can one system securely
authenticate users and encrypt messages on another system if it doesn't recognize their naming
rules? The problem occurs because public-key infrastructure (PKI) certificates are stored
according to the rules of the specific application or directory protocol they serve.

The user name in Microsoft's Active Directory would be john.doe@company.com. A PKI certificate in Active Directory would search for the published key of a Notes/Domino user but wouldn't be able to find it under the naming rules that guide it. So if John Doe wants to send an encrypted message to Jane Smith, his counterpart in the other company, he would have to be on the same e-mail system.

"You can write scripts to overcome the translation, but that requires a lot of work," says Michele Rubenstein, a security expert and president of the Electronic Messaging Association, as well as co-chairwoman of the Global Directory Forum at the World EMA, a consortium of electronic messaging organizations. "You can [also] create a metadirectory to publish [the PKI certificate] in a more usable format for whatever it is that you're doing."

"LDAP also never solved the problem of distributed entry -- that is, a person being known by different names throughout the system," Blum says. So if John Doe is part of two workgroups in a company, his e-mail address would be found in two branches of the directory. LDAP doesn't inherently identify this as a duplicate entry.
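To make two of the article's points concrete, the entry-and-attribute tree Howes describes (country, organization, department, person) and the "distributed entry" problem Blum describes, here is an added Python example. It is not code from the article or from any directory product: it models a small in-memory directory with constructed entries, runs base, one-level and subtree searches the way LDAP scopes them, and then groups entries by their mail attribute to surface the two John Doe entries that the directory itself never flags as duplicates. The organization names and DNs are constructed; the address john.doe@company.com is the one the article uses.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One directory entry: a distinguished name plus attribute/value pairs."""
    dn: str
    attributes: dict = field(default_factory=dict)


def parse_dn(dn):
    """Split 'cn=John Doe,ou=research,o=acme,c=us' into RDNs, leaf first.
    The constructed values contain no escaped commas, so a plain split is enough."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def is_under(dn, base, scope):
    """LDAP search scopes: 'base' is the base entry only, 'one' its direct
    children, 'sub' the base entry and everything beneath it."""
    rdns, base_rdns = parse_dn(dn), parse_dn(base)
    if len(rdns) < len(base_rdns) or rdns[len(rdns) - len(base_rdns):] != base_rdns:
        return False
    depth = len(rdns) - len(base_rdns)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


class Directory:
    """A toy in-memory directory (constructed; not any product's implementation)."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, **attributes):
        # The leaf RDN (e.g. cn=John Doe) is also an ordinary attribute of the entry.
        leaf_attr, leaf_value = parse_dn(dn)[0].split("=", 1)
        self.entries[dn] = Entry(dn, {leaf_attr: leaf_value, **attributes})

    def search(self, base, scope="sub", **filt):
        """DNs under `base` whose attributes equal every filter value, i.e. an
        LDAP equality filter such as (mail=john.doe@company.com)."""
        return sorted(
            e.dn for e in self.entries.values()
            if is_under(e.dn, base, scope)
            and all(e.attributes.get(k) == v for k, v in filt.items())
        )

    def duplicate_identities(self, key="mail"):
        """Group entries by an identity attribute; any group with more than one
        DN is the 'distributed entry' case the article describes, which the
        directory itself does not detect."""
        groups = defaultdict(list)
        for e in self.entries.values():
            if key in e.attributes:
                groups[e.attributes[key]].append(e.dn)
        return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def build_sample_directory():
    """Constructed sample tree: country > organization > department > person."""
    d = Directory()
    d.add("c=us")
    d.add("o=acme,c=us")
    d.add("ou=research,o=acme,c=us")
    d.add("ou=marketing,o=acme,c=us")
    d.add("cn=John Doe,ou=research,o=acme,c=us", mail="john.doe@company.com")
    d.add("cn=John Doe,ou=marketing,o=acme,c=us", mail="john.doe@company.com")
    d.add("cn=Jane Smith,ou=research,o=acme,c=us", mail="jane.smith@company.com")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print(d.search("ou=research,o=acme,c=us", scope="one"))
    print(d.search("o=acme,c=us", mail="john.doe@company.com"))
    print(d.duplicate_identities())
```

The duplicate check is deliberately outside the search path: a directory answers the query it is asked, and reconciling one person's several entries is a separate reconciliation step, which is the metadirectory idea Rubenstein mentions in miniature.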

LDAP's simplicity and openness mean that it has some obvious holes. But even with those
problems, LDAP remains one of the most useful directory systems ever built.

DIAGRAM: LDAP's Basic Structure

~~~~~~~~

By Jennifer DiSabatino

Copyright of Computerworld is the property of Computerworld and its content may not be
copied or emailed to multiple sites or posted to a listserv without the copyright holder's express
written permission. However, users may print, download, or email articles for individual use.

*************

Fixes available for LDAP-enabled servers

A Finnish university project to test the security of communications protocols has revealed
serious vulnerabilities in several implementations of the Lightweight Directory Access Protocol
(LDAP) affecting products such as Lotus Development Corp.'s Domino and Microsoft Corp.'s
Exchange servers.

The vulnerabilities, which could result in denial-of-service attacks and unauthorized access, were
discovered in LDAP-enabled products from nine vendors, according to an advisory posted last
week by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. No such
attacks have yet been reported.

In addition to Domino and Exchange 5.5 and 2000 server, other products found with security
problems include Sun Microsystems Inc.'s iPlanet Directory Server, IBM's SecureWay
Directory, Qualcomm Inc.'s Eudora Worldmail and Network Associates Inc.'s PGP Keyserver,
according to CERT.

Information about patch availability and advice about how to block access to directory services at the network perimeter is posted on CERT's Web site at www.cert.org/advisories/CA-2001-18.html.

LDAP is a protocol used to access directories containing critical information such as user names and authentication information, addresses and cryptographic certificates.

The breaches were discovered when the Oulu University Secure Programming Group in Finland applied a security test suite that sent sample packets containing unexpected values or illegally formatted data to LDAP-enabled products.
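The test-suite idea above (packets carrying unexpected values or illegally formatted data) comes down to how a server reads the BER tag-length-value encoding that every LDAP message arrives in, and whether it trusts the length fields the peer sends. The following Python example is added here and is neither any vendor's code nor the Oulu test suite: it is a defensive reader for the LDAPMessage envelope that checks each declared length against the bytes actually present, rejects the indefinite length form that RFC 4511 disallows, and fails closed on anything else unexpected. The sample messages are constructed for the example, not captured traffic.

```python
class BerError(ValueError):
    """Raised for any malformed or untrusted encoding; the caller drops the message."""


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos].

    Every length is validated against the bytes actually present before it is
    used, so a peer cannot make the reader index past the buffer.  The
    indefinite form is rejected because RFC 4511 allows only definite lengths;
    non-minimal long-form lengths are rejected as a deliberate hardening choice
    (plain BER would permit them, but accepting them only widens the input space)."""
    if pos >= len(buf):
        raise BerError("missing tag byte")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise BerError("high-tag-number form is not used by LDAP")
    pos += 1
    if pos >= len(buf):
        raise BerError("missing length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte, 0..127
        length = first
    elif first == 0x80:                   # indefinite form
        raise BerError("indefinite length is not allowed in LDAP")
    else:                                 # long form: low bits give the byte count
        count = first & 0x7F
        if count > 4:
            raise BerError("length field wider than 4 bytes")
        if pos + count > len(buf):
            raise BerError("truncated length field")
        if buf[pos] == 0:
            raise BerError("non-minimal length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if length < 0x80:
            raise BerError("non-minimal length encoding")
        pos += count
    if length > len(buf) - pos:
        raise BerError(f"declared length {length} exceeds the {len(buf) - pos} bytes present")
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(buf):
    """Parse the LDAPMessage envelope: SEQUENCE { messageID INTEGER, protocolOp }.
    Returns (message_id, protocol_op_tag); anything unexpected raises BerError."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30:
        raise BerError("LDAPMessage must be a SEQUENCE")
    if end != len(buf):
        raise BerError("trailing bytes after LDAPMessage")
    tag, mid, pos = read_tlv(body)
    if tag != 0x02 or not 1 <= len(mid) <= 4:
        raise BerError("messageID must be an INTEGER of 1 to 4 bytes")
    message_id = int.from_bytes(mid, "big", signed=True)
    if message_id < 0:
        raise BerError("messageID must be non-negative")
    op_tag, _op_body, _pos = read_tlv(body, pos)
    return message_id, op_tag


def check_message(buf):
    """Classify one raw message as 'ok ...' or 'rejected: <reason>'."""
    try:
        message_id, op_tag = parse_ldap_message(buf)
        return f"ok id={message_id} op=0x{op_tag:02x}"
    except BerError as err:
        return f"rejected: {err}"


# Constructed sample messages (not captured traffic).
SAMPLES = {
    # SEQUENCE { INTEGER 1, UnbindRequest [APPLICATION 2] NULL }
    "valid unbind": b"\x30\x05\x02\x01\x01\x42\x00",
    # outer length claims 0x7fffffff bytes while only 3 follow
    "oversized length": b"\x30\x84\x7f\xff\xff\xff\x02\x01\x01",
    # indefinite-length outer SEQUENCE
    "indefinite length": b"\x30\x80\x02\x01\x01\x42\x00\x00\x00",
    # long-form length byte announces 2 more bytes but the buffer ends
    "truncated length": b"\x30\x82\x01",
    # outer tag is OCTET STRING, not SEQUENCE
    "wrong outer tag": b"\x04\x03abc",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} -> {check_message(raw)}")
```

The point of the structure is that the decision to reject is made once, at the envelope, from the bytes in hand; nothing downstream ever sees a length it has to trust, which is the class of defect the test suite described above was designed to surface.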

"The test suite revealed vulnerabilities that were lying dormant" in the products, said Jeffrey
Lanza, a CERT member. "This type of testing should have been applied earlier in the
development process."

But there are no published exploits telling would-be hackers how to take advantage of these
holes, so "the likelihood of an attack coming as a result of this is relatively low," said Russ
Cooper, an analyst at Reston, Va.-based security firm TruSecure Corp. The fact that LDAP isn't
widely deployed on the Internet is another mitigating factor, he said.

"I think at this point, people need to make sure they get themselves patched, but I wouldn't
expect a wide range of attacks as a result of the vulnerabilities," Cooper said.

Still, "it is only a matter of time before a hacker tries this," said analyst Daniel Blum at The
Burton Group in Midvale, Utah. "Now that it's been published, [users] really need to pay
attention to [it]."

LDAP Loopholes

Security testing revealed that:

SUN'S IPLANET server contains vulnerabilities that could allow remote attackers to execute
arbitrary code.

CERTAIN VERSIONS of SecureWay directory are vulnerable to denial-of-service attacks because of problems in LDAP handling code.

VULNERABILITIES in LDAP handling code on the Domino R5 server and on Oracle Corp.'s
8i Enterprise Edition could allow remote attackers to run arbitrary code.

~~~~~~~~

By Jaikumar Vijayan

Jennifer DiSabatino contributed to this story.

*************

directory services: a method of listing all the users and resources linked to a network in a simple and easy-to-access way, so that a user can locate another user by name rather than by a complex network address.
