The World Wide Web
The World Wide Web makes an enormous amount of information available; what was missing for a long time was a standard way to query that information to its fullest extent. The world needed an accepted method for finding and using resources over computer networks, where a resource may be a computer, a business, a school or a user. This is what a Directory Access Protocol provides.
A directory is a large collection of well organized and indexed records, a specialized database optimized for direct lookups rather than for updates (Barber, B. et al. 2009). Active Directory (AD) is an example of a directory that can be queried over LDAP; the Domain Name System (DNS) is an example of a directory service that uses its own protocol rather than LDAP.
Directory services fall into two distinct groups: local services and global services.
A local service serves a single machine, whereas a global service has its data spread across many machines and provides its service on a far broader scale, up to the whole Internet. The servers that make up a global directory service cooperate to answer queries. A typical example of a global directory service is the Domain Name System.
LDAP, the Lightweight Directory Access Protocol, is an open-standard, lightweight version of the X.500 Directory Access Protocol. It is a protocol rather than a database: it runs over TCP/IP (port 389 by default) and gives clients access to directory servers whose data is optimized far more for reading than for updating.
LDAP concerns itself with retrieving this structured information from diverse sources in an efficient manner. It is based largely on the Directory Access Protocol (DAP), which was designed for communication between directory servers and clients compliant with the X.500 standard.
The X.500 standard defines a protocol for a client application to access the X.500 directory. The X.500 directory service provides the capability to look up and search for information, much like a yellow-pages service (Nancy, C., 2003); LDAP was designed as a lighter-weight way of accessing such a directory.
DAP is the X.500 directory client access protocol; it supports the search and lookup features of X.500, but it had performance problems. Chief among them was its size: DAP runs over the full OSI protocol stack and was very large, complex and difficult to implement (Howes, T. et al. 2003). LDAP was introduced as a faster and simpler alternative without the problems DAP posed.
LDAP is based on a client-server model. LDAP servers host the directory service, which may be public or internal, and clients connect to them to search for and retrieve entries. LDAP clients are built into many address book applications today, including email clients such as Microsoft Outlook.
The Lightweight Directory Access Protocol employs the following operations.
1. Binding to server
2. Searching for an entry
3. Comparing entries
4. Adding an entry
5. Modifying existing entries
6. Removing an entry
Of all the operations LDAP defines, binding is the one that involves authentication, and it is here that LDAP security matters most. An LDAP client starts a session with the LDAP server by sending a bind request, which may carry the user's authentication credentials.
1. LDAP SECURITY FEATURES
The bind operation belongs to the security model of LDAP and provides a mechanism for clients to authenticate themselves before they access data on the LDAP server (Howes, T. and Smith, M. 1997). It is commonly done with a user identifier (in LDAP, a distinguished name) and a password. The server takes knowledge of these credentials as proof that the user is genuine, which is only as strong as the secrecy of the password. LDAP is a connection-oriented, message-based protocol (Carter, G. 2003), so the authentication state established by a bind belongs to the connection on which it was performed. Whether the number of failed login attempts is limited is server-specific and configurable (in OpenLDAP through the password policy overlay). The diagram below shows the process of binding to the server more clearly.
Figure i (Adopted from: http://technet.microsoft.com/en-us/library/ee690469.aspx)
The process whereby an LDAP client is authenticated by the LDAP server is known as binding (David, N. et al. 2001). Once a client is successfully authenticated, it is given access to the server according to the privileges of the identity it bound as. The security mechanisms discussed below are:
Authentication over Transport Layer Security (TLS)
Authentication via Secure Sockets Layer (SSL)
Simple Authentication and Security Layer (SASL)
Access Control Lists (ACLs)
1.1 ANONYMOUS AUTHENTICATION
It is noteworthy that the Lightweight Directory Access Protocol supports anonymous access. This means that anyone can read the information the LDAP server exposes to anonymous users without providing a DN and password.
A DN (distinguished name) is the unique name of an entry in the LDAP directory. An LDAP server treats a client as anonymous if it sends a simple bind with an empty DN and an empty password, or, under LDAPv3, if it sends requests without binding at all.
So, unless the directory is deliberately public, anonymous authentication should be disabled for security reasons. In OpenLDAP it is disabled with the "disallow bind_anon" directive in slapd.conf (Carter, G. 2003).
Figure ii. Screenshot of an openldap anonymous authentication.
1.2 BASIC/SIMPLE AUTHENTICATION
Basic authentication is more often called simple authentication, or a simple bind, in LDAP; it is the counterpart of the basic authentication that web browsers such as Internet Explorer, Mozilla Firefox and Netscape use against web servers, and it is used by many client applications to connect to the directory. The client sends its credentials, a DN and a password, to the LDAP server in clear text. This makes the mechanism vulnerable to anyone able to observe the traffic, since the unencrypted password can simply be read off the network; it is only acceptable inside a TLS- or SSL-protected connection.
Figure iii : Screenshot of a basic simple authentication.
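As an added example (not code from the paper), the following Python encodes and decodes LDAPv3 BindRequest messages by hand to show what the anonymous bind of section 1.1 and the simple bind of section 1.2 actually put on the wire. The byte layout follows RFC 4511; the helper names, sample DNs and passwords are this example's own assumptions. It also recognises the "unauthenticated" bind of RFC 4513 (a DN with an empty password), which some servers treat as an anonymous session and which applications that only check for a successful bind result mistake for a login.

```python
"""Added example: hand-rolled BER encoding/decoding of LDAPv3 BindRequest.

Only the subset of ASN.1/BER that BindRequest needs is implemented. Tags and
structure come from RFC 4511; names, DNs and passwords are this example's own.
"""

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] OCTET STRING: the password, in clear text
TAG_SASL_AUTH = 0xA3      # [3] SaslCredentials, constructed


def ber_length(n):
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value):
    """INTEGER for the 0..127 range needed here (messageID, version)."""
    if not 0 <= value < 0x80:
        raise ValueError("example only encodes non-negative single-byte integers")
    return tlv(TAG_INTEGER, bytes([value]))


def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    inner = (ber_integer(3)
             + tlv(TAG_OCTET_STRING, dn.encode())
             + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_BIND_REQUEST, inner))


def classify_bind(message):
    """Parse a captured LDAPMessage and report what kind of bind it carries.

    Classes follow RFC 4513 section 5.1: empty name and empty password is an
    anonymous bind; a name with an empty password is an 'unauthenticated' bind.
    """
    tag, body, _ = read_tlv(message)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != TAG_BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    info = {"message_id": mid[0], "version": version[0], "dn": name.decode()}
    if auth_tag == TAG_SASL_AUTH:
        info["method"], info["password"] = "sasl", None
    elif auth_tag == TAG_SIMPLE_AUTH:
        info["password"] = cred.decode()   # readable by anyone on the path
        if not name and not cred:
            info["method"] = "anonymous"
        elif not cred:
            info["method"] = "unauthenticated"
        else:
            info["method"] = "simple"
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % auth_tag)
    return info


if __name__ == "__main__":
    anon = bind_request(1, "", "")
    print(anon.hex(), classify_bind(anon))
    captured = bind_request(2, "cn=admin,dc=example,dc=com", "s3cret")
    print(captured.hex(), classify_bind(captured))
```

Running it prints the 14-byte anonymous bind (300c020101600702010304008000) and then shows the DN and password recovered verbatim from the "captured" simple bind, which is the whole argument for sections 1.3 to 1.5: without SASL or TLS, a passive observer gets the credential with no cryptanalysis at all.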
Obviously, an authentication method that does not permit eavesdropping is required. The LDAP designers therefore incorporated an authentication framework called the Simple Authentication and Security Layer (SASL) (Howes, T. et al. 2003).
1.3 SIMPLE AUTHENTICATION AND SECURITY LAYER
SASL is a framework for secure authentication in LDAPv3 that supports Kerberos and a variety of other mechanisms; mechanisms that negotiate a SASL security layer can also protect the entire data stream between client and server with integrity checks and encryption (Sheresh, B. 2001). The SASL option is needed when a
The LDAP server advertises the set of authentication mechanisms it supports (in the supportedSASLMechanisms attribute of its root DSE) and the client chooses one of them. The mechanism defines the exchange of messages that must occur to carry out that particular authentication method (Howes, T. et al. 2003).
Some of the mechanisms include:
CRAM-MD5 (Challenge-Response Authentication Mechanism, MD5): the server sends a challenge and the client answers with an HMAC-MD5 of it keyed with the password, so the password itself never crosses the wire. The mechanism only authenticates and leaves the rest of the session unprotected, and MD5-based mechanisms are now considered obsolete.
GSSAPI: supports Kerberos version 5 authentication and can negotiate a security layer.
S/KEY: a one-time password scheme built on the MD4 message digest.
KERBEROS_V4: authentication with Kerberos version 4 (Anderson, R. et al. 2002). Only the mechanisms that negotiate a security layer, such as GSSAPI, encrypt the subsequent client-server exchange; the others protect the credentials but not the data.
Microsoft Windows NT LAN Manager (NTLM): like Kerberos, NTLM is an authentication protocol, offered over LDAP mainly by Active Directory alongside Kerberos. It is a challenge-response protocol (Lefkovitz, W. and Wade, W. 2001) in three steps, negotiate, challenge and authenticate, in which the client proves it is who it says it is by answering the server's challenge correctly. It is considerably weaker than Kerberos, which should be preferred where both are available.
1.4 AUTHENTICATION OVER TRANSPORT LAYER SECURITY
This mode of authentication and encryption is closely related to SSL. The Secure Sockets Layer encrypts the connection over which a simple password is transmitted, which protects the credentials and the data from packet sniffing by anyone positioned on the network path. Both SSL and TLS rely on certificates: the server presents a certificate that the client verifies against a trusted certificate authority, and optionally the client presents one of its own. TLS thus provides proof of the server's identity and protection of data in transit. With LDAP, TLS is started either by the StartTLS extended operation on the standard port 389 or implicitly on the LDAPS port 636.
Access control lists are a further security feature supported by LDAP; they prevent data from being read or modified by people who should not have access (see section 2).
Figure iii showing TLS
1.5 SECURE SOCKETS LAYER SECURITY FEATURE
SSL is a protocol developed by Netscape for creating a secure connection between a client and a server over the Internet; LDAP over SSL (LDAPS) uses port 636. According to Bialaski, T. et al. (2001), a secured LDAP connection is accomplished with client-side SSL support. This mode of authentication is based on signed digital certificates issued by trusted certificate authorities; as Bialaski, T. (2002) puts it, the mechanism for identity using SSL is the digital certificate.
Figure iv LDAP client – server binding using SSL (Adopted from: http://sqltech.cl/doc/oas10gR3/core.1013/b25209/ssl_intro.htm).
The two aspects of security using SSL are identification and encryption:
1. Identification: the client checks the server's digital certificate to make sure it is talking to the genuine server, and the server may in turn check a client certificate.
2. Encryption: the data sent between the client computer and the server is encrypted.
Both are provided over the dedicated TCP port 636.
2. ACCESS CONTROL SECURITY FEATURE OF LDAP.
An access control list is simply a list of permissions attached to an object (Reisman, B. and Ruebush, M. 2004). As the directory is populated with data of varying sensitivity, controlling who may access the directory and the records in it becomes vital. Permissions stating who has read, write or no access are used to grant or refuse a user, or a group of users, a specific action (Reisman, B. and Ruebush, M. 2004).
Each entry in an LDAP directory is identified by its distinguished name (DN), and the access rules describe who is allowed to read or change the information in that entry. Depending on the server, the rules live in the server configuration (OpenLDAP's slapd.conf) or in a special attribute stored in the entries themselves (the aci attribute of the Netscape family of servers).
The type of access granted to a user determines the operations that can be performed. Most LDAP servers provide a set of access levels for operations such as:
– Add an entry
– Delete an entry
– Access an entry
– Read an attribute
– Modify an attribute
– Search an attribute
LDIF (LDAP Data Interchange Format) is a plain-text format for representing LDAP directory content and changes to it. It is used mostly to construct a directory information tree, add entries to the LDAP directory, delete entries, export a directory and edit a directory (Zytrax, 2008).
According to Carter, G. (2003), the slapd.conf file is the central source of configuration information for the OpenLDAP standalone server (slapd).
slapd is a stand-alone LDAP daemon that handles connection management, access control and protocol interpretation. Its configuration file is usually found at /etc/openldap/slapd.conf (newer releases can also keep the configuration in the cn=config directory tree). A screenshot of it is displayed below.
Figure v: Screenshot of anonymous user authentication in slapd.conf file
The configuration in Figure v allows authenticated users to change their own passwords, allows unauthenticated connections to use the userPassword attribute only for the purpose of authenticating (binding), prevents all other access to userPassword, and permits read access to everything else.
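As an added example, not the screenshot the paper refers to, here is a slapd.conf fragment that combines the settings discussed so far: disallowing anonymous binds (section 1.1), requiring TLS before a simple bind is accepted (sections 1.2 and 1.4), the server certificate files (section 1.5), the access control policy just described, and stats-level logging (section 2.1). The directive names are OpenLDAP's own; the hostname and certificate paths are assumptions.

```conf
# Added example slapd.conf fragment (OpenLDAP directives; paths are assumed)

# Section 1.1: refuse anonymous binds outright
disallow bind_anon

# Sections 1.2 / 1.4: a simple bind is only accepted once the connection
# carries at least 128 bits of security strength, i.e. after StartTLS or on
# the ldaps:// port, so the clear-text password never crosses the wire bare
security simple_bind=128

# Section 1.5: certificate used for StartTLS on port 389 and ldaps on 636
TLSCACertificateFile  /etc/openldap/certs/ca.crt
TLSCertificateFile    /etc/openldap/certs/ldap01.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap01.key

# Section 2: access control, evaluated top-down; the first matching
# "access to" clause is used, and within it the first matching "by" clause.
#   by self write      - an authenticated user may change its own password
#   by anonymous auth  - an unbound connection may use it only to bind
#   by * none          - nobody else may read or write it
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# Section 2.1: stats level (256) logs connections, binds, operations, results
loglevel 256
```

The order of the two access clauses matters: if "access to *" came first, its "by * read" would match userPassword as well and the password hashes would be world-readable. Note also that "by anonymous auth" is still needed with "disallow bind_anon", because a connection is anonymous until its bind succeeds and must be allowed to compare against userPassword to get there.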
2.1 SECURITY AUDITING FEATURES FOR LDAP
As a network grows, it sees a huge volume of user logons and correspondingly bigger security problems. As an administrator, it is important to monitor the activity of the LDAP server.
The directory server produces three types of log: access logs, error logs and audit logs. In OpenLDAP, slapd logs through syslog (facility LOCAL4 by default), which can be directed to a dedicated file such as /var/log/slapd.log. The kind of information logged is selected with the loglevel directive in slapd.conf, whose value is the sum of the flags shown in table 3.1 below.
Level   Meaning
-1      log all information
1       trace function calls
4       heavy trace debugging
16      packets sent and received
32      search filter processing
64      configuration file processing
256     statistics of connections, operations and results
512     statistics of entries sent (entry debugging)
Table 3.1 OpenLDAP logging levels (the values are bit flags and may be added together)
Analysing /var/log/slapd.log gives a good idea of which entries are being searched for and how often the LDAP server is accessed; the stats level (256) in particular records every connection, bind and result. The downside is that the log files grow very bulky with time, so they need to be rotated.
2.2 BRUTE-FORCING IN LDAP
According to Radhamani, G. and Radha K. (2007), a brute force attack is a method of defeating an authentication scheme by trying very many possible combinations.
Syslog is an essential tool for logging system events. When a user makes an invalid logon attempt, the event is logged. Brute-force attempts are no different, and they stand out in the syslog file because many unsuccessful login attempts are made in quick succession from the same source.
To decrease the chances of a successful brute-force login attack, the following steps should be taken:
The length of the authentication credentials should be increased: user passwords should be made longer and more complex. The higher the number of characters in
The IP address from which the brute forcing is done should be locked out after a certain number of attempts.
A delay should be imposed between failed authentication attempts.
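As an added example for sections 2.1 and 2.2 (not code from the paper), the following Python correlates OpenLDAP stats-level log lines into bind attempts and flags the sources and accounts behind a brute-force or password-spraying run. The ACCEPT, BIND and RESULT line formats and the result code 49 (invalidCredentials) are what slapd writes at loglevel 256; the host, IP addresses, DNs and timestamps are constructed sample data, and the thresholds and function names are this example's own choices.

```python
"""Added example: detect bind brute-forcing in OpenLDAP stats-level logs.

slapd logs one ACCEPT line per connection (conn -> client IP), one BIND line
per bind (conn+op -> DN) and one RESULT line with the outcome; joining them on
conn= and op= yields (source IP, target DN, result code) per attempt.
All sample log lines below are constructed for this example.
"""
import re
from collections import defaultdict

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
INVALID_CREDENTIALS = 49  # LDAP resultCode returned for a wrong password


def _attempt(conn, ts, ip, dn, err):
    """Constructed log lines for one connection that binds once and closes."""
    pre = f"Mar 23 {ts} ldap01 slapd[1234]: conn={conn}"
    lines = [f"{pre} fd=12 ACCEPT from IP={ip}:5{conn} (IP=0.0.0.0:389)",
             f'{pre} op=0 BIND dn="{dn}" method=128']
    if err == 0:  # slapd logs the mechanism line only when the bind succeeded
        lines.append(f'{pre} op=0 BIND dn="{dn}" mech=SIMPLE ssf=0')
    lines += [f"{pre} op=0 RESULT tag=97 err={err} text=", f"{pre} fd=12 closed"]
    return lines


PEOPLE = "ou=people,dc=example,dc=com"
SAMPLE_LOG = []
for i in range(6):  # one source hammering a single account
    SAMPLE_LOG += _attempt(1001 + i, f"10:01:0{i}", "192.0.2.10", f"uid=alice,{PEOPLE}", 49)
SAMPLE_LOG += _attempt(1007, "10:01:07", "198.51.100.7", f"uid=bob,{PEOPLE}", 49)  # a typo
SAMPLE_LOG += _attempt(1008, "10:01:09", "198.51.100.7", f"uid=bob,{PEOPLE}", 0)   # then success
for i, user in enumerate(["carol", "dave", "erin", "frank", "grace"]):  # password spraying
    SAMPLE_LOG += _attempt(1009 + i, f"10:02:0{i}", "203.0.113.5", f"uid={user},{PEOPLE}", 49)


def bind_outcomes(lines):
    """Yield (source_ip, bind_dn, result_code) for every completed bind."""
    ip_by_conn, dn_by_op = {}, {}
    for line in lines:
        if m := ACCEPT_RE.search(line):
            ip_by_conn[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            dn_by_op[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            key = (m.group(1), m.group(2))
            if key in dn_by_op:
                yield ip_by_conn.get(m.group(1), "?"), dn_by_op.pop(key), int(m.group(3))


def find_bruteforce(lines, threshold=5):
    """Source IPs with at least `threshold` failed binds and the DNs they tried.

    Many failures against one DN is classic brute force; a few failures each
    against many DNs from one IP is password spraying. Both show up here.
    """
    failures, targets = defaultdict(int), defaultdict(set)
    for ip, dn, err in bind_outcomes(lines):
        if err == INVALID_CREDENTIALS:
            failures[ip] += 1
            targets[ip].add(dn)
    return {ip: {"failures": n, "dns": sorted(targets[ip])}
            for ip, n in failures.items() if n >= threshold}


def failures_by_dn(lines):
    """Failed binds per target account: the view an account-lockout policy needs."""
    counts = defaultdict(int)
    for _, dn, err in bind_outcomes(lines):
        if err == INVALID_CREDENTIALS:
            counts[dn] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed binds against {len(info['dns'])} DN(s)")
    print(failures_by_dn(SAMPLE_LOG))
```

The per-IP view is what the lockout and delay measures above act on; the per-DN view is needed as well, because a sprayer that rotates source addresses stays under any per-IP threshold while the per-account failure counts keep climbing. In production the counts should be kept over a sliding time window rather than over the whole file.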
A directory, being a collection of well organized and indexed records optimized for direct lookups (Barber, B. et al. 2009), is essential to everyday information sourcing. The records in such a directory therefore need to be secured. The following methods can be employed to secure them:
Ensuring secured communication between the LDAP client and server, to defeat sniffing.
Configuring access control lists properly and double-checking them, since complexity in their setup can open a loophole in LDAP security.
Logging login activity and reviewing it.
Once these security features are in place, the world of structured information sourcing will be a safer place.
Ambro, D. and Tittel, E. (2003) Solaris 9 System Administrator Certification.
Anderson, R. and Johnston, A. (2002) UNIX Unleashed. Sams Publishing.
Barber, B., Happel, C., Terrence, V. and Speake, G. (2009) CompTIA Linux+ Certification Study Guide: Exam XK0-003. UK: Elsevier Inc.
Bialaski, T. and Haines, M. (2001) Solaris and LDAP Naming Services: Deploying LDAP in the Enterprise. USA.
Carter, G. (2003) LDAP System Administration. USA: O'Reilly Media, Inc.
David N. Blank-Edelman (2009) Automating System Administration with Perl. USA: O'Reilly Media, Inc.
Howes, T., Smith, M. and Gordon, S. (2003) Understanding and Deploying LDAP Directory Services. Addison-Wesley.
Howes, T. and Smith, M. (1997) LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol. Sams Publishing.
Lefkovitz, W. and Wade, W. (2001) Configuring Exchange 2000 Server. USA: Syngress Publishing, Inc.
Nancy, C. (2003) Directory Services: Design, Implementation, and Management. USA: Butterworth-Heinemann.
Radhamani, G. and Rao, R.K. (2007) Web Services Security and E-Business. USA: Idea Group Inc.
Reisman, B. and Ruebush, M. (2004) MCSE: Windows Server 2003 Network Security Design. USA: John Wiley and Sons.
Sheresh, B. and Sheresh, D. (2001) Understanding Directory Services. Sams Publishing.
Zytrax (2008) Chapter 8. LDAP LDIF and DSML. (Online) Accessed: 23rd March 2011.