Sicurezza II, A.A. 2010-2011: LDAP
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
[email protected]

Sicurezza II, A.A. 2010/2011

LDAP
o LDAP stands for Lightweight Directory Access Protocol.
o It is a client-server protocol for reading and editing directories over an IP network.
  • A directory in this sense is a hierarchical set of records; a telephone directory is the classic example.
o LDAP uses the data model of the X.500 standards, a series of ITU-T standards covering electronic directory services, and was designed as a lightweight alternative to the X.500 Directory Access Protocol (DAP). X.509, the ITU-T standard for public key infrastructure certificates, belongs to the same X.500 series, which is why directory entries can carry X.509 certificates (see below).
o OpenID and OAuth are protocols for Web users and applications on the Internet; LDAP and SAML are the protocols typically used inside intranets and enterprises.

LDAP: how does it work?
o A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389 (636 for LDAP over TLS, ldaps://).
o The client then sends operation requests to the server, and the server sends responses in return.
o Some of the available operations:
  • Bind: authenticate the client to the server (anonymous, simple password or SASL); what the client may do afterwards depends on the identity it bound as.
  • Search: search for and/or retrieve directory entries.
  • Add a new entry.
  • Delete an entry.
  • Modify an entry.
  • …

LDIF
o LDIF stands for LDAP Data Interchange Format.
o It is a standard plain-text format (RFC 2849) for representing LDAP directory content and update requests.
  • Each record starts with a dn: line, followed by one attribute: value line per value; a multi-valued attribute (cn and mail below) simply repeats the attribute name, and records are separated by a blank line.
  • Example:

    dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
    objectclass: inetOrgPerson
    cn: Andre Panisson
    cn: Panisson Andre
    sn: Andre
    uid: panisson
    userpassword: prova
    carlicense: HISCAR 124
    homephone: 555-111-2223
    mail: [email protected]
    mail: [email protected]
    ou: Docenti

  • Note that userpassword is given here in clear text, and slapd stores and returns it exactly as loaded. Outside the lab, load a hashed value (generate one with slappasswd, e.g. in {SSHA} form) and restrict who may read the attribute with an access directive in slapd.conf.

X.509 certificates
o The inetOrgPerson object class (RFC 2798) includes the userCertificate attribute, so an X.509 certificate in DER form can be loaded into the user's entry and used to authenticate the user with a client certificate (see the "LDAP and certificates" and "Apache and LDAP" steps below).
LDIF fields
Main fields:
o dn: distinguished name, the unique name of an entry, made of the naming attributes on the path from the entry up to the root of the tree
o dc: domain component
o ou: organizational unit
o cn: common name
o Example:

    dn: cn=The Postmaster,dc=example,dc=com
    objectClass: organizationalRole
    cn: The Postmaster

Lab objectives
o Deploy a basic LDAP server
  • Load user info
  • Browse/search for user info
o Configure Apache to authenticate users using LDAP

Lab preparation
• Apache 2.2.13 server installed at $HOME/apache

OpenLDAP
• www.openldap.org
• An open source implementation of the Lightweight Directory Access Protocol

OpenLDAP: build
• Download OpenLDAP version 2.4.25
• Extract it:
    tar -xvzf openldap-2.4.25.tgz
• Check the files README and INSTALL
• Create the target directory and build it:
    mkdir $HOME/openldap/
    cd openldap-2.4.25
    ./configure --prefix=$HOME/openldap/
    make depend
    make
    make install

OpenLDAP: configuration
• Edit the file $HOME/openldap/etc/openldap/slapd.conf
• Include the following schemas (cosine and inetorgperson are required for the inetOrgPerson entries loaded later; the paths below are those of the lab account, adjust them to your $HOME):
    include /home/panisson/openldap/etc/openldap/schema/core.schema
    include /home/panisson/openldap/etc/openldap/schema/cosine.schema
    include /home/panisson/openldap/etc/openldap/schema/inetorgperson.schema
• Configure the database:
    database bdb
    suffix "dc=di,dc=unito,dc=it"
    rootdn "cn=Manager,dc=di,dc=unito,dc=it"
• The rootdn authenticates with the rootpw directive (the stock slapd.conf sets it to secret, which is the value the ldapadd -W prompts and the Apache configuration below rely on). Replace it with a hashed value generated by $HOME/openldap/sbin/slappasswd rather than the clear-text password, and keep slapd.conf readable only by the user running slapd.

OpenLDAP: start and test
• Start slapd on port 8389 (an unprivileged port, since the lab does not run as root; 0.0.0.0 makes it listen on every interface, use 127.0.0.1 if only local clients are expected):
    $HOME/openldap/libexec/slapd -h "ldap://0.0.0.0:8389"
• Connect to the server using ldapsearch. -x selects a simple bind (anonymous here, since no -D is given), and a base-scope search on the empty DN reads the root DSE, whose namingContexts attribute lists the suffixes the server holds:
    $HOME/openldap/bin/ldapsearch -h localhost -p 8389 -x -b '' -s base '(objectclass=*)' namingContexts
OpenLDAP: load data
• Create a file user.ldif with the suffix entry, the people organizational unit and one user (records separated by a blank line, parents before children):

    dn: dc=di,dc=unito,dc=it
    dc: di
    objectClass: top
    objectClass: domain

    dn: ou=people,dc=di,dc=unito,dc=it
    ou: people
    objectClass: top
    objectClass: organizationalUnit

    dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
    objectclass: inetOrgPerson
    cn: Andre Panisson
    cn: Panisson Andre
    sn: Andre
    uid: panisson
    userpassword: prova
    carlicense: HISCAR 124
    homephone: 555-111-2223
    mail: [email protected]
    mail: [email protected]
    ou: Docenti

• Load it into the LDAP server using ldapadd, binding as the rootdn (-W prompts for the rootpw):
    $HOME/openldap/bin/ldapadd -h localhost -p 8389 \
        -D "cn=Manager,dc=di,dc=unito,dc=it" -W -f user.ldif

OpenLDAP clients
• Browse the directory with a graphical client:
  • http://jxplorer.org/
  • http://phpldapadmin.sourceforge.net/

LDAP and certificates
• Create a new key and X.509 certificate for the user:
  • Create the user key and a certificate request:
    openssl genrsa -out userkey.pem 2048
    openssl req -key userkey.pem -new -out userreq.pem
  • Create the certificate and sign it with the lab CA (ca-bundle.crt and CA.key are the CA certificate and private key provided for the lab):
    openssl x509 -days 365 -CA ca-bundle.crt -CAkey CA.key \
        -CAcreateserial -CAserial ca.srl -req -in userreq.pem -out usercert.pem
  • Convert certificate and key to PKCS#12 and import the file into your browser (the export password you are asked for protects the private key inside the file):
    openssl pkcs12 -in usercert.pem -inkey userkey.pem -export -out usercert.pk12
  • Convert the certificate to DER format, which is how userCertificate is stored in the directory:
    openssl x509 -outform DER -in usercert.pem -out usercert.der
  • Encode it in base64 on a single line (-A), ready to paste into an LDIF "::" value:
    openssl base64 -A < usercert.der > usercert.der.b64

LDAP and certificates: load
• Create a file cert.ldif with the certificate contents. The double colon marks a base64-encoded value, and the ;binary option tells the server that the value is a raw DER blob:

    dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
    changetype: modify
    replace: userCertificate;binary
    userCertificate;binary:: < contents of usercert.der.b64 >

  (LDIF can also read the DER file directly with the URL form, userCertificate;binary:< file:///path/to/usercert.der, which skips the base64 step.)
• Import it (ldapadd honours the changetype: modify line, so this updates the existing entry instead of adding one):
    $HOME/openldap/bin/ldapadd -h localhost -p 8389 -D \
        "cn=Manager,dc=di,dc=unito,dc=it" -W -f cert.ldif
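The LDIF written by hand in the steps above, produced and read back in code: an added example in Python (standard library only), not part of the slides. It builds user.ldif with a hashed userPassword instead of the clear-text one, and cert.ldif with a base64 "::" value folded at 76 columns as RFC 2849 requires, then parses both. FAKE_DER is a constructed stand-in for usercert.der and is not a valid certificate; the salt passed to ssha_password is fixed only so that the output is reproducible (slappasswd picks a random one).

```python
# LDIF (RFC 2849) writer/parser for the lab records, with a hashed
# userPassword and a base64 userCertificate;binary value.
# Added example, not the slides' own material; standard library only.
import base64
import hashlib

# Constructed stand-in for `openssl x509 -outform DER` output. These bytes
# are NOT a valid certificate; they only exercise the encoding path.
FAKE_DER = bytes(range(256)) * 3
USER_DN = "cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it"


def ssha_password(password, salt):
    """OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).
    slappasswd -h {SSHA} emits the same format with a random salt."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, password):
    """Verify a password against a {SSHA} value (salt follows the 20-byte digest)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def _safe_string(value):
    """RFC 2849 SAFE-STRING: ASCII without NUL/CR/LF, not starting with ' ', ':' or '<'."""
    if value and value[0] in " :<":
        return False
    return all(0 < ord(ch) < 128 and ch not in "\r\n" for ch in value)


def ldif_line(attr, value):
    """One attribute line; bytes and unsafe strings go base64 after '::'.
    Lines are folded at 76 columns, continuation lines start with a space."""
    if isinstance(value, bytes):
        text = attr + ":: " + base64.b64encode(value).decode("ascii")
    elif _safe_string(value):
        text = attr + ": " + value
    else:
        text = attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    lines, pos = [text[:76]], 76
    while pos < len(text):
        lines.append(" " + text[pos:pos + 75])
        pos += 75
    return "\n".join(lines)


def entry_to_ldif(dn, attrs):
    """Add record; attrs is an ordered list of (name, value), repeats are multi-values."""
    return "\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]) + "\n"


def replace_attr_ldif(dn, attr, value):
    """changetype: modify record replacing one attribute, as in cert.ldif."""
    body = [ldif_line("dn", dn), "changetype: modify", "replace: " + attr,
            ldif_line(attr, value), "-"]
    return "\n".join(body) + "\n"


def _unfold(lines):
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]      # continuation of the previous line
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Parse LDIF into [(dn, [(attr, value), ...])]; '::' values come back as bytes."""
    records, current = [], None
    for line in _unfold(text.splitlines()):
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":                      # blank line ends a record
            if current:
                records.append(current)
                current = None
            continue
        if line == "-":                     # separator between modifications
            current[1].append(("-", ""))
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):
            raise ValueError("URL-valued attribute not handled: %r" % line)
        else:
            value = rest.lstrip(" ")
        if attr == "dn":
            current = (value.decode("utf-8") if isinstance(value, bytes) else value, [])
        else:
            current[1].append((attr, value))
    if current:
        records.append(current)
    return records


def lab_ldif():
    """user.ldif (with a hashed password) and cert.ldif for the lab user."""
    user = entry_to_ldif(USER_DN, [
        ("objectClass", "inetOrgPerson"), ("cn", "Andre Panisson"),
        ("cn", "Panisson Andre"), ("sn", "Andre"), ("uid", "panisson"),
        ("userPassword", ssha_password("prova", b"s4lt")), ("ou", "Docenti")])
    cert = replace_attr_ldif(USER_DN, "userCertificate;binary", FAKE_DER)
    return user, cert


if __name__ == "__main__":
    print("".join(lab_ldif()))
```

Feeding the two strings to ldapadd as in the steps above gives the same result as the hand-written files, except that the userPassword value is stored hashed; slapd verifies a simple bind against an {SSHA} value exactly as check_ssha does.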
Apache and LDAP
• LDAP module for Apache: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
• Install the LDAP modules mod_ldap and mod_authnz_ldap (prebuilt copies are provided in the lab account):
    cp /usr/home/docenti/panisson/mod_ldap.so \
        $HOME/apache/modules
    cp /usr/home/docenti/panisson/mod_authnz_ldap.so \
        $HOME/apache/modules
• To build Apache with the LDAP modules yourself, against the OpenLDAP installed above:
    ./configure --enable-module=SO --enable-ssl --prefix=$HOME/apache \
        --enable-ldap=shared --enable-auth-ldap=shared --with-ldap \
        --with-ldap-include=$HOME/openldap/include \
        --with-ldap-lib=$HOME/openldap/lib --enable-authnz-ldap=shared

Apache and LDAP: configuration
• Edit httpd.conf and add:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LDAPTrustedGlobalCert CA_BASE64 conf/ssl.crt/ca-bundle.crt

    <Directory /usr/home/…/apache/htdocs/protected>
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthUserFile /dev/null
        AuthLDAPBindDN "cn=Manager,dc=di,dc=unito,dc=it"
        AuthLDAPBindPassword secret
        AuthLDAPUrl ldap://localhost:8389/dc=di,dc=unito,dc=it?uid
        AuthName "Authorization required"
        require valid-user
    </Directory>

• How it works: for each request mod_authnz_ldap binds with AuthLDAPBindDN/AuthLDAPBindPassword, searches under dc=di,dc=unito,dc=it for the entry whose uid equals the Basic-auth user name (the ?uid part of the URL; the scope defaults to sub), then binds a second time as the DN it found, with the password the browser sent. Authentication succeeds only if that second bind succeeds, so Apache never needs to read userPassword.
• Points to keep in mind outside the lab:
  • AuthLDAPBindPassword puts the directory rootpw in clear text in httpd.conf. Use a dedicated read-only search account rather than cn=Manager, and protect the file.
  • LDAPTrustedGlobalCert only matters for ldaps:// or StartTLS connections; with the plain ldap:// URL above both the search account's password and every user's password cross the connection in clear. That is tolerable on localhost as here, but for a remote directory use ldaps:// or LDAPTrustedMode TLS.
  • AuthzLDAPAuthoritative and AuthUserFile are Apache 2.2 idioms: the former no longer exists in 2.4, and the latter is not needed with AuthBasicProvider ldap.

Apache and LDAP (with PHP)
• Get the PHP module built with LDAP support (provided in the lab account):
    cp /usr/home/docenti/panisson/libphp5.so.ldap_support $HOME/apache/modules/libphp5.so

Apache and LDAP (with PHP): form
• Edit form.html:

    <html>
    <head></head>
    <body>
    <form action="resource.php" method="get">
    Name: <input type="text" name="name" /><br />
    Password: <input type="password" name="password" /><br />
    <input type="submit" value="Submit" />
    </form>
    </body>
    </html>

• The form sends the password with method="get", so it ends up in the URL, in the browser history and in the Apache access log; the lab keeps it for simplicity, a real form would use method="post" and resource.php would read $_POST.
Apache and LDAP (with PHP): resource.php
• Edit resource.php:

    <?php
    // Credentials arrive in the query string because form.html uses method="get".
    $name = $_GET['name'];
    $password = $_GET['password'];

    // Connect to the LDAP server started earlier.
    $conn = ldap_connect("localhost", "8389")
        or die("Could not connect to server");
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Bind as the directory manager with the rootpw hard-coded here.
    // Note: this does NOT authenticate the visitor; $password is never checked.
    $r = ldap_bind($conn, "cn=Manager,dc=di,dc=unito,dc=it", "secret")
        or die("Could not bind to server");

    // Search for the entry whose cn equals the submitted name.
    // $name is concatenated into the filter unescaped, so a name of "*"
    // matches every entry and "(" or ")" can change the filter structure.
    $result = ldap_search($conn, "dc=di,dc=unito,dc=it", "cn=" . $name);

    // Get the entries as an array.
    $info = ldap_get_entries($conn, $result);
    ldap_close($conn);
    ?>

• Edit resource.php (continuation):

    <html>
    <head></head>
    <body>
    <?php
    // Iterate over the array and print the data of each entry.
    for ($i = 0; $i < $info["count"]; $i++) {
        echo "dn is: " . $info[$i]["dn"] . "<br>";
        echo "first cn is: " . $info[$i]["cn"][0] . "<br>";
        echo "first email address is: " . $info[$i]["mail"][0] . "<br>";
        // Readable only because the script bound as Manager and the value was
        // loaded in clear text; an application should never be able to read it.
        echo "password is: " . $info[$i]["userpassword"][0] . "<br>";
        // DER certificate loaded in the cert.ldif step, used by the check below.
        $certificate = $info[$i]["usercertificate;binary"][0];
    }
    ?>
    </body>
    </html>

Apache and LDAP: exercise
• Connect to localhost using a browser and access the protected resources.
• Change the password using the LDAP client. What happens?
  • mod_ldap caches successful searches and binds (the user's DN and a hash of the password) for LDAPCacheTTL seconds, 600 by default, so the old password keeps working until the cached entry expires.
• Edit httpd.conf and add:
    LDAPCacheTTL 1
• Restart Apache and try to access the protected resources again.
• What happens now if we change the password using the LDAP client?

Apache and LDAP: next steps
• Configure Apache with SSL and keep LDAP authentication.
• Configure SSL to require a user certificate:
    SSLRequireSSL
    SSLVerifyClient require
  mod_ssl only checks that the client certificate chains to the configured CA (SSLCACertificateFile); linking it to the directory entry is what the PHP check below does.
• Still under development: AuthType Certificate (not an existing Apache directive; the closest built-in mechanism is SSLOptions +FakeBasicAuth, which hands the certificate subject DN to the Basic authentication providers as the user name).
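What the unescaped "cn=" . $name filter in resource.php lets a visitor do, and the RFC 4515 escaping that prevents it: an added example in Python (standard library only), not the slides' PHP. DIRECTORY is a constructed in-memory stand-in for the lab entries (the second user is invented for the demonstration), match_value approximates the server's caseIgnoreMatch evaluation of a single equality filter, and nothing here talks to slapd.

```python
# RFC 4515 filter-value escaping versus the unescaped "cn=" . $name filter in
# resource.php. Added example, not the slides' code; standard library only.
import re

# Constructed in-memory stand-in for the lab directory (the second user is
# invented for the demonstration); a real script would query slapd.
DIRECTORY = {
    "cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it":
        {"cn": ["Andre Panisson", "Panisson Andre"], "uid": ["panisson"]},
    "cn=Mario Rossi,ou=people,dc=di,dc=unito,dc=it":
        {"cn": ["Mario Rossi"], "uid": ["rossi"]},
}

# Characters that must be escaped as \XX inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape user input so the server matches it literally (RFC 4515, section 3).
    PHP >= 5.6 has the same built in: ldap_escape($v, '', LDAP_ESCAPE_FILTER)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Inverse: each \\XX escape is one byte of the UTF-8 value."""
    parts = re.split(r"\\([0-9a-fA-F]{2})", value)   # odd indices are hex bytes
    raw = bytearray()
    for i, part in enumerate(parts):
        raw += bytes([int(part, 16)]) if i % 2 else part.encode("utf-8")
    return raw.decode("utf-8")


def match_value(assertion, stored):
    """Evaluate (attr=assertion) against one stored value the way a server does
    for a caseIgnoreMatch attribute such as cn: an unescaped '*' in the
    assertion is a wildcard, an escaped one (\\2a) is a literal asterisk."""
    pieces = [unescape_filter_value(p).lower() for p in assertion.split("*")]
    s = stored.lower()
    if len(pieces) == 1:                   # no wildcard: plain equality
        return s == pieces[0]
    if not s.startswith(pieces[0]) or not s.endswith(pieces[-1]):
        return False
    pos = len(pieces[0])
    for middle in pieces[1:-1]:            # inner substrings must appear in order
        idx = s.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(s) - len(pieces[-1])


def search(directory, attr, assertion):
    """DNs of the entries matching (attr=assertion), like ldap_search in resource.php."""
    return [dn for dn, entry in directory.items()
            if any(match_value(assertion, v) for v in entry.get(attr, []))]


def vulnerable_filter(name):
    """The filter resource.php sends: the request value is concatenated as-is."""
    return "(cn=" + name + ")"


def safe_filter(name):
    """The same filter with the value escaped."""
    return "(cn=" + escape_filter_value(name) + ")"


def lookup(name):
    """(matches with the raw value, matches with the escaped value) for one input."""
    return (search(DIRECTORY, "cn", name),
            search(DIRECTORY, "cn", escape_filter_value(name)))


if __name__ == "__main__":
    for submitted in ["Andre Panisson", "*", "*Rossi"]:
        raw, safe = lookup(submitted)
        print(vulnerable_filter(submitted), "->", len(raw), "entries;",
              safe_filter(submitted), "->", len(safe), "entries")
```

With the raw value a name of "*" returns every entry, and in resource.php that means every user's clear-text password is printed; escaped, it matches nothing. In the PHP script the fix is ldap_escape($name, '', LDAP_ESCAPE_FILTER) before the concatenation, and the submitted password should then be verified by calling ldap_bind with the DN the search returned and $password, the same search-then-bind sequence mod_authnz_ldap performs, instead of reading userpassword.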
Apache and LDAP: verify the certificate
• Create a PHP script to compare the certificate stored in the directory with the one the browser presented:

    <?php
    // Wrap a DER certificate as PEM: base64 in 64-character lines.
    // chunk_split encodes the whole value; a fixed number of 64-character
    // lines would truncate any certificate longer than that.
    function der2pem($certificate) {
        $beginpem = "-----BEGIN CERTIFICATE-----\n";
        $endpem = "-----END CERTIFICATE-----\n";
        return $beginpem . chunk_split(base64_encode($certificate), 64, "\n") . $endpem;
    }

    // Build the PEM string from the usercertificate;binary value read in resource.php.
    $pemdata = der2pem($certificate);

    // Get a certificate resource from the PEM string.
    $cert = openssl_x509_read($pemdata);

    // Parse the resource and print out the contents.
    $cert_data = openssl_x509_parse($cert);
    echo '<p>LDAP Certificate Credentials: ' . $cert_data['name'];
    // SSL_CLIENT_S_DN is set by mod_ssl (SSLOptions +StdEnvVars) only after
    // SSLVerifyClient require has validated the client certificate.
    echo '<p>Client Certificate Credentials: ' . $_SERVER["SSL_CLIENT_S_DN"];

    // All done, clean up.
    openssl_x509_free($cert);
    ?>

• The two echo lines only display the subject DNs. An actual check must compare them strictly (and look the directory entry up from the certificate DN rather than from a user-supplied name) or, better, compare the certificates themselves: with SSLOptions +ExportCertData mod_ssl exposes the client's PEM in $_SERVER["SSL_CLIENT_CERT"], which can be compared with $pemdata directly or by fingerprint. Two different certificates can carry the same subject DN, so a DN match alone proves only that the CA issued some certificate with that name.

Sicurezza II, A.A. 2010-2011: LDAP
Thank you for your attention!
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
[email protected]

©2009 by André Panisson. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.