
LDAP: General Introduction

Date: 03 23, 2010
Version: 1.0
Status: Completed
Author: Trương Thị Mai

Reviewed by: [Name, Position]
Approved by: [Name, Position]

Revision history
Date: 03 23 2010; Version: 1.0; Description: Introduction to LDAP; Author: Trương Thị Mai

Table of Contents

1 Introduction  4
1.1 Purpose  4
1.2 Scope  4
1.3 Definitions and abbreviations  4
1.4 References  5
1.5 Overview  5

2 General introduction to LDAP  6
2.1 Basic introduction  6
2.1.1 LDAP - Lightweight Directory Access Protocol  6
2.1.2 How LDAP works  8
2.1.3 Structure of an LDIF file  10
2.2 LDAP models  13
2.2.1 LDAP information model  13
2.2.2 LDAP naming model  15
2.2.3 LDAP functional model  17
    1. Interrogation operations (LDAP Interrogation)  17
    2. Update operations (update)  19
    3. Authentication and control operations (authentication and control)  19
    4. Extended operations  19
2.2.4 LDAP security model  20
2.3 Authentication in LDAP  20
2.4 Some services that use the LDAP protocol  22

3 Application to the Faculty of IT  25
3.1 Building the initial database  25
3.2 Diagram  25
3.3 Contents of the LDIF file  26

1 Introduction

1.1 Purpose

A general introduction to LDAP technology for centralised authentication, its working models, and the design of a model suited to the Faculty of Information Technology (CNTT).

1.2 Scope

Applied to the model of the Faculty of IT at Nong Lam University.

1.3 Definitions and abbreviations

No.  Name  Description
1    LDAP  Lightweight Directory Access Protocol: a protocol for fast access to directory services.
2    LDIF  LDAP Data Interchange Format: defines a plain-text data interchange format for describing directory information. LDIF can also describe a set of directory entries, or a set of updates to be applied to a directory.
3    RDN   Relative Distinguished Name: the attribute of a DN that makes the object unique within its context.
4    DIT   Directory Information Tree.
5    OID   Object Identifier: a globally unique number that identifies an object.
6    SSL   Secure Sockets Layer: a protocol commonly used to secure a message transmission over the Internet.
7    TLS   Transport Layer Security: a protocol that ensures privacy between communicating applications and their users on the Internet.
8    SASL  Simple Authentication and Security Layer.

1.4 References

Lightweight Directory Access Protocol - Wikipedia, the free encyclopedia.htm
Understanding LDAP Design and Implementation, IBM Redbooks (sg244986.pdf).
http://www.ust.hk/itsc/ldap/understand.html

1.5 Overview

2 General introduction to LDAP

2.1 Basic introduction

Today, when building large systems, the critical question is how to integrate data so that it can be shared between different systems. Among these, integrating user accounts is the most pressing of those "critical" concerns. Imagine a system of around 5 to 6 different modules, each designed on a different platform (one uses Oracle + AS Portal, another DB2 with WebSphere, another MySQL with phpnuke, one runs on Windows, another on Linux), so each has its own set of users. Then for each module a user needs a separate user name and password, which is unacceptable; it will not take long for users to get fed up with the system. How can users be integrated across these systems? The answer is LDAP. So what is LDAP?

2.1.1 LDAP - Lightweight Directory Access Protocol

Definition of LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol for fast access to directory services, an extensible standard for the directory access protocol. LDAP is a protocol for finding and accessing directory-style information on a server. It uses a client/server protocol to access the directory service. LDAP runs over TCP/IP or other connection-oriented services. Moreover, LDAP was created specifically for "read" operations. Therefore authenticating a user by means of an LDAP "lookup" is fast, efficient, light on resources and simpler than querying a user account in a database. LDAP servers include OpenLDAP, OpenDS, Active Directory, and others.

Explanation of the phrase Lightweight Directory Access Protocol

1. Lightweight

Why is LDAP considered lightweight? Lightweight compared with what? To answer these questions you need to look at the origin of LDAP. By nature LDAP is a part of the X.500 directory service. LDAP was in fact designed as a lightweight protocol, used as a gateway that answers requests on behalf of an X.500 server. X.500 is known as a heavyweight: it is a set of standards, and it requires client and server to communicate with each other following the OSI model. The 7-layer OSI model is a standard model well suited to the design of network protocols, but compared with the TCP/IP standard it no longer makes sense. LDAP is considered lightweight because it uses packets with low overhead, and it is defined directly on the TCP layer (by default port 389) of the TCP/IP protocol suite. X.500, on the other hand, is an application-layer protocol that carries much more, for example the network headers wrapped around the packets at each layer before they are sent over the network.

Figure 1. X.500 over the OSI model; LDAP over TCP/IP

In short, LDAP is considered lightweight because it drops many of the rarely used methods of X.500.

2. Directory

A directory service is not to be confused with a database. A directory is designed to be read far more than it is written to, whereas a database suits frequent and repeated reads and writes alike. LDAP is only a protocol: it is a set of messages for handling various kinds of data. A protocol cannot know where the data is stored. LDAP does not support the processing and other features typical of a database. The client never sees or knows that there is a backend storage engine. For this reason, an LDAP client communicates with the LDAP server according to the following standard model:

Figure 2. The relationship between the LDAP client, the LDAP server and the data store

3. Access Protocol

LDAP is an access protocol. It presents a tree model of the data, and this tree model is what you work with when you access an LDAP server.

LDAP's client/server access protocol is defined in an RFC: a client can issue a series of requests, and the responses to those requests may come back in a different order.

2.1.2 How LDAP works

LDAP uses the client/server communication protocol

The client/server communication protocol is a protocol model in which a client program running on one computer sends a request over the network to another computer running a server program. The server program receives the request, carries it out and then returns the result to the client program. The basic idea of the client/server protocol is that work is assigned to the computers optimised for that work. An LDAP server needs a lot of RAM (memory) to hold the directory contents for fast execution of operations, and it also needs fast disks and processors.

Here is the flow of an LDAP client/server exchange:

Figure 3. The connection model between client and server

1. The client opens a TCP connection to the LDAP server and performs a bind operation. The bind includes the name of a directory entry and the credentials to be used in authentication; the credential is usually a password, but it can also be a digital certificate used to authenticate the client.
2. After the directory has checked the bind, the result of the bind operation is returned to the client.
3. The client issues search requests.
4. The server processes them and returns results to the client.
5. The server sends a message indicating the end of the search.
6. The client issues an unbind request, which tells the server that the client wants to close the connection.
7. The server closes the connection.

LDAP is a message-oriented protocol

Because client and server communicate through messages, the client creates a message (an LDAP message) containing the request and sends it to the server. The server receives the message, processes the client's request and then responds to the client, also with an LDAP message. For example, when an LDAP client wants to search the directory, the client creates an LDAP search message and sends it to the server. The server searches its database and sends the results to the client in an LDAP message.

Figure 4. A basic search operation

If the client searches the directory and many results are found, those results are sent to the client in several messages.

Figure 5. Messages the client sends to the server

Because LDAP is a message-oriented protocol, the client is allowed to issue many request messages at the same time. In LDAP, the message ID is used to match the client's requests with the server's results.

Figure 6. Multiple search results returned

Allowing many messages to be processed at the same time makes LDAP more flexible than other protocols.

Take HTTP: each request from the client must be answered before another request can be sent, so an HTTP client program such as a web browser that wants to download several files at once must open a separate connection for each file. LDAP works quite differently, handling all operations over a single connection.

2.1.3 Structure of an LDIF file

The LDIF concept

LDIF (LDAP Data Interchange Format), defined in RFC 2849, is a standard text file format for storing LDAP configuration information and directory contents. LDIF files are commonly used to import new data into your directory or to change existing data. The data in an LDIF file must obey the rules in the LDAP directory's schema. The schema is a kind of data defined in advance in your directory. Every element added to or changed in your directory is checked against the schema to ensure correctness. A schema violation error appears if the data does not conform to the rules.

Solution for bulk-importing data into LDAP: if the data is held in Excel with some tens of thousands of records, write a tool to convert it into the format above and then import it into the LDAP server.

An LDIF file normally follows this layout:
- Each entry is separated from the next by a blank line.
- Attributes are written as attribute name: value.
- A set of directives tells how the information is to be processed.

Structure of an LDIF file

Requirements when writing the contents of an LDIF file:
- Comments in an LDIF file are written after a # at the start of a line.
- Attributes are listed to the left of the colon (:) and the value is given on the right. The separator is set off from the value by a space.
- The dn attribute defines the single DN that identifies the entry.


Below is an example of the structure of an LDIF file:

Root node: dc=hcmuaf,dc=edu,dc=com

dn: dc=hcmuaf,dc=edu,dc=vn
objectClass: domain
objectClass: top
dc: hcmuaf
entryUUID: a1255ce5-2710-388c-95a6-3c030a59a8d3

dn: o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: top
objectClass: organization
description: information technology
o: it
entryUUID: fbcb85d5-e17c-494e-a36d-5932fb503125
createTimestamp: 20100326000527Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

Child node: o=it,[root node]

dn: uid=mai,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: mai
uid: mai
cn: mai
telephoneNumber: 0633649470
sn: mai
userPassword: {SSHA}EI41fLuan5bQ1FQA0u8Nvg4/hqRF+i51yrAnNA==
mail: mai
facsimileTelephoneNumber: 123i
entryUUID: b9cb6886-263d-4a0c-bd1f-e315dde47b30
createTimestamp: 20100326000919Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
pwdChangedTime: 20100326000919.471Z

Leaf node: uid=mai,[parent path] or cn=mai,[parent path]

Note: for a field whose name is followed by ::, the value is encoded in Base64 with the UTF-8 charset. If Vietnamese text is typed in directly, the LDAP server will not understand it on import, so it must be Base64-encoded.
- Example: cn: Phm Thi Thy  becomes  cn:: VHLhuqduIFRow6FpIExvbmc= (the :: indicates that this field uses Base64)

Contents of a directory entry in LDIF form

Below is the content of one entry in an LDIF file.

dn: uid=tuanh,ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: tuanh
uid: tuanh
cn: tuanh
telephoneNumber: 125698742
sn: tuanh
userPassword: {SSHA}WixBYpdCo4bEZPRPwUriImctcWZ9sDgQQ/WElg==
mail: tuanh
facsimileTelephoneNumber: 5426
entryUUID: bc95b0ee-6e3e-480d-83c1-2c1e13c89dc9
createTimestamp: 20100326001110Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
pwdChangedTime: 20100326001110.323Z

An entry is a collection of attributes, each describing one characteristic feature of an object. An entry consists of several lines:
- dn: distinguished name, the name of the directory entry, written entirely on one line.
- Then come the entry's attributes, which hold the data. Each attribute is on its own line, in the form attribute type: attribute value. The order of the attributes does not matter, but for readability the objectClass values should come first and attributes of the same kind should be kept together.
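As an added example that is not part of the original document, the Python below implements the LDIF rules just described: blank-line entry separators, # comments, attribute: value lines, :: Base64 values and folded continuation lines, together with a schema-style check of required attributes and the reverse encoding that the note on Vietnamese text calls for. The sample LDIF and the REQUIRED_ATTRS table are constructed for this example.

```python
import base64

# Constructed sample in the style of the hcmuaf entries above; the cn:: value is the
# Base64 form of a Vietnamese name, as the text requires for non-ASCII data.
SAMPLE_LDIF = """\
# '#' starts a comment line; a blank line ends an entry
dn: dc=hcmuaf,dc=edu,dc=vn
objectClass: domain
dc: hcmuaf

dn: uid=long,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: person
objectClass: inetOrgPerson
uid: long
cn:: VHLhuqduIFRow6FpIExvbmc=
sn: Long
description: a value folded
  across two lines
"""

# MUST attributes of a few standard object classes (RFC 4519; domain from RFC 2247),
# standing in for the schema check the text describes.
REQUIRED_ATTRS = {"domain": ["dc"], "organization": ["o"],
                  "organizationalUnit": ["ou"], "person": ["sn", "cn"]}

def parse_ldif(text):
    """Parse LDIF text into a list of entries, each a dict attr -> [values]."""
    logical = []                        # unfold: a leading space continues the previous line
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, rest = line.partition(":")
        if not sep or (not current and attr != "dn"):
            raise ValueError(f"malformed entry near {line!r}")
        if rest.startswith(":"):        # 'attr:: value' is Base64-encoded UTF-8
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                           # 'attr: value' is plain text
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def validate_entry(entry):
    """Return the schema violations of one entry; an empty list means it is acceptable."""
    problems = []
    if "dn" not in entry:
        problems.append("missing dn")
    classes = entry.get("objectClass", [])
    if not classes:
        problems.append("missing objectClass")
    for oc in classes:
        for attr in REQUIRED_ATTRS.get(oc, []):
            if attr not in entry:
                problems.append(f"objectClass {oc} requires {attr}")
    return problems

def to_ldif(entry):
    """Serialise one entry back to LDIF. RFC 2849 requires the '::' Base64 form for any
    value that is not a SAFE-STRING (non-ASCII, leading space/colon/'<', trailing space)."""
    lines = []
    for attr, values in entry.items():
        for value in values:
            unsafe = value and (value[0] in " :<" or value[-1] == " " or
                                any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value))
            if unsafe:
                encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
                lines.append(f"{attr}:: {encoded}")
            else:
                lines.append(f"{attr}: {value}")
    return "\n".join(lines) + "\n"
```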

Some basic attributes in an LDIF file:

No.  Name                      Description
1    dn                        Distinguished Name: the distinguishing name of the entry
2    c                         country: two-letter abbreviation of a country name
3    o                         organization
4    ou                        organizational unit
5    objectClass               Each objectClass value acts as a template for the data stored in an entry. It defines a set of attributes that must be present in the entry (for example, if an entry has the objectClass value eperson, and eperson requires the attributes name, email and uid, then the entry will have those attributes), and a set of optional attributes that may or may not be present.
6    givenName                 given name
7    uid                       user id
8    cn                        common name
9    telephoneNumber           telephone number
10   sn                        surname
11   userPassword              user password
12   mail                      email address
13   facsimileTelephoneNumber  fax number
14   createTimestamp           time this entry was created
15   creatorsName              name of the creator of this entry
16   pwdChangedTime            time the password was last changed
17   entryUUID                 id of the entry

2.2 LDAP models

LDAP also defines four models, which allow flexibility in laying out directories:
- The LDAP information model defines the structure and characteristics of the information in the directory.
- The LDAP naming model defines how information is referenced and organised.
- The LDAP functional model defines how you access and update the information in your directory.
- The LDAP security model defines how the information in your directory is protected from unauthorised access.

2.2.1 LDAP information model

Concept

The LDAP information model defines the kinds of data and the basic information elements you can store in a directory. In other words, it describes how to build the blocks of data we can use to create the directory. The basic unit of information in a directory is called an entry. It is a collection of information about an object.

The LDAP information model

Figure 7. A directory tree whose entries are the basic elements

Figure 8. An entry with basic attributes

The information describing the data is stored according to the structure of an *.ldif file. The LDIF file structure was introduced above.


2.2.2 LDAP naming model

Concept

The LDAP naming model defines how we can organise and reference our data. In other words, it describes how entries are arranged into a logical structure, and it specifies how we can refer to any directory entry within that structure. The LDAP naming model lets us place data in the directory in whatever way is easiest for us to manage. For example, we can create a container holding all the entries describing the people in an organisation (o) and a container holding all your groups, or you can design the entries hierarchically, following the structure of your organisation. A good design requires adequate study.

How data is arranged

Figure 9. An LDAP directory tree

We can see that an entry in the directory can be both a file and a directory at the same time.

Figure 10. Part of an LDAP directory with entries containing information

Like a path in a file system, the name of an LDAP entry is formed by joining the names of each entry above it (its parents) up to the root.


In the figure above, the coloured node is named uid=bjensen, ou=people, dc=airius, dc=com; reading from left to right we walk back up to the top of the tree, and we see that the individual components are separated by commas (,). For any DN, the leftmost component is called the relative distinguished name (RDN). As noted, the DN is a unique name for every entry in the directory, so entries with the same parent must have distinct RDNs.

Figure 11. In the example above, although the two entries have the same RDN cn=John Smith, they sit in two different branches.

Alias entries in an LDAP directory let one entry point to another entry. With them we can build structures whose hierarchy no longer has to be exact; the idea of an alias entry is like a symbolic link in UNIX or a shortcut in Windows 9x/NT. To create an alias entry in the directory, you first create an entry with an attribute named aliasedObjectName whose value is the DN of the entry you want the alias to point to. The figure below shows an alias entry pointing to a real entry.

Aliases: a way of referencing data

Figure 12. LDAP with an alias entry

Not all LDAP directory servers support aliases. Because an alias entry can point to any entry at all, including entries on other LDAP servers, a search that runs into an alias may have to search a different directory tree located on other servers, which raises the cost of the search; that is the main reason some software does not support aliases.

2.2.3 LDAP functional model

Concept

This model describes the operations that let us work on the directory. The LDAP functional model contains a set of operations divided into 3 groups:
- Interrogation operations let you search the directory and retrieve data from it.
- Update operations: add, delete, rename and modify directory entries.
- Authentication and control operations let the client identify itself to the directory and control the activities of the session.

In version 3 of the LDAP protocol, besides the 3 groups above there are also LDAP extended operations, which allow the LDAP protocol to be extended later in an organised way without changing the protocol itself.

Description of the operations

1. Interrogation operations (LDAP Interrogation)

These let the client find and retrieve information from the directory. The search operation (LDAP search operation) takes 8 parameters (for example: search(o=people,dc=airius,dc=com, base, derefInSearching, 10, 60, Filter, ArrayAttribute)):
- The first parameter is the base object on which the search operates; it is the DN pointing to the top of the tree we want to search.
- The second parameter is the scope of the search; there are 3 scopes:
  Scope base means you want to search the base object itself only.
  Scope onelevel searches the level immediately below (the direct children of the base object).
  Scope subtree searches the whole tree whose top is the base object.

Figure 13. A search with scope base

Figure 14. A search with scope onelevel

Figure 15. A search with scope subtree

- The third parameter, derefAliases, tells the server whether aliases are to be dereferenced during the search; derefAliases can take 4 values:
  neverDerefAliases: search without dereferencing aliases, whether in the base object or below it.
  derefInSearching: dereference aliases in entries below the base object, but not the base object itself.
  derefFindingBaseObject: dereference an alias when locating the base object, but not in entries below it.
  derefAlways: dereference aliases both when locating the base object and in the entries below it.
- The fourth parameter tells the server the maximum number of result entries to return.
- The fifth parameter sets the maximum time allowed for the search.
- The sixth parameter, attrOnly, is a boolean; if set to true, the server sends only the attribute types of each entry to the client, not the attribute values, which is useful when the client is only interested in which attribute types an entry contains.
- The seventh parameter is the search filter, an expression describing which kinds of entries are to be returned.
- The eighth parameter is the list of attributes to be returned for each entry.
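Added example, not from the original document, covering the naming model above (splitting a DN into RDNs, computing the parent DN) together with the first, second, fourth and seventh search parameters (base DN, scope, size limit, a simple equality filter). The directory is a constructed copy of the faculty tree from section 3; which uid sits under which ou, and the escaped-comma entry, are assumptions made here.

```python
# Constructed directory in the shape of the faculty tree in section 3 of this document;
# which uid sits under which ou, and the escaped-comma entry, are assumptions.
DIRECTORY = {
    "dc=hcmuaf,dc=edu,dc=vn": {"objectClass": ["domain"]},
    "o=it,dc=hcmuaf,dc=edu,dc=vn": {"objectClass": ["organization"]},
    "ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn": {"objectClass": ["organizationalUnit"]},
    "ou=Student,o=it,dc=hcmuaf,dc=edu,dc=vn": {"objectClass": ["organizationalUnit"]},
    "ou=EduServices,o=it,dc=hcmuaf,dc=edu,dc=vn": {"objectClass": ["organizationalUnit"]},
    "uid=tuanh,ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn": {"uid": ["tuanh"], "cn": ["tuanh"]},
    "uid=thoangtt,ou=Student,o=it,dc=hcmuaf,dc=edu,dc=vn": {"uid": ["thoangtt"]},
    "uid=dung,ou=EduServices,o=it,dc=hcmuaf,dc=edu,dc=vn": {"uid": ["dung"]},
    "cn=Smith\\, John,ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn": {"cn": ["Smith, John"]},
}

def split_dn(dn):
    """Split a DN into RDN strings; a backslash escapes the next character (RFC 4514),
    so the comma inside 'cn=Smith\\, John' does not start a new component."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(current).strip())
    return rdns

def parent_dn(dn):
    """Drop the leftmost RDN; the result is empty for a top-level suffix."""
    return ",".join(split_dn(dn)[1:])

def normalize_dn(dn):
    """Case-fold types and values and strip spaces so 'OU = X' equals 'ou=x'.
    (A real server applies each attribute's matching rule; this is an approximation.)"""
    parts = []
    for comp in split_dn(dn):
        attr_type, _, value = comp.partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return parts

def in_scope(base, scope, candidate):
    """True when `candidate` lies inside the search defined by `base` and `scope`."""
    b, c = normalize_dn(base), normalize_dn(candidate)
    depth = len(c) - len(b)
    if depth < 0 or c[depth:] != b:
        return False                    # not under base at all
    if scope == "base":
        return depth == 0               # the base object only
    if scope == "onelevel":
        return depth == 1               # direct children, base itself excluded
    if scope == "subtree":
        return True                     # base plus every descendant
    raise ValueError(f"unknown scope {scope!r}")

def search(directory, base, scope, filter_attr=None, filter_value=None, size_limit=0):
    """Return DNs matching base/scope, an optional (attr=value) equality filter and a
    size limit (0 = unlimited): the 1st, 2nd, 4th and 7th parameters from the text."""
    results = []
    for dn, attrs in directory.items():
        if not in_scope(base, scope, dn):
            continue
        if filter_attr is not None:
            values = [v.lower() for v in attrs.get(filter_attr, [])]
            if filter_value.lower() not in values:
                continue
        results.append(dn)
        if size_limit and len(results) >= size_limit:
            break                       # a server would report sizeLimitExceeded here
    return results
```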


2. Update operations (update)

There are 4 update operations: add, delete, rename (modify DN) and modify.

3. Authentication and control operations (authentication and control)

The authentication operations are bind and unbind:
- Bind: lets the client identify itself to the directory; this operation provides identification and authentication.
- Unbind: lets the client end the current session.

The only control operation is abandon:
- Abandon: lets the client indicate operations whose results it no longer cares about.

4. Extended operations

Beyond the 9 basic operations, LDAP version 3 is designed to be extended through 3 mechanisms:

LDAP extended operations
- This is a new kind of protocol operation. In the future, if a new operation is needed, it can be defined and become standard without requiring the core components of LDAP to be rebuilt.

An example of an extended operation is StartTLS, which tells the server that the client wants to use Transport Layer Security (TLS) to encrypt, and optionally to authenticate, the connection.

LDAP controls
- These are pieces of information attached to LDAP operations that change the behaviour of the operation on the same object.

Simple Authentication and Security Layer (SASL)
- A framework that supports many authentication methods.
- By using the SASL framework for authentication, LDAP can easily adopt new authentication methods.
- SASL also provides a framework in which client and server can negotiate a security layer operating at the lower levels (leading to higher security).

2.2.4 LDAP security model

The last of the LDAP models concerns protecting the information in the directory from unauthorised access. When a bind is performed under a DN or anonymously, each user has certain rights to operate on directory entries; which rights an entry grants is, taken together, called access control. At present LDAP does not define an access control model; these access conditions are set up by system administrators using the server software.

2.3 Authentication in LDAP

Authentication in an LDAP directory is necessary and indispensable. Authentication processes are used to establish the client's rights for each use. All operations such as searching, querying, etc. are controlled by the privilege level of the authenticated user. To authenticate an LDAP user, a user name defined as a DN (for example cn=tuanh,o=it,dc=nlu,dc=info) and the password corresponding to that DN are needed.

Some user authentication methods

Anonymous authentication
- Anonymous authentication is a bind to the directory with an empty login name and an empty password. This kind of login is very common and is frequently used by client applications.

Simple authentication
- With simple authentication, the login name in the form of a DN is sent together with a password in clear text to the LDAP server.


The server compares the password with the value of the userPassword attribute, or with other predefined attribute values in the entry for that DN. If the password is stored hashed (encrypted), the server applies the corresponding hash function to the supplied password and compares the result with the stored hashed password. If the two match, client authentication succeeds.
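Added example, not from the original document: the server-side simple-bind check described in this section, run against a constructed in-memory directory. The names make_ssha, password_matches and simple_bind are chosen here; {SSHA} is SHA-1 over the password followed by a salt, with the salt appended to the digest, which is the scheme behind the userPassword values in the LDIF examples above. The block also models the anonymous bind described earlier and, as a caveat, the "unauthenticated" bind (a DN with an empty password), which RFC 4513 says a server should reject rather than treat as anonymous.

```python
import base64
import hashlib
import hmac
import os

# LDAP resultCode values a bind can return.
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53

def make_ssha(password, salt=None):
    """Build a {SSHA} userPassword value: Base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)            # 8-byte salt, the size the 28-byte values above imply
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse_ssha(stored):
    """Split a {SSHA} value into (digest, salt); the SHA-1 digest is always 20 bytes."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]

def password_matches(password, stored):
    """The server-side comparison the text describes: re-hash the supplied password with
    the stored salt (or compare directly if userPassword is clear text), in constant time."""
    supplied = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        digest, salt = parse_ssha(stored)
        return hmac.compare_digest(hashlib.sha1(supplied + salt).digest(), digest)
    if stored.startswith("{"):
        raise ValueError("unsupported password scheme")
    return hmac.compare_digest(supplied, stored.encode("utf-8"))

def simple_bind(directory, dn, password):
    """Simple bind against an in-memory directory (dict dn -> attributes); returns
    (resultCode, bound identity). An empty DN with an empty password is the anonymous
    bind from the text. A DN with an empty password is an 'unauthenticated' bind, which
    RFC 4513 says servers should reject (unwillingToPerform) rather than treat as anonymous."""
    if dn == "" and password == "":
        return SUCCESS, "anonymous"
    if password == "":
        return UNWILLING_TO_PERFORM, None
    entry = directory.get(dn)
    stored = entry.get("userPassword", [None])[0] if entry else None
    # An unknown DN and a wrong password get the same answer, so DN existence is not leaked.
    if stored is None or not password_matches(password, stored):
        return INVALID_CREDENTIALS, None
    return SUCCESS, dn

# Constructed directory: the secret and its hash are generated here, not taken from the text.
MAI_DN = "uid=mai,o=it,dc=hcmuaf,dc=edu,dc=vn"
TUANH_DN = "uid=tuanh,ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn"
DIRECTORY = {
    MAI_DN: {"uid": ["mai"], "userPassword": [make_ssha("constructed-secret")]},
    TUANH_DN: {"uid": ["tuanh"], "userPassword": ["clear-text-example"]},
}
```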

Simple authentication over SSL/TLS
- If sending your username and password over the network makes you uneasy about security, it is safer to transmit the information inside an encrypted transport layer. LDAP passes through this encrypted transport layer before performing any connection activity. Thus all user information is kept safe (at least for the duration of that session). There are two ways to use SSL/TLS with LDAPv3:

1. LDAP over SSL

LDAP over SSL (LDAPS, tcp/636) is supported by many LDAP servers (both commercial and open source). Although it is widely used, it was never adopted as the standard LDAP extension in the way StartTLS was. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. In layman's terms, the data is encrypted in the user's web browser, using a cryptographic key that belongs to the website. The data is transferred from the web browser to the website in encrypted form. This ensures that the user's personal information is not transmitted in a form readable by anyone who captures it as it travels across the Internet.

2. LDAP with TLS

RFC 2830 provides an extension to LDAPv3 for handling TLS over the standard port tcp/389. This method, known as StartTLS, lets the server support both encrypted and unencrypted sessions on the same port. When server and client communicate, TLS ensures that no third party can eavesdrop on or tamper with any message. TLS lets servers and clients authenticate each other and negotiate an encryption algorithm and cryptographic keys before data is exchanged. TLS is the successor of Secure Sockets Layer (SSL) and is based on the same technology. In this sense, one can say that SSL evolved into the TLS protocol.


2.4 Some services that use the LDAP protocol

By combining these simple LDAP operations, a directory client can carry out complex operations, as in the following examples.

1. Data storage model

A mail program can sign using a digital certificate held in the directory on the LDAP server, by sending a search request to the LDAP server. The LDAP server returns the client's digital certificate. The mail program then uses the certificate to sign and sends the message to the message server. From the user's point of view the whole process runs automatically and the user need not be concerned with it.

Figure 16. A simple storage model

2. Mail management

A Netscape message server can use an LDAP directory to check incoming mail. When a mail arrives from an address, the message server looks up the email address in the directory on the LDAP server; this is how the message server learns whether the user's mailbox exists.


Figure 17. Using LDAP to manage mail


3. Authentication with LDAP

Using LDAP to authenticate a user logging into a system through a verification program, the program proceeds as follows:
- First the verification program creates an authentication agent with LDAP via step (1).
- Then it compares user A's password with the information held in the directory. If the comparison succeeds, user A is authenticated.

Figure 18. Authentication with LDAP


3 Application to the Faculty of IT

3.1 Building the initial database

LDAP organises data as a tree. Therefore the database must have a base, branches, sub-branches and leaf nodes (the entries in the database). For the application to the Faculty of IT of Nong Lam University, we build a database with the following structure:
- Base: dc=hcmuaf,dc=edu,dc=vn
- Branch for the Faculty of IT: o=it (Faculty of Information Technology)
  ou=Teacher: stores information about lecturers
  ou=Student: stores information about students
  ou=EduServices: stores information about the faculty's academic affairs office

3.2 Diagram

With the database structured as above, it can be represented by the following diagram:

dc=hcmuaf,dc=edu,dc=vn
  o=it
    ou=Teacher
    ou=Student
    ou=EduServices
      leaf entries: uid=thoangtt, uid=tuanh, uid=dung

The base and each branch will have one person with full management rights. Because LDAP organises data as a tree, a person at a higher level has higher rights.


3.3 Contents of the LDIF file

With the model and database structure above, the corresponding contents of the LDIF file are:

dn: dc=hcmuaf,dc=edu,dc=vn
objectClass: domain
objectClass: top
dc: hcmuaf
entryUUID: a1255ce5-2710-388c-95a6-3c030a59a8d3

dn: o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: top
objectClass: organization
description: information technology
o: it
entryUUID: fbcb85d5-e17c-494e-a36d-5932fb503125
createTimestamp: 20100326000527Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

dn: ou=student,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: organizationalUnit
objectClass: top
ou: student
entryUUID: a05481a4-f448-44a0-902f-a1f0cc6ee63f
createTimestamp: 20100326000608Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

dn: ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: organizationalUnit
objectClass: top
ou: Teacher
entryUUID: 675d5e04-fa4f-40fe-98fb-79fba17e2ba8
createTimestamp: 20100326000638Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

dn: ou=EduServices,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: organizationalUnit
objectClass: top
ou: EduServices
entryUUID: 8150807d-d796-475d-968b-3fc1fcf231ff
createTimestamp: 20100326000705Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

In the data above, the Directory Manager account is created to manage the whole database, and a user is created to allow client machines to connect to the server and read information from the LDAP database for login purposes. Later, the Directory Manager account is used to change or add user information or accounts as required.

