LDAP Directory

AAA Server and LDAP Directories

How LDAP Works

An LDAP client transmits requests to a server, which is then responsible for performing the necessary operations on the Directory. Upon completion of these operations, the server returns a response containing any results or errors to the requesting client. However, there is no requirement for synchronous behavior on the part of either client or server implementations: requests and responses for multiple operations can be exchanged by clients and servers in any order, as long as clients eventually receive a response for every request that requires one.

A directory can be seen as a kind of database that tends to contain more descriptive, attribute-based information, and the information in a directory is generally read far more often than it is written. It usually integrates with existing systems and acts as a central repository for the consolidation of employee, customer, supplier and partner information. The main advantage is a single repository that any application can access and that stores all the information those applications need.

Attributes and Values

An LDAP directory service model is based on entries. An entry holds information about an object, which might typically be a person. Each object entry known to the Directory is distinguished from all other objects by its name; each entry is therefore said to have a distinguished name (DN). Each piece of information that describes some aspect of an entry is called an attribute. An attribute comprises an attribute type and one or more attribute values. The following table lists some sample attributes of one entry:

Attribute Name      | Attribute Type (Syntax) | Attribute Value
--------------------|-------------------------|----------------------------------------------------
Common Name         | String                  | Paul Smith
Distinguished Name  | DN                      | uid=PSmith,ou=France,ou=People,dc=ActivCard,dc=com
Country             | Country String          | fr
Phone Number        | TelephoneNumber         | 00331234567890
Fax Number          | TelephoneNumber         | 00331987654321

An entry is a collection of attributes, but users are not allowed to store whatever they want in the system. Otherwise, the system would fill up with user-specific information (usable by only one application) or duplicate information (perhaps held in different formats). The directory maintains the integrity of stored data by imposing constraints on the size, range, and format of attribute values. The set of rules that controls all aspects of what can be put into the directory is called a schema.
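An added illustration (not code from the product or from this page) of the size and format constraints a schema imposes on attribute values, using the attribute types from the table above; the attribute names, length limits and format patterns are assumptions for the example, not the real directory schema.

```python
import re

# Added example, not ActivID code: a small schema check in the spirit of the
# table above. The attribute names, size limits and format rules are
# constructed assumptions, not the directory's real schema definitions.
SCHEMA = {
    "cn":                       {"syntax": "String",          "max_len": 64},
    "dn":                       {"syntax": "DN",              "max_len": 256},
    "c":                        {"syntax": "CountryString",   "max_len": 2},
    "telephoneNumber":          {"syntax": "TelephoneNumber", "max_len": 32},
    "facsimileTelephoneNumber": {"syntax": "TelephoneNumber", "max_len": 32},
}

# One format rule per syntax; values must also respect the attribute's max_len.
SYNTAX_RULES = {
    "String":          re.compile(r"^\S.*$"),
    "DN":              re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$"),
    "CountryString":   re.compile(r"^[a-z]{2}$"),
    "TelephoneNumber": re.compile(r"^\+?[0-9 ()-]+$"),
}

def validate_entry(entry: dict) -> list:
    """Return the list of schema violations; an empty list means the entry
    may be stored. Values may be a single string or a list of strings."""
    problems = []
    for attr, values in entry.items():
        rule = SCHEMA.get(attr)
        if rule is None:                      # unknown attribute type
            problems.append(f"{attr}: not defined in schema")
            continue
        pattern = SYNTAX_RULES[rule["syntax"]]
        for value in (values if isinstance(values, list) else [values]):
            if len(value) > rule["max_len"]:  # size constraint
                problems.append(f"{attr}: value exceeds {rule['max_len']} chars")
            elif not pattern.match(value):    # format constraint
                problems.append(f"{attr}: {value!r} is not a valid {rule['syntax']}")
    return problems

# Constructed entries: the first mirrors the table, the second breaks three rules.
GOOD_ENTRY = {
    "cn": "Paul Smith",
    "dn": "uid=PSmith,ou=France,ou=People,dc=ActivCard,dc=com",
    "c": "fr",
    "telephoneNumber": "00331234567890",
    "facsimileTelephoneNumber": "00331987654321",
}
BAD_ENTRY = {"cn": "Paul Smith", "c": "France",
             "telephoneNumber": "call me", "favouriteColour": "blue"}
```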

LDAP Integration with the AAA Server

An LDAP directory is a hierarchical information repository that contains very descriptive, attribute-based information. Within an LDAP corporate directory, entries are arranged in a hierarchical structure that corresponds to geographic or organizational boundaries, according to each client's requirements.

You have probably mapped your LDAP corporate directory to your actual business processes, rather than arbitrary codes. The information in an LDAP directory usually integrates with existing systems and acts as a central repository for consolidation of employee, customer, supplier, and partner information. Your LDAP directory is one single repository that applications (including the AAA Server) can access and that stores all shared corporate information.

By configuring the AAA Server to communicate with your LDAP directory server, you enable the AAA Server to access user data for authentication purposes.

You can configure the AAA Server to use up to two backup LDAP directories by listing the IP addresses or hostnames of the directory servers.

User Group Configuration Using LDAP Queries

A user group is a logical grouping within the AAA Server that enables the AAA Server to efficiently manage user authentication. A group specifies how a set of users may authenticate to one or more resources protected by the AAA Server, including which gates they may use to access a resource.

The AAA Server uses the LDAP query you've assigned to the group, as well as any additional filter you've defined for the group, to search your LDAP directory for the users that belong in the group. User groups in the AAA Server can mirror the user groups you have already created in your LDAP directory or not, as needed for authentication purposes. (Remember that a user group is merely a logical grouping within the AAA Server. You continue to manage your users in your LDAP directory.)

Some points to keep in mind as you create groups:

  • Users within a group can have different types of authentication devices. Some can have smart cards, others tokens, while others can log on with static passwords.
  • One purpose of creating groups is to be able to provide access for large groups of people through specific gates and/or servers.
  • You can define specific authentication parameters for groups (for example, the maximum number of times users can attempt to access a resource unsuccessfully before they are shut out).

The AAA Server Administration database communicates with your LDAP server via LDAP queries for groups of users. Therefore, you must create groups in the AAA Server Console based on the defined queries.

User groups identify the authorization and accounting policies to apply to the user's session. Therefore, LDAP queries must efficiently retrieve this information for each user authentication and accounting attempt.

AAA Server groups might mirror the groups in the LDAP directory, or they might be a combination of what you already have plus new attributes. (When you use the AAA Server, you continue to manage your users in your LDAP directory.)

LDAP Referrals

The AAA Server can be configured to 'refer' to several LDAP servers as part of the user search process. The user search starts at one of the LDAP servers in the hierarchy and continues recursively down the hierarchy/tree. These additional directories can be in different domains and forests from that of the AAA Server deployment.

The AAA Server also supports the use of different credentials (Login DN/password) for each LDAP referral. For further information concerning LDAP referral configuration, see Managing the ActivID AAA Server.

Note: The maximum password length is 24 characters.

LDAP Query Setup for Multiple LDAP Servers in a Single Domain/Forest

This configuration requires:

  • One LDAP query with a single LDAP branch (usually the root branch).
  • Subtree selected as the LDAP scope mode.
  • A referral configured for each LDAP server.

The whole LDAP hierarchy is searched for entries matching the search criteria.

LDAP Query Setup for LDAP Servers in Multiple Trusted Domains/Forests

For deployments with individual LDAP servers in trusted domains/forests, the AAA Server configuration requires:

  • One LDAP query with multiple LDAP branches, each pointing to a different LDAP server in each trusted domain/forest. These branches must be entered manually using the LDAP query setup dialog.
  • A referral configured for each LDAP server.
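The two setups above come down to which configured branch, under the selected scope, covers a given user entry. The following is an added example, not ActivID product code, that models that decision for the single-branch/subtree case and the one-branch-per-domain case; the sample DNs and the partner domain name are constructed placeholders, and DN handling is simplified (case folding and escaped commas only, not full RFC 4514 normalization).

```python
# Added example (not ActivID code): models how an LDAP query's branches and
# scope decide which directory entries a group search covers. The sample DNs
# and the partner domain name are constructed placeholders.
def parse_dn(dn: str) -> list:
    """Split a DN into normalised (type, value) RDNs, leftmost first,
    keeping escaped commas ('\\,') inside a value intact."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # copy escaped char verbatim
            current += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(current)
            current = ""
        else:
            current += dn[i]
        i += 1
    rdns.append(current)
    pairs = [rdn.partition("=") for rdn in rdns]
    return [(a.strip().lower(), v.strip().lower()) for a, _, v in pairs]

def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """scope is 'base' (entry is the base itself), 'onelevel' (direct
    child of the base) or 'subtree' (base and everything beneath it)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:      # not under this base at all
        return False
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def select_branch(entry_dn: str, branches: list, scope: str):
    """First configured branch that covers entry_dn (hence which referral
    and credentials the search would use), or None if no branch matches."""
    return next((b for b in branches if in_scope(entry_dn, b, scope)), None)

# Single domain/forest: one root branch with subtree scope covers the whole tree.
SINGLE_DOMAIN = ["dc=ActivCard,dc=com"]
# Multiple trusted domains/forests: one branch per domain, entered manually.
MULTI_DOMAIN = ["dc=ActivCard,dc=com", "dc=partner,dc=example"]
USERS = [  # constructed sample entries
    "uid=PSmith,ou=France,ou=People,dc=ActivCard,dc=com",
    "uid=JDoe,ou=People,dc=partner,dc=example",
    "uid=Guest,dc=other,dc=example",               # outside every branch
]

if __name__ == "__main__":
    for dn in USERS:
        print(dn, "->", select_branch(dn, MULTI_DOMAIN, "subtree"))
```

An entry outside every configured branch is never returned, regardless of scope, which is why a second domain needs its own branch rather than a wider scope on the first.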

LDAP Swapping

This functionality enables the interaction between LDAP referrals and trusted domains/forests for 'branch swapping'. In trusted domain/forest deployments, the AAA Server starts the LDAP search at the 'LDAP User Root' specified in the LDAP connection settings.

When the search needs to 'swap' to an LDAP branch located on another LDAP server in another (trusted) domain/forest, the LDAP search engine (OpenLDAP API) uses the same functionality that is used when moving from an LDAP server to an LDAP referral (rebind). It uses the logon credentials that are defined in the LDAP Referral settings. For further information concerning multiple domain/forest deployments, see Multi-Domain Deployment Scenarios.