cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

A very high level overview in theory of the concepts required to understand LDAP

1397
Views
0
Helpful
0
Comments

 

Introduction

Rajan Parmar is a wireless expert and working for the Cisco's Technical Assistance Center (TAC) team providing reactive technical support to majority of Cisco’s premium customers and partners. In this document Rajan has explained:

  1. What is LDAP?
  2. How is it related to objects?
  3. What are in fact Objects? 
  4. How are they related to a database?

What is LDAP

LDAP is used to access Directory Servers. Directory servers are compiled communication networking programs which can accept and return pointers to objects.
Anything that can be described in terms of its characteristics/attributes is an object.
One can describe a hand, so hand is an object. Hand can have fingers and fingers can be described, so finger is an object. Finger can have nails and nails can be described, so nail is an object.

So, the object hand has another object called finger which has another object called nail. So an object can have another object. (enough said about objects). An object(class) can be defined in terms of its attributes(variables). Variables has values. Each variable can have values. Mapping between a variable (attribute) and its value can be said to be a key-value pair.

This when we need to store information about about anything in a database, we can store that information in an object oriented database.

Information in an OODBMS can be represented in a tree format. Information about many objects can be stored in a tree, in a hierarchical format.

How are objects/users, named in LDAP?

To refer to any object, we refer to it w.r.t its location in the tree.

For example, if someone talks of me , he will say, I am referring to the Rajan Parmar, who is in the wireless team (out of the many teams) in the Cisco department (out of the many departments) within company.

DN (distinguished name) is unique to each object, as every object has its unique DN and no two objects can have the same DN.
The path of an object, from the root of the tree, is the DN of that object.

Base DN is the base of the tree (database) (Actual significance of BaseDN will become clearer, later). So, there can be many people under the root of the Cisco tree ie, cisco.com or microsoft.com. But the Base of tree/database will be cisco.com or microsoft.com . So cisco.com; microsoft.com; abc.com will be examples of Base DN .

Therefore, the DN of an object will be based on the BaseDN.

Name of the object whose information we are going to either store or retrieve from the database, is termed as CN.
Example: Rajan Parmar is the name of person.

But there can be information of many Rajan Parmars in Cisco's OODBMS.

So, within [company (dc=company , dc = com)],
           [company (dc=company , dc = com , dc= in)],

there can be many departments:
           airtel  (ou= airtel, dc=company , dc = com)  
           wipro   (ou= wipro , dc=company , dc = com)  
           cisco   (ou= cisco , dc=company , dc = com)  

Within the Cisco department, there can be many teams :
           SV (ou=SV , ou= cisco , dc=company , dc = com)  
           content (ou=cnt, ou= cisco , dc=company , dc = com)  
           wireless(ou=wrl, ou= cisco , dc=company , dc = com)  

(its clear from the above example that users are always placed within the container: CN)

Within the Wireless team, my information can be found:
cn=Rajan Parmar, ou=wrl, ou= cisco , dc=company , dc = com   <- Rajan Parmar's distinguished name which informs about the location of Rajan's information within the database of the object (identified by its Base DN)

So, we distinguish a person from a different person is via its distinguished name, which has three components in an order , written as :

COMPONENTS OF A DN : Canonical/Common Name , Organizational Unit and Domain Component ;
FORMAT OF A DN : Canonical/Common Name , Organizational Unit ,   Domain Component ;

So that we can tell to our controller to search for a specific object, we need to know that within which object, will we be able to always search for a given object. That object's name will be called the Base DN.    

How is LDAP related to LDP, Bind and administrators?

The way  web-browsers can be used to browse objects called web pages on the Internet, the same way ldap-browsers can be used to browse objects calls containers in the LDAP database. (we just discussed that which container is called a CN | OU | DC and in which order they are used to name an object via its DN)

This way if I have a magazine which has many container objects called pages (because a magazine contains pages) and have to search for a specific page (object), I will have to browse through the pages to search for that page,

Similarly to browse through the objects of an OODBMS. Either we can let ourselves manually do that (via LDP server) Or we can let the WLC automatically do that (via the BIND feature).

To browse through the objects of an LDAP, Authenticated Bind feature gives the ability to the WLC to authenticate itself (to the LDAP database via LDP) as someone with administrative privileges, so that, once authenticated, the WLC can browse through the objects of the LDAP database with security    

Anonymous Bind feature gives the ability to the WLC to log-in to the LDAP database via LDP) without security, so that, the WLC can browse through the objects of the LDAP database without any security So, if by using the given information of a DN, we can browse through the objects of an LDAP server, via ldp, then by using the same given information of a DN, we should browse through the objects of an LDAP server, via WLC. (this can help in troubleshooting if WLC can't bind to the LDAP server).

Bind feature related to the BaseDN

If we have to search for something in a tree, then it shouldn't be a necessity to start the search , always, from the top to the tree towards the bottom of the tree. What if we know that a user will be available only within a specific scope/portion/zone of that tree ? We refer to the base/root of that scope/portion/zone of the tree, as the Base DN. In fact, while using the Bind Feature, either manually via LDP or automatically via the WLC, when we give the Bind information, we also tell (in both cases), about the Base DN to start browsing from a specific scope/portion/zone/subtree of the LDAP database(and skip all that part of the tree, which is above that specific scope/portion/zone/subtree of the same LDAP database). This can help make the query , return the results, faster.

CN=jtadmin,OU=JR Admins,DC=airport,DC=lan

  • show ldap statistics
  • debug client
  • debug aaa ldap enable

ldap is database of username and passwords

  • AD/ACS talks to LDAP
  • AD/ACS can be bypassed also, so that client talks directly to LDAP.

http://www.zytrax.com/books/ldap/ch2/

To verify if the ldap credentials that the user has supplied to us, to be configured in the WLC, are correct or not we:

WLC 4404 LDAP Bind Fails

EAP-FAST, PEAP-GTC and EAP-TLS doesn't use a password.

if (we use password in clear text) {These authentication flavours can be used with MS AD LDAP}

WLC can be used to query the LDAP server:

  • AD Explorer can browse the ldap database
  • Firefox can browse websites    

Reference

CreatePlease to create content