
Sicurezza II, A.A. 2011/2012

LDAP

Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
[email protected]

LDAP

o LDAP stands for Lightweight Directory Access Protocol
o It is a client-server protocol for reading and editing directories over an IP network
  • A directory in this sense is a hierarchical set of records: a telephone directory, for example
o Part of the X.500 standards, a series of computer networking standards covering electronic directory services (X.509 is part of the X.500 series, and it is an ITU-T standard for a public key infrastructure)

OpenID and OAuth are protocols available to Web users and applications on the Internet; LDAP and SAML are protocols used inside intranets and enterprises.

LDAP: how does it work?

o A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389

o The client then sends an operation request to the server, and the server sends responses in return

o Some of the available operations:
  • Search: search for and/or retrieve directory entries
  • Add a new entry
  • Delete an entry
  • Modify an entry
  • …

LDIF

o LDIF stands for LDAP Data Interchange Format
o It is a standard plain-text data interchange format for representing LDAP directory content
  • Example:

dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
objectclass: inetOrgPerson
cn: Andre Panisson
cn: Panisson Andre
sn: Andre
uid: panisson
userpassword: prova
carlicense: HISCAR 124
homephone: 555-111-2223
mail: [email protected]
# the e-mail values were redacted by the hosting site; the attribute names of the next two lines are inferred
mail: [email protected]
ou: Docenti

X.509 certificates

o It is also possible to load certificates in X.509 format into the directory, in order to authenticate users with their user certificate

LDIF Fields

Main fields:
o dn: distinguished name
o dc: domain component
o ou: organizational unit
o cn: common name

dn: cn=The Postmaster,dc=example,dc=com

objectClass: organizationalRole

cn: The Postmaster

Lab Goals

o Deploy a basic LDAP server
  • Load user info
  • Browse/search for user info

o Configure Apache to authenticate users using LDAP

Lab Preparation

• Apache server 2.2.13 installed at $HOME/apache

OpenLDAP

• www.openldap.org
• An open source implementation of the Lightweight Directory Access Protocol

OpenLDAP

• Download OpenLDAP version 2.4.25
• Extract it:

tar -xvzf openldap-2.4.25.tgz

• Check the files README, INSTALL
• Create the target directory and build it:

mkdir $HOME/openldap/
cd openldap-2.4.25
./configure --prefix=$HOME/openldap/
make depend
make
make install

OpenLDAP

• Edit the file $HOME/openldap/etc/openldap/slapd.conf

• Include the following schemas:

include /usr/home/ . . . /openldap/etc/openldap/schema/core.schema
include /usr/home/ . . . /openldap/etc/openldap/schema/cosine.schema
include /usr/home/ . . . /openldap/etc/openldap/schema/inetorgperson.schema

• Configure the database:

database bdb
suffix "dc=di,dc=unito,dc=it"
rootdn "cn=Manager,dc=di,dc=unito,dc=it"

OpenLDAP

• Start LDAP on port 8389:

$HOME/openldap/libexec/slapd -h "ldap://0.0.0.0:8389"

• Connect to the server using ldapsearch:

$HOME/openldap/bin/ldapsearch -h localhost -p 8389 -x -b '' -s base '(objectclass=*)' namingContexts

OpenLDAP

• Create a file user.ldif:

dn: dc=di,dc=unito,dc=it
dc: di
objectClass: top
objectClass: domain

dn: ou=people,dc=di,dc=unito,dc=it
ou: people
objectClass: top
objectClass: organizationalUnit

dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
objectclass: inetOrgPerson
cn: Andre Panisson
cn: Panisson Andre
sn: Andre
uid: panisson
userpassword: prova
carlicense: HISCAR 124
homephone: 555-111-2223
mail: [email protected]
# the e-mail values were redacted by the hosting site; the attribute names of the next two lines are inferred
mail: [email protected]
ou: Docenti

OpenLDAP

• Load to LDAP server using ldapadd:

$HOME/openldap/bin/ldapadd -h localhost -p 8389 \
    -D "cn=Manager,dc=di,dc=unito,dc=it" -W -f user.ldif

OpenLDAP Clients

• Connect to LDAP using a client:
  • http://jxplorer.org/
  • http://phpldapadmin.sourceforge.net/

Lab Goals

1. Create a Login form that gets the user credentials from LDAP

2. Create a Web app that gets the user credentials from a client certificate

LDAP and Certificates

• Create a new key and X.509 certificate:
  • Create the user key and a certificate request:

openssl genrsa -out userkey.pem 2048
openssl req -key userkey.pem -new -out userreq.pem

  • Create the certificate and sign it with the CA:

openssl x509 -days 365 -CA ca-bundle.crt -CAkey CA.key \
    -CAcreateserial -CAserial ca.srl -req -in userreq.pem -out usercert.pem

  • Convert it to PKCS#12 format, to use it in your browser:

openssl pkcs12 -in usercert.pem -inkey userkey.pem -export -out usercert.p12

  • Convert the certificate to DER format:

openssl x509 -outform DER -in usercert.pem -out usercert.der

  • Encode it in base64:

openssl base64 -A < usercert.der > usercert.der.b64

LDAP and Certificates

• Create an LDIF file (cert.ldif) with the certificate contents:

dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
changetype: modify
replace: userCertificate;binary
userCertificate;binary:: < contents of usercert.der.b64 >

• Import it into LDAP:

$HOME/openldap/bin/ldapadd -h localhost -p 8389 -D \
    "cn=Manager,dc=di,dc=unito,dc=it" -W -f cert.ldif

Apache and LDAP (with PHP)

• Compile PHP with required libraries:

cd $HOME/php-5.3.6
./configure --prefix=$HOME/php \
    --with-apxs2=$HOME/apache/bin/apxs \
    --with-libxml-dir=$HOME/libxml2-2.7.8 \
    --with-curl \
    --with-zlib \
    --with-openssl \
    --with-ldap \
    --with-libdir=lib64
make

• OR get the PHP libraries with LDAP support (only for Postel lab):

cp /usr/home/docenti/panisson/libphp5.so.ldap_support $HOME/apache/modules/libphp5.so

Apache and LDAP (with PHP)

• Edit form.html:

<html>
<head></head>
<body>
<form action="resource.php" method="get">
Name: <input type="text" name="name" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Apache and LDAP (with PHP)

• Edit resource.php:

<?php
$name = $_GET['name'];
$password = $_GET['password'];
// specify the LDAP server to connect to (slapd was started on port 8389)
$conn = ldap_connect("localhost", 8389) or die("Could not connect to server");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// bind to the LDAP server specified above as the rootdn from slapd.conf
$r = ldap_bind($conn, "cn=Manager,dc=di,dc=unito,dc=it", "secret") or die("Could not bind to server");
// search for credentials: the entry must have both the given uid and the given userpassword
// NB: $name and $password are inserted into the filter unescaped, so any
// '(', ')', '*' or '\' they contain becomes filter syntax rather than data
$result = ldap_search($conn, "dc=di,dc=unito,dc=it",
    "(&(uid=".$name.")(userpassword=".$password."))");
// get entry data as array
$info = ldap_get_entries($conn, $result);
if ($info["count"] == 0) {
    die("Invalid credentials");
}
$entry = $info[0];
ldap_close($conn);
?>

Apache and LDAP (with PHP)

• Edit resource.php (continuation):

<html>
<head></head>
<body>
<?php
echo "dn is: ". $entry["dn"] ."<br>";
echo "first cn is: ". $entry["cn"][0] ."<br>";
echo "first email address is: ". $entry["mail"][0] ."<br>";
echo "password is: ". $entry["userpassword"][0] ."<br>";
// DER-encoded certificate read from the userCertificate;binary attribute
$certificate = $entry["usercertificate;binary"][0];
?>
</body>
</html>
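resource.php builds its search filter by concatenating the form values, so a '(', ')', '*' or '\' typed into the name or password field becomes filter syntax instead of part of the value. As an added example (not part of the lab's PHP), here is the RFC 4515 escaping that keeps such characters literal, written in Python because the rules are language-independent (PHP 5.6 and later ship ldap_escape() for the same purpose), together with a structural check on the page's own two-assertion filter.

```python
import re

# RFC 4515, section 3: characters that must be escaped inside the assertion
# value of an LDAP search filter, as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so that it can only match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def credential_filter(uid: str, password: str) -> str:
    """The lab's login filter, with both user-supplied values escaped
    instead of concatenated as resource.php does."""
    return "(&(uid=%s)(userpassword=%s))" % (
        escape_filter_value(uid),
        escape_filter_value(password),
    )


# One equality assertion '(attr=value)' whose value holds only ordinary
# characters or '\xx' escapes: no bare '(', ')', '*', '\' or NUL.
_ASSERTION = r"\(([A-Za-z][\w;.-]*)=((?:\\[0-9A-Fa-f]{2}|[^()*\\\x00])*)\)"
_LOGIN_FILTER_RE = re.compile(r"\(&" + _ASSERTION + _ASSERTION + r"\)")


def parse_login_filter(filter_str: str):
    """Return the two (attribute, value) pairs if filter_str is exactly an
    AND of two literal equality assertions, as the login filter must be;
    return None if the input has changed the filter's structure."""
    m = _LOGIN_FILTER_RE.fullmatch(filter_str)
    if m is None:
        return None
    return [(m.group(1), m.group(2)), (m.group(3), m.group(4))]


if __name__ == "__main__":
    # A name with parentheses, such as 'Panisson (Andre)', stays one literal value.
    print(credential_filter("Panisson (Andre)", "pro*va"))
    print(parse_login_filter(credential_filter("Panisson (Andre)", "pro*va")))
```

Matching userpassword inside a filter only works because the lab stores the password in clear; searching by uid alone and then binding as the entry's DN with the supplied password lets slapd perform the comparison, whether the stored value is hashed or not.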

Apache and LDAP

• Connect to localhost using a browser, open the form and log in using uid + password

Apache and LDAP

2. Create a Web app that gets the user credentials from a client certificate

Modify the script to recognize the user credentials by using the client certificate

Apache and LDAP

• Configure Apache SSL to require a user certificate. Change the file httpd-ssl.conf in the Apache configuration:

<Directory …./apache/htdocs/ssl>
    SSLRequireSSL
    SSLVerifyClient require
</Directory>

• Configure your browser to use the client certificate. In Firefox: Edit > Preferences > Advanced > Encryption > View Certificates > Import > (select your usercert.p12)

Apache and LDAP

• Add to resource.php a section to verify the user certificate:

<?php
// Wrap the DER bytes read from LDAP as a PEM certificate: base64,
// 64 characters per line, between the BEGIN/END markers.
function der2pem($certificate) {
    $beginpem = "-----BEGIN CERTIFICATE-----\n";
    $endpem = "\n-----END CERTIFICATE-----";
    $result = "";
    $certificate = base64_encode($certificate);
    for ($i = 0; $i < strlen($certificate); $i++) {
        $result .= $certificate[$i];
        if ($i % 64 == 63) $result .= "\n";
    }
    return $beginpem.$result.$endpem;
}
// Build the PEM string ($certificate holds the userCertificate;binary value).
$pemdata = der2pem($certificate);
// Get a certificate resource from the PEM string.
$cert = openssl_x509_read($pemdata);
// Parse the resource and print out the contents.
$cert_data = openssl_x509_parse($cert);
echo '<p>LDAP Certificate Credentials: '.$cert_data['name'];
// Subject DN of the certificate the client presented in the TLS handshake.
echo '<p>Client Certificate Credentials: '.$_SERVER["SSL_CLIENT_S_DN"];
// all done? clean up
openssl_x509_free($cert);
?>
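The section above only prints the subject of the directory certificate next to the subject of the client certificate. As an added example (not the lab's code), the following Python builds the cert.ldif line from the earlier slide and compares the certificate Apache received with the one stored for the user; it assumes mod_ssl has SSLOptions +ExportCertData set so that the PEM client certificate is exported as SSL_CLIENT_CERT, and SAMPLE_DER is a constructed byte string, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a DER certificate: nothing here parses ASN.1,
# only the bytes are compared, so a real certificate is not needed.
SAMPLE_DER = bytes(range(256)) * 3


def der_to_pem(der: bytes) -> str:
    """Same job as the lab's der2pem(): base64 the DER bytes, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse: decode the body of the first CERTIFICATE block."""
    m = _PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def ldif_certificate_line(der: bytes) -> str:
    """The cert.ldif line: '::' tells LDIF the value is base64, exactly
    what 'openssl base64 -A < usercert.der' produces on the slide."""
    return "userCertificate;binary:: " + base64.b64encode(der).decode("ascii")


def ldif_value_to_der(line: str) -> bytes:
    """Decode the base64 value of an 'attr;binary:: ...' LDIF line."""
    _, _, value = line.partition(":: ")
    return base64.b64decode(value)


def client_cert_matches_directory(ldif_line: str, ssl_client_cert_pem: str) -> bool:
    """True when the certificate the client presented in the TLS handshake
    (Apache's SSL_CLIENT_CERT, PEM) is byte-for-byte the one stored in the
    user's userCertificate;binary attribute. Comparing DER fingerprints,
    not the subject strings resource.php prints, rejects any other
    certificate that merely carries the same DN."""
    stored = hashlib.sha256(ldif_value_to_der(ldif_line)).hexdigest()
    presented = hashlib.sha256(pem_to_der(ssl_client_cert_pem)).hexdigest()
    return hmac.compare_digest(stored, presented)
```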

Thank you for your attention!

©2009 by André Panisson. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.