Sicurezza II, A.A. 2011/2012
LDAP
Speaker: André Panisson, PhD student, Università degli Studi di Torino, Computer Science Department, Corso Svizzera, 185 – 10149, Torino, [email protected]
LDAP
o LDAP stands for Lightweight Directory Access Protocol
o It is a client-server protocol for reading and editing directories over an IP network
  • A directory in this sense is a hierarchical set of records: a telephone directory, for example
o Part of the X.500 standards, a series of computer networking standards covering electronic directory services (X.509 is part of the X.500 series, and it is an ITU-T standard for a public key infrastructure)

OpenID and OAuth are protocols used by web users and applications on the Internet; LDAP and SAML are protocols used mainly inside intranets and enterprises.
LDAP: how does it work?

o A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389
  • Port 389 carries cleartext LDAP unless the session is upgraded with StartTLS; LDAP over TLS (ldaps://) uses port 636. Without one of the two, a simple bind sends the password in the clear
o The client then sends an operation request to the server, and the server sends responses in return
o Some of the available operations:
  • Search: search for and/or retrieve directory entries
  • Add a new entry
  • Delete an entry
  • Modify an entry
  • …
LDIF

o LDIF stands for LDAP Data Interchange Format
o It is a standard plain-text data interchange format for representing LDAP directory content (RFC 2849)
  • Example:

dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
objectclass: inetOrgPerson
cn: Andre Panisson
cn: Panisson Andre
sn: Andre
uid: panisson
userpassword: prova
carlicense: HISCAR 124
homephone: 555-111-2223
mail: [email protected]
mail: [email protected]
ou: Docenti
X.509 certificates

o An entry can also hold the user's X.509 certificate (the userCertificate;binary attribute used later in this lab), which makes it possible to authenticate users with their client certificate instead of a password
LDIF Fields

Main fields:
o dn: distinguished name, the unique name of the entry (its own relative name followed by the name of its parent, up to the root)
o dc: domain component
o ou: organizational unit
o cn: common name

dn: cn=The Postmaster,dc=example,dc=com
objectClass: organizationalRole
cn: The Postmaster
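The two LDIF fragments above cover the plain "attribute: value" form. The lab later also relies on the "attribute:: value" form (base64, used for the DER certificate) and on continuation lines. The following Python parser is an added example, not code from the slides; the sample LDIF it reads is constructed for the demo (it mirrors the entries on these slides, with a folded description and a four-byte stand-in for a certificate).

```python
import base64

# Constructed sample LDIF for the demo (not taken from a real directory): the
# person entry from the slides, a folded attribute value and a base64 value,
# followed by the organizationalRole entry.
SAMPLE_LDIF = """\
version: 1
# a line starting with one space continues the previous line; "::" marks base64
dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
objectClass: inetOrgPerson
cn: Andre Panisson
cn: Panisson Andre
sn: Panisson
uid: panisson
userPassword: prova
description: a long value
  folded over two lines
userCertificate;binary:: MIIBAQ==

dn: cn=The Postmaster,dc=example,dc=com
objectClass: organizationalRole
cn: The Postmaster
"""


def unfold(text):
    """Join continuation lines: a line that starts with a single space
    continues the previous line (RFC 2849); the space itself is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content records into a list of
    {"dn": str, "attrs": {lowercased_name: [values]}} dictionaries.
    Plain values are returned as str, "::" values as the decoded bytes
    (the caller decides whether they are UTF-8 text or binary data such
    as a DER certificate). ":<" URL references are rejected."""
    entries, entry = [], None
    for line in unfold(text):
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        if not line.strip():  # blank line ends the current record
            if entry is not None:
                entries.append(entry)
                entry = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip(), validate=True)
        elif rest.startswith("<"):
            raise ValueError("URL-valued attribute not supported: %r" % line)
        else:
            value = rest.strip()
        name = name.lower()  # attribute names are case-insensitive
        if name == "dn":
            if entry is not None:
                raise ValueError("dn inside an entry: %r" % line)
            dn = value.decode("utf-8") if isinstance(value, bytes) else value
            entry = {"dn": dn, "attrs": {}}
        elif entry is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            entry["attrs"].setdefault(name, []).append(value)
    if entry is not None:
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"])
        for name, values in e["attrs"].items():
            print("  %s = %r" % (name, values))
```

Multi-valued attributes (the two cn values) come back as lists, and the base64 value is returned as raw bytes, which is what is needed to hand a stored certificate to an X.509 parser later.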
Lab Goals

o Deploy a basic LDAP server
  • Load user info
  • Browse/search for user info
o Configure Apache to authenticate users using LDAP
OpenLDAP

• www.openldap.org
• An open source implementation of the Lightweight Directory Access Protocol
OpenLDAP

• Download OpenLDAP version 2.4.25
• Extract it:

tar -xvzf openldap-2.4.25.tgz

• Check the files README and INSTALL
• Create the target directory and build it:

mkdir $HOME/openldap/
cd openldap-2.4.25
./configure --prefix=$HOME/openldap/
make depend
make
make install
OpenLDAP

• Edit the file $HOME/openldap/etc/openldap/slapd.conf
• Include the following schemas:

include /usr/home/ . . . /openldap/etc/openldap/schema/core.schema
include /usr/home/ . . . /openldap/etc/openldap/schema/cosine.schema
include /usr/home/ . . . /openldap/etc/openldap/schema/inetorgperson.schema

• Configure the database:

database bdb
suffix "dc=di,dc=unito,dc=it"
rootdn "cn=Manager,dc=di,dc=unito,dc=it"

The rootdn also needs a rootpw entry, otherwise the Manager bind used by ldapadd and by the PHP script later in the lab (which binds with the password secret) fails; slappasswd produces a hashed value for it, so the password need not be stored in the clear.
OpenLDAP

• Start LDAP on port 8389:

$HOME/openldap/libexec/slapd -h "ldap://0.0.0.0:8389"

(0.0.0.0 listens on every interface, in cleartext; on a shared lab machine ldap://127.0.0.1:8389 keeps the server reachable only locally.)

• Connect to the server using ldapsearch (anonymous simple bind, -x, against the root DSE):

$HOME/openldap/bin/ldapsearch -h localhost -p 8389 -x -b '' -s base '(objectclass=*)' namingContexts
OpenLDAP

• Create a file user.ldif:

dn: dc=di,dc=unito,dc=it
dc: di
objectClass: top
objectClass: domain

dn: ou=people,dc=di,dc=unito,dc=it
ou: people
objectClass: top
objectClass: organizationalUnit

dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
objectclass: inetOrgPerson
cn: Andre Panisson
cn: Panisson Andre
sn: Andre
uid: panisson
userpassword: prova
carlicense: HISCAR 124
homephone: 555-111-2223
mail: [email protected]
mail: [email protected]
ou: Docenti

userpassword is stored here exactly as written, in the clear; the PHP login script later in the lab depends on that, because it matches the password inside a search filter. A real deployment stores a hash (slappasswd -h {SSHA} produces one) and checks a password by binding as the user.
OpenLDAP

• Load it into the LDAP server using ldapadd (-W prompts for the rootpw):

$HOME/openldap/bin/ldapadd -h localhost -p 8389 \
    -D "cn=Manager,dc=di,dc=unito,dc=it" -W -f user.ldif
OpenLDAP Clients

• Connect to LDAP using a graphical client:
  • http://jxplorer.org/
  • http://phpldapadmin.sourceforge.net/
Lab Goals
1. Create a Login form that gets the user credentials from LDAP
2. Create a Web app that gets the user credentials from a client certificate
LDAP and Certificates

• Create a new key and X.509 certificate:
• Create the user key and a certificate request:

openssl genrsa -out userkey.pem 2048
openssl req -key userkey.pem -new -out userreq.pem

• Create the certificate and sign it with the CA:

openssl x509 -days 365 -CA ca-bundle.crt -CAkey CA.key \
    -CAcreateserial -CAserial ca.srl -req -in userreq.pem -out usercert.pem

• Convert it to PKCS#12 format, to use it in your browser:

openssl pkcs12 -in usercert.pem -inkey userkey.pem -export -out usercert.p12

• Convert the certificate to DER format:

openssl x509 -outform DER -in usercert.pem -out usercert.der

• Encode it in base64 (-A writes a single line, which is what the LDIF on the next slide expects):

openssl base64 -A < usercert.der > usercert.der.b64
LDAP and Certificates

• Create an LDIF (cert.ldif) with the certificate contents; the double colon marks a base64-encoded value:

dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
changetype: modify
replace: userCertificate;binary
userCertificate;binary:: < contents of usercert.der.b64 >

• Import it into LDAP:

$HOME/openldap/bin/ldapadd -h localhost -p 8389 -D \
    "cn=Manager,dc=di,dc=unito,dc=it" -W -f cert.ldif

(ldapadd is ldapmodify -a; the explicit changetype: modify in the file is honoured, so ldapmodify without -a does the same.)
Apache and LDAP (with PHP)

• Compile PHP with the required libraries:

cd $HOME/php-5.3.6
./configure --prefix=$HOME/php \
    --with-apxs2=$HOME/apache/bin/apxs \
    --with-libxml-dir=$HOME/libxml2-2.7.8 \
    --with-curl \
    --with-zlib \
    --with-openssl \
    --with-ldap \
    --with-libdir=lib64
make

• OR get the PHP library with LDAP support (only for the Postel lab):

cp /usr/home/docenti/panisson/libphp5.so.ldap_support $HOME/apache/modules/libphp5.so
Apache and LDAP (with PHP)
• Edit form.html (the original slide used method="get" and a plain text field for the password; a POST form with a password field keeps the credentials out of the URL, the browser history and the access log, so resource.php below reads $_POST):

<html>
<head></head>
<body>
<form action="resource.php" method="post">
Name: <input type="text" name="name" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Apache and LDAP (with PHP)

• Edit resource.php:

<?php
$name = $_POST['name'];
$password = $_POST['password'];

// specify the LDAP server to connect to
$conn = ldap_connect("localhost", 8389) or die("Could not connect to server");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

// bind to the LDAP server with the directory administrator account
// (lab only: a production application uses a dedicated read-only bind DN;
// the password must match the rootpw set in slapd.conf)
$r = ldap_bind($conn, "cn=Manager,dc=di,dc=unito,dc=it", "secret") or die("Could not bind to server");

// search for credentials
// WARNING: $name and $password are concatenated into the filter unescaped, so
// the user can inject filter syntax (a single "*" matches every value), and the
// check only works because userpassword is stored in cleartext. The robust
// approach is to look up the entry by uid and then ldap_bind() as that entry's
// DN with the supplied password.
$result = ldap_search($conn, "dc=di,dc=unito,dc=it",
    "(&(uid=" . $name . ")(userpassword=" . $password . "))");

// get entry data as array
$info = ldap_get_entries($conn, $result);
if ($info["count"] == 0) {
    die("Invalid credentials");
}
$entry = $info[0];
ldap_close($conn);
?>
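The filter on this slide is built by string concatenation, so whatever is typed into the form becomes filter syntax. The following Python is an added example, not the lab's PHP: it models how the server evaluates the two assertions of (&(uid=NAME)(userpassword=PASSWORD)) against a constructed two-entry directory, shows that a single * in both fields matches every entry and that the wildcard turns the login into a character-by-character oracle for the cleartext password, and shows the RFC 4515 escaping that stops both (in PHP 5.6 and later, ldap_escape() with LDAP_ESCAPE_FILTER does the same). The matcher is a simplified exact-match model of the server; real matching rules such as caseIgnoreMatch behave slightly differently.

```python
# Constructed in-memory directory standing in for the entries loaded from
# user.ldif (the second entry is invented for the demo).
DIRECTORY = [
    {"uid": "panisson", "userPassword": "prova"},
    {"uid": "postmaster", "userPassword": "s3cret"},
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\' and NUL become a backslash and two hex digits,
    and so does every byte of a non-ASCII character."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(name, password, escape):
    """The filter resource.php builds: raw concatenation when escape is
    False, escaped assertion values when it is True."""
    if escape:
        name, password = escape_filter_value(name), escape_filter_value(password)
    return "(&(uid=" + name + ")(userpassword=" + password + "))"


def assertion_pieces(assertion):
    """Split an assertion value at unescaped '*' and decode \\xx escapes.
    One piece means an equality match, more pieces a substring match."""
    pieces, cur, i = [], bytearray(), 0
    while i < len(assertion):
        if assertion[i] == "*":
            pieces.append(bytes(cur))
            cur = bytearray()
            i += 1
        elif assertion[i] == "\\":
            cur.append(int(assertion[i + 1:i + 3], 16))
            i += 3
        else:
            cur.extend(assertion[i].encode("utf-8"))
            i += 1
    pieces.append(bytes(cur))
    return [p.decode("utf-8") for p in pieces]


def assertion_matches(assertion, value):
    """Server-side matching of one assertion against one attribute value."""
    pieces = assertion_pieces(assertion)
    if len(pieces) == 1:
        return pieces[0] == value
    head, tail = pieces[0], pieces[-1]
    if not (value.startswith(head) and value.endswith(tail)):
        return False
    pos = len(head)
    for mid in pieces[1:-1]:
        idx = value.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(value) - len(tail)


def check_login(name, password, escape):
    """Entries returned by the filter "(&(uid=NAME)(userpassword=PASSWORD))"."""
    uid_a = escape_filter_value(name) if escape else name
    pw_a = escape_filter_value(password) if escape else password
    return [e for e in DIRECTORY
            if assertion_matches(uid_a, e["uid"])
            and assertion_matches(pw_a, e["userPassword"])]


def recover_password(uid, alphabet, escape):
    """Prefix oracle against the unescaped filter: one login attempt per
    guessed character, sending 'known + ch + *' as the password."""
    known = ""
    while True:
        for ch in alphabet:
            if check_login(uid, known + ch + "*", escape):
                known += ch
                break
        else:  # no character extends the prefix: either done or no match at all
            return known if check_login(uid, known, escape) else None


if __name__ == "__main__":
    print(build_filter("*", "*", escape=False), "->", len(check_login("*", "*", False)), "entries")
    print(build_filter("*", "*", escape=True), "->", len(check_login("*", "*", True)), "entries")
    print("recovered without escaping:", recover_password("panisson", ALPHABET, False))
    print("recovered with escaping:", recover_password("panisson", ALPHABET, True))
```

Escaping fixes the filter, but the design remains weak: a filter comparison needs the password in cleartext in the directory. Looking up the DN by uid (with the escaped value) and then binding as that DN lets the server do the comparison against a hashed userPassword.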
Apache and LDAP (with PHP)

• Edit resource.php (continuation):

<html>
<head></head>
<body>
<?php
// values are echoed without htmlspecialchars(): acceptable for the lab data,
// not for directory content an attacker could influence
echo "dn is: " . $entry["dn"] . "<br>";
echo "first cn is: " . $entry["cn"][0] . "<br>";
echo "first email address is: " . $entry["mail"][0] . "<br>";
// lab only: a real application never echoes a stored password back to the browser
echo "password is: " . $entry["userpassword"][0] . "<br>";
// DER-encoded certificate loaded with cert.ldif, used on the following slides
$certificate = $entry["usercertificate;binary"][0];
?>
</body>
</html>
Apache and LDAP

• Connect to localhost using a browser and access the form. Log in using uid + password.
Apache and LDAP

2. Create a Web app that gets the user credentials from a client certificate

Modify the script to recognize the user credentials by using the client certificate.
Apache and LDAP

• Configure Apache SSL to require a client certificate. Change the file httpd-ssl.conf in the Apache configuration:

<Directory …./apache/htdocs/ssl>
    SSLRequireSSL
    SSLVerifyClient require
</Directory>

Apache verifies the presented certificate against the CA given by SSLCACertificateFile (the ca-bundle.crt that signed usercert.pem), so that directive must point at it; otherwise every client certificate is rejected.

• Configure your browser to use the client certificate. In Firefox: Edit > Preferences > Advanced > Encryption > View Certificates > Import > (select your usercert.p12)
Apache and LDAP

• Add to resource.php a section to verify the user certificate:

// Build a PEM string from the DER bytes stored in LDAP: base64, 64 characters per line
function der2pem($certificate) {
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split(base64_encode($certificate), 64, "\n")
        . "-----END CERTIFICATE-----";
}

// Build the PEM string.
$pemdata = der2pem($certificate);
// Get a certificate resource from the PEM string.
$cert = openssl_x509_read($pemdata);
// Parse the resource and print out the contents.
$cert_data = openssl_x509_parse($cert);
echo '<p>LDAP Certificate Credentials: ' . $cert_data['name'];
echo '<p>Client Certificate Credentials: ' . $_SERVER["SSL_CLIENT_S_DN"];
// The two lines above only display the subject DNs; two different certificates can
// carry the same subject. To tie the TLS client to the LDAP entry, compare the
// certificates themselves: with "SSLOptions +ExportCertData" Apache exposes the client
// certificate as PEM in $_SERVER["SSL_CLIENT_CERT"], to be compared with $pemdata
// (or by SHA-256 fingerprint).
// all done? clean up
openssl_x509_free($cert);
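The slide prints the subject DN taken from LDAP next to the one Apache saw, but it never compares the certificates. The following Python is an added example, not the lab's PHP. It serves the two certificate steps of the lab: building the cert.ldif modify record (a folded base64 "::" value) from DER bytes, and the missing check, comparing the certificate the browser presented with the one stored in the entry, byte for byte. It assumes the client certificate reaches the script as PEM in SSL_CLIENT_CERT (which in mod_ssl requires SSLOptions +ExportCertData, a setting the slides do not show); the DER bytes are a constructed stand-in, since the comparison does not depend on the certificate content.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the DER bytes of usercert.der (a real certificate
# would be read from the file); the comparison logic does not depend on the content.
LDAP_CERT_DER = bytes.fromhex("308201013082") + \
    b"constructed certificate body, not a real X.509 structure" * 4


def der2pem(der):
    """Equivalent of the slide's PHP der2pem(): base64, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def pem2der(pem):
    """Inverse of der2pem: strip the armour lines and decode. This is what the
    PEM that Apache places in SSL_CLIENT_CERT needs before it can be compared."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form 'openssl x509 -fingerprint' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def client_matches_ldap(client_pem, ldap_der):
    """The check the slide only hints at: the certificate presented in the TLS
    handshake must be the very certificate stored in the user's entry, not
    merely one with the same subject name. Constant-time comparison of the
    DER bytes; comparing fingerprint() values is equivalent."""
    return hmac.compare_digest(pem2der(client_pem), ldap_der)


def cert_ldif_modify(dn, der, width=76):
    """Build the cert.ldif record from the slides: a modify that replaces
    userCertificate;binary with the base64 ("::") encoding of the DER, folded
    at 76 characters with continuation lines that start with one space."""
    line = "userCertificate;binary:: " + base64.b64encode(der).decode("ascii")
    folded = [line[:width]]
    rest = line[width:]
    while rest:
        folded.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(["dn: " + dn, "changetype: modify",
                      "replace: userCertificate;binary"] + folded) + "\n"


if __name__ == "__main__":
    pem = der2pem(LDAP_CERT_DER)  # stands in for $_SERVER["SSL_CLIENT_CERT"]
    print(cert_ldif_modify("cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it", LDAP_CERT_DER))
    print("fingerprint:", fingerprint(LDAP_CERT_DER))
    print("client certificate matches LDAP entry:", client_matches_ldap(pem, LDAP_CERT_DER))
```

Comparing the stored bytes rather than the subject string also means Apache remains the only component that validates the chain: the script trusts SSLVerifyClient require for "this certificate is valid" and only decides "this certificate belongs to this entry".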
Thank you for your attention!
©2009 by André Panisson. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.