Matlab Toolbox Implementation For Ldap Computer Science Essay

LDAP is a distributed directory service protocol; it is based on a client-server model and runs over TCP/IP. It can be used to access standalone directory servers or X.500 directories. The Lightweight Directory Access Protocol (LDAP) is being used for an increasing number of directory applications, including personnel databases for administration, tracking schedules, address translation databases for IP telephony, network databases for storing network configuration information, and service policy rules [1][2]. This work attempts to build a Matlab toolbox for accessing an LDAP server. We have made use of JNDI classes from within Matlab, and Apache DS has been used as an Active Directory server.

Keywords- LDAP, Active Directory, Matlab, Authentication, Tree Searching, Apache DS

Introduction

A directory service is a simplified database. Typically, it does not have the database mechanisms to support transactions. Directories allow both read and write operations, but are intended primarily for high-volume, efficient read operations by clients. LDAP is a distributed directory service protocol; it is based on a client-server model and runs over TCP/IP. It can be used to access standalone directory servers or X.500 directories [3]. LDAP defines a communication protocol: the Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over the Internet Protocol (IP).


The Lightweight Directory Access Protocol (LDAP) is being used for an increasing number of directory applications. Applications include personnel databases for administration, tracking schedules, address translation databases for IP telephony, network databases for storing network configuration information, and service policy rules.

LDAP working

A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389 [3][4]. The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. An application client program initiates an LDAP message by calling an LDAP API. But an X.500 directory server does not understand LDAP messages; in fact, the LDAP client and the X.500 server even use different communication protocols (TCP/IP vs. OSI). The LDAP client actually communicates with a gateway process (also called a proxy or front end) that translates and forwards requests to the X.500 directory server (see Figure 2). This gateway is known as an LDAP server. It services requests from the LDAP client by becoming a client of the X.500 server, so the LDAP server must communicate using both TCP/IP and OSI. This way, clients can access the X.500 directory without dealing with the overhead and complexity that X.500 requires.

Structure of LDAP.

In LDAP, object classes are used to group related information.[5] Typically, an object class models some real-world object such as a person, printer, or network device. The definition of an LDAP object class includes the following pieces of information:

• An object identifier (OID) that uniquely identifies the class;

• A name that also uniquely identifies the class;

• A set of mandatory attributes;

• A set of allowed attributes.

Attributes (also requiring both an OID and a name) that an object class definition includes must be unique throughout the entire directory schema. The set of mandatory (required) attributes is usually fairly short or even empty. The set of allowed (optional) attributes is often quite long. It is the job of each directory server to enforce the attribute restrictions of an object class when an entry is added to the directory or modified in any way. One object class can be derived from another, in which case it inherits the characteristics of the other class [6]. This is sometimes called subclassing, or object class inheritance. The schema includes the following object classes:

• top: - The top object class is an abstract class. All other object classes are subclasses of top. top has just one mandatory attribute: the objectClass attribute.

• subschema: - The subschema object class is an auxiliary object class. It contains the schema (for example object classes, attribute types, matching rules, and so on) for the LDAP directory server.


• extensibleObject:- The extensibleObject object class is an auxiliary object class. It contains every attribute defined by a directory server's schema.

• replicaObject:- The replicaObject object class is an IBM-defined structural class that is used to represent a directory server replica. It contains attributes used to control directory server replication.

• referral:- The referral object class is a structural object class that represents a referral directory entry. It contains a single attribute.

• cacheObject:- The cacheObject object class is an auxiliary object class that allows a time-to-live attribute, ttl, to be associated with a directory entry.

• container:- The container object class is a structural object class that can contain other objects.

• linkedContainer:- The linkedContainer object class is an abstract object class with a DN-valued property pointing to another container to search if the desired object is not found in the current container.

A component of a name is called a relative distinguished name (RDN) [7]. An RDN represents a point within the namespace hierarchy. RDNs are separated by, and concatenated using, the comma. The order of RDNs in an LDAP name is the most specific RDN first, followed by the less specific RDNs moving up the DIT hierarchy. Examples of valid distinguished names written in string form:

• cn=Joe Q. Public, ou=Austin, o=IBM

This is a name containing three relative distinguished names (RDNs).

• ou=deptUVZS + cn=Joe Q. Public, ou=Austin, o=IBM

This is a name containing three RDNs, in which the first RDN is multi-valued.

• cn=L. Eagle, o=Sue Grabbit and Runn, c=GBA
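The RDN rules above (comma-separated RDNs, most specific first, '+' joining the attributes of a multi-valued RDN, backslash escapes for commas and other specials) are what a DN parser has to implement. The following is an added example in Python, not part of the essay's Matlab toolbox; the function names are this example's own, and it follows RFC 4514 string form. It parses the three example DNs and also shows the escaping needed before a user-supplied name is embedded in a DN, as the authentication script later in the essay does when it builds a bind DN from the user name.

```python
"""RFC 4514 distinguished-name parsing and escaping (stdlib only).

Added example for the RDN discussion; not part of the essay's Matlab toolbox.
Function names are this example's own."""
import string
from typing import List, Tuple

RDN = List[Tuple[str, str]]   # one RDN = one or more (attributeType, value) pairs


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, leaving backslash-escaped separators inside the pieces."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v: str) -> str:
    """Resolve \\X (escaped special) and \\XX (hex-encoded UTF-8 byte) escapes."""
    buf, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf += v[i + 1].encode("utf-8")
                i += 2
        else:
            buf += v[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def _trim(v: str) -> str:
    """Drop unescaped surrounding spaces (RFC 4514 requires significant ones to be escaped)."""
    v = v.lstrip(" ")
    while v.endswith(" ") and not v.endswith("\\ "):
        v = v[:-1]
    return v


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into RDNs, most specific first; '+' joins a multi-valued RDN."""
    rdns: List[RDN] = []
    for rdn_str in _split_unescaped(dn, ","):
        pairs: RDN = []
        for ava in _split_unescaped(rdn_str, "+"):
            if "=" not in ava:
                raise ValueError(f"RDN component without '=': {ava!r}")
            attr_type, value = ava.split("=", 1)
            pairs.append((attr_type.strip().lower(), _unescape(_trim(value))))
        rdns.append(pairs)
    return rdns


_DN_SPECIALS = '\\"+,;<>'


def escape_dn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN string unchanged."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for example in ("cn=Joe Q. Public, ou=Austin, o=IBM",
                    "ou=deptUVZS + cn=Joe Q. Public, ou=Austin, o=IBM",
                    "cn=L. Eagle, o=Sue Grabbit and Runn, c=GBA"):
        print(parse_dn(example))
    # A user name containing a comma must be escaped before it is used in a bind DN
    print("CN=" + escape_dn_value("Public, Joe") + ",OU=Useraccounts,DC=company,DC=com")
```

Note that parse_dn returns the leaf RDN first, so the base of the tree is the last element; a DN built by string concatenation from an unescaped name would otherwise gain an extra RDN at a comma in the name.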

Basic Toolbox Implementation

LDAP Query Structure

Query 1:

ldapsearch -h localhost -b "dc=organization-name,dc=gr" "uid=avakali"

Query 2:

ldapsearch -h localhost -b "ou=people,dc=organization-name,dc=gr" "businesscategory=Assistant Professor"

The LDAP functional model includes the following operations in general.

* StartTLS - use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection

* Bind - authenticate and specify LDAP protocol version

* Search - search for and/or retrieve directory entries

* Compare - test if a named entry contains a given attribute value

* Add a new entry

* Delete an entry

* Modify an entry

* Abandon - abort a previous request

* Modify Distinguished Name (DN) - move or rename an entry

* Extended Operation - generic operation used to define other operations

* Unbind - close the connection

Methodology

The proposed functional toolbox is intended to implement these operations, thereby giving it the functionality to connect to and interact with an Active Directory server. We have used an instance of Apache Directory Server 2.0 created using Apache Design suite. Fig. 1 shows a snapshot of the server instance in the Apache Design suite window.

[Fig. 1: screenshot; window title "LDAP - ou=system - ApacheDS 2"]

Fig. 1 Screenshot of the Apache DS used as an LDAP and LDAPS server

The test data that has been fed into the server is provided below in Table I [8].

TABLE I
LDIF FILE FOR TEST DATA

dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example

dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: cn=Adan Abrams,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Adan Abrams
sn: Abrams
description: 19741108000000Z
employeeNumber: 7
givenName: Adan
telephoneNumber: 254-323-1920
telephoneNumber: 902-451-7619
uid: aabrams
userPassword:: c2VjcmV0

dn: cn=Chuck Brunato,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Chuck Brunato
sn: Brunato
description: 19650324000000Z
employeeNumber: 3
givenName: Chuck
telephoneNumber: 169-637-3314
telephoneNumber: 907-547-9114
uid: cbrunato
userPassword:: c2VjcmV0
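The LDIF in Table I uses the two value encodings a reader has to handle: `attr: value` and `attr:: value`, where the double colon marks a base64-encoded value. That encoding is only a transport encoding, not protection, so the `userPassword:: c2VjcmV0` lines in the test data decode to the clear-text word `secret`. The following is an added example in Python, not the essay's code, that reads LDIF records (blank-line separated, with RFC 2849 line folding and comments), decodes `::` values, and flags entries whose userPassword carries no `{SCHEME}` hash prefix. The embedded input is a subset of Table I (the Users OU and the first user), with a folded line and a comment added to exercise the parser.

```python
"""Minimal LDIF (RFC 2849) reader for the Table I test data, stdlib only.

Added example, not the essay's code. '::' marks a base64-encoded value, which is a
transport encoding and not protection: the userPassword values decode to 'secret'."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]   # attribute name -> values ('dn' is kept as a key too)

# Constructed input: the Users OU and the first user entry of Table I, with a
# folded continuation line and a comment added to exercise the parser.
SAMPLE_LDIF = """\
# test data as loaded into Apache DS
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: cn=Adan Abrams,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Adan Abrams
sn: Abrams
description: 1974110
 8000000Z
employeeNumber: 7
givenName: Adan
telephoneNumber: 254-323-1920
telephoneNumber: 902-451-7619
uid: aabrams
userPassword:: c2VjcmV0
"""


def _record_to_entry(lines: List[str]) -> Entry:
    """Turn one record's (already unfolded) lines into an attribute map."""
    entry: Entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                    # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):                  # 'attr:< file:///...' not handled here
            raise ValueError(f"URL-valued attribute not supported: {line!r}")
        else:
            value = rest.strip()
        entry.setdefault(name, []).append(value)    # attributes may repeat (multi-valued)
    return entry


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into blank-line separated records, unfolding continuation lines."""
    entries: List[Entry] = []
    record: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):                     # comment line
            continue
        if raw == "":                               # record separator
            if record:
                entries.append(_record_to_entry(record))
                record = []
            continue
        if raw.startswith(" ") and record:          # folded line: append to previous line
            record[-1] += raw[1:]
        else:
            record.append(raw)
    if record:
        entries.append(_record_to_entry(record))
    return entries


def cleartext_password_entries(entries: List[Entry]) -> List[str]:
    """DNs whose userPassword has no {SCHEME} prefix, i.e. is stored unhashed."""
    return [e["dn"][0] for e in entries
            if any(not pw.startswith("{") for pw in e.get("userPassword", []))]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for e in parsed:
        print(e["dn"][0], "->", {k: v for k, v in e.items() if k != "dn"})
    print("cleartext passwords:", cleartext_password_entries(parsed))
```

Before loading such a file into a server, running the check above over it is a cheap way to catch test credentials that are about to be stored in the clear; whether the server then hashes them depends on its password policy, not on the `::` encoding.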

Based on the LDAP functional model, we propose to implement the following functions (client end only):

LDAP_URL: A tool for generating LDAP-based URLs


LDAP_search: A tool for searching LDAP Directories

LDAP_LoginPassword: A tool for changing LDAP passwords

LDAP_modrdn: Tool to modify an entry's RDN using LDAP

LDAP_modify: Tool to modify or add entries using LDAP

LDAP_exop: a tool for performing well-known extended operations

LDAP_delete: Tool to delete an entry using LDAP

LDAP_compare: LDAP compare tool

common: Common routines for the LDAP client tools

Authenticating to the LDAP by Using the JNDI

The implementation has been achieved by making use of a lesser-known property of MATLAB: it can use the JNDI (Java Naming and Directory Interface) classes of Java directly.

In the JNDI, authentication information is specified in environment properties. When an initial context is created using the InitialDirContext class (or its superclass or subclass), a set of environment properties is supplied, some of which may contain authentication information. The following environment properties specify the authentication information.

Context.SECURITY_AUTHENTICATION ("java.naming.security.authentication"): Specifies the authentication mechanism to use. For the Sun LDAP service provider, this can be one of the following strings: "none", "simple", or sasl_mech, where sasl_mech is a space-separated list of SASL mechanism names.

Context.SECURITY_PRINCIPAL ("java.naming.security.principal"): Specifies the name of the user/program doing the authentication; its form depends on the value of the Context.SECURITY_AUTHENTICATION property.

Context.SECURITY_CREDENTIALS ("java.naming.security.credentials"): Specifies the credentials of the user/program doing the authentication; its form depends on the value of the Context.SECURITY_AUTHENTICATION property.

When the initial context is created, the underlying LDAP service provider extracts the authentication information from these environment properties and uses the LDAP "bind" operation to pass them to the server.

A sample script for the password tool is provided below in Fig. 2.

function [dctx, sc] = ldap_LoginPassword(curUser, pwd)
% Bind to the directory as curUser with a simple (password) bind and return
% the bound context plus search controls restricted to the 'department' attribute.
env = java.util.Hashtable();
sp = 'com.sun.jndi.ldap.LdapCtxFactory';                 % Sun LDAP service provider
env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, sp);
ldapUrl = 'ldap://company.com:389';
env.put(javax.naming.Context.PROVIDER_URL, ldapUrl);
env.put(javax.naming.Context.SECURITY_AUTHENTICATION, 'simple');
% The bind DN is built from the user name; the second OU is the name's first letter, upper-cased.
env.put(javax.naming.Context.SECURITY_PRINCIPAL, ...
    ['CN=' curUser ',OU=' upper(curUser(1)) ',OU=Useraccounts,OU=Abt,DC=de,DC=company,DC=com']);
env.put(javax.naming.Context.SECURITY_CREDENTIALS, pwd);
% Creating the context performs the LDAP bind; [] is passed to Java as null (no request controls).
dctx = javax.naming.ldap.InitialLdapContext(env, []);
sc = javax.naming.directory.SearchControls();
attributeFilter = {'department'};                        % cell array of char -> java String[]
sc.setReturningAttributes(attributeFilter);
sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);
end

Fig. 2 Sample Authentication tool

The connection is done on the default port 10389 for LDAP and 10636 for LDAPS.

The sample search tool is given in Fig. 3.

function result = getDepartment(user, dctx, sc)
% Search the subtree under base for an entry whose cn matches the user name
% (lower or upper case) and return the first match, or '' if there is none.
base = 'DC=de,DC=company,DC=com';
filter = sprintf('(|(cn=%s)(cn=%s))', lower(user), upper(user));
results = dctx.search(base, filter, sc);   % javax.naming.NamingEnumeration of SearchResult
if results.hasMore()
    result = results.next();                % javax.naming.directory.SearchResult
else
    result = '';
end
dctx.close();
end

Fig. 3 Sample Search tool
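The search in Fig. 3 builds its filter with sprintf directly from the user name. RFC 4515 gives the characters `*`, `(`, `)`, `\` and NUL a meaning inside a filter, so a name containing any of them has to be escaped as `\XX` hex before it is substituted, otherwise the filter does not match the literal name (and a `*` in the name turns into a wildcard). The following is an added example in Python, not the essay's Matlab code, showing that escaping and the same two-branch cn filter as Fig. 3 built from it; the function names are this example's own.

```python
"""RFC 4515 search-filter escaping for a filter of the shape used in Fig. 3.

Added example, not the essay's code. Shows the escaping the filter grammar
requires so that '*', '(', ')' and '\\' in a user name are matched literally."""


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515: the four specials, control bytes
    and non-ASCII (as UTF-8 bytes) become \\XX hex escapes."""
    out = []
    for b in value.encode("utf-8"):
        if b < 0x20 or b > 0x7e or chr(b) in "*()\\":
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def department_filter(user: str) -> str:
    """Same shape as Fig. 3's filter (cn in lower or upper case), built from escaped
    values. Components are written without spaces; the RFC 4515 grammar has none."""
    return "(|(cn=%s)(cn=%s))" % (escape_filter_value(user.lower()),
                                  escape_filter_value(user.upper()))


def is_well_formed(filt: str) -> bool:
    """Cheap sanity check before sending: parentheses balanced, ignoring escaped ones."""
    depth, i = 0, 0
    while i < len(filt):
        if filt[i] == "\\":       # skip a \XX escape as one unit
            i += 3
            continue
        if filt[i] == "(":
            depth += 1
        elif filt[i] == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and filt.startswith("(")


if __name__ == "__main__":
    print(department_filter("Adan"))        # (|(cn=adan)(cn=ADAN))
    print(department_filter("O'Brien*"))    # the '*' is escaped, not a wildcard
    print(is_well_formed(department_filter("a)(b")))
```

The same escaping applies to any value interpolated into a filter, including the `uid=` and `businesscategory=` assertions in the ldapsearch queries earlier in the essay; DN components use a different escape set (RFC 4514), so the two must not be mixed.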

Conclusion

This work is an attempt to construct a comprehensive toolbox for Matlab that enables a socket-based connection from the Matlab environment to an LDAP server. When implemented to its fullest, the toolbox can enable designers to build LDAP-based applications using MATLAB as the environment, making use of the rich toolboxes available in Matlab.