Tag Archives: Active directory basics

An Introduction to Lightweight Directory Access Protocol (LDAP)

What is LDAP?

The Lightweight Directory Access Protocol, commonly known as LDAP, is a communication protocol that is used to access directory servers. In other words, LDAP is used to store, update and retrieve data from a directory structure.

The term “lightweight” is used in comparison with X.500, the earlier standard for directory services. X.500 was complicated, and its access protocol (DAP) ran on the OSI protocol stack rather than on TCP/IP. LDAP was developed as a lightweight alternative that runs over the much simpler TCP/IP stack, while simplifying or dropping some of the more complicated X.500 operations and features. LDAP has become popular because it is lightweight, open, and cross-platform.

What is LDAP used for?

To understand the services provided by LDAP, it is necessary to understand what a directory is. A directory is a hierarchical database that is used to store and organize information about objects. The information in a directory is read far more often than it is written or updated. This is one of the most important characteristics that set directories apart from relational databases; hence, directories are optimized for high volumes of search and read requests. A telephone directory or phone book is the most common example used to explain a directory: each person is represented by an entry, and their contact information by key-value pairs.

LDAP defines a message protocol used by directory clients and servers. An LDAP directory can store and serve various types of information, such as text, images and other binary data. Storage and retrieval of data, authentication of clients and searching for specific data are some of the services a directory service provides. A large organization with thousands of employees can use it to store and maintain information about employees and resources. Apart from storing information, a directory service also provides authentication and authorization services for users, and many organizations use LDAP binds as the authentication back end for their applications.

For an organization that operates in different parts of the world, there are hundreds of divisions based on business roles and thousands of employees. Using LDAP, all the employee information can be stored and organized in a directory for easier access. For instance, employees in an organization can be categorized by department, such as marketing, sales or HR. Using LDAP, the HR manager can be delegated control over the HR subtree, and the other subtrees can be placed under the respective department managers. If the HR manager wants to access an employee’s record to change salary details, the authorization and access are handled through the directory’s access controls.

What is the difference between Active Directory and LDAP?

LDAP is a protocol that forms the basis for different directory services and access management solutions. These directory services understand and use LDAP. Active Directory is a directory service implementation developed by Microsoft that provides authentication, user and group management, policy administration and more. It supports LDAP, so directory access in Active Directory can be performed by means of LDAP (alongside Microsoft-specific protocols). While Active Directory is just one such example, there are many directory services, such as OpenLDAP, that support the protocol.

SMTP and IMAP are the protocols used to send and receive email, while Gmail is an application that uses them. In the same way, LDAP is a protocol that Active Directory supports. In simpler terms, just as SMTP is a way of speaking to a mail server, LDAP is a means of speaking to Active Directory.

Directory Structure of LDAP

Figure.1 LDAP Directory Structure

The directory structure can be used to explain how data is stored and accessed in LDAP. Data in LDAP is stored in objects (entries). Each object holds a set of attributes, which are key-value pairs, and the set of attributes an object may contain is defined by its object classes.

In LDAP, a collection of objects are organized in a hierarchical tree structure called the directory information tree (DIT). It is analogous to a tree with the trunk being the directory root, with the branches and leaves being objects. The tree can contain information in both leaf and non-leaf nodes. The root element is present at the top of the hierarchy, and it is entirely conceptual.

What are the components that make up LDAP?

An LDAP directory information tree (DIT) is made up of several components, listed as follows.

Entries: The objects that make up the DIT are called entries, and they have specific positions within the hierarchy. The objects are of two types:

  • Container objects
  • Leaf objects

Each entry has three components, namely a Distinguished Name (DN), a collection of attributes, and a collection of object classes.

Distinguished Name (DN): The Distinguished Name (DN) acts as the unique identifier for each entry. Its value encodes the position of the entry in the tree: it both identifies the entry and locates it in the Directory Information Tree (DIT). The DN is a sequence of attribute=value pairs, most specific first, such as: cn=Tom, ou=people, o=zoho, c=india

Attributes: Attributes are used to describe the object and they are defined as key-value pairs. A standard set of attributes are defined according to LDAP specifications that are used commonly. A collection of attributes are used to define an entry. The attributes are defined in a schema. Attribute names are in the form of strings such as, “cn” for common name, “dc” for domain component, “ou” for organizational unit or “mail” for email address.

The Distinguished Names (DNs) are made up of elements called Relative Distinguished Names (RDNs). The RDNs are derived from the attributes of the entries in the LDAP directory. They take the form of <attribute name> = <value>.

Object Classes: An object class names the set of attributes that an entry of that class must or may carry; related attributes are grouped together so that kinds of things are easier to describe. For example, objectClass: person. Object classes are of three kinds: structural (every entry has exactly one), auxiliary (added to an entry to permit extra attributes) and abstract (used only as a parent of other classes, such as top).

Schema: A schema is constructed using objectClass definitions and attribute definitions. It is a set of rules that define the structure of the DIT and the kind of information that the server can hold. Many different schemas can exist for the same DIT.

LDAP Architecture:

As mentioned earlier, LDAP is a communication protocol that defines the content of messages exchanged between directory clients and servers. These messages specify the operations requested by the client and the responses from the server, including the format of the data. Examples of requested operations include search, modify, add and delete. The messages are ASN.1 structures encoded with BER and carried over TCP, on port 389 by default or on port 636 for LDAP over TLS (LDAPS).

In the previous example, it was mentioned that the HR manager wanted to access an employee’s record to change the salary details. How exactly does this take place? Here, the HR manager’s application is the LDAP client that interacts with the LDAP server.

An interaction between the LDAP client and LDAP server takes place in the following manner.

  1. The client opens a TCP connection to the server, using its host name or IP address and the port on which the server listens (389 by default, or 636 for LDAP over TLS).
  2. The client binds. In a simple bind it sends a DN and password; leaving both empty requests an anonymous session with whatever access the server grants to anonymous clients. A SASL bind can negotiate stronger mechanisms, and a security layer (TLS, or one negotiated through SASL) protects the credentials and the subsequent traffic.
  3. The client performs operations on the directory data. Read, update and search capabilities are offered by LDAP; searching is by far the most common operation.
  4. Once the client has made its requests, it closes the session with an unbind.

Thus, the authorized personnel are able to access and modify entries in the directory using the procedure mentioned above.
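The bind step above, encoded the way it actually crosses the wire. This is an added example and not code from the original page: the DN and password are hypothetical, the server reply is a constructed byte string so the script runs offline, and bind_kind() shows the check a client should make before sending, because a DN with an empty password is an unauthenticated bind, not an anonymous one.

```python
"""LDAPv3 simple bind on the wire (RFC 4511 section 4.2, RFC 4513 section 5.1).

Added example; not code from the original page.  The DN and password are
hypothetical, and the server reply is a constructed byte string so the
exchange can be run offline and compared with a packet capture.
"""

# BER universal tags and the LDAP application/context tags used by bind
BER_INTEGER, BER_OCTET_STRING, BER_ENUMERATED, BER_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
APP_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
APP_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
CTX_SIMPLE = 0x80          # [0] primitive: AuthenticationChoice.simple
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49


def ber_len(n: int) -> bytes:
    """Definite length: one byte below 128, else 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (used for message IDs and the version field)."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(BER_INTEGER, v.to_bytes(n, "big", signed=True))


def bind_kind(dn: str, password: str) -> str:
    """RFC 4513 5.1: which simple-bind flavour this (dn, password) pair really requests."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"   # a name without a credential; servers should refuse it
    return "name/password"


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = ber_int(3) + tlv(BER_OCTET_STRING, dn.encode()) + tlv(CTX_SIMPLE, password.encode())
    return tlv(BER_SEQUENCE, ber_int(message_id) + tlv(APP_BIND_REQUEST, bind))


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """What a server sends back: LDAPResult { resultCode, matchedDN, diagnosticMessage }.
    Built here only so there is something to parse offline (constructed, not captured)."""
    result = (tlv(BER_ENUMERATED, bytes([result_code]))
              + tlv(BER_OCTET_STRING, b"")
              + tlv(BER_OCTET_STRING, diagnostic.encode()))
    return tlv(BER_SEQUENCE, ber_int(message_id) + tlv(APP_BIND_RESPONSE, result))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Unpack a BindResponse; raises ValueError if the message is not one."""
    tag, body, _ = parse_tlv(msg)
    if tag != BER_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_tlv(body)
    tag, op, _ = parse_tlv(body, pos)
    if tag != APP_BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse (tag %#x)" % tag)
    _, code, pos = parse_tlv(op)
    _, matched, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


if __name__ == "__main__":
    dn, pw = "cn=Tom,ou=people,o=zoho,c=india", "hypothetical-password"
    req = bind_request(1, dn, pw)
    print("bind kind:", bind_kind(dn, pw))
    print("request  :", req.hex(" "))   # without TLS the password is readable right here
    reply = bind_response(1, LDAP_INVALID_CREDENTIALS, "invalid credentials")
    print("response :", parse_bind_response(reply))
```

The fourteen bytes produced by bind_request(1, "", "") are the anonymous bind seen at the start of most unauthenticated LDAP scans; the password octet string in a name/password bind is exactly what a network observer reads when the connection is not wrapped in TLS.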

LDAP Operations:

Some of the operations defined by LDAP for accessing and modifying entries are binding and unbinding, searching, adding and deleting entries, modifying entries and comparing entries.

The basic LDAP operations are described as follows.

  1. Bind: The LDAP bind operation is used to establish a session between the client and server and to authenticate a user.
  2. Unbind: The unbind operation is used to close the connection to the server, after the requested operation has been performed.
  3. Search: The search operation is used to find and retrieve directory entries matching the specified criteria.
  4. Compare: The compare operation is used to check whether an entry has a specified attribute value.
  5. Add: The add operation is used for creating new entries in the directory
  6. Delete: The delete operation is used for removing certain entries from the directory
  7. Modify: The modify operation is used to change an entry in the directory
  8. Modify DN: The modify DN operation can be used to change the Distinguished Name of an entry in the directory.
  9. Abandon: The abandon operation is used to request the server to stop processing an operation which was requested previously.
  10. Extended: This operation is used to request a process that is not defined by any of the other operations (StartTLS is one example).
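Search is the operation most applications use, and the filter that goes into it (RFC 4515) is where user input usually lands. The following is an added example, not code from the original page: a small filter parser and evaluator run over constructed sample entries (DN style as earlier on the page; attribute names and user IDs are hypothetical), with escape_filter_value() showing how untrusted input has to be escaped before it is interpolated into a filter.

```python
"""RFC 4515 search filters: escaping untrusted input and evaluating a filter.

Added example, not from the original page.  The entries below are constructed
sample data; the attribute names and user IDs are hypothetical.  The evaluator
covers the filter subset most applications use: equality, presence,
substring (*) and the &, |, ! operators.
"""
import re

# characters that RFC 4515 section 3 requires to be escaped inside an assertion value
_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into a filter string."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Recursive-descent parser producing ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if i >= len(text):
            raise ValueError("unterminated filter")
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated %s at offset %d" % (op, i))
            return (op, children), i + 1
        if text[i] == "!":
            node, i = parse(i + 1)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated ! at offset %d" % i)
            return ("!", [node]), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated item at offset %d" % i)
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise ValueError("bad filter item %r" % text[i:end])
        return ("=", attr.lower(), value), end + 1

    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node


def _matches(entry: dict, attr: str, pattern: str) -> bool:
    values = entry.get(attr, [])
    if pattern == "*":                       # presence filter
        return bool(values)
    # an unescaped '*' is a wildcard; escaped ones turn back into literal characters
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    regex = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)   # caseIgnoreMatch
    return any(regex.match(v) for v in values)


def evaluate(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "=":
        return _matches(entry, node[1], node[2])
    if kind == "&":
        return all(evaluate(child, entry) for child in node[1])
    if kind == "|":
        return any(evaluate(child, entry) for child in node[1])
    return not evaluate(node[1][0], entry)   # "!"


def search(entries, filter_text: str):
    """Return the DNs of entries matching the filter, as a subtree search would."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if evaluate(node, e)]


ENTRIES = [   # constructed sample directory; attribute names are lower-cased keys
    {"dn": "cn=Tom,ou=people,o=zoho,c=india", "uid": ["tom"], "ou": ["HR"], "objectclass": ["person"]},
    {"dn": "cn=Priya,ou=people,o=zoho,c=india", "uid": ["priya"], "ou": ["Sales"], "objectclass": ["person"]},
    {"dn": "cn=svc-backup,ou=services,o=zoho,c=india", "uid": ["svc-backup"], "objectclass": ["person"]},
]


def lookup_uid(entries, user_input: str, escape: bool = True):
    """The typical 'find this user' query an application builds from a login form."""
    value = escape_filter_value(user_input) if escape else user_input
    return search(entries, "(&(objectClass=person)(uid=%s))" % value)


if __name__ == "__main__":
    print(lookup_uid(ENTRIES, "tom"))                    # the intended lookup
    print(lookup_uid(ENTRIES, "svc*", escape=False))     # injected wildcard reaches the service account
    print(lookup_uid(ENTRIES, "svc*"))                   # escaped: '*' is literal, nothing matches
```

With escaping off, a single `*` in the user field turns the equality item into a presence filter and returns every person, including service accounts; with escaping on, the same input matches nothing. Parentheses injected into the value are escaped the same way, so they cannot change the filter's structure, and the parser rejects a filter whose structure has been broken instead of silently truncating it.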

LDAP Models:

The LDAP models describe the different features of the directory and the services provided by the server. LDAP is based on four models, which are explained as follows:

  1. Information model

The information model describes the way in which information stored in a directory is structured and organized. An entry is the basic unit of information that is stored in a directory. They are made up of a collection of attributes containing information about the object. Each attribute has a certain number of values, where the kind of values that can be stored is defined by the syntax. For example, entries might be people, organizations or servers and the attributes might be name, telephone number, etc.  

  2. Naming model

The naming model defines the way in which the entries are organized and identified. The entries are organized in a hierarchical tree structure called the Directory Information Tree (DIT). Each entry is identified by a unique name called the Distinguished Name (DN), which is composed of a sequence of Relative Distinguished Names (RDN).

  3. Functional model

The functional model describes the various functions and operations that can be performed in the LDAP directory. Under this model, the operations are grouped into three categories, based on the functions they are used to perform.

  a. Authentication

This includes the operations that are used to establish and terminate connections with an LDAP server. It consists of the Bind, Unbind and Abandon operations.

  b. Query

This includes operations that are used to retrieve information from the directory. It consists of the Search and Compare operations.

  c. Update

This includes the operations that are used to make changes to the entries stored in the directory. It consists of the Add, Delete, Modify and ModifyDN operations.

  4. Security model

The security model defines the way in which information in a directory can be protected from unauthorized access. This model is largely based on the Bind operation, which forms an important part of authentication. This operation can be performed in several ways, allowing the security mechanisms to be applied in different ways.

Security and Authentication in LDAP

While managing a directory that contains information about an organization and its employees, security is of great importance. When security mechanisms are not in place, the directory becomes vulnerable to threats from both within and outside the organization. For example, the salary records of an employee should be accessible only to the responsible HR manager. If they were available to everyone in the organization, the data would be at risk of being read or tampered with. This is why security mechanisms must be employed. The term security covers authentication, authorization, integrity and confidentiality. Security is maintained in LDAP using the following methods.

  1. No authentication

This is the simplest method and is meant only for data that anyone may read, where no access control is needed; for example, a directory listing of employees that the whole organization can see. When the DN and password fields are both left empty, the LDAP server treats the session as anonymous and applies whatever access anonymous clients are given. A bind that supplies a DN but an empty password is an unauthenticated bind, not an anonymous one: RFC 4513 says servers should reject it by default, and applications that pass an empty password straight through to the server have been tripped up by servers that accept it and grant anonymous access while the application believes the user was authenticated.

  2. Simple authentication (simple bind)

This is the LDAP simple bind, the same level of security as basic authentication in web protocols. The client provides a DN and password, and the server checks them. On its own it sends the password in the clear, so it must only be used over a TLS-protected connection (LDAPS on port 636, or StartTLS on port 389); without that, it is unsuitable for anything confidential.

  3. Simple Authentication and Security Layer (SASL)

SASL is a framework for adding authentication mechanisms to connection-oriented protocols. LDAP version 2 did not support SASL; it was added in version 3. The client and server exchange authentication data, optionally establish a security layer, and carry out subsequent communication over that layer. Because SASL is pluggable, the client and server can negotiate whichever mechanism they both support, such as Kerberos via GSSAPI.

LDAP server implementations

Since LDAP is an open protocol, there are several different implementations available, and an LDAP server can be chosen based on an organization’s requirements. The administrator or implementer is free to choose the server that suits their needs. Some of the most commonly used LDAP servers are OpenLDAP, Apache Directory Server, IBM Tivoli Directory Server, Red Hat Directory Server and many more.

OpenLDAP is one of the most popular open source LDAP servers. It runs on Linux and other Unix-like systems, requires a reasonable amount of proficiency and is mainly administered from the command line, so it is usually used by experienced IT professionals. The Apache Directory Server is another popular implementation. It includes support for Kerberos, a network authentication protocol, and has better management capabilities through Apache Directory Studio.


Active Directory Groups: An explanation

What are Active Directory groups?

Active Directory is a Microsoft technology that implements directory services. It is a feature of Windows Server and one of the most widely used on-premises directory services, providing the functionality to store and manage directory information.

A collection of Active Directory objects is called an Active Directory Group. They may include users, devices, and also groups containing other objects. In other words, groups can be thought of as containers that hold users and other objects as members. In Active Directory, the users are classified into groups based on certain criteria and given access to certain resources. Network maintenance and administration are made easier by allowing the group to be managed as a single object.

Types of groups in Active Directory

The Active Directory groups can be classified into two types. They are the Active Directory security groups and the Active Directory distribution groups. Each group type, in turn, has one of three different group scopes. The group type determines the type of task to be performed, while the group scope determines who can be a member of the group.

What are Security groups in Active Directory?

Active Directory security groups enable administrators to grant permissions and user rights to the members of a group. Rather than assigning permissions to individual members, security groups allow all members of the group to receive the permissions and rights. This is more efficient and simplifies administration. Members can be added to or removed from the group as requirements change. Security groups can also be mail-enabled so that Exchange can deliver email to the group members; such mail-enabled security groups serve as distribution lists and share the capabilities of distribution groups. Mail-enabled groups require their group scope to be set to universal.

Security groups can be used to provide specific group access for certain files and to assign administrative responsibilities to perform tasks. Sensitive information can be protected by restricting access rights using security groups. Various levels of permissions can be granted to different user groups. This allows most employees to be given least privilege, while allowing a select group of employees to be given permission to access and modify certain information. This helps greatly in reducing security threats from both within and outside the organization.

For example, a security group can be created for the board of directors of an organization, using which sensitive financial information will be restricted to only the board members. No other employee will have access to these resources and hence confidential information is secure against threats.

Functions of security groups

Security groups have two major functions. They are:

Assigning user rights: User rights define what the members of the group can do within the domain or forest. Some security groups are automatically assigned user rights for administration purposes. Group policies can also be used to assign user rights for delegating certain tasks.

Assigning permissions for resources: User permissions are different from user rights. Permissions are mainly concerned with resource sharing, as opposed to user rights. They are used to determine who can access the resources, along with the level of access. Permissions for resources should be assigned to the security groups rather than to the individual users.  Default security groups like the Account Operators group and the Domain Admins group are automatically assigned certain permissions.

What are Distribution groups in Active Directory?

Active Directory distribution groups are used with email applications such as Microsoft Exchange Server to send email messages to all the users in the group. All members of the group who have a mailbox on their account receive these messages. Distribution groups are not security-enabled and hence cannot be used to grant access to domain resources. Security groups also possess all the capabilities of distribution groups, but some applications can only read distribution groups. This is why distribution groups are still required, despite having their functions covered by security groups.

Have you ever wondered how emails containing important announcements reach all the employees in an organization? Does the administrator send the email individually to each employee? With distribution groups, all the members of the group are sent the email at once, which greatly simplifies sending mail to large numbers of users. For example, . This is done by adding them to a specific distribution group. Similarly, different distribution groups can be created for various purposes.

Differences between Security and Distribution groups in Active Directory

  • Distribution groups are used if only one-way notifications are required from the central controller. Whereas, security groups are used to allow users to both access and modify data.
  • Distribution groups do not have SIDs, as opposed to security groups. They are used only with email applications and cannot be used to provide access to resources. However, security groups can be used for both purposes.
  • Distribution groups differ from security groups by one bit in the groupType attribute: security groups have the GROUP_TYPE_SECURITY_ENABLED flag (0x80000000) set, distribution groups do not. Because that flag is the sign bit of a 32-bit integer, security groups show negative groupType values (for example -2147483646 for a global security group), while distribution groups show small positive ones (2, 4 or 8 for global, domain local and universal scope).

Active Directory Group Scopes

The scope of a group is used to define the extent to which the group is applied in a domain tree or forest. It is also used to identify which of the users can be included as members of the group. Active Directory defines the following group scopes.

Local groups

Local groups are defined on, and available only to, the specific computer on which they were created. They are stored in the local Security Accounts Manager (SAM) database of that computer, whether or not it is a domain member, and are not Active Directory objects.

Domain local groups

Permissions for resource access are provided using domain local groups, for resources located in the domain in which the domain local group was created. Membership is not limited to that domain: accounts, global groups and universal groups from any domain in the forest (or from a trusted domain) can be added, and at the Windows 2000 native or later domain functional level so can other domain local groups from the same domain. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. These groups are mainly used for assigning permissions and user rights.

Global groups

Users who share similar functions and network access requirements are organized using global groups. Members can be added only from the domain in which the global group was created, but the group can be granted permissions on resources in any domain in the same forest (or in a trusting domain). Global groups can exist in all mixed, native and interim functional levels of domains and forests. Nesting is supported: a global group can be a member of domain local and universal groups, and, at native or later functional levels, of other global groups in its own domain.

Universal groups

Universal groups are stored in their own domain’s partition like any other group, but their membership is also replicated to the global catalog, so adding or removing members triggers forest-wide replication. These groups are typically used for email distribution. They can be granted permissions in any domain in the same forest or in trusting forests.

What are Nested Groups?

Groups that have other groups as members are known as nested groups. When a group is nested within another group, the members of the inner group automatically inherit the rights and permissions granted to the outer group. Nested groups help reduce management overhead. While distribution groups support nesting in both native and mixed mode, security groups support nesting only for domains running in native mode (a Windows 2000 mixed-mode restriction that does not apply to current domain functional levels).

Consider a scenario where an organization has three global groups based on business roles, namely Production, Sales and Accounting, each with a number of users. All the members of these groups need to access a file located in the Sales domain. Without group nesting, each global group has to be granted a separate permission, so the access would be granted three times. If instead a domain local group is created in the Sales domain and all three global groups are added to it, only the domain local group needs the permission: it is added to the file’s Access Control List (ACL) with the required access, and the users receive it through nesting.

When to use domain local, global and universal groups

  • Domain local groups can be used to manage access to resources within a single domain. For instance, when ten users need to be given access to a particular device such as a printer, they can be added to a group with a global scope. A domain local group can be created and given access to the device. The global group is then added to this group, and all the members can now access the device.
  • Global groups can be used to organize users who share similar purposes and access requirements. They can be used to manage the objects that require maintenance on an everyday basis like user and computer accounts. For example, global groups can be created for separate business roles in an organization such as Sales, Accounting, etc.
  • Universal groups can be used to manage permissions for resources that are used across multiple domains. These groups should be used to manage groups with the least changes as the changes will cause Global Catalogue replication. The members can be added to global groups and these can be nested within universal groups. This makes sure that the groups with universal scope are not affected by any changes in membership within the global groups.

Creating Security and Distribution groups in AD

Security groups and distribution groups can be created in Active Directory using the following steps.

  1. Open the Active Directory Users and Computers console and select the container in which you want your new group to be created.
  2. Select New Group.
  3. Enter the name of the group in the Group Name field and enter a description.
  4. Select the group scope from the available options (Domain local, global or universal).
  5. Select the group type as either Security or Distribution based on your requirements.
  6. Select Next and OK to create your group.
  7. After creating the group, the administrators can define additional properties such as adding members and email addresses to the group.

Changing the scope and type of a group in AD

When a new group is created, it is configured as a security group with global scope by default. The scope and type of an existing group can be changed afterwards from the group’s properties in Active Directory Users and Computers (the Group scope and Group type options on the General tab), subject to the following rules.

  1. From Domain local to Universal: This conversion is allowed only if the group does not have any other domain local group as a member.
  2. From Global to Universal: This conversion is allowed only if the group is not a member of another group with global scope.
  3. From Universal to Domain local: This conversion is permitted without any restrictions.
  4. From Universal to Global: This conversion is allowed only if the group does not have any other universal group as a member.

Direct conversion between global and domain local scope is not permitted in either direction; convert the group to universal first and then to the target scope, observing the rules above at each step.
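The nesting scenario above and the scope-conversion rules, expressed as code so they can be checked against real groupType values. This is an added example, not code from the original page; the groups, accounts and the two domains “corp” and “eu” are constructed, while the flag values are the ones Active Directory stores in groupType.

```python
"""AD group types, scopes, nesting and the scope-conversion rules as code.

Added example, not from the original page.  The groups and accounts below are
constructed (hypothetical names in two hypothetical domains, 'corp' and 'eu');
the groupType flag values are the ones Active Directory stores on the attribute.
"""
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000          # bit 31, so security groups read as negative int32 values
SCOPES = {GLOBAL: "global", DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}

PRINCIPALS = {"tom": "corp", "priya": "corp", "ana": "eu"}   # account -> domain (constructed)
GROUPS = {   # name -> domain, raw groupType, direct members (constructed)
    "HR-Staff":        {"domain": "corp", "groupType": -2147483646, "members": ["tom"]},
    "HR-Managers":     {"domain": "corp", "groupType": -2147483646, "members": ["HR-Staff"]},
    "Payroll-Readers": {"domain": "corp", "groupType": -2147483644, "members": ["HR-Managers", "ana"]},
    "All-Announce":    {"domain": "corp", "groupType": 8,           "members": ["HR-Staff", "priya"]},
    "EU-Sales":        {"domain": "eu",   "groupType": -2147483646, "members": ["ana", "tom"]},
}


def decode_group_type(value: int):
    """(kind, scope) for a raw groupType, whether it was read as signed or unsigned."""
    raw = value & 0xFFFFFFFF              # -2147483646 and 0x80000002 are the same bits
    kind = "security" if raw & SECURITY_ENABLED else "distribution"
    scope_bits = raw & (GLOBAL | DOMAIN_LOCAL | UNIVERSAL)
    if scope_bits not in SCOPES:
        raise ValueError("groupType %#x does not carry exactly one scope bit" % raw)
    return kind, SCOPES[scope_bits]


def scope_of(name: str) -> str:
    return decode_group_type(GROUPS[name]["groupType"])[1] if name in GROUPS else "account"


def domain_of(name: str) -> str:
    return GROUPS[name]["domain"] if name in GROUPS else PRINCIPALS[name]


def effective_accounts(name: str, seen=None) -> set:
    """Accounts that end up with whatever an ACE grants to this group, through nesting."""
    seen = seen if seen is not None else set()
    accounts = set()
    for member in GROUPS[name]["members"]:
        if member in GROUPS:
            if member not in seen:            # guard against circular nesting
                seen.add(member)
                accounts |= effective_accounts(member, seen)
        else:
            accounts.add(member)
    return accounts


def membership_violations(name: str) -> list:
    """Members the scope rules do not allow: global = own-domain accounts and global
    groups only; universal = no domain local groups; domain local = domain local
    groups only from its own domain."""
    scope, domain, bad = scope_of(name), domain_of(name), []
    for member in GROUPS[name]["members"]:
        mscope, mdomain = scope_of(member), domain_of(member)
        if scope == "global" and (mdomain != domain or mscope not in ("account", "global")):
            bad.append(member)
        elif scope == "universal" and mscope == "domain local":
            bad.append(member)
        elif scope == "domain local" and mscope == "domain local" and mdomain != domain:
            bad.append(member)
    return bad


def scope_change_blockers(name: str, new_scope: str) -> list:
    """Why a scope change would be refused; an empty list means it is allowed."""
    old = scope_of(name)
    if old == new_scope:
        return []
    if old == "global" and new_scope == "universal":
        return ["member of global group %s" % g for g, info in GROUPS.items()
                if name in info["members"] and scope_of(g) == "global"]
    if old == "domain local" and new_scope == "universal":
        return ["contains domain local group %s" % m for m in GROUPS[name]["members"]
                if scope_of(m) == "domain local"]
    if old == "universal" and new_scope == "global":
        return ["contains universal group %s" % m for m in GROUPS[name]["members"]
                if scope_of(m) == "universal"]
    if old == "universal" and new_scope == "domain local":
        return []
    return ["%s to %s is not a direct conversion; convert to universal first" % (old, new_scope)]


if __name__ == "__main__":
    for name in GROUPS:
        print(name, decode_group_type(GROUPS[name]["groupType"]), membership_violations(name))
    print("Payroll-Readers resolves to", sorted(effective_accounts("Payroll-Readers")))
    print("HR-Staff -> universal:", scope_change_blockers("HR-Staff", "universal"))
```

effective_accounts() is the question an auditor actually asks of a domain local group on an ACL: not who is listed, but who ends up with the access once nesting is followed. The EU-Sales group is deliberately built with a cross-domain member so that membership_violations() has something to report.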

Security Group Challenges and Best Practices

Following certain standard guidelines help overcome the challenges faced while using security groups.

  • Protecting default security groups

When an Active Directory domain is set up, default security groups are created. These groups have to be managed carefully as they carry extensive permissions. Users should be added to them only when required, and Domain Admins membership should be granted temporarily rather than permanently. The built-in domain Administrator account should be secured. The built-in local Administrator account on member computers should be disabled or given a unique, managed password per machine: it has the same well-known relative identifier (RID 500) on every installation, and when it is deployed with the same password across machines, one compromised machine gives an attacker all of them.

  • Using strong passwords

Strong passwords should be required, for example passphrases made of several random words. An account lockout threshold should be configured so that an account is locked after a defined number of failed attempts, set high enough that lockout cannot easily be turned into a denial of service against users. Two-factor authentication should be used for an added layer of protection.

  • Updating Active Directory

All the software on the system must be kept up to date in order to stay protected against vulnerabilities. Patching these vulnerabilities reduces the risk posed by attackers.

  • Maintaining Least Privilege policy

The policy of least privilege means that users are given access only to those resources that are absolutely necessary. This limits the damage a compromised account or insider can do. If everyone is given broad permissions and access, the risk from insider threats increases and it becomes harder to trace a misuse back to its source.

  • Auditing changes

Security threats can be prevented and minimized through proper monitoring and auditing. Any abnormal changes should produce an alert, including failed login attempts and locked out accounts. User access and permissions should be continuously monitored, so as to prevent potential threats to security.


Active Directory fundamentals, and workgroup vs domain: An explanation

What you will learn:

Active Directory is a powerful directory service that allows organizations to manage all their resources, apply security configurations, and keep everything organized in one place. In this article, we will get an introduction to Active Directory and how it is structured, take a look at the five services of Active Directory, and then dive into what are workgroups, domains, and the difference between these two.

What is Active Directory

Active Directory is a directory service provided by Microsoft. A directory service is a hierarchical arrangement of resources which are structured in a way that makes accessing them easy. However, functioning as a locator service is not AD’s exclusive purpose. It also helps organizations have a central administration over all the activities carried out in their networks.

Organizations primarily use Active Directory to perform authentication and authorization. It is a central database that is contacted before a user identity is verified and granted access to a resource or a service. Once the authenticity of the user is verified, Active Directory helps in determining if the user is authorized to use that particular resource or service. If the user checks out on both counts, access is granted. You can learn more about the basics of Active Directory in this article.

The five services of Active Directory

Active Directory (AD) is a set of five services that run on a Windows server to manage permissions and access to network resources. These five services are:

  1. AD Domain Services (AD DS)
  2. AD Lightweight Directory Services (AD LDS)
  3. AD Federation Services (AD FS)
  4. AD Certificate Services (AD CS)
  5. AD Rights Management Services (AD RMS)

Active Directory Domain Services in a nutshell

AD DS is commonly referred to as AD. AD DS is the most deployed component of AD. In a way, AD DS has become synonymous with AD, and when people speak about AD, they’re usually referring to AD DS. If they want to refer to any of the other four services, they explicitly mention that service by name. AD DS is essentially a service for storage of information just like a telephone directory. Let’s use the below table to understand how AD DS functions.

LAST NAME   FIRST NAME   ADDRESS             TELEPHONE NUMBER
Burns       Joe          1 Dorset Place      804 0650
Adams       Marilyn      20 Dundurn Street   391 7683
Rajan       Ranjit       60 Mistdale Cres    691 8967

Imagine each row in the table as a distinct object with information attributes like last name, first name, address, and phone number. In an AD environment, these distinct objects can be users, computers, groups, printers, and more. Each of these objects has characteristics or pieces of information called object attributes. Both the objects and their attributes are stored in AD. AD is extensible, which means that we can add objects and object attributes to it as and when needed.

Is Active Directory a database or a directory service?

Some people consider AD as a database. After all, you can write data to it, retrieve data from it, and store data in it. However, it’s more of a directory than a database since it’s optimized for read operations rather than write operations. While you can add new data to AD, the existing data usually doesn’t undergo many changes. Furthermore, the data in AD is arranged in a logical and hierarchical manner so that finding information is easy. This is just like how a regular directory book organizes contact information by types of business or in alphabetical order.

Structure of Active Directory

When we deploy AD in an organization, we need to consider two sides of its structure:

  1. The logical side: This is the hierarchy of objects such as users, computers, groups, and organizational units. The AD administrator needs to design a logical side that closely mimics how the organization functions and helps them effectively manage their IT infrastructure. Arranging these various objects in a logic that is efficient helps administrators to easily manage permissions (access) and security.
  2. The physical side: When designing the physical side, the administrator needs to consider the servers that provide AD services and contain all the critical directory information. They need to answer questions such as:
  • How will these servers speak to each other and share information?
  • What network links need to be set up so that remote users can be given access?
  • How can users in different locations be directed to the servers?

What is a workgroup in Active Directory?

A workgroup is not part of Active Directory at all: it is a peer-to-peer Windows network with no central authentication. Each computer in a workgroup functions as both client and server and keeps its own local accounts. When a user wants to access another user’s computer, or a shared resource on it such as a file, a matching account with a username and password must exist on that other computer.

What is a domain in Active Directory?

An AD domain, on the other hand, comprises computers in a client-server model. The computers all rely on central servers, the domain controllers, for authentication. Files and folders can also be stored centrally, so a user can access them from any computer in the domain.

Workgroup vs domain

Workgroups are fine for small office networks with 15 or fewer computers. They are not suitable for larger companies with hundreds or thousands of users, because every computer has to maintain its own accounts and it becomes difficult to access files and folders on one computer from another. Simply put, workgroups work for small offices, but they do not scale to big organizations.

So, for big environments, we need to set up a client-server network environment. In Windows, this is achieved by setting up domains. The domain set up ensures better security as we can give varying degrees of permissions for different users or groups of users. Furthermore, we can deploy company-wide policies for easier administration in a domain than a workgroup.


In an AD domain, all logon and access requests by users are handled by a domain controller (DC), a server that runs AD DS. A DC is a centralized server that responds to all such requests and is effectively the security gatekeeper for the network. Both authentication and authorization are done by the DC.

  • Authentication: The client and server authenticate each other to verify who the user or computer is.
  • Authorization: The server determines if the client has the required permissions to access a resource.

Authentication is done with the Kerberos protocol: the user’s password is never sent to the DC. Instead, a key derived from the password encrypts the pre-authentication data in the request, and the DC, which holds the same key in its AD database, verifies that the decryption succeeds before issuing a ticket. NTLM remains as a fallback for clients that cannot use Kerberos. If the credentials check out, the user is logged on to the domain. Authorization is done through Access Control Lists (ACLs). An ACL is a list of permissions attached to an object that specifies which users and groups are allowed access to the object and what operations they may perform. You can learn more about authorization and authentication in this article.
