Tag Archives: Active directory services

An Introduction to Lightweight Directory Access Protocol (LDAP)

What is LDAP?

The Lightweight Directory Access Protocol, commonly known as LDAP, is a communication protocol that is used to access directory servers. In other words, LDAP is used to store, update and retrieve data from a directory structure.

The term “lightweight” is used in comparison with X.500, which was the previous standard for directory services. X.500 was complicated, and it relied on the OSI protocol stack. It could not use the TCP/IP protocol stack. LDAP was hence developed as a lightweight alternative, as it could use the much simpler TCP/IP stack, while simplifying and removing some complicated X.500 operations and features. LDAP has become popular owing to the fact that it is a lightweight, open, and cross-platform protocol.

What is LDAP used for?

To understand the services provided by LDAP, it is necessary to understand what a directory is. A directory is a hierarchical database that is used to store and organize information about objects. The information in a directory is read more often than they are written or updated. This is one of the most important characteristics that set directories apart from relational databases. Hence, directories are optimized to respond to high volume search operations or read requests. A telephone directory or phone book is one of the most common examples that can be used for explaining a directory. Each person is represented using an entry and their contact information is represented using key-value pairs.

LDAP defines a message protocol that is used by directory clients and servers. An LDAP directory can be used to store and access various types of information such as images, text, and binary information. Storage and retrieval of data, authentication of clients and searching for specific data are some of the services provided by a directory service. It can be used in a large organization consisting of thousands of employees, for storing and maintaining information about the employees and resources. Apart from storing information, a directory service also provides authentication and authorization services for users. An organization can also use LDAP for directory services authentication.

For an organization that operates in different parts of the world, there are hundreds of divisions based on business roles and thousands of employees. Using LDAP, all the employee information can be stored and organized in a directory for easier access. For instance, employees in an organization can be categorized based on their departments such as marketing, sales, HR, or more. Using LDAP, the HR manager can be delegated control to the HR tree, and the other trees can be given control to the respective department managers. If the HR manager wants to access an employee’s record for changing the salary details, the authorization and access is made easier using LDAP.

What is the difference between Active Directory and LDAP?

LDAP is a protocol that forms the basis for different directory services and access management solutions. These directory services understand and use LDAP. Active Directory is a directory services implementation developed by Microsoft that is used to provide services such as authentication, group and user management, policy administration, etc. It is a directory service that supports LDAP, which means directory access in Active Directory is performed by means of LDAP. While Active Directory is just one such example, there are many directory services like OpenLDAP that support the protocol.

Just like how SMTP and IMAP are the protocols that are used to send and receive emails, while Gmail is the email application that uses the protocol. LDAP is a protocol on which Active Directory is based. In simpler terms, just like how SMTP is a way of speaking to the email application, LDAP is a means of speaking to Active Directory.

Directory Structure of LDAP

Figure.1 LDAP Directory Structure

The directory structure can be used to explain how data is stored and accessed in LDAP. Data in LDAP is stored in objects. The objects contain a set of attributes, which are a set of key-value pairs. The set of attributes that an object may contain is defined using a class.   

In LDAP, a collection of objects are organized in a hierarchical tree structure called the directory information tree (DIT). It is analogous to a tree with the trunk being the directory root, with the branches and leaves being objects. The tree can contain information in both leaf and non-leaf nodes. The root element is present at the top of the hierarchy, and it is entirely conceptual.

What are the components that make up LDAP?

An LDAP directory information tree (DIT) is made up of several components, listed as follows.

Entries: The objects that make up the DIT are called entries, and they have specific positions within the hierarchy. The objects are of two types:

  • Container objects
  • Leaf objects

Each entry has three components namely a Distinguished Name (DN), a collection of attributes, and a collection of objects.

Distinguished Name (DN): The Distinguished Name (DN) acts as the unique identifier for each entry. The value of the DN is the position of an object in the tree. It identifies the entry and its position on the Directory Information Tree (DIT). The DN is made up of attribute=value pairs such as:cn=Tom, ou=people, o=zoho, c=india

Attributes: Attributes are used to describe the object and they are defined as key-value pairs. A standard set of attributes are defined according to LDAP specifications that are used commonly. A collection of attributes are used to define an entry. The attributes are defined in a schema. Attribute names are in the form of strings such as, “cn” for common name, “dc” for domain component, “ou” for organizational unit or “mail” for email address.

The Distinguished Names (DNs) are made up of elements called Relative Distinguished Names (RDNs). The RDNs are derived from the attributes of the entries in the LDAP directory. They take the form of <attribute name> = <value>.

Object Classes: A collection of attributes make up an object class. Associated attributes are grouped together to make it easier to describe things. For example, objectClass: person. Object classes are of two types, namely structural or auxiliary.

Schema: A schema is constructed using objectClass definitions and attribute definitions. It is a set of rules that define the structure of the DIT and the kind of information that the server can hold. Many different schemas can exist for the same DIT.

LDAP Architecture:

As mentioned earlier, LDAP is a communication protocol that is used to define the content of messages exchanged between directory clients and servers. These messages specify the operations that are requested by the client and the responses from the server, including the format of data. Examples of the requested operations include search, modify, add and delete. The messages are carried over the TCP/IP protocol stack.

In the previous example, it was mentioned that the HR Manager wanted to access an employee’s record for changing the salary details. How exaclty does the procedure take place? Here, the Sales Manager is the LDAP client that interacts with the LDAP server.

An interaction between the LDAP client and LDAP server takes place in the following manner.

  1. The first step is known as binding, where the client establishes a session with the LDAP server. The client also specifies the host name or IP address and the TCP/IP port number where the server listens.
  2. The client can then provide a user name and password to the server for authentication, or establish an anonymous session with default access rights. A session with stronger security measures such as data encryption can also be established.
  3. The client performs operations on the directory data. Read, update and search capabilities are offered by LDAP. Searching is one of the most common operations in LDAP.
  4. Once the client completes making requests, it closes the session with the server which is known as unbinding.

Thus, the authorized personnel are able to access and modify entries in the directory using the procedure mentioned above.

LDAP Operations:

Some of the operations defined by LDAP for accessing and modifying entries are binding and unbinding, searching, adding and deleting entries, modifying entries and comparing entries.

The basic LDAP operations are described as follows.

  1. Bind: The LDAP bind operation is used to establish a session between the client and server and to authenticate a user.
  2. Unbind: The unbind operation is used to close the connection to the server, after the requested operation has been performed.
  3. Search: The search operation is used to find and retrieve directory entries matching the specified criteria.
  4. Compare: The compare operation is used to check whether an entry has a specified attribute value.
  5. Add: The add operation is used for creating new entries in the directory
  6. Delete: The delete operation is used for removing certain entries from the directory
  7. Modify: The modify operation is used to change an entry in the directory
  8. Modify DN: The modify DN operation can be used to change the Distinguished Name of an entry in the directory.
  9. Abandon: The abandon operation is used to request the server to stop processing an operation which was requested previously.

Extended: This operation is used to request a process that is not defined by any of the other operations.

LDAP Models:

The LDAP models describe the different features of the directory and the services provided by the server. LDAP is based on four models, which are explained as follows:

  1. Information model

The information model describes the way in which information stored in a directory is structured and organized. An entry is the basic unit of information that is stored in a directory. They are made up of a collection of attributes containing information about the object. Each attribute has a certain number of values, where the kind of values that can be stored is defined by the syntax. For example, entries might be people, organizations or servers and the attributes might be name, telephone number, etc.  

  1. Naming model

The naming model defines the way in which the entries are organized and identified. The entries are organized in a hierarchical tree structure called the Directory Information Tree (DIT). Each entry is identified by a unique name called the Distinguished Name (DN), which is composed of a sequence of Relative Distinguished Names (RDN).

  1. Functional model

The functional model describes the various functions and operations that can be performed in the LDAP directory. Under this model, the operations are grouped into three categories, based on the functions they are used to perform.

  1. Authentication

This includes the operations that are used to establish and terminate connections with an LDAP server. It consists of the Bind, Unbind and Abandon operations.

  1. Query

This includes operations that are used to retrieve information from the directory. It consists of the Search and Compare operations.

  1. Update

This includes the operations that are used to make changes to the entries stored in the directory. It consists of the Add, Delete, Modify and ModifyDN operations.

  1. Security model

The security model defines the way in which information in a directory can be protected from unauthorized access. This model is largely based on the Bind operation, which forms an important part of authentication. This operation can be performed in several ways, allowing the security mechanisms to be applied in different ways.

Security and Authentication in LDAP

While managing a directory that contains information about an organization and its employees, security is of great importance. When security mechanisms are not in place, the directory becomes vulnerable to threats from both within and outside the organization. For example, the salary records of an employee should be accessible only to the concerned HR manager. If it was made available to everyone in an organization, the data possesses risk of being tampered with. This is why security mechanisms should be employed. The term security includes aspects such as authentication, authorization, integrity and confidentiality. Security is maintained in LDAP using the following methods.

  1. No authentication

This is the simplest method and is supposed to be used only when security is not of much importance. This is used when access control permissions are not required, and if the data can be accessed by anyone. For example, this can be used for a directory where the list of employees in an organization can be accessed by anyone. When the DN and password fields are left empty, an anonymous session is assumed by the LDAP server. Hence the required access control is given to the client.

  1. Basic authentication

This method provides the basic level of security which is incorporated in web-based protocols. The client is required to provide a DN and password, following which they are   authenticated by the server. The problem with using this method is that the password can be read from the network. While this provides the minimum level of security, it is not meant to be used for securing highly confidential information.

  1. Simple Authentication and Security Layer (SASL)

The SASL is a framework that is used to add additional authentication mechanisms to the connection oriented protocols. The LDAP version 2 did not support SASL, as a result of which it was added to version 3. Here, the client and server exchange data for authentication and a security layer is established. Subsequent communication is carried out over this layer. SASL supports pluggable authentication; hence the client and server are allowed to negotiate and use any type of authentication that is required.

LDAP server implementations                                                          

Since LDAP is an open protocol, there are several different implementations available. An LDAP server can be chosen based on an organization’s requirements. The administrator or implementer is free to choose the operations of the server, according to their needs. Some of the most commonly used LDAP servers are OpenLDAP, Apache Directory Server, IBM Tivoli Directory Server, Red Hat Directory Servers and many more.       

OpenLDAP is one of the most popular open source LDAP servers available. It was developed for Linux based systems. It requires a reasonable amount of proficiency and is mainly used at the command line. Hence it is usually used by experienced IT professionals.The Apache Directory Server is another popular implementation of LDAP. It includes support for Kerberos, which is a network authentication protocol. It has better management capabilities with the Apache Directory Studio.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

What is Azure Active Directory?

Azure Active Directory: Introduction

Azure Active Directory is a multi-tenant, cloud-based directory and identity management service provided by Microsoft. It offers identity and access capabilities for applications running in both Microsoft Azure and in an on-premises environment. It is the foundation for Office 365 and other SaaS applications; users are allowed to sign in and access the resources in these applications. As it is entirely cloud based, it offers more flexibility; hence it can act as an organization’s only directory and can also be synced with an on-premises directory.

What is Azure Active Directory used for?

In Azure Active Directory core directory services, access management and identity protection are integrated into a single solution. In a large organization containing thousands of employees, each employee may need to access certain applications and services to perform their tasks. In the absence of Azure AD, the administrator has to provide a separate user ID and password for each application.

For example, a sales manager may need to access a folder containing inventory details, a database containing consumer information and a printer. Without Azure Active Directory, the IT administrator would have to provide a separate set of login credentials such as a user id and password to access each of these resources. This becomes a tedious process if this has to be done in an organization containing thousands of employees. However, with Azure Active Directory, multiple user logins can be handled without any issues. A single set of login credentials is sufficient to access all the services required by the employee. This is enhanced by features such as single sign-on (SSO), multi-factor Authentication (MFA) and conditional access which helps maintain security and ease of access.

Who can use Azure AD?

Azure AD consists of three different types of service audiences namely IT administrators, application developers and online customers.

  • The IT administrators are responsible for authentication and sign-in procedures.
  • Applications are built by the application developers using these services.
  • The online customers use the services provided to them and their needs are taken care of by the service provider.

The service audience can choose an Azure Active Directory plan that works best for their requirements.  

How does Azure AD differ from Windows AD?

While Windows Active Directory is an on-premises directory service, Azure AD Besides the contrast in on-premise and cloud location, there are many other differences listed as follows.

Windows AD is made up of components like organizational units, forests and domains. It uses the Lightweight Directory Access Protocol (LDAP) for communication. It uses Kerberos and NTLM for the process of authentication. It uses Group Policy (GPOs) or other on-premise server management systems and is incapable of managing mobile devices.

Azure AD is composed of a flat directory structure of users and groups, where the instances are called “tenants”. It uses Representational State Transfer (REST) APIs for communication with other web-based services. Cloud based protocols like OAuth2, SAML and WS-Security are used for authorization and authentication. Azure Policy and Azure AD Domain Services are used for managing servers. It is capable of managing mobile devices.

Users and Groups in Azure AD

Users and groups are the basic components that make up Azure Active Directory. Azure resources can only be accessed by users with an Azure user account. This account contains all the authentication information of the user, which is required during the sign-on process. An access token is built after the process of authentication to determine the resources that can be accessed by the user. Users are generally defined in three ways in Azure AD. They are:

  • Administrator users
  • Member users
  • Guest users

Each type of user has a specific level of access. Administrators have the highest level of access followed by members, and the guest users have the lowest level of access.

In Azure Active Directory, users can be organized together to form a group, where the groups behave alike. It is easier to manage permissions using Microsoft Azure AD groups as they may be granted at the group level to make processes like authentication and deactivation easier. Users may either be sourced from an account in Azure AD or from an account in Microsoft. Two different types of groups may be defined in Azure AD. They are:

  • Security groups: These groups can be used to manage and provide access to resources that are shared by a group of users. A security group allows all the members of the group to be provided permissions at once, instead of giving permissions to each member individually. This group may contain users, devices, service principals and other groups as its members.
  • Microsoft 365 groups: This type of group can be used to allow members to access shared Microsoft services such as mailbox, files, calendar, etc. Even external users can be added as members. Unlike security groups, these groups only allow users to be members.

Adding users and groups to Azure AD

Users and groups may be added to Azure AD in the following ways:

  • Syncing users from Windows AD to Azure AD using Azure AD Connect.
  • Adding users manually with the help of Azure Management Portal.
  • Scripting the process with Azure Active Directory PowerShell to add new users.
  • Programming the process using Azure AD Graph API.

The following steps define how to create a basic group in Azure Active Directory and add members to the group.

  1. Sign in to the Azure Portal using a Global Administrator account and select Azure Active Directory.
  2. Once you enter the Azure Active Directory page, select Groups–>New Group, to create a new group.
  3. Enter the required information on the New Group panel such group type, group name, group email address and the group description.
  4. Select a Membership type from the available options such as Assigned, Dynamic user and Dynamic device.
  5. Select Create to create the group and add members.
  6. In the Group page, select the Members option and add members to the group from the Select Members page.
  7. After adding the members, choose the Select option to complete the process.
  8. The members who are added to the group are displayed in the Group Overview page.

Access Management in Azure AD

In Azure AD, access rights can be given to users or groups to use the organization’s resources. Instead of providing access individually, the administrator or resource owner can provide access permissions to the group as a whole. Management rights can also be given to a member of the group, allowing them to add and remove the group members.

Access rights can be provided to users in the following ways.

  1. Direct assignment: The resource is assigned directly to the user, by the resource owner.
  2. Group assignment: The resource is assigned to a group by the owner, which allows all the members of the group to access the resource.
  3. Rule-based assignment: The resource is assigned to the users based on a rule specified by the resource owner. These rules are based on certain attributes assigned to the users.
  4. External authority assignment: The access to the resource is provided by an external source, such as an on-premises directory.

Security in Azure AD

Security can be maintained in Azure Active Directory by performing certain security defaults that are mentioned as follows. This helps protect the organization against both internal and external threats.

  • All users should be required to perform Multi-factor Authentication (MFA).
  • Privileged activities like the Azure portal access should be protected.
  • Legacy authentication protocols should be blocked.

Security defaults can be enabled using the following steps.

  1. Sign in to the Azure portal as a security administrator, global administrator or a Conditional Access administrator and select Azure Active DirectoryàProperties.
  2. Select Manage security defaults and choose the Yes option for Enable security defaults.
  3. Finalize by selecting the Save option.

They can be disabled by following similar steps as mentioned above, and selecting the No option in step 3.

Azure Active Directory Pros and Cons

Azure AD provides high availability and strong security measures. Multi-factor Authentication, Privileged Identity Management and Conditional Access provide an extra layer of security against risks and threats. It is highly flexible and scalable, and is entirely cloud-based. Features like Single Sign-on offer ease of access. On the other hand, Azure AD requires some expertise in managing Microsoft Azure which includes server monitoring and patching. While the single solution offered by Azure AD increases the ease of access, it also increases the risks associated.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Active Directory fundamentals, and workgroup vs domain: An explanation

What you will learn:

Active Directory is a powerful directory service that allows organizations to manage all their resources, apply security configurations, and keep everything organized in one place. In this article, we will get an introduction to Active Directory and how it is structured, take a look at the five services of Active Directory, and then dive into what are workgroups, domains, and the difference between these two.

What is Active Directory

Active Directory is a directory service provided by Microsoft. A directory service is a hierarchical arrangement of resources which are structured in a way that makes accessing them easy. However, functioning as a locator service is not AD’s exclusive purpose. It also helps organizations have a central administration over all the activities carried out in their networks.

Organizations primarily use Active Directory to perform authentication and authorization. It is a central database that is contacted before a user identity is verified and granted access to a resource or a service. Once the authenticity of the user is verified, Active Directory helps in determining if the user is authorized to use that particular resource or service. If the user checks out on both counts, access is granted. You can learn more about the basics of Active Directory in this article.

The five services of Active Directory

Active Directory (AD) is a set of five services that run on a Windows server to manage permissions and access to network resources. These five services are:

  1. AD Domain Services (AD DS)
  2. AD Lightweight Directory Services (AD LDS)
  3. AD Federation Services (AD FS)
  4. AD Certificate Services (AD CS)
  5. AD Rights Management Services (AD RMS)

Active Directory Directory Service in a nutshell

AD DS is commonly referred to as AD. AD DS is the most deployed component of AD. In a way, AD DS has become synonymous with AD, and when people speak about AD, they’re usually referring to AD DS. If they want to refer to any of the other four services, they explicitly mention that service by name. AD DS is essentially a service for storage of information just like a telephone directory. Let’s use the below table to understand how AD DS functions.

BurnsJoe1 Dorset Place804 0650
AdamsMarilyn20 Dundurn Street391 7683
RajanRanjit60 Mistdale Cres691 8967

Imagine each row in the table as a distinct object with information attributes like last name, first name, address, and phone number. In an AD environment, these distinct objects can be users, computers, groups, printers, and more. Each of these objects has characteristics or pieces of information called object attributes. Both the objects and their attributes are stored in AD. AD is extensible, which means that we can add objects and object attributes to it as and when needed.

Is Active Directory a database or a directory service?

Some people consider AD as a database. After all, you can write data to it, retrieve data from it, and store data in it. However, it’s more of a directory than a database since it’s optimized for read operations rather than write operations. While you can add new data to AD, the existing data usually doesn’t undergo many changes. Furthermore, the data in AD is arranged in a logical and hierarchical manner so that finding information is easy. This is just like how a regular directory book organizes contact information by types of business or in alphabetical order.

Structure of Active Directory

When we deploy AD in an organization, we need to consider two sides of its structure:

  1. The logical side: This is the hierarchy of objects such as users, computers, groups, and organizational units. The AD administrator needs to design a logical side that closely mimics how the organization functions and helps them effectively manage their IT infrastructure. Arranging these various objects in a logic that is efficient helps administrators to easily manage permissions (access) and security.
  2. The physical side: When designing the physical side, the administrator needs to consider the servers that provide AD services and contain all the critical directory information. They need to answer questions such as:
  • How will these servers speak to each other and share information?
  • What network links need to be set up so that remote users can be given access?
  • How can users in different locations be directed to the servers?

What is a workgroup in Active Directory?

An AD workgroup is a peer-to-peer network with no central authentication. Each computer in a workgroup functions as both a client and a server. When a user in an AD workgroup wants to access another user’s computer or even a shared resource like a file, they need to create their username and password on the other user’s computer.

What is a domain in Active Directory?

An AD domain on the other hand comprises of computers on a client-server model. The computers are all connected to a central server which provides the authentication services. Files and folders are also stored centrally so a user can access those files from any computer.

Workgroup vs domain

Workgroups are great for small office networks with 15 or less computers. However, they aren’t ideal for larger companies with hundreds or thousands of users, as it will become difficult to access files and folders of one computer with another computer. SImply put, AD workgroups are fine for small offices, but they are not efficient in scaling to big organizations.

So, for big environments, we need to set up a client-server network environment. In Windows, this is achieved by setting up domains. The domain set up ensures better security as we can give varying degrees of permissions for different users or groups of users. Furthermore, we can deploy company-wide policies for easier administration in a domain than a workgroup.

In an AD domain, all login and access requests by users are managed by a domain controller (DC) that runs AD. A DC is a centralized server that responds to all such requests, and is effectively a security gatekeeper for the network. Both authentication and authorization are done by the DC.

  • Authentication: The client and server authenticate each other to verify who the user or computer is.
  • Authorization: The server determines if the client has the required permissions to access a resource.

Authentication is done through usernames and passwords (along with a process of encryption). The DC will check in its AD database to authenticate users requesting access to the domain. If the user’s credentials match the information contained in AD, they are allowed to log on to the network. Authentication is completed using the Kerberos authentication protocol. Authorization is done through Access Control Lists (ACLs). An ACL is a list of permissions attached to an object and it also specifies which users are allowed access to the object, and what operations they can do. You can learn more about authorization and authentication in this article.

1 Star2 Stars3 Stars4 Stars5 Stars (6 votes, average: 4.00 out of 5)