
Communication Security: Web Based Services • Chapter 5  341

structure, even if one directory server is compromised, only a branch of the tree
(rather than the entire tree) is compromised.

Organizational Units

The hierarchy of an LDAP directory is possible because of the various objects that
make up its structure. These objects represent elements of the network, which are
organized using containers called organizational units (OUs). Each OU can be
nested in other OUs, similar to having subfolders nested in folders on your hard
disk. In the same way the placement of folders on your hard disk makes a directory
structure, the same occurs with OUs and objects in an LDAP directory.
The topmost level of the hierarchy generally uses the domain name system
(DNS) to identify the tree. For example, a company named Syngress might use
syngress.com at the topmost level. Below this, organizational units are used to
identify different branches of the organization or network. For example, you might have
the tree branch off into geographical locations, like PARIS, LONDON, and
TORONTO, or use them to mimic the organizational chart of the company, and
create OUs with names like ADMINISTRATION, RESEARCH, TECHNOLOGY, etc.
Many companies will even use a combination of these methods,
and use the OUs to branch out by geographical location, and then create OUs for
divisions of the company within the OUs representing locations.
To identify the OUs, each has a name that must be unique in its place in the
hierarchy. For example, you can't have two OUs named PRINTERS in a
container named SALES. As with many elements of the directory it is analogous to
the directory structure of a hard disk where you can't have two subfolders with
the same name in the same folder. You can however have OUs with the same
name in different areas of the hierarchy, such as having an OU named
PRINTERS in the SALES container and another OU named PRINTERS in an
OU named SERVICE.
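The following is an added example, not code from the book, that models the hierarchy rules just described: the DNS name (dc=syngress,dc=com) forms the suffix of every distinguished name, OUs nest beneath it, an OU name must be unique among its siblings, and the same name may reappear under a different parent. The OU names (PARIS, SALES, PRINTERS, SERVICE, and so on) are the book's illustrative names; the tree built in build_sample_directory is constructed sample data, and the class and function names are this example's own.

```python
from typing import Dict, List, Optional


class DuplicateRDNError(ValueError):
    """Raised when two sibling entries would share the same relative DN."""


class Entry:
    """One node of the directory tree: an RDN such as 'ou=SALES' plus its parent."""

    def __init__(self, rdn: str, parent: Optional["Entry"] = None) -> None:
        self.rdn = rdn
        self.parent = parent
        self.children: Dict[str, "Entry"] = {}
        if parent is not None:
            parent._attach(self)

    def _attach(self, child: "Entry") -> None:
        # OU names are compared case-insensitively (directoryString syntax),
        # so "Printers" and "PRINTERS" collide under the same parent.
        key = child.rdn.lower()
        if key in self.children:
            raise DuplicateRDNError(f"{child.rdn} already exists under {self.dn()}")
        self.children[key] = child

    def dn(self) -> str:
        """Distinguished name: this RDN first, then each ancestor up to the root."""
        parts: List[str] = []
        node: Optional[Entry] = self
        while node is not None:
            parts.append(node.rdn)
            node = node.parent
        return ",".join(parts)


def add_ou(parent: Entry, name: str) -> Entry:
    """Create an organizational unit called `name` directly under `parent`."""
    return Entry(f"ou={name}", parent)


def can_add_ou(parent: Entry, name: str) -> bool:
    """True if `name` is not already taken by a sibling OU under `parent`."""
    return f"ou={name}".lower() not in parent.children


def all_dns(root: Entry) -> List[str]:
    """Every DN in the subtree rooted at `root`, depth first."""
    result = [root.dn()]
    for child in root.children.values():
        result.extend(all_dns(child))
    return result


def render_tree(entry: Entry, depth: int = 0) -> str:
    """Indented text view of the subtree, one entry per line."""
    lines = ["  " * depth + entry.rdn]
    for child in entry.children.values():
        lines.append(render_tree(child, depth + 1))
    return "\n".join(lines)


def build_sample_directory() -> Entry:
    """Constructed sample tree using the book's illustrative names.

    Mirrors the combined scheme the text describes: the DNS name is the
    suffix, OUs branch by location, then by division within each location.
    """
    com = Entry("dc=com")
    syngress = Entry("dc=syngress", com)
    for city in ("PARIS", "LONDON", "TORONTO"):
        location = add_ou(syngress, city)
        for division in ("ADMINISTRATION", "RESEARCH", "TECHNOLOGY"):
            add_ou(location, division)
    sales = add_ou(syngress, "SALES")
    service = add_ou(syngress, "SERVICE")
    add_ou(sales, "PRINTERS")    # allowed
    add_ou(service, "PRINTERS")  # also allowed: a different parent container
    return syngress


if __name__ == "__main__":
    tree = build_sample_directory()
    print(render_tree(tree))
    sales = tree.children["ou=sales"]
    print("second PRINTERS under SALES allowed?", can_add_ou(sales, "PRINTERS"))
    try:
        add_ou(sales, "printers")
    except DuplicateRDNError as exc:
        print("rejected:", exc)
```

Running the script prints the whole tree and then shows the sibling-uniqueness rule being enforced: the second PRINTERS under SALES is refused even though its case differs, while PRINTERS under SERVICE was accepted. The render_tree output is also a useful reminder that anyone able to list the directory can read the organization's layout straight off it, which is the risk the next paragraph turns to.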
The structure of the LDAP directory is not without its own security risks, as it
can be a great source of information for intruders. Viewing the placement of OUs
can provide a great deal of information about the network structure, showing
which resources are located in which areas of the organization. If an administrator
followed a particular scheme of designing the hierarchy too closely, a hacker could
determine its structure by using information about the organization. For example,
companies often provide their organizational charts on the Internet, allowing
people to see how the company is structured. If an administrator closely followed
this chart in designing a hierarchy, a hacker could speculate how the LDAP direc-




                                                                              www.syngress.com