342 Chapter 5 • Communication Security: Web Based Services
tory is laid out. If the hacker can gain access to the directory using LDAP queries, he or she could then use this information to access objects contained in different OUs named after departments on the chart. Using naming conventions internal to the company (such as calling a London base of operations DISTRICT1) or using some creativity in naming schemes (such as calling an OU containing computer accounts WK instead of WORKSTATIONS) will make the hierarchy’s structure less obvious to outsiders. While the organizational chart of a company and geographical locations can be used as a basis for designing the hierarchy, it should not be an easy-to-guess blueprint of the directory and network infrastructure.
Objects, Attributes and the Schema
As mentioned, entries in the directory are used to represent user accounts, computers, printers, services, shared resources, and other elements of the network. These objects are named, and as we discussed with organizational units, each object must have a name that’s unique to its place in the namespace of the hierarchy. Just as you can’t have two files with the same name in a folder on your hard disk, you can’t have two objects with the same name in an OU. The name given to each of these objects is referred to as a common name, which identifies the object but doesn’t show where it resides in the hierarchy.
The common name is part of the LDAP naming convention. Just as a filename identifies a file, and a full pathname identifies its place in a directory structure, the same can be seen in the LDAP naming scheme. The common name identifies the object, but a distinguished name can be used to identify the object’s place in the hierarchy. An example of a distinguished name is the following, which identifies a computer named DellDude that resides in an organizational unit called Marketing in the tacteam.net domain:
DN: CN=DellDude,OU=Marketing,DC=tacteam,DC=net
The distinguished name is a unique identifier for the object, and is made up of several attributes of the object. It consists of the relative distinguished name, which is constructed from some attribute(s) of the object, followed by the distinguished name of the parent object.
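The naming rules described above (leading RDN, then the parent's DN, and no two objects with the same name in one container) as an added example, not code from the book; the DNs in SAMPLE_DNS are constructed around the book's DellDude entry, and the parser assumes single-valued RDNs with RFC 4514 backslash escaping of commas and equals signs.

```python
# Added example (not from the book): split LDAP distinguished names into
# RDNs, derive the common name and the parent DN, and check the rule that
# two objects may not share a name inside the same container (OU).
# Assumes single-valued RDNs ("CN=x", not "CN=x+OU=y") and backslash escapes.
import re
from collections import Counter

# A comma separates RDNs unless it is escaped with a backslash.
_RDN_SEP = re.compile(r'(?<!\\),')

def split_dn(dn):
    """Return the DN as a list of (attribute, value) pairs, leftmost first."""
    rdns = []
    for part in _RDN_SEP.split(dn):
        attr, sep, value = part.strip().partition('=')
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {part!r}")
        value = value.replace('\\,', ',').replace('\\=', '=')  # undo escapes
        rdns.append((attr.strip().upper(), value))
    return rdns

def common_name(dn):
    """Leading RDN value: names the object, says nothing about its location."""
    return split_dn(dn)[0][1]

def parent_dn(dn):
    """Everything after the leading RDN: the DN of the containing object."""
    parts = _RDN_SEP.split(dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ''

def duplicate_names(dns):
    """Return (parent DN, name) pairs used by more than one object.
    Attribute types and cn values compare case-insensitively in LDAP, so the
    check normalises case before counting."""
    counts = Counter((parent_dn(d).upper(), common_name(d).lower()) for d in dns)
    return sorted(key for key, n in counts.items() if n > 1)

SAMPLE_DNS = [  # constructed sample data for the example
    "CN=DellDude,OU=Marketing,DC=tacteam,DC=net",
    "CN=Smith\\, John,OU=Marketing,DC=tacteam,DC=net",  # escaped comma in value
    "CN=delldude,OU=Marketing,DC=tacteam,DC=net",       # clashes with DellDude
    "CN=DellDude,OU=Sales,DC=tacteam,DC=net",           # same name, other OU: fine
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{common_name(dn)!r} lives in {parent_dn(dn)}")
    print("name clashes:", duplicate_names(SAMPLE_DNS))
```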
Each of the attributes associated with an object is defined in the schema. The schema defines the object classes and attribute types, and allows administrators to create new attributes and object classes specific to the needs of their network or company. For example, a “supervisor” attribute in a user account might contain the name of the user’s manager, while a “mail” attribute would contain the user’s e-mail
www.syngress.com