
Communication Security: Web Based Services • Chapter 5  343

address. Object classes define what the object represents (i.e., user, computer, and so forth), and a list of what attributes are associated with the object.

Because LDAP is binary, to view the attributes of an object, the information can be represented in LDAP Data Interchange Format (LDIF). LDIF is used to show directory entries in an easy-to-follow format, and is used when requests are made to add, modify, or delete entries in the directory. The following is an LDAP directory entry with several attributes represented in LDIF:

dn: cn=Michael Cross, dc=syngress, dc=com
cn: Michael Cross
givenName: Michael
sn: Cross
telephoneNumber: 905 555 1212
ext: 1234
employeeID: 4321
mail: mcross@nonexist.com
manager: Andrew Williams
objectClass: organizationalPerson
As you can see by this entry, the attributes provide a wide degree of information related to the person represented by the object. By looking at this information, we can see contact information, employee identification numbers, the person's manager, and other data. Other attributes could include the person's Social Security Number or Social Insurance Number, home address, photo, expense account numbers, credit card numbers issued to the person, or anything else the company wished to include. While this example reflects a user account, a similar wealth of information can be found in objects representing computers and printers (which would include IP addresses) and other resources on the network. As stated earlier, while useful to authorized users, it is also useful for unauthorized intruders who could use the information for identity theft, hacking specific computers, or any number of other attacks.
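The paragraph above is the defender's cue to know exactly which attributes an entry exposes before granting broad read access. The following is an added example (not from the book) that parses LDIF as described, including folded lines and base64 values, and reports which attributes of an entry should be covered by directory access controls; the set of attribute names it treats as sensitive is an assumption of the example.

```python
import base64

# Which names count as sensitive is this example's assumption (the book lists no set).
SENSITIVE = {
    "employeeid": "employee identifier",
    "telephonenumber": "contact detail",
    "manager": "reporting structure",
    "homepostaladdress": "home address",
    "creditcardnumber": "payment card",
}

def parse_ldif(text):
    """Parse LDIF into [{attribute: [values]}], handling folded lines (leading
    space), base64 values ('attr:: ...'), comments and blank-line separators."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation: append to previous line
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded:
        if not line.strip():             # blank line terminates an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries

def exposure_report(entry):
    """Return [(attribute, reason)] for attributes that should be ACL-restricted."""
    return sorted((a, SENSITIVE[a]) for a in entry if a in SENSITIVE)

# Constructed sample: the book's entry, shortened, plus one folded line.
SAMPLE_LDIF = """dn: cn=Michael Cross, dc=syngress, dc=com
telephoneNumber: 905 555 1212
employeeID: 4321
manager: Andrew Williams
objectClass: organizationalPerson
homePostalAddress: 123 Example St
 reet
"""
```

Running `exposure_report` over each entry of a directory export gives a checklist of attributes to restrict in the server's access-control rules before the directory is exposed to anonymous or wide-audience binds.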

Securing LDAP

LDAP is vulnerable to various security threats, including spoofing of directory services, attacks against the databases that provide the directory services, and many of the other attack types discussed in this book (e.g., viruses, OS and protocol exploits, excessive use of resources and denial of service, and so forth). This isn't to say that LDAP is completely vulnerable. LDAP supports a number of dif-




                                                                              www.syngress.com