Directory Services

This post summarizes some standards and implementations of Directory Services.

List of Directory Services

Directory services featured on this post:

  • X.500
  • LDAP

X.500

X.500 is a set of standards related to directory services. One of them is Directory Access Protocol (DAP).

It is based on OSI (Open Systems Interconnection) model.

It is developed by ITU-T.

X.500 defines 4 types of objects that can be represented within the directory; they are encoded using the ASN.1 notation.

You can read this post about the standard ASN.1.

To add an entry to the directory many conditions should be met, including:

  • A Distinguished Name (DN)
  • Meet directory schema
  • Meet hierarchy
  • User has required addition authorization

Directory System Protocol (DSP)

Directory Access Protocol (DAP)

The Directory System Agent (DSA) is the element that acts as an access point to the directory for users, and it is also responsible for storing and managing part of the directory entries.

LDAP

Lightweight Directory Access Protocol (LDAP) is a standard, not an implementation.

LDAP was proposed as a simplification of DAP. Instead of implementing the full OSI stack, it runs directly over the TCP/IP model.

It was developed by Internet Engineering Task Force (IETF) in 1994.

There are different versions of LDAP. As of 2024, the latest is LDAP v3. LDAP v3 adds security features that were lacking in the previous versions, such as encrypted access.

LDAP v3 uses TLS to establish secure connections.

A domain is a collection of subjects and objects that share a common security policy, and individual domains can operate separately from other domains.

A trust is established between the domains to create a security bridge and allow users from one domain to access another domain.

Official web

You can find a list of LDAP enumeration tools on this post.

A distinguished name (DN) is an absolute path: it identifies an entry uniquely within the whole directory tree.

A relative distinguished name (RDN) is a relative path: it is one component of the DN and identifies the entry only relative to its parent.

To add an entry to the directory many conditions should be met, including:

  • A Distinguished Name (DN)
  • Meet directory schema
  • User has required addition authorization

LDAP Data Interchange Format (LDIF) is an ASCII format that is used to exchange data between an LDAP client and server, or to export directory contents.

Directory Services Markup Language (DSML) is an XML-based representation of directory service information, designed to provide a more flexible and interoperable format compared to the traditional LDIF.

DSML is an OASIS standard. It is less used than LDIF.

LDAP operations:

  • Add
  • Delete
  • Modify
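As an added example (not code from the original post), the following Python checks an LDIF record for an Add operation against the conditions listed above: a well-formed DN split into its RDNs, an existing parent entry in the hierarchy, conformance to the schema, and the binding user's authorization to add. The schema, the existing directory, the authorization table and the LDIF record are constructed toy data.

```python
import re
# Constructed toy data: required attributes per objectClass (schema), the DNs
# that already exist (hierarchy), which bind DN may add under which subtree
# (authorization), and an LDIF record for the entry a client wants to add.
SCHEMA = {"person": {"cn", "sn"}, "organizationalunit": {"ou"}}
DIRECTORY = {"dc=example,dc=com", "ou=people,dc=example,dc=com"}
ADD_RIGHTS = {"cn=admin,dc=example,dc=com": "dc=example,dc=com"}
NEW_ENTRY = """dn: cn=Ana Ruiz,ou=People,dc=example,dc=com
objectClass: person
cn: Ana Ruiz
sn: Ruiz"""

def parse_ldif(text):
    """Parse one LDIF record into (dn, {attr: [values]}); folded lines rejoined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folds long lines with a leading space
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return dn, attrs

def split_rdns(dn):
    """Split a DN into its RDNs; a backslash-escaped comma stays inside its RDN."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def check_add(ldif_text, bind_dn):
    """Return the violated conditions for an LDAP Add; an empty list means allowed."""
    dn, attrs = parse_ldif(ldif_text)
    if not dn or any("=" not in r for r in split_rdns(dn)):
        return ["missing or malformed DN"]
    parent, problems = ",".join(split_rdns(dn)[1:]).lower(), []
    if parent not in DIRECTORY:                                  # hierarchy
        problems.append("parent entry %s does not exist" % parent)
    classes = [c.lower() for c in attrs.get("objectclass", [])]  # schema
    missing = sorted(set().union(*[SCHEMA.get(c, set()) for c in classes]) - set(attrs))
    if not classes or any(c not in SCHEMA for c in classes) or missing:
        problems.append("schema violation: classes %s, missing %s" % (classes, missing))
    subtree = ADD_RIGHTS.get(bind_dn.lower())                    # authorization
    if not subtree or not ("," + dn.lower()).endswith("," + subtree):
        problems.append("%s may not add entries under %s" % (bind_dn, parent))
    return problems
```

A real server evaluates the same conditions from its own schema and access-control configuration; here they are reduced to three small tables so the checks can be read in one place.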

List of Directory Services Implementations

  • Active Directory
  • OpenLDAP
  • Oracle Directory Server
  • Novell NDS eDirectory

Active Directory

Active Directory is a solution by Microsoft that follows the ITU-T X.500 standard.

Do not confuse it with Azure Active Directory.

Active Directory is compatible with LDAP, unlike other Microsoft solutions like Azure Active Directory.

A forest is a collection of AD domains grouped together in a hierarchical structure, sharing a common schema, configuration, and global catalog. This term is exclusive to AD.

Types of trusts within AD:

  • Realm trust: a trust involving Kerberos realms.
  • Shortcut trust: transitive trust between parts of a domain tree or forest that shortens the trust path.
  • Forest trust: transitive trust between two forest root domains.
  • External trust: non-transitive trust between AD domains in separate forests.

A transitive trust means that the trust path follows the way the domain tree is formed: if domain A trusts domain B and B trusts C, then A also trusts C.

Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.

OpenLDAP

OpenLDAP is an open-source implementation of LDAP.

Official web

Metadirectory

A metadirectory is a directory of directory servers.

Examples: Microsoft Identity Integration Server, Critical Path Metadirectory

Metadirectory at Wikipedia

Identity Products

Identity Products:

  • Azure Active Directory
  • Sailpoint

Azure Active Directory

Azure Active Directory, also known as Azure AD, does not use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication.
