Directory Services

This post summarizes some standards and implementations of Directory Services.

List of Directory Services

X.500

X.500 is a set of standards related to directory services. One of them is Directory Access Protocol (DAP).

It is based on the OSI (Open Systems Interconnection) model.

X.500 defines four types of objects that can be represented within the directory; they are codified using ASN.1 notation.

You can read this post about the ASN.1 standard.

To add an entry to the directory, several conditions must be met, including:

  • A valid Distinguished Name (DN)
  • Compliance with the directory schema
  • Compliance with the directory hierarchy (the parent entry must exist)
  • The user has the required authorization to add entries

LDAP


Lightweight Directory Access Protocol (LDAP) is a standard, not an implementation.

LDAP was proposed as a simplification of DAP. Instead of implementing all the OSI layers, it runs directly over the TCP/IP stack.

There are different versions of LDAP. As of 2024, the latest is LDAPv3. LDAPv3 adds security features that were lacking in the previous versions, such as encrypted access.

A domain is a collection of subjects and objects that share a common security policy, and individual domains can operate separately from other domains.

A trust is established between the domains to create a security bridge and allow users from one domain to access another domain.

Official web

You can find a list of LDAP enumeration tools in this post.

To add an entry to the directory, several conditions must be met, including:

  • A valid Distinguished Name (DN)
  • Compliance with the directory schema
  • The user has the required authorization to add entries
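As an added example (not code from the original post), the toy in-memory directory below enforces the add conditions listed for both X.500 and LDAP above: a well-formed DN, an authorized caller, an existing parent (hierarchy) and schema compliance, returning LDAP-style result names. The schema table, the admin-only ACL and the sample DNs are constructed for illustration; attribute names in `attrs` are assumed lower-case and no RFC 4514 escaping is handled.

```python
from typing import Dict, List, Tuple

# Constructed toy schema: objectClass -> required attributes (loosely modelled on core LDAP classes).
SCHEMA: Dict[str, set] = {"top": set(), "organizationalUnit": {"ou"}, "inetOrgPerson": {"cn", "sn"}}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=alice,ou=people,dc=example,dc=com' into [(attr, value), ...].
    Attribute types are lower-cased; no RFC 4514 escaping; malformed RDNs raise."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r}")
        rdns.append((attr, value))
    return rdns

def join_dn(rdns: List[Tuple[str, str]]) -> str:
    return ",".join(f"{a}={v}" for a, v in rdns)

class Directory:
    """In-memory DIT that enforces the add conditions listed in the post (toy ACL: admins only)."""
    def __init__(self, suffix: str, admins: List[str]):
        self.entries: Dict[str, dict] = {join_dn(parse_dn(suffix)): {"objectclass": ["top"]}}
        self.admins = {join_dn(parse_dn(a)) for a in admins}

    def add(self, bound_dn: str, dn: str, attrs: dict) -> Tuple[bool, str]:
        """Return (True, 'success') or (False, <LDAP-style result name>)."""
        try:                                              # 1. well-formed Distinguished Names
            rdns, binder = parse_dn(dn), join_dn(parse_dn(bound_dn))
        except ValueError as e:
            return False, f"invalidDNSyntax: {e}"
        if binder not in self.admins:                     # 2. authorization first: no existence leaks
            return False, "insufficientAccessRights"
        if join_dn(rdns[1:]) not in self.entries:         # 3. hierarchy: parent entry must exist
            return False, "noSuchObject"
        if join_dn(rdns) in self.entries:
            return False, "entryAlreadyExists"
        classes = attrs.get("objectclass", [])            # 4. schema: known classes, required attrs
        if not classes or any(c not in SCHEMA for c in classes):
            return False, "objectClassViolation: unknown or missing objectClass"
        missing = set().union(*(SCHEMA[c] for c in classes)) - set(attrs)
        if missing:
            return False, f"objectClassViolation: missing {sorted(missing)}"
        if rdns[0][1] not in attrs.get(rdns[0][0], []):   # the RDN value must be an attribute value
            return False, "namingViolation"
        self.entries[join_dn(rdns)] = attrs
        return True, "success"
```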

List of Directory Services Implementations

  • Active Directory
  • OpenLDAP

Active Directory

Active Directory is a solution by Microsoft that follows the ITU-T X.500 standard.

Do not confuse it with Azure Active Directory.

Active Directory is compatible with LDAP, unlike other Microsoft solutions like Azure Active Directory.

A forest is a collection of AD domains grouped together in a hierarchical structure, sharing a common schema, configuration, and global catalog. This term is exclusive to AD.

Types of trusts within AD:

  • Realm trust: regarding Kerberos realms.
  • Shortcut trust: a transitive trust between parts of a domain tree or forest that shortens the trust path.
  • Forest trust: transitive trust between two forest root domains.
  • External trust: non-transitive trust between AD domains in separate forests.

A transitive trust extends along the trust path beyond the two domains that established it: if domain A trusts B and B trusts C, then A also trusts C, following the way the domain tree is formed.

Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.

OpenLDAP


OpenLDAP is an open-source implementation of LDAP.

Official web

Identity Products

Identity Products:

  • Azure Active Directory
  • Sailpoint

Azure Active Directory

Azure Active Directory, also known as Azure AD, does not use Kerberos authentication; instead, it uses HTTP- and HTTPS-based protocols such as SAML, WS-Federation, and OpenID Connect for authentication.
