This post summarizes some standards and implementations of Directory Services.
List of Directory Services
X.500
X.500 is a set of standards related to directory services. One of them is Directory Access Protocol (DAP).
It is based on the OSI (Open Systems Interconnection) model.
X.500 defines 4 types of objects that can be represented within the directory; they are encoded using ASN.1 notation.
You can read this post about the ASN.1 standard.
To add an entry to the directory, several conditions must be met, including:
- The entry has a Distinguished Name (DN)
- The entry complies with the directory schema
- The entry fits the directory hierarchy
- The user has the required authorization to add entries
LDAP
Lightweight Directory Access Protocol (LDAP) is a standard, not an implementation.
LDAP was proposed as a simplification of DAP. Instead of implementing all OSI layers, it runs directly over the TCP/IP stack.
There are different versions of LDAP. As of 2024, the latest is LDAPv3. LDAPv3 adds security features that were lacking in previous versions, such as encrypted access.
A domain is a collection of subjects and objects that share a common security policy, and individual domains can operate separately from other domains.
A trust is established between domains to create a security bridge that allows users from one domain to access resources in another domain.
You can find a list of LDAP enumeration tools in this post.
To add an entry to the directory, several conditions must be met, including:
- The entry has a Distinguished Name (DN)
- The entry complies with the directory schema
- The user has the required authorization to add entries
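The add-entry conditions listed above (for X.500 and again for LDAP) are easier to reason about when they are written down as checks. The following is an added illustration, not code from the X.500 standard, from any LDAP server, or from this post: the mini-schema, the directory tree, the DN parsing rules and the `add_allowed` access-control field are all constructed and far simpler than a real directory, and every function name is hypothetical.

```python
"""
Toy model of the conditions for adding a directory entry: a valid DN,
schema compliance, an existing parent (hierarchy) and authorization.
Added illustration only; schema, tree, ACL and DN rules are constructed.
"""

# Constructed mini-schema: object class -> attributes that MUST be present.
SCHEMA = {
    "organization": {"o"},
    "organizationalunit": {"ou"},
    "person": {"cn", "sn"},
}

# Constructed directory tree keyed by normalized DN. "add_allowed" is a
# constructed stand-in for an access-control rule: DNs allowed to add
# child entries under this entry.
DIRECTORY = {
    "o=example": {
        "objectclass": "organization",
        "add_allowed": {"cn=admin,o=example"},
    },
    "ou=people,o=example": {
        "objectclass": "organizationalunit",
        "add_allowed": {"cn=admin,o=example", "cn=hr,ou=people,o=example"},
    },
}


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, most specific first.

    Attribute names are lower-cased and surrounding whitespace is stripped;
    multi-valued RDNs and escaping are out of scope for this toy. Values are
    compared exactly (a real server applies attribute matching rules).
    Raises ValueError for a malformed DN.
    """
    rdns = []
    for component in dn.split(","):
        if "=" not in component:
            raise ValueError(f"malformed RDN {component!r} in {dn!r}")
        attr, value = component.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {dn!r}")
        rdns.append((attr, value))
    return rdns


def normalize_dn(dn):
    """Canonical string form of a DN, used as the DIRECTORY key."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def parent_dn(dn):
    """DN of the entry directly above `dn` in the tree ("" for a root)."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def check_add(dn, attrs, requester):
    """Return the list of reasons the add must be refused (empty = allowed).

    Mirrors the conditions in the post: a valid DN, schema compliance,
    an existing parent entry, and add authorization on that parent.
    """
    errors = []
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [f"dn: {exc}"]

    attrs = {k.lower(): v for k, v in attrs.items()}

    # Schema: known object class, all required attributes present, and the
    # RDN attribute present with the same value as in the DN.
    oc = attrs.get("objectclass", "").lower()
    if oc not in SCHEMA:
        errors.append(f"schema: unknown objectClass {oc!r}")
    else:
        missing = sorted(SCHEMA[oc] - set(attrs))
        if missing:
            errors.append(f"schema: missing required attribute(s) {missing}")
    rdn_attr, rdn_value = rdns[0]
    if attrs.get(rdn_attr) != rdn_value:
        errors.append(f"schema: RDN {rdn_attr}={rdn_value} not present in attributes")

    # Hierarchy: the parent entry must already exist in the tree.
    parent = parent_dn(dn)
    if parent not in DIRECTORY:
        errors.append(f"hierarchy: parent entry {parent!r} does not exist")
        return errors  # no parent, so there is no ACL to evaluate

    # Authorization: the requester must be allowed to add under the parent.
    if normalize_dn(requester) not in DIRECTORY[parent]["add_allowed"]:
        errors.append(f"authorization: {requester!r} may not add entries under {parent!r}")
    return errors


if __name__ == "__main__":
    entry = {"objectClass": "person", "cn": "alice", "sn": "Smith"}
    print(check_add("cn=alice,ou=people,o=example", entry, "cn=admin,o=example"))
```

Each refusal reason is prefixed with the condition it violates, so a log line produced from `check_add` tells a defender whether a failed add was a schema mistake (usually an application bug) or an authorization failure (worth a closer look).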
List of Directory Services Implementations
- Active Directory
- OpenLDAP
Active Directory
Active Directory is Microsoft's directory service; it follows the ITU-T X.500 standard.
Do not confuse it with Azure Active Directory.
Active Directory is compatible with LDAP, unlike other Microsoft solutions like Azure Active Directory.
A forest is a collection of AD domains grouped together in a hierarchical structure, sharing a common schema, configuration, and global catalog. This term is exclusive to AD.
Types of trusts within AD:
- Realm trust: a trust between an AD domain and a non-Windows Kerberos realm.
- Shortcut trust: a transitive trust between parts of a domain tree or forest that shortens the trust path.
- Forest trust: a transitive trust between two forest root domains.
- External trust: a non-transitive trust between AD domains in separate forests.
A transitive trust extends beyond the two domains that established it: if A trusts B and B trusts C, then A also trusts C, so the trust path follows the shape of the domain tree. A non-transitive trust applies only to the two domains that established it.
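The practical difference between transitive and non-transitive trusts, and the effect of a shortcut trust on the trust path, can be shown by resolving access across a small constructed environment. The following is an added example, not code from Microsoft or from this post: the forest layout, the trust table and all function names are constructed assumptions. It models parent-child, shortcut, forest and external trusts; realm trusts are left out because their transitivity is configurable.

```python
"""
Toy trust-path resolver for AD-style trusts. Added illustration with a
constructed forest layout; not a real environment and not Microsoft code.
"""
from collections import deque

# Constructed forests: forest root -> member domains. Domains inside a
# forest are linked by two-way transitive parent-child trusts, derived
# here from the DNS names (hq.corp.example is a child of corp.example).
FORESTS = {
    "corp.example": ["corp.example", "hq.corp.example", "eu.corp.example", "de.eu.corp.example"],
    "partner.test": ["partner.test", "dev.partner.test"],
}

# Constructed trusts across forest boundaries: (trusting, trusted, kind).
# A trust lets principals of `trusted` access resources in `trusting`.
CROSS_TRUSTS = {
    ("corp.example", "partner.test", "forest"),          # two-way forest trust
    ("partner.test", "corp.example", "forest"),          # between the root domains
    ("de.eu.corp.example", "legacy.local", "external"),  # one-way, non-transitive
}

# Constructed two-way shortcut trust inside the corp.example forest.
SHORTCUTS = [("hq.corp.example", "de.eu.corp.example")]


def forest_of(domain):
    """Root of the forest that contains `domain`, or None if unknown."""
    for root, members in FORESTS.items():
        if domain in members:
            return root
    return None


def intra_forest_graph(forest, shortcuts=()):
    """Adjacency of parent-child (plus optional shortcut) trusts in a forest."""
    adj = {d: set() for d in FORESTS[forest]}
    for d in adj:
        parent = d.split(".", 1)[1] if "." in d else ""
        if parent in adj:  # parent-child trusts are two-way
            adj[d].add(parent)
            adj[parent].add(d)
    for a, b in shortcuts:
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def trust_path(src, dst, shortcuts=()):
    """Shortest chain of trusts from src to dst inside one forest (BFS).

    Returns the list of domains on the path, or None if the two domains
    are not in the same forest (forest-internal transitivity does not apply).
    """
    forest = forest_of(src)
    if forest is None or forest_of(dst) != forest:
        return None
    adj = intra_forest_graph(forest, shortcuts)
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(adj[cur]):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def can_access(principal_domain, resource_domain):
    """Whether a principal from one domain can reach resources in another."""
    pf = forest_of(principal_domain) or principal_domain
    rf = forest_of(resource_domain) or resource_domain
    if pf == rf:
        return True  # same forest: transitive parent-child tree covers it
    if (rf, pf, "forest") in CROSS_TRUSTS:
        return True  # forest trust: every domain of both forests, no chaining to a third forest
    if (resource_domain, principal_domain, "external") in CROSS_TRUSTS:
        return True  # external trust: exactly these two domains, nothing beyond
    return False


if __name__ == "__main__":
    print(trust_path("hq.corp.example", "de.eu.corp.example"))
    print(trust_path("hq.corp.example", "de.eu.corp.example", SHORTCUTS))
    print(can_access("legacy.local", "de.eu.corp.example"), can_access("legacy.local", "eu.corp.example"))
```

Running the block shows the four-hop path hq → corp → eu → de collapsing to a single hop once the shortcut trust is present, and that the external trust from `legacy.local` reaches `de.eu.corp.example` but not its parent. Enumerating reach this way is a useful review exercise when auditing which external and forest trusts a domain really needs.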
Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.
OpenLDAP
OpenLDAP is an open-source implementation of LDAP.
Identity Products
Identity Products:
- Azure Active Directory
- Sailpoint
Azure Active Directory
Azure Active Directory, also known as Azure AD, does not use Kerberos authentication; instead, it uses HTTP- and HTTPS-based protocols such as SAML, WS-Federation and OpenID Connect for authentication.
You might also be interested in…
- Network Security
- LDAP Enumeration Tools
- AAA Network Protocols
- Web-based Identity and Access Management Protocols