Directory Services

This post summarizes some standards and implementations of Directory Services.

List of Directory Services

X.500

X.500 is a set of standards related to directory services. One of them is the Directory Access Protocol (DAP).

It is based on the OSI (Open Systems Interconnection) model.

X.500 defines 4 types of objects that can be represented within the directory and are codified using the ASN.1 notation.

To add an entry to the directory, several conditions must be met, including:

  • The entry has a Distinguished Name (DN)
  • The entry conforms to the directory schema
  • The entry fits into the existing hierarchy (its parent exists)
  • The user is authorized to add entries at that point in the tree

LDAP

Lightweight Directory Access Protocol (LDAP) is a standard, not an implementation.

LDAP was proposed as a simplification of DAP. Instead of implementing the full OSI stack, it runs directly over the TCP/IP model.

There are different versions of LDAP. As of 2024, the latest is LDAP v3. LDAP v3 adds security features that were lacking in previous versions, such as encrypted access.

A domain is a collection of subjects and objects that share a common security policy, and individual domains can operate separately from other domains.

A trust is established between domains to create a security bridge that allows users from one domain to access resources in another domain.

Official web

You can find a list of LDAP enumeration tools on this post.

To add an entry to the directory, several conditions must be met, including:

  • The entry has a Distinguished Name (DN)
  • The entry conforms to the directory schema
  • The user is authorized to add entries at that point in the tree
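The add-entry preconditions listed above for X.500 and for LDAP (a valid DN, schema conformance, a place in the hierarchy, and an authorized requester) can be made concrete with a small in-memory directory. The following is an added example, not code from the post or from any LDAP server; its schema, access-control list, domain names and entries are all constructed, and the DN parser deliberately ignores multi-valued RDNs.

```python
"""Toy directory that enforces the four add-entry preconditions from the post.

Added example (not from the post or any real LDAP implementation). The SCHEMA,
ACL and every DN below are constructed for the demo. Attribute names are
lower-cased throughout; attribute values are lists, as in LDAP.
"""

# Constructed schema: objectClass -> attributes that MUST be present.
SCHEMA = {
    "domain": {"dc"},
    "organizationalUnit": {"ou"},
    "inetOrgPerson": {"cn", "sn", "uid"},
}

# Constructed ACL: requester DN -> set of parent DNs under which it may add entries.
ACL = {
    "cn=manager,dc=example,dc=com": {"dc=example,dc=com", "ou=people,dc=example,dc=com"},
    "uid=alice,ou=people,dc=example,dc=com": set(),
}


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, most specific first.
    Backslash-escaped commas are honoured; '+' multi-valued RDNs are not modelled."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"invalid RDN {rdn!r} in DN {dn!r}")
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in RDN {rdn!r}")
        out.append((attr, value))
    return out


def normalize_dn(dn):
    """Canonical string form used as a dictionary key."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def parent_dn(dn):
    """Normalized DN of the parent entry, or '' if the DN has a single RDN."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


class Directory:
    def __init__(self, root_dn, root_attrs):
        # The base entry is installed out of band, like a server's configured suffix.
        self.entries = {normalize_dn(root_dn): root_attrs}

    def add(self, requester_dn, dn, attrs):
        """Apply the preconditions in order; return a rejection reason or None on success."""
        # 1. A syntactically valid DN that is not already in use.
        try:
            key = normalize_dn(dn)
        except ValueError as e:
            return f"invalid DN: {e}"
        if key in self.entries:
            return "entry already exists"
        # 2. Schema conformance: known objectClasses, required attributes, RDN present in entry.
        classes = attrs.get("objectclass", [])
        if not classes:
            return "schema violation: no objectClass"
        for oc in classes:
            if oc not in SCHEMA:
                return f"schema violation: unknown objectClass {oc}"
            missing = SCHEMA[oc] - set(attrs)
            if missing:
                return f"schema violation: {oc} requires {sorted(missing)}"
        rdn_attr, rdn_value = parse_dn(dn)[0]
        if rdn_value not in attrs.get(rdn_attr, []):
            return "schema violation: RDN attribute/value not present in entry"
        # 3. Hierarchy: the parent entry must already exist.
        parent = parent_dn(dn)
        if not parent:
            return "cannot add a second root entry"
        if parent not in self.entries:
            return f"no such parent: {parent}"
        # 4. Authorization: the requester may add under that parent.
        if parent not in ACL.get(normalize_dn(requester_dn), set()):
            return "insufficient access"
        self.entries[key] = attrs
        return None


def demo():
    """One accepted add per condition plus one rejection per condition; returns the reasons."""
    d = Directory("dc=example,dc=com", {"objectclass": ["domain"], "dc": ["example"]})
    manager = "cn=manager,dc=example,dc=com"
    alice = "uid=alice,ou=people,dc=example,dc=com"
    person = lambda uid, **extra: {"objectclass": ["inetOrgPerson"], "cn": [uid], "uid": [uid], **extra}
    return [
        d.add(manager, "ou=people,dc=example,dc=com", {"objectclass": ["organizationalUnit"], "ou": ["people"]}),
        d.add(manager, "uid=bob,ou=people,dc=example,dc=com", person("bob", sn=["Builder"])),
        d.add(alice, "uid=carol,ou=people,dc=example,dc=com", person("carol", sn=["Danvers"])),
        d.add(manager, "uid=dave,ou=staff,dc=example,dc=com", person("dave", sn=["Grohl"])),
        d.add(manager, "uid=eve,ou=people,dc=example,dc=com", person("eve")),
        d.add(manager, "bogus", person("bogus", sn=["x"])),
    ]
```

Running `demo()` shows the order in which a server rejects a request: a malformed DN is refused before the schema is consulted, a schema violation before the parent is looked up, and a missing parent before access control is evaluated, so an unauthorized requester does not learn anything from the error beyond "insufficient access".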

List of Directory Services Implementations

  • Active Directory
  • OpenLDAP

Active Directory

Active Directory is a solution by Microsoft that follows the ITU-T X.500 standard.

Do not confuse it with Azure Active Directory.

Active Directory is compatible with LDAP, unlike other Microsoft solutions like Azure Active Directory.

A forest is a collection of AD domains grouped together in a hierarchical structure, sharing a common schema, configuration, and global catalog. This term is exclusive to AD.

Types of trusts within AD:

  • Realm trust: a trust between an AD domain and a non-Windows Kerberos realm.
  • Shortcut trust: transitive trust between two domains in the same domain tree or forest that shortens the trust path.
  • Forest trust: transitive trust between two forest root domains.
  • External trust: non-transitive trust between AD domains in separate forests.

A transitive trust extends along the trust path as the domain tree is formed: if A trusts B and B trusts C, then A trusts C. A non-transitive trust applies only between the two domains that established it.
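The difference between transitive and non-transitive trusts determines which domains a user can reach. The following added example (not from the post; the domain names and trust list are constructed) walks a trust graph from the domain holding a resource to the domain holding the account. It models the rules as this post states them, plus one refinement: a forest trust is transitive across the two forests but is not chained into a third forest, so a path may cross at most one forest trust. Trusts are stored as one-way "trusting -> trusted" edges, with a two-way trust written as two edges.

```python
"""Find the trust path along which a user may access a resource in another domain.

Added example, not from the post. Domains and trusts are constructed.
Rules modelled: transitive trusts (parent-child, shortcut, forest) can be chained,
a forest trust may appear at most once in a path, and a non-transitive trust
(external) is only usable as the single, direct hop between its two domains.
"""
from collections import deque

# Constructed trust list: (trusting_domain, trusted_domain, kind, transitive)
TRUSTS = [
    ("corp.example", "eu.corp.example", "parent-child", True),
    ("eu.corp.example", "corp.example", "parent-child", True),
    ("corp.example", "dev.corp.example", "parent-child", True),
    ("dev.corp.example", "corp.example", "parent-child", True),
    ("corp.example", "partner.test", "forest", True),
    ("partner.test", "corp.example", "forest", True),
    ("partner.test", "lab.partner.test", "parent-child", True),
    ("lab.partner.test", "partner.test", "parent-child", True),
    ("partner.test", "third.example", "forest", True),
    ("third.example", "partner.test", "forest", True),
    # One-way external trust: dev.corp.example trusts legacy.local, not vice versa.
    ("dev.corp.example", "legacy.local", "external", False),
]


def build_graph(trusts):
    """Adjacency list: trusting domain -> [(trusted domain, kind, transitive)]."""
    g = {}
    for trusting, trusted, kind, transitive in trusts:
        g.setdefault(trusting, []).append((trusted, kind, transitive))
        g.setdefault(trusted, [])
    return g


def trust_path(trusts, resource_domain, account_domain):
    """Return the list of domains from resource_domain to account_domain over which
    trust flows (so an account in account_domain can be granted access to a resource
    in resource_domain), or None if no valid path exists.
    The walk starts at the resource's domain because that domain must trust the account's."""
    g = build_graph(trusts)
    if resource_domain not in g or account_domain not in g:
        return None
    # A direct trust of any kind (including non-transitive) always works.
    for trusted, _kind, _transitive in g[resource_domain]:
        if trusted == account_domain:
            return [resource_domain, account_domain]
    # Otherwise breadth-first search over transitive edges only, tracking whether a
    # forest trust has already been crossed so we never chain two of them.
    start = (resource_domain, False)
    parents = {start: None}
    queue = deque([start])
    while queue:
        domain, used_forest = queue.popleft()
        if domain == account_domain:
            path, node = [], (domain, used_forest)
            while node is not None:
                path.append(node[0])
                node = parents[node]
            return path[::-1]
        for trusted, kind, transitive in g[domain]:
            if not transitive:
                continue  # external trusts cannot be chained
            if kind == "forest":
                if used_forest:
                    continue  # second forest hop is not allowed
                state = (trusted, True)
            else:
                state = (trusted, used_forest)
            if state not in parents:
                parents[state] = (domain, used_forest)
                queue.append(state)
    return None


if __name__ == "__main__":
    for res, acct in [("eu.corp.example", "lab.partner.test"), ("corp.example", "legacy.local"),
                      ("corp.example", "third.example"), ("legacy.local", "dev.corp.example")]:
        print(f"{acct} -> {res}: {trust_path(TRUSTS, res, acct)}")
```

Reading the output from a defender's side: an account in `lab.partner.test` can reach `eu.corp.example` through four domains even though no trust was ever configured between those two, which is why a single forest trust deserves the same review as a direct trust, while the one-way external trust confines `legacy.local` accounts to `dev.corp.example` alone.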

Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.

OpenLDAP

OpenLDAP is an open-source implementation of LDAP.

Official web

Identity Products

  • Azure Active Directory
  • Sailpoint

Azure Active Directory

Azure Active Directory, also known as Azure AD, does not use Kerberos authentication; instead, it uses HTTP(S)-based protocols such as SAML, WS-Federation, and OpenID Connect for authentication.
