LDAP and Active Directory

The Lightweight Directory Access Protocol (LDAP) is an application-level protocol that defines how information held across an organization can be accessed. Organizations often use LDAP to store user information for authentication and authorization purposes. It is also used to store the “roles” assigned to application users.

LDAP is based on a client/server model. Any client accessing network resources or an application must first authenticate itself to the LDAP server. Only after the LDAP server has authenticated the client and checked its authorization for the resource is access granted to the client. LDAP implementations can be based on RFC 1777, RFC 4510, RFC 4511, and RFC 2251.

The main benefit of LDAP is that, rather than managing separate user lists and login IDs for each application and network, LDAP can serve as a central directory from which any user can be authenticated and authorized from anywhere on the network.
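The bind-then-authorize flow described above, modelled as an added Python example that is not from the book: a constructed in-memory directory stands in for the LDAP server, the entries, group names and example-only password hashing are assumptions, and the search-filter escaping follows RFC 4515 so that a username is always treated as data rather than filter syntax.

```python
import hashlib
import hmac
from typing import Optional

def _digest(password: str) -> str:
    # Example-only hashing; real directories use salted password schemes.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample entries keyed by DN (not a real directory).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "userPassword": _digest("correct horse"),
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "userPassword": _digest("hunter2"), "memberOf": []},
}

# RFC 4515 escaping for values placed inside a search filter, so a
# username containing filter metacharacters stays data, not syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str) -> str:
    """Client side: the filter an application would send to locate the user."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

def find_user_dn(username: str) -> Optional[str]:
    """Server side: resolve the uid to an entry DN (exact match only)."""
    for dn, entry in DIRECTORY.items():
        if entry["uid"] == username:
            return dn
    return None

def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1, the bind: returns the bound DN on success, None otherwise."""
    dn = find_user_dn(username)
    if dn is None:
        return None
    ok = hmac.compare_digest(DIRECTORY[dn]["userPassword"], _digest(password))
    return dn if ok else None

def authorize(dn: str, group_dn: str) -> bool:
    """Step 2: only a bound client is checked for resource authorization."""
    return group_dn in DIRECTORY[dn]["memberOf"]

def access_allowed(username: str, password: str, group_dn: str) -> bool:
    dn = authenticate(username, password)
    return dn is not None and authorize(dn, group_dn)
```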

Active Directory is an LDAP-compliant directory database and set of services developed by Microsoft that provides authentication and authorization services. Active Directory stores information about each user, system, resource, or group as an object and manages it centrally. The objects are organized into organizational units (OUs) and are linked by Group Policy (GP) settings. Active Directory is a trademark of Microsoft and is an integral part of the Windows 2000 architecture.


Identity and Access Management (IDAM), shown in Figure 4-8, refers to the processes, technologies, and policies for managing digital identities and providing the authentication and authorization controls that protect data integrity. An IDAM solution enables a single identity across the organization as well as partner networks.

Figure 4-8. The IDAM Framework

An IDAM solution helps organizations protect resources from unauthorized access and comply with security regulations. The goal of IDAM is to provide the right information to the right user at the right time.

IDAM comprises the people, processes, and policies used to manage user identity and access in an enterprise network. IDAM can be classified into four major categories, as shown above: authentication, authorization, user management, and data management. The ultimate goal of IDAM is to provide secure access for the right user, to the right information, at the right time.

Active Directory (AD), Single Sign-On (SSO), password managers, Security Token Services (STS), OAuth, and RBAC are technologies related to the implementation of IDAM solutions.

Single sign-on (SSO) is a user authentication process that permits a user to enter credentials only once in order to access multiple applications. The SSO process authenticates the user for all the applications to which the user has rights, and eliminates re-entering the login ID and password when switching to a different application during a session.

Chapter Summary

We examined what authentication and authorization mean. We explored the importance of access controls and the need for access control in the context of confidentiality and integrity requirements.

We described the different access control types, such as network access, system access, and data access. Furthermore, we specified the three layers of access controls: the administrative layer, the technical (logical) layer, and the physical layer.

Each of these layers serves as an important mechanism for controlling access to valuable information. Then the important access control methods Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC) were explored, and where required their pros and cons were explained.

We discussed how effective access controls can be implemented technically. Access Control Lists, the AAA Framework, RADIUS and TACACS+, LDAP and Active Directory, and the IDAM Framework were explained in detail with supporting diagrams. Single Sign-On (SSO), as an important component of the IDAM Framework, was also explained.

