LDAP 보안 프로세싱의 이해
???? : Understanding LDAP Security Processing
https://blogs.technet.com/askds/archive/2009/09/21/understanding-ldap-security-processing.aspx
??(Randy)???. ??? LDAP ??? ???? ?????. LDAP(Lightweight Directory Access Protocol)? Active Directory ??????? ?? ??? ???? ????????. ??? Active Directory ????(AD ??? ? ???, AD ??? ? ??? ? )? ??? ????? ???? ???? ?? ??????? ????? LDAP? ?????. ??? ??? ? ??? ??????? ??? ? ???? ???? ?? ??? ??? ?????. ? ??????? ???? ?? ??? ?????? Ntdsa.dll? ???? DSA(Directory System Agent)? ?? ?????. Ntdsa.dll? Lsass.exe? ???? LSA(Local Security Authority)? ????? ?????.
?? ??? ?? ??? ? ??? ?????. ?? ??? ???????. ? ???? ????? ??? ??? ????(???? ??? ???? ??). ?? ??? ?? ? ?? ???, ?? ??? ?? ?? ?????. Active Directory ??????? ??? ?? ??? ??? ?? ??? ??? ????. Active Directory ??????? ??? ??? ???? ? ? ?? ??? ??? ???? ????.
? ???? Windows 2008? ?? LDP.EXE ????? ?? ???????. ? ??? Active Directory? ????, ?????, ??? ???? ????? GUI ?????. LDAP ??? ???????? ???? ??? ??? ???? ???(Network Monitor)? ????? ? ????. LDP? ?? Connection ??? "Connect…"? ???? ????? ?? ???.
??? "bind as currently logged on user"? ?????.
??? ?? ? ???? ?? ??? ? ????. DC Locator process? ?? ?? DC? ???? ?? ?? ??? ?????? ???? ?? ???? ???? ???? ???? ??? ?? ???? ??????. ???? ????? ??? ? ? ????? Network Monitor 3.3? ?? LDAP? ????? ? ? ????.
???? ?? ? LDP.exe?? ??? ?????
???? ? ? ?? ???? ?? LDAP Search Requests? Search Responses???. ??? Description ???? ? ? ????.
??? ? LDAP? ????? ?? LDAP search request? ?????? ???? Active Directory ??????? "RootDSE" ???? ?? ??? ?, ? DSA? ????? ???? ??? ?? ??? ???? ?? ???? ???? ?????. ? ???? ?? ??? ?????, Windows Server 2003? ?? ??? Active Directory? ?? ?? ???? ?? ??? ?????. DSHeuristics ?? ???? ? ??? ??? ????. ??? ???? ??? ?? ?? ??? ????? ?????.
LDAP search request? ????? ???? LDAP request parameters? "BaseDN: NULL"?? ?????. "LDAP: Search Request"? ????, "Parser: Search Request"? ????, "Search Request"? ?????.
"BaseDN"? LDAP ???? ??? ???? ???????. NULL? ??? ????? RootDSE? ???. ??? ????? ?? LDP ????? ??? ??? ?? ??? ???? ?????.
"LDAP: Search Result"? "LDAP: Search Result"? ????, "Parser: Search Result"? ????, "SearchResultEntry" ??? ?? ?? ???? ?????.
???? ??? ??? LDP.exe ?? ?? ??? ?? ?????. ??? ?? ? ??? "supportedSASLMechanisms"???. ??? LDAP ????? ??? ? ?? ?? ???????. ??? ? ?? ????? ??????.
? ???? ??? ??? ? "Null"? ??? ????
???? ?? ?? ???? ???? ????? ?????. LDP ?? ??? 'NULL'? ???? ?? ? ? ????.
?? ??? ? ??? ????, ???? ???? ??? ?????. ???? ? ?, 'NULL' ????? ?????, ?? ???? SASL? ????? ???. ? ????, SASL ?????? ?? ??? ??????. ???? ??? ?? ? ??? ? ? ????.
??? ???? ?? Bind Request? ????, LDAP ??? ??? ? ???? ??? ? ? ????.
NULL ????? ??? ?? ? ? ???, SASL ???? ?????. SASL(Simple Authentication and Security Layer)? ???? ????? ??? ???? ?????. ?????, LDAP? NULL ?????? ?????? SASL? ??? ??? ??? ?? ??? ??? ???. bind request?? ?? ????? ????? ? ? ?? GSS-SPNEGO SASL ????? ???? Kerberos ?? ??? ?????.
??? ??? SASL? ??? ??????
??? ???, SASL? ?? IETF? ??? ??? ? ????. SSPI(Security Support Provider Interface)? ?? ???? ???? ??? ????, SASL? ?? ??? ???? ?? SASL ???? ??? ?????. ?? ??? supportedSASLMechanisms? ?? LDAP ?? ?????. ??? ?????? ??? ? ?? ?? ????? ??? ??????. ??? Windows Server 2008? ?? ???????.
?? ???? | ??
GSS-SPNEGO | GSS-SPNEGO? ????? NTLM? ?? ????? ??? ?????.
GSSAPI | GSSAPI? ????? ?? ?? ????? ??? ?????.
EXTERNAL | LDAP ?? ???? ???? ??? ?? ?????? ????? ???? ?? ????? ?????. TLS? IPSec? ?? ???? ????? ?????.
DIGEST-MD5 | Digest-MD5? ???? ??? ??????.
LDP ??? ??? ????? ??? ? ????? ?? ??? ??? ? ?? ? ??? ???? ? ?? ??? ?????. ?? ????? ??? ????? ??? ??? ??? ??? ? ????.
?? ????? ?? ??? ???? ??????? ????? ?????. (? : LDAP_Simple_bind, LDAP_Sasl_bind, ?)
LDAP ??(signing)? ??????
?? ???? ?? ??? ?????, LDAP? ?? ???? ?? ?? ? ? ????.
Domain controller: LDAP server signing requirements
Network security: LDAP client signing requirements
? ?? ??? ??\??? ??\?? ??\?? ??\?? ?? ? ????.
??? LDAP ???? man-in-the-middle ??? ???? ?????. LDAP ???? ??????, ??? ???? DC??? ???? LDAP ??? ?????. ? ??? ?????, ???? ???? ??? ? ?? ????? ???? ??? ? ????. ???? ???? ??? ?? ?? ? ? ????. ? ?? ??? ??? DC? ?? LDAP ??? ????.
?? ???? ??????
LDAP ?? ???? LDAP ??? ????? ???? ?? ?????? ????? ???? ????. ??? ???? ?? ???, ?? ?????? ?? ???? ????? ?? ????? ???? ?????. LDP.exe? ? ??? ???? ?? ???? ????? ??? LDAP_Simple_bind ??? ???? ????. ???? ???? LDAP BIND ??? ????? ?????? ????? ? ? ????.
???? ??? ????, LDP.exe? ?? ?? ???? ??? ? ?????. "LDAP_Simple_Bind failed: Strong Authentication Required"?? ??? ?????.
?? ???? ??????
?? ?????, ?? LDAP ??? LDAP ??? RootDSE? ???? ?? ?? ???? ?????. ?? ?? ?????, AD ????? DSHeuristics ?? ????, ?? AD ???? ??? ?? ??? LDAP ??? ??? ? ????. ?? ???? ???? ??? ??? ?? ??? ?????. ?? ???? ??? ???? ?? ??? ??? ??? ??????, ??? ????? ???? ??? ??? ??? ??? ???? ???????.
?? ???? ???? ?? OU? ??? ????, ?? ???? ??? ?? ??? ????? ??? ? ?????. ?? ??? ??? ????? ??? ? ?? ??? ?? ?????. "AD ??? ? ???"?? "?? ??"? ?? ??? ??? ? ????.
LDAPS? ??????
LDAPS? LDAP ??? ????? ???? ???? ??? ??? SSL/TLS ??? ?????. ??? LDAP ??? PKI ???? ?? ?????, LDAP??? ?????? ??? ?? ??? ? ???? ?? ? ?? ??? ?????? ?? ???? ??? ? ?? ???? ????? ???? ??? ? ????. LDAPS? ?? ?? ? ? ?? ??? ?? ?????. ???? James Carr ? ??? ?? ??????. ??? ?????.
???? Active Directory ??????? ???? ? ?? ??? ??? ????. LDAP ?????? ??? ??? ?????, AD ???? ?? ??? ???? ???. ??? ???...
Randy “Baby Elvis, thank you verah muuuch” Turner