Copyright © First Option 2008 First Option, Incorporated The 1st Option in IT.

Dec 17, 2015

Page 1

First Option, Incorporated

The 1st Option in IT.

Page 2: About First Option

Founded in 1995

Located in Mansfield, MA

Expertise in IBM AS/400 configuration and systems management

Provide application development and custom programming

Designed and developed two SaaS products, iSeries WebCheck by First Option and First Option WebCheck, using LDAP on iSeries

Page 3: What is DAP?

X.500 protocols

A series of computer networking standards covering electronic directory services. The X.500 series was developed by ITU-T, formerly known as CCITT. The directory services were developed to support the requirements of X.400 electronic mail exchange and name lookup.

Late 1980s and early 1990s: the X.500 directory specification and its Directory Access Protocol (DAP) become the industry standard. A single Directory Information Tree (DIT), a hierarchical organization of entries, is distributed across one or more servers. An entry consists of a set of attributes, each attribute with one or more values. Each entry has a unique Distinguished Name (DN), formed by combining its Relative Distinguished Name (RDN), built from one or more attributes of the entry itself, with the RDNs of each of the superior entries up to the root of the DIT.

Page 4: Directory vs. Database

Why use a directory instead of an application database?

Data that is read frequently but updated much less frequently. Examples: names, addresses, phone numbers, passwords, interest profiles.

Data that lends itself to hierarchical organization. Examples: names in an enterprise organization, customers in geographical regions.

Data that is general-purpose, and tends to be used in many disparate systems or that may turn out to be useful to future applications. Examples: names, addresses, phone numbers, passwords, interest profiles, locations, reporting structure.

Page 5: Directory vs. Database

Directory Advantages

Directories are optimized for high-volume read access. Write access should be limited to system administrators.

Application-independent directory. Application developers make use of the existence of a directory service that is accessible through a standard API; application-specific directories are not necessary.

Page 6: Directory Information Tree (DIT)

[Diagram] Case Study: LDAP Authentication and Authorization for Open Source Web Applications

Page 7: Relationship of DN and RDNs

[Diagram] Relative Distinguished Name

Page 8: Why the move from DAP to LDAP

DAP is a difficult protocol to use because it is considered “heavyweight”: its implementation requires the full seven-layer OSI model.

LDAP - the Lightweight Directory Access Protocol specification, first published as RFC 1487 in 1993. LDAP runs over the TCP/IP stack, which is easier to use.

Page 9: Why use LDAP?

LDAP is being adopted as the de facto standard for directory access by many organizations and applications. Microsoft’s Active Directory, Lotus’ Domino Server, Sun/Netscape, Novell, Computer Associates, IBM and many others offer LDAP-based directory products.

LDAP is an extremely important component of the protocol suite, used in the same way developers use FTP, TCP/IP, etc. Developers spend more time coding the application instead of developing databases of application-specific information for authentication and/or authorization.

Page 10: Why use LDAP?

Access Control Lists (ACLs) - Access control lists provide a means to protect information stored in an LDAP directory. Administrators use ACLs to restrict access to different portions of the directory, or to specific directory entries. Changes to each entry and attribute in the directory can be controlled by using ACLs. An ACL for a given entry or attribute can be inherited from its parent entry or can be explicitly defined.

Authentication and Authorization - LDAP can be used for both authentication and authorization. It supports role-based security, e.g. administrators and users.
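The inheritance rule above, as an added worked example that is not part of the presentation: a small Python model in which an ACL set explicitly on an entry governs that entry, an entry without its own ACL inherits the nearest ancestor's, and a subject is denied unless the effective ACL grants the permission. The DNs, subjects and permission names are constructed for illustration and are not any product's ACL syntax.

```python
# Added example (not from the presentation): a simplified model of ACLs on a
# DIT. An ACL set explicitly on an entry governs that entry; an entry with no
# ACL of its own inherits the nearest ancestor's. Subjects, permissions and
# DNs are constructed for illustration and are not any product's syntax.


def parent_dn(dn):
    """Return the DN of the superior entry, or None at the top of the tree.
    Simplification: splits on commas, so escaped commas are not handled."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else None


def effective_acl(dn, explicit_acls):
    """Walk from the entry toward the root and return the first ACL found:
    the entry's own if defined explicitly, otherwise the inherited one."""
    current = dn
    while current is not None:
        if current in explicit_acls:
            return explicit_acls[current]
        current = parent_dn(current)
    return {}  # no ACL on the whole path: nothing is granted


def is_allowed(subject_dn, target_dn, permission, explicit_acls):
    """Deny by default; allow only if the effective ACL grants the permission."""
    acl = effective_acl(target_dn, explicit_acls)
    return permission in acl.get(subject_dn, set())


# Constructed sample: an admin with full rights from the suffix down, and the
# WebCheck application limited to read/search under its own OU only.
ADMIN = "cn=admin,dc=example,dc=com"
APP = "cn=webcheck-app,ou=apps,dc=example,dc=com"
ACLS = {
    "dc=example,dc=com": {ADMIN: {"read", "write", "search"}},
    "ou=webcheck,dc=example,dc=com": {
        ADMIN: {"read", "write", "search"},
        APP: {"read", "search"},
    },
}

if __name__ == "__main__":
    user = "uid=jdoe,ou=webcheck,dc=example,dc=com"
    print(is_allowed(APP, user, "read", ACLS))    # inherited from ou=webcheck
    print(is_allowed(APP, user, "write", ACLS))   # not granted on that OU
    print(is_allowed(APP, "ou=hr,dc=example,dc=com", "read", ACLS))  # other OU
```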

Page 11: iSeries Directory Services

Beginning with Version 5 Release 1, Directory Services (LDAP) is automatically installed with OS/400. The directory server includes a default configuration that automatically starts the directory server when TCP/IP is started. V5R4 provides LDAP v3.

You have the option of publishing computer information from OS/400 to the directory server.

Page 12: iSeries LDAP Configuration

Accessing iSeries Directory Services

1. Launch Operations Navigator.

2. Expand the system that you want to use as the LDAP server.

3. Expand Network and then Servers.

4. Click TCP/IP. This shows all the TCP/IP servers that exist on the system.

Page 13: LDAP Installation on iSeries

Refer to Implementation and Practical Use of LDAP on the IBM iSeries Server, section 4.3, Configuring OS/400 Directory Services, for first-time configuration.

Page 14: LDAP Properties

Page 15: Directory requirements / Data Design

Directory Requirements

• What type of application(s) will use the directory?

• Will the LDAP service be participating with an X.500 directory service?

• Determine who needs access to the data as a user. Find out if those users can directly access or even update the directory.

• Determine the location of clients (users or applications).

• What expectations are there for privacy concerns?

• How accurate and up-to-date must the directory content be?

Data design

• Data should be read more often than it is written. Directory services are typically optimized for read operations.

• Data should be accessed from more than just one system or client.

Page 16: Data Organization

Directory schema – The purpose of a schema is to control the nature and format of the data stored in the directory. This means that schemas can be used for data validation and to control redundant data. A schema is also used by users and applications as the basis for directory search criteria.

Predefined Schemas - The LDAP specifications include a standard schema for a typical White Pages directory (RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3). (http://www03.ibm.com/systems/i/software/ldap/ )

• Identify schemas provided by the applications or standard and/or vendor-supplied schemas.

• Select any predefined schemas that meet your needs. Plan for any schema extensions.

• For each piece of data, determine the name of the attribute(s) that you will use to represent the data in the directory and the object class(es) (the type of entry) that the data will be stored on.

Page 17: inetOrgPerson.schema

http://www.zytrax.com/books/ldap/ape/ - Provides a list of the object classes and attributes available in this schema

• inetOrgPerson inherits from organizationalPerson (organizationalPerson.schema)

• organizationalPerson in turn inherits from person

• http://www.it.ufl.edu/projects/directory/ldap-schema/

Directory Server supports object inheritance for object class and attribute definitions. A new object class can be defined with parent classes (multiple inheritance) and the additional or changed attributes.

Page 18: inetOrgPerson.schema Object Classes & Attributes

Page 19: Data/Schema – Don’ts

Do not use an attribute to store a specific kind of information and then later use a different attribute to store the exact same kind of data!

Do not delete standard schema elements. The use of a standard schema is beneficial, and specific changes can be made so long as they are additions. You may, however, create your own private schema. When doing so, you must take into consideration that compatibility with any other LDAP service may be lost and that your application clients have to be aware of that private schema.

Page 20: LDAP Administration Tools

Use Open Source Tools!

Allow administrator to develop and maintain directory Schema.

Allow administrator to manually maintain directory entries.

Allow administrator to search for information in the DIT.

Apache Directory Studio – http://directory.apache.org/studio

LDAP Admin Tool – http://openldap.org

Page 21: LDAP Administration Tools

Apache Directory Studio - Apache Directory Studio is available as an Eclipse plug-in. This is a very attractive option if using WDSC or Eclipse as the IDE.

OpenLDAP is an LDAP directory server, the equivalent of Apache Directory Server, not of Apache Directory Studio.

An admin tool is also available in WebSphere 6.0.

Lots of tools out there!

Page 22: Apache Directory Studio

Page 23: LDAP Search Utilities

Page 24: LDAP Search Utilities

Page 25: Example: First Option WebCheck

FOI SaaS product that allows users to view check information via the Internet. The first customer is Daprex, a provider of general accounting software for the iSeries.

The client sends employee and check information via a Web Service provided by FOI.

The information is stored on the FOI server.

Authorized users are allowed to view the information.

Page 26: First Option WebCheck – Required LDAP functionality

Signon screen - Is it a valid user, and is the password correct?

Ability to add employee information.

Ability to modify the employee's password and email address. Employees must change their password on first signon. The password must also be changed at system-defined intervals.

Page 27: First Option WebCheck

Page 28: LDAP Directory

Page 29: First Option WebCheck

Context-Security.xml

<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
   <constructor-arg value="ldap://foi400:389/dc=EXAMPLE,dc=COM" />
</bean>

Page 30: First Option WebCheck

Context-Security.xml (continued)

<bean id="authenticator"
      class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
   <constructor-arg ref="initialDirContextFactory" />
   <property name="userDnPatterns">
      <list>
         <value>uid={0},ou=webcheck</value>
      </list>
   </property>
</bean>
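How the bind DN is produced from the userDnPatterns value above, and how a DN is built from an entry's RDN plus the RDNs of its superiors (pages 3 and 7), as an added Python example rather than the presentation's or ACEGI's code: the login name is escaped per RFC 4514 before it is substituted for {0}, so a comma or similar character in the submitted name stays inside the uid value instead of becoming an extra RDN. The pattern-filling behaviour is an assumption about what a bind authenticator should do, not a description of BindAuthenticator's implementation.

```python
# Added example (not the presentation's or ACEGI's code): forming a DN from
# an entry's RDN plus its superiors' RDNs, and filling a userDnPattern such as
# "uid={0},ou=webcheck" with a login name. Values are escaped per RFC 4514
# section 2.4 so the name cannot add or alter RDN components. The pattern
# handling is an assumption about what a bind authenticator should do.

# Characters that must be escaped anywhere in an RDN value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value):
    """Escape one attribute value for use inside an RDN (RFC 4514)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")            # NUL is written as a hex pair
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")             # '#' only needs escaping when leading
        elif ch == " " and i in (0, last):
            out.append("\\ ")             # leading and trailing spaces
        else:
            out.append(ch)
    return "".join(out)


def rdn(attr, value):
    """One RDN, e.g. rdn("uid", "jdoe") -> "uid=jdoe"."""
    return "%s=%s" % (attr, escape_dn_value(value))


def build_dn(entry_rdn, superior_rdns):
    """DN = the entry's own RDN, then the RDNs of its superiors in order,
    nearest first, up to the root of the DIT (pages 3 and 7)."""
    return ",".join([entry_rdn] + list(superior_rdns))


def bind_dn_from_pattern(pattern, username):
    """Substitute the escaped login name for {0} in a userDnPattern."""
    return pattern.replace("{0}", escape_dn_value(username))


if __name__ == "__main__":
    print(build_dn(rdn("uid", "jdoe"), ["ou=webcheck", "dc=EXAMPLE", "dc=COM"]))
    # A comma in the submitted name stays inside the uid value.
    print(bind_dn_from_pattern("uid={0},ou=webcheck", "jdoe,ou=admins"))
```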

Page 31: Spring Security (ACEGI)

Context-Security.xml (continued)

<bean id="authenticationProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
   <constructor-arg ref="authenticator" />
   <constructor-arg ref="populator" />
</bean>

<bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
   <property name="providers">
      <list>
         <ref bean="authenticationProvider" />
      </list>
   </property>
</bean>

Page 32: Spring Security (ACEGI)

Context-Security.xml (continued)

<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
   <property name="filterProcessesUrl" value="/j_acegi_security_check" />
   <property name="authenticationFailureUrl" value="/login.htm?login_error=1" />
   <property name="defaultTargetUrl" value="/" />
   <property name="authenticationManager" ref="authenticationManager" />
</bean>

Page 33: Spring Security (ACEGI)

Logon.jsp – All we did was call the form!

<form name="security" method="post" action="j_acegi_security_check">
<p align="right">Username: <input type="text" name="j_username">
<br>
<br>
Password: <input type="password" name="j_password"></p>
<c:if test="${param.login_error == '1'}">
<font color="red" size="4"><c:out value="Invalid ID or password" /></font>
</c:if>
<p align="right"><br>

Page 34: Security Configuration Options

TOMCAT to use LDAP (Server.XML)

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       userPattern="uid={0},ou=people,dc=mycompany,dc=com"
       roleBase="ou=groups,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"/>

Apache HTTP Server

WebSphere Products

We chose to be HTTP server and application server independent and use Spring Security.
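The roleSearch="(uniqueMember={0})" lookup in the Tomcat realm above, as an added Python example (not Tomcat's JNDIRealm code): the authenticated user's DN is placed into the filter with RFC 4515 escaping, which differs from DN escaping, and the resulting filter is evaluated against a constructed list of group entries to return the roleName (cn) values. The in-memory group data and the equality-filter evaluator are assumptions for illustration.

```python
# Added example (not from the presentation or Tomcat): filling the {0} in a
# roleSearch filter such as "(uniqueMember={0})" with the user's DN. Values
# placed in a search filter are escaped per RFC 4515 section 3, which is not
# the same as DN escaping. The in-memory group entries and the filter
# evaluator below are constructed for illustration, not JNDIRealm's code.
import re


def escape_filter_value(value):
    """RFC 4515: * ( ) \\ and NUL become a backslash plus two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def role_search_filter(template, user_dn):
    """Build the roleSearch filter for one authenticated user."""
    return template.replace("{0}", escape_filter_value(user_dn))


_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def parse_equality_filter(filter_text):
    """Split "(attr=value)" into (attr, decoded value), as a server would."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_text)
    if not m:
        raise ValueError("not a simple equality filter: %r" % filter_text)
    decoded = _HEX_ESCAPE.sub(lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1), decoded


def roles_for(user_dn, groups, template="(uniqueMember={0})", role_name="cn"):
    """Return the roleName values of every group entry matching the filter."""
    attr, wanted = parse_equality_filter(role_search_filter(template, user_dn))
    return sorted(g[role_name] for g in groups if wanted in g.get(attr, []))


# Constructed group entries, as if read from ou=groups,dc=mycompany,dc=com.
PEOPLE = "ou=people,dc=mycompany,dc=com"
GROUPS = [
    {"cn": "webcheck-users",
     "uniqueMember": ["uid=jdoe," + PEOPLE, "uid=asmith," + PEOPLE]},
    {"cn": "webcheck-admins", "uniqueMember": ["uid=asmith," + PEOPLE]},
    # A DN value may legally contain parentheses; they need filter escaping.
    {"cn": "ops", "uniqueMember": ["uid=obrien (ops)," + PEOPLE]},
]

if __name__ == "__main__":
    print(role_search_filter("(uniqueMember={0})", "uid=obrien (ops)," + PEOPLE))
    print(roles_for("uid=asmith," + PEOPLE, GROUPS))
```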

Page 35: Spring LDAP

Spring LDAP is a Java library for simplifying LDAP operations, based on the pattern of Spring's JdbcTemplate. This leaves the programmer to handle the important stuff - where to find the data.

These templates were used as a jumping-off point to add, update, select and delete users in the LDAP directory.

It is one of the tools in the Spring Framework that simplifies the coding required to maintain the LDAP server.

Page 36: Example – LdapPersonDaoImpl: Delete User

public class LdapPersonDaoImpl extends LdapTemplate implements LdapPersonDao {

   // unbind() removes the entry at the DN that buildDn() derives from the person
   public void delete(LdapPerson person) {
      unbind(buildDn(person));
   }

   protected Name buildDn(LdapPerson person) {
      ...
   }
   ...
}

Page 37: Questions

Page 38: References

Justin B. Alcorn, 9/29/2003 – Case Study: LDAP Authentication and Authorization for Open Source Web Applications

Luke A. Kanies, 08/16/2001 – An Introduction to LDAP

Thomas Barlen, Wolfgang Eckert, John Taylor, Klaus Tebb, Wendy Thomson, Marc Willems – Implementation and Practical Use of LDAP on the IBM iSeries Server

Page 39: References

Understanding LDAP Design and Implementation – IBM

WebSphere Application Server for iSeries V6 Building Advanced Configurations – Section 5.7, Setting up LDAP with WebSphere

iSeries Information Center – “Directory Server (LDAP)”

Ed Owens, May 2001 – Directory vs. Database: What Data Goes Where?

Page 40: Contact Information

Contact First Option: 508-339-0588 x11 • [email protected]

www.1stoption.com – The presentation will be in News and Events