First Option, Incorporated
The 1st Option in IT.
Copyright © First Option 2008
About First Option
• Founded in 1995
• Located in Mansfield, MA
• Expertise in IBM AS/400 configuration and systems management
• Provide application development and custom programming
• Designed and developed two SaaS products: iSeries WebCheck By First Option and First Option WebCheck using LDAP on iSeries

What is DAP?
X.500 protocols
• A series of computer networking standards covering electronic directory services. The X.500 series was developed by ITU-T, formerly known as CCITT. The directory services were developed to support the requirements of X.400 electronic mail exchange and name lookup.
• In the late 1980s and early 1990s the X.500 directory specification and its Directory Access Protocol (DAP) were the industry standard. The model is a single Directory Information Tree (DIT), a hierarchical organization of entries that is distributed across one or more servers. An entry consists of a set of attributes, each attribute with one or more values. Each entry has a unique Distinguished Name (DN), formed by combining its Relative Distinguished Name (RDN), which is one or more attributes of the entry itself, with the RDNs of each of the superior entries up to the root of the DIT.

Directory vs. Database
Why use a directory instead of an application database?
• Data that is read frequently but updated much less frequently. Examples: names, addresses, phone numbers, passwords, interest profiles.
• Data that lends itself to hierarchical organization. Examples: names in an enterprise organization, customers in geographical regions.
• Data that is general-purpose and tends to be used in many disparate systems, or that may turn out to be useful to future applications. Examples: names, addresses, phone numbers, passwords, interest profiles, locations, reporting structure.

Directory vs. Database
Directory Advantages
• Directories are optimized for high-volume read access.
  • Write access should be limited to system administrators.
• Application-independent directory. Application developers make use of an existing directory service that is accessible through a standard API.
  • Application-specific directories are not necessary.

Directory Information Tree (DIT)
[Figure: DIT diagram, taken from "Case Study: LDAP Authentication and Authorization for Open Source Web Applications"]

Relationship of DN and RDNs
[Figure: a Distinguished Name built from Relative Distinguished Names]

Why the move from DAP to LDAP
• DAP is a difficult protocol to use; it is considered "heavyweight" because an implementation requires the full seven-layer OSI stack.
• LDAP, the Lightweight Directory Access Protocol, was first published as RFC 1487 in 1993. LDAP runs over the TCP/IP stack, which is easier to use.

Why use LDAP?
• LDAP is being adopted as the de facto standard for directory access by many organizations and applications. Microsoft's Active Directory, Lotus' Domino Server, Sun/Netscape, Novell, Computer Associates, IBM and many others offer LDAP-accessible directories.
• It is an extremely important component of the protocol suite, used by developers much as they use FTP, TCP/IP, etc. Developers spend more time coding the application instead of developing databases of application-specific information for authentication and/or authorization.

Why use LDAP?
• Access Control Lists (ACLs) provide a means to protect information stored in an LDAP directory. Administrators use ACLs to restrict access to different portions of the directory or to specific directory entries. Changes to each entry and attribute in the directory can be controlled by using ACLs. An ACL for a given entry or attribute can be inherited from its parent entry or can be explicitly defined.
• Authentication and Authorization: LDAP can be used for both authentication and authorization. It supports role-based security, e.g. administrators and users.

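Two points from the slides above are easier to see in code: a DN is the entry's RDN followed by the RDNs of its superiors up to the root of the DIT ("What is DAP?"), and an ACL that is not explicitly defined on an entry is inherited from the nearest parent that defines one ("Why use LDAP?"). The Python below is an added example written for this page, not code from the First Option presentation or from any directory server; the DIT layout, the entries and the ACL rules in SAMPLE_ACLS are constructed for illustration, and the ACL rule format is an assumption of this example, not the syntax of any particular server.

```python
"""Added example (not part of the First Option presentation): how a
Distinguished Name decomposes into RDNs, how the chain of superior entries
up to the DIT root follows from it, and how an ACL set on a parent entry is
inherited by entries below it.  Entries and ACLs are constructed samples."""


def split_dn(dn):
    """Split a DN string into its RDNs, leaf first, honouring RFC 4514
    backslash escapes so an escaped comma inside a value does not split."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def superiors(dn):
    """DNs of the superior entries of `dn`, nearest parent first, up to and
    including the root of the tree: DN = own RDN + RDNs of the superiors."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def effective_acl(dn, acls):
    """Resolve the ACL that applies to `dn`: an explicitly defined ACL wins,
    otherwise the nearest ancestor's ACL is inherited.  `acls` maps a DN to
    a list of rules; the rule strings are a constructed format."""
    for candidate in [dn] + superiors(dn):
        if candidate in acls:
            return candidate, acls[candidate]
    return None, []


# Constructed sample: ACLs are set on the suffix, on one branch and on one
# entry; every other entry inherits from the nearest of these.
SAMPLE_ACLS = {
    "dc=EXAMPLE,dc=COM": ["admins: write", "anyone: read"],
    "ou=webcheck,dc=EXAMPLE,dc=COM": ["admins: write", "webcheck-app: read"],
    "uid=jdoe,ou=webcheck,dc=EXAMPLE,dc=COM": ["self: write userPassword"],
}

if __name__ == "__main__":
    dn = "uid=jdoe,ou=webcheck,dc=EXAMPLE,dc=COM"
    print(split_dn(dn))
    print(superiors(dn))
    # asmith has no explicit ACL, so the ou=webcheck branch ACL applies
    print(effective_acl("uid=asmith,ou=webcheck,dc=EXAMPLE,dc=COM", SAMPLE_ACLS))
    # an escaped comma inside a value stays inside its RDN
    print(split_dn("cn=Doe\\, Jane,ou=webcheck,dc=EXAMPLE,dc=COM"))
```

The escape-aware split matters in practice: a naive `dn.split(",")` would turn a common name such as `Doe, Jane` into two RDNs and make the parent walk, and therefore the ACL lookup, land on the wrong entry.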
iSeries Directory Services
• Beginning with Version 5 Release 1, Directory Services (LDAP) is automatically installed with OS/400. The directory server includes a default configuration that automatically starts the directory server when TCP/IP is started. V5R4 provides LDAP v3.
• You have the option of publishing computer information from OS/400 to the directory server.

iSeries LDAP Configuration
Accessing iSeries Directory Services
1. Launch Operations Navigator.
2. Expand the system that you want to use as the LDAP server.
3. Expand Network and then Servers.
4. Click TCP/IP. This shows all the TCP/IP servers that exist on the system.

LDAP Installation on iSeries
Refer to Implementation and Practical Use of LDAP on the IBM iSeries Server, 4.3 "Configuring OS/400 Directory Services", for first-time configuration.

LDAP Properties
[Figure: LDAP Properties screen]

Directory requirements / Data Design
• Directory Requirements: What type of application(s) will use the directory? Will the LDAP service be participating with an X.500 directory service?
  • Determine who needs access to the data as a user. Find out if those users can directly access or even update the directory. Determine the location of clients (users or applications). What expectations are there for privacy concerns? How accurate and up-to-date must the directory content be?
• Data design: Data should be read more often than it is written. Directory services are typically optimized for read operations.
  • Data should be accessed from more than just one system or client.

Data Organization
• Directory schema: The purpose of a schema is to control the nature and format of the data stored in the directory. This means that schemas can be used for data validation and to control redundant data. A schema is also used by users and applications as the basis for directory search criteria.
• Predefined Schemas: The LDAP specifications include a standard schema for a typical White Pages directory (RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3). (http://www03.ibm.com/systems/i/software/ldap/)
  • Identify schemas provided by the applications, or standard and/or vendor-supplied schemas.
  • Select any predefined schemas that meet your needs. Plan for any schema extensions.
  • For each piece of data, determine the name of the attribute(s) that you will use to represent the data in the directory and the object class(es) (the type of entry) that the data will be stored on.

inetOrgPerson.schema
• http://www.zytrax.com/books/ldap/ape/ provides a list of the object classes and attributes available in this schema.
  • inetOrgPerson inherits from organizationalPerson (organizationalPerson.schema)
  • organizationalPerson in turn inherits from person
  • http://www.it.ufl.edu/projects/directory/ldap-schema/
• Directory Server supports object inheritance for object class and attribute definitions. A new object class can be defined with parent classes (multiple inheritance) and the additional or changed attributes.

inetOrgPerson.schema Object Classes & Attributes
[Figure: table of the inetOrgPerson object classes and attributes]

Data/Schema – Don'ts
• Do not use one attribute to store a specific kind of information and then later use a different attribute to store the exact same kind of data!
• Do not delete standard schema elements. The use of a standard schema is beneficial, and specific changes can be made so long as they are additions. You may, however, create your own private schema. When doing so, you must take into consideration that compatibility with any other LDAP service may be lost and that your application clients have to be aware of that private schema.

LDAP Administration Tools
Use Open Source Tools!
• Allow the administrator to develop and maintain the directory schema.
• Allow the administrator to manually maintain directory entries.
• Allow the administrator to search for information in the DIT.
Apache Directory Studio – http://directory.apache.org/studio
LDAP Admin Tool – http://openldap.org

LDAP Administration Tools
• Apache Directory Studio is available as an Eclipse plug-in. This is a very attractive option if using WDSC or Eclipse as the IDE.
• OpenLDAP is an LDAP directory server, the equivalent of Apache Directory Server, not of Apache Directory Studio.
• An admin tool is also available in WebSphere 6.0.
• Lots of tools out there!

Apache Directory Studio
[Figure: Apache Directory Studio screenshot]

LDAP Search Utilities
[Figure: LDAP search utility screenshots]

Example: First Option WebCheck
• FOI SaaS product that allows users to view check information via the Internet. The first customer is Daprex, a provider of general accounting software for the iSeries.
• The client sends employee and check information via a Web Service provided by FOI.
• Information is stored on the FOI server.
• Authorized users are allowed to view the information.

First Option WebCheck – Required LDAP functionality
• Signon screen: is it a valid user and is the password correct?
• Ability to add employee information.
• Ability to modify employee password and email address. The employee must change the password on first signon. The password must also be changed at system-defined intervals.

First Option WebCheck
[Figure: WebCheck screenshot]

LDAP Directory
[Figure: WebCheck LDAP directory layout]

First Option WebCheck
Context-Security.xml
  <bean id="initialDirContextFactory"
        class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://foi400:389/dc=EXAMPLE,dc=COM" />
  </bean>

First Option WebCheck
Context-Security.xml (continued)
  <bean id="authenticator"
        class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg ref="initialDirContextFactory" />
    <property name="userDnPatterns">
      <list>
        <value>uid={0},ou=webcheck</value>
      </list>
    </property>
  </bean>

Spring Security (ACEGI)
Context-Security.xml (continued)
  <bean id="authenticationProvider"
        class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg ref="authenticator" />
    <constructor-arg ref="populator" />
  </bean>

  <bean id="authenticationManager"
        class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref bean="authenticationProvider" />
      </list>
    </property>
  </bean>

Spring Security (ACEGI)
Context-Security.xml (continued)
  <bean id="authenticationProcessingFilter"
        class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="filterProcessesUrl" value="/j_acegi_security_check" />
    <property name="authenticationFailureUrl" value="/login.htm?login_error=1" />
    <property name="defaultTargetUrl" value="/" />
    <property name="authenticationManager" ref="authenticationManager" />
  </bean>

Spring Security (ACEGI)
Logon.jsp – All we did was call the form!
  <form name="security" method="post" action="j_acegi_security_check">
    <p align="right">Username: <input type="text" name="j_username">
    <br>
    <br>
    Password: <input type="password" name="j_password"></p>
    <c:if test="${param.login_error == '1'}">
      <font color="red" size="4"><c:out value="Invalid ID or password" /></font>
    </c:if>
    <p align="right"><br>

Security Configuration Options
• Tomcat configured to use LDAP (Server.XML):
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://localhost:389"
         userPattern="uid={0},ou=people,dc=mycompany,dc=com"
         roleBase="ou=groups,dc=mycompany,dc=com"
         roleName="cn"
         roleSearch="(uniqueMember={0})"
  />
• Apache HTTP Server
• WebSphere products
• We chose to be HTTP and application server independent and use Spring Security.

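Both the Spring `userDnPatterns` value `uid={0},ou=webcheck` from the WebCheck configuration and the Tomcat JNDIRealm `roleSearch` value `(uniqueMember={0})` above take a value from the login and substitute it into a DN or a search filter. What that substitution has to do to stay safe is easy to show in code: DN values are escaped per RFC 4514 and filter values per RFC 4515, so a username containing `,` or `*` or `)` cannot alter the shape of the DN that is bound or of the filter that is searched. The Python below is an added example written for this page; it is not code from Spring Security, Tomcat or the First Option presentation, and whether a given framework version performs this escaping for you is something to confirm in that framework's documentation. The usernames in the `__main__` section are constructed inputs.

```python
"""Added example (not from the presentation, Spring Security or Tomcat):
escaping a user-supplied value before it is substituted into the `{0}`
placeholder of a DN pattern (RFC 4514) or of a search filter (RFC 4515)."""


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value used inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in {'"', ",", "+", ";", "<", ">", "\\"}:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would read as hex form
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value used inside a search filter:
    each special character becomes a backslash plus its two hex digits."""
    out = []
    for ch in value:
        if ch in {"*", "(", ")", "\\", "\x00"}:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for(user_dn_pattern, username):
    """Fill the `{0}` placeholder of a DN pattern with an escaped username."""
    return user_dn_pattern.replace("{0}", escape_dn_value(username))


def role_filter_for(role_search, user_dn):
    """Fill the `{0}` placeholder of a role search filter with an escaped DN.
    The DN is a plain string here, so its own commas need no filter escaping,
    but '*', parentheses and backslashes in it do."""
    return role_search.replace("{0}", escape_filter_value(user_dn))


USER_DN_PATTERN = "uid={0},ou=webcheck"      # value from the Spring config above
ROLE_SEARCH = "(uniqueMember={0})"           # value from the Tomcat realm above

if __name__ == "__main__":
    # constructed inputs: an ordinary login and two containing metacharacters
    for name in ("jdoe", "jdoe,ou=admins", "jd*e)(uid=*"):
        dn = bind_dn_for(USER_DN_PATTERN, name)
        print(repr(name), "->", dn, "|", role_filter_for(ROLE_SEARCH, dn))
```

With the escaping in place, `jdoe,ou=admins` binds as the single entry `uid=jdoe\,ou=admins,ou=webcheck` rather than as a `uid=jdoe` entry under a different branch, and a name containing `*` or `)` stays one literal assertion value inside `(uniqueMember=...)` instead of adding a wildcard or a second filter component.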
Spring LDAP
• Spring LDAP is a Java library for simplifying LDAP operations, based on the pattern of Spring's JdbcTemplate. This leaves the programmer to handle only the important part: where to find the data.
• These templates are used as a jumping-off point to add, update, select and delete users from the LDAP directory.
• It is one of the tools in the Spring Framework that simplifies the coding required to maintain the LDAP server.

Example – LdapPersonDaoImpl
Delete User
  import javax.naming.Name;
  import org.springframework.ldap.core.DistinguishedName;
  import org.springframework.ldap.core.LdapTemplate;

  // LdapTemplate does the JNDI work; the DAO only has to say which entry to remove.
  public class LdapPersonDaoImpl extends LdapTemplate implements LdapPersonDao {

      public void delete(LdapPerson person) {
          unbind(buildDn(person));   // removes the entry at that DN
      }

      // Build the entry's DN from its RDN (uid) plus the branch it lives in.
      // The getUid() accessor on LdapPerson is assumed here; the slide does not show it.
      protected Name buildDn(LdapPerson person) {
          DistinguishedName dn = new DistinguishedName("ou=webcheck");
          dn.add("uid", person.getUid());
          return dn;
      }
      ...
  }

Questions

References
• Justin B. Alcorn, 9/29/2003 – Case Study: LDAP Authentication and Authorization for Open Source Web Applications
• Luke A. Kanies, 08/16/2001 – An Introduction to LDAP
• Thomas Barlen, Wolfgang Eckert, John Taylor, Klaus Tebb, Wendy Thomson, Marc Willems – Implementation and Practical Use of LDAP on the IBM iSeries Server
• Understanding LDAP Design and Implementation – IBM
• WebSphere Application Server for iSeries V6 Building Advanced Configurations – Section 5.7, Setting up LDAP with WebSphere
• iSeries Information Center, "Directory Server (LDAP)"
• Ed Owens, May 2001 – Directory vs. Database: What Data Goes Where?

Contact Information
• Contact First Option: 508-339-0588 x11
  • [email protected]
• www.1stoption.com – the presentation will be in News and Events