First Option, Incorporated. The 1st Option in IT.
Copyright © First Option 2008

About First Option
• Founded in 1995
• Located in Mansfield, MA
• Expertise in IBM AS/400 configuration and systems management
• Provide application development and custom programming
• Designed and developed two SaaS products: iSeries WebCheck by First Option and First Option WebCheck, using LDAP on iSeries

What is DAP? X.500 protocols
• A series of computer networking standards covering electronic directory services.
• The X.500 series was developed by ITU-T, formerly known as CCITT.
• The directory services were developed to support the requirements of X.400 electronic mail exchange and name lookup.
• Late 1980s and early 1990s: the X.500 directory specification and the Directory Access Protocol (DAP) become the industry standard.
• A single Directory Information Tree (DIT): a hierarchical organization of entries which is distributed across one or more servers.
• An entry consists of a set of attributes, each attribute with one or more values.
• Each entry has a unique Distinguished Name (DN), formed by combining its Relative Distinguished Name (RDN), one or more attributes of the entry itself, and the RDNs of each of the superior entries up to the root of the DIT.

Directory vs. Database
Why use a directory instead of an application database?
• Data that is read frequently but updated much less frequently. Examples: names, addresses, phone numbers, passwords, interest profiles.
• Data that lends itself to hierarchical organization. Examples: names in an enterprise organization, customers in geographical regions.
• Data that is general-purpose and tends to be used in many disparate systems, or that may turn out to be useful to future applications. Examples: names, addresses, phone numbers, passwords, interest profiles, locations, reporting structure.

Directory vs. Database: Directory Advantages
• Directories are optimized for high-volume read access.
• Write access should be limited to system administrators.
• Application-independent directory: application developers make use of an existing directory service that is accessible through a standard API, so application-specific directories are not necessary.

Directory Information Tree (DIT)
(Diagram from Case Study: LDAP Authentication and Authorization for Open Source Web Applications)

Relationship of DN and RDNs
(Diagram: Relative Distinguished Name)

Why the move from DAP to LDAP
• DAP is a difficult protocol to use: it is considered "heavyweight" because its implementation requires the full seven-layer OSI model.
• LDAP (Lightweight Directory Access Protocol) specification, first published as RFC 1487 in 1993.
• LDAP uses the TCP/IP stack, which is easier to use.

Why use LDAP?
• LDAP is being adopted as the de facto standard for directory access by many organizations and applications.
• Microsoft's Active Directory, Lotus' Domino Server, Sun/Netscape, Novell, Computer Associates, IBM and many others offer LDAP-accessible directories.
• An extremely important component of the protocol suite, used by developers much like FTP, TCP/IP, etc.
• Developers spend more time coding the application instead of developing databases of application-specific information for authentication and/or authorization.

Why use LDAP?
• Access Control Lists (ACLs) provide a means to protect information stored in an LDAP directory. Administrators use ACLs to restrict access to different portions of the directory, or to specific directory entries. Changes to each entry and attribute in the directory can be controlled by using ACLs. An ACL for a given entry or attribute can be inherited from its parent entry or can be explicitly defined.
• Authentication and Authorization: LDAP can be used for both authentication and authorization. Supports role-based security, i.e. administrators and users.
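Added example (not from the presentation) of the DN/RDN relationship described on the slides above: split a DN into its RDNs, respecting RFC 4514 backslash escapes, and walk up the DIT to the root. The DN values are constructed for illustration.

```python
# Added example: DN <-> RDN handling for a DIT such as ou=webcheck,dc=EXAMPLE,dc=COM.
# All DN values below are constructed; they are not entries from a real directory.
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings. A backslash-escaped comma inside a value
    (e.g. cn=Doe\\, John) is part of the value and does not end the RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Return (attribute type, value) for a single-valued RDN such as 'ou=webcheck'.
    Attribute types are case-insensitive, so they are normalised to lower case."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()


def superior_entries(dn: str) -> List[str]:
    """DNs of every superior entry, from the immediate parent up to the DIT root."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def build_dn(rdn: str, parent_dn: str) -> str:
    """Form an entry's DN from its own RDN plus the DN of its parent entry."""
    return rdn if not parent_dn else f"{rdn},{parent_dn}"
```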
iSeries Directory Services
• Beginning with Version 5 Release 1, Directory Services (LDAP) is automatically installed with OS/400.
• The directory server includes a default configuration that automatically starts the directory server when TCP/IP is started.
• LDAP v3 on V5R4.
• You have the option of publishing computer information from OS/400 to the directory server.

iSeries LDAP Configuration
Accessing iSeries Directory Services:
1. Launch the Operations Navigator.
2. Expand the system that you want to use as the LDAP server.
3. Expand Network and then Servers.
4. Click TCP/IP. This will show all the TCP/IP servers that exist on the system.

LDAP Installation on iSeries
Refer to Implementation and Practical Use of LDAP on the IBM iSeries Server, section 4.3 "Configuring OS/400 Directory Services", for first-time configuration.

LDAP Properties

Directory requirements / Data Design
Directory Requirements:
• What type of application(s) will use the directory?
• Will the LDAP service be participating with an X.500 directory service?
• Determine who needs access to the data as a user. Find out if those users can directly access or even update the directory.
• Determine the location of clients (users or applications).
• What expectations are there for privacy concerns?
• How accurate and up-to-date must the directory content be?
Data design:
• Data should be read more often than it is written. Directory services are typically optimized for read operations.
• Data should be accessed from more than just one system or client.

Data Organization
• Directory schema: the purpose of a schema is to control the nature and format of the data stored in the directory. This means that schemas can be used for data validation and to control redundant data.
• A schema is also used by users and applications as the basis for directory search criteria.
• Predefined schemas: the LDAP specifications include a standard schema for a typical White Pages directory (RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3). (http://www03.ibm.com/systems/i/software/ldap/)
• Identify schemas provided by the applications, or standard and/or vendor-supplied schemas.
• Select any predefined schemas that meet your needs. Plan for any schema extensions.
• For each piece of data, determine the name of the attribute(s) that you will use to represent the data in the directory and the object class(es) (the type of entry) that the data will be stored on.

inetOrgPerson.schema
• http://www.zytrax.com/books/ldap/ape/ provides a list of the object classes and attributes available in this schema.
• inetOrgPerson inherits from organizationalPerson (organizationalPerson.schema), which in turn inherits from person.
• http://www.it.ufl.edu/projects/directory/ldap-schema/
• Directory Server supports object inheritance for object class and attribute definitions. A new object class can be defined with parent classes (multiple inheritance) and the additional or changed attributes.

inetOrgPerson.schema: Object Classes & Attributes

Data/Schema – Don'ts
• Do not use one attribute to store a specific kind of information and then later use a different attribute to store the exact same kind of data!
• Do not delete standard schema elements. The use of a standard schema is beneficial, and specific changes can be made so long as they are additions.
• You may, however, create your own private schema. When doing so, you must take into consideration that compatibility with any other LDAP service may be lost, and that your application clients have to be aware of that private schema.

LDAP Administration Tools
Use Open Source Tools!
• Allow the administrator to develop and maintain the directory schema.
• Allow the administrator to manually maintain directory entries.
• Allow the administrator to search for information in the DIT.
• Apache Directory Studio – http://directory.apache.org/studio
• LDAP Admin Tool – http://openldap.org

LDAP Administration Tools
• Apache Directory Studio is available as an Eclipse plug-in. This is a very attractive option if using WDSC or Eclipse as the IDE.
• OpenLDAP is the LDAP directory server equivalent of Apache Directory Server, not of Apache Directory Studio.
• An admin tool is also available in WebSphere 6.0.
• Lots of tools out there!

Apache Directory Studio

LDAP Search Utilities

Example: First Option WebCheck
• FOI SaaS product that allows users to view check information via the Internet.
• First customer is Daprex, a provider of general accounting software for the iSeries.
• Client sends employee and check information via a Web Service provided by FOI.
• Information is stored on the FOI server.
• Authorized users are allowed to view the information.

First Option WebCheck – Required LDAP functionality
• Signon screen: is it a valid user and is the password correct?
• Ability to add employee information.
• Ability to modify employee password and email address.
• Employee must change password on first signon. Also, the password must be changed at system-defined intervals.
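Added example (not from the presentation or the WebCheck code) of the signon check listed above, done the way a bind authenticator with a DN pattern such as uid={0},ou=webcheck works: the login name is escaped per RFC 4514 before substitution so it cannot alter the bind DN, and an empty password is refused before binding. The directory is a constructed in-memory stand-in so the logic runs offline; a real deployment binds to the iSeries directory server.

```python
# Added example: bind authentication against a DN pattern. The directory below is a
# constructed stand-in (an assumption for offline use), not a real LDAP server.
from typing import Callable, Optional

# RFC 4514 special characters that must be backslash-escaped inside a DN value,
# so that user input cannot add or rewrite RDNs in the bind DN.
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out.startswith(("#", " ")):      # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):               # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def build_user_dn(pattern: str, username: str) -> str:
    """Substitute the escaped login name for {0} in the configured DN pattern."""
    return pattern.replace("{0}", escape_dn_value(username))


def bind_authenticate(pattern: str, username: str, password: str,
                      bind: Callable[[str, str], bool]) -> Optional[str]:
    """Return the user's DN when the bind succeeds, else None.
    An empty password is rejected before binding: RFC 4513 allows a server to
    treat a DN with a zero-length password as an anonymous bind, which would
    otherwise 'succeed' for any existing uid."""
    if not username or not password:
        return None
    dn = build_user_dn(pattern, username)
    return dn if bind(dn, password) else None


# Constructed stand-in directory: DN -> password. Never store passwords like this
# in a real system; this only models "did the bind succeed" for the example.
_FAKE_DIRECTORY = {"uid=jdoe,ou=webcheck,dc=EXAMPLE,dc=COM": "s3cret"}


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: true only for a known DN and password."""
    return _FAKE_DIRECTORY.get(dn) == password
```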
First Option WebCheck

LDAP Directory

First Option WebCheck – Context-Security.xml

    <bean id="initialDirContextFactory"
          class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg value="ldap://foi400:389/dc=EXAMPLE,dc=COM" />
    </bean>

First Option WebCheck – Context-Security.xml (continued)

    <bean id="authenticator"
          class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg ref="initialDirContextFactory" />
        <property name="userDnPatterns">
            <list>
                <value>uid={0},ou=webcheck</value>
            </list>
        </property>
    </bean>

Spring Security (ACEGI) – Context-Security.xml (continued)

    <bean id="authenticationProvider"
          class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg ref="authenticator" />
        <constructor-arg ref="populator" />
    </bean>

    <bean id="authenticationManager"
          class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="authenticationProvider" />
            </list>
        </property>
    </bean>

Spring Security (ACEGI) – Context-Security.xml (continued)

    <bean id="authenticationProcessingFilter"
          class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="filterProcessesUrl" value="/j_acegi_security_check" />
        <property name="authenticationFailureUrl" value="/login.htm?login_error=1" />
        <property name="defaultTargetUrl" value="/" />
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

Spring Security (ACEGI) – Logon.jsp: all we did was call the form!
    <form name="security" method="post" action="j_acegi_security_check">
    <p align="right">Username: <input type="text" name="j_username">
    <br>
    <br>
    Password: <input type="password" name="j_password"></p>
    <c:if test="${param.login_error == '1'}">
    <font color="red" size="4"><c:out value="Invalid ID or password" /></font>
    </c:if>
    <p align="right"><br>

Security Configuration Options
TOMCAT to use LDAP (Server.XML):

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://localhost:389"
           userPattern="uid={0},ou=people,dc=mycompany,dc=com"
           roleBase="ou=groups,dc=mycompany,dc=com"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />

• Apache HTTP Server
• WebSphere Products
• We chose to be HTTP and application server independent and use Spring Security.

Spring LDAP
• Spring LDAP is a Java library for simplifying LDAP operations, based on the pattern of Spring's JdbcTemplate. This leaves the programmer to handle the important stuff: where to find the data.
• The template is used as a jumping-off point to add, update, select and delete users from the LDAP directory.
• It is one of the tools in the Spring Framework that simplifies the coding required to maintain the LDAP server.

Example – LdapPersonDaoImpl: Delete User

    public class LdapPersonDaoImpl extends LdapTemplate implements LdapPersonDao {
        public void delete(LdapPerson person) {
            unbind(buildDn(person));
        }
        protected Name buildDn(LdapPerson person) {
            ...
        }
        ...
    }

Questions

References
• Justin B. Alcorn, 9/29/2003 – Case Study: LDAP Authentication and Authorization for Open Source Web Applications
• Luke A. Kanies, 08/16/2001 – An Introduction to LDAP
• Thomas Barlen, Wolfgang Eckert, John Taylor, Klaus Tebb, Wendy Thomson, Marc Willems – Implementation and Practical Use of LDAP on the IBM iSeries Server

References
• Understanding LDAP Design and Implementation – IBM
• WebSphere Application Server for iSeries V6 Building Advanced Configurations – Section 5.7, Setting up LDAP with WebSphere
• iSeries Information Center, "Directory Server (LDAP)"
• Ed Owens, May 2001 – Directory vs. Database: What Data Goes Where?

Contact Information
Contact First Option: 508-339-0588 x11 • [email protected]
www.1stoption.com – Presentation will be in News and Events