First Option, Incorporated: The 1st Option in IT
Copyright © First Option 2008

About First Option
• Founded in 1995
• Located in Mansfield, MA
• Expertise in IBM AS/400 configuration and systems management
• Provide application development and custom programming
• Designed and developed two SaaS products, iSeries WebCheck by First Option and First Option WebCheck, using LDAP on iSeries

What is DAP? X.500 protocols
• A series of computer networking standards covering electronic directory services. The X.500 series was developed by ITU-T, formerly known as CCITT. The directory services were developed to support the requirements of X.400 electronic mail exchange and name lookup.
• Late 1980s and early 1990s: the X.500 directory specification and its Directory Access Protocol (DAP) become the industry standard. A single Directory Information Tree (DIT), a hierarchical organization of entries, is distributed across one or more servers. An entry consists of a set of attributes, each attribute with one or more values. Each entry has a unique Distinguished Name (DN), formed by combining its Relative Distinguished Name (RDN), which is one or more attributes of the entry itself, with the RDNs of each of the superior entries up to the root of the DIT.

Directory vs. Database: Why use a directory instead of an application database?
• Data that is read frequently but updated much less frequently. Examples: names, addresses, phone numbers, passwords, interest profiles.
• Data that lends itself to hierarchical organization. Examples: names in an enterprise organization, customers in geographical regions.
• Data that is general-purpose and tends to be used in many disparate systems, or that may turn out to be useful to future applications. Examples: names, addresses, phone numbers, passwords, interest profiles, locations, reporting structure.

Directory vs. Database: Directory Advantages
• Directories are optimized for high-volume read access.
  - Write access should be limited to system administrators.
• Application-independent directory. Application developers make use of the existence of a directory service which is accessible through a standard API.
  - Application-specific directories are not necessary.

Directory Information Tree (DIT)
Source: Case Study: LDAP Authentication and Authorization for Open Source Web Applications

Relationship of DN and RDNs (Relative Distinguished Name)

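As an added illustration of the DN/RDN relationship described on the previous slides (this code is not from the deck), a small parser that takes a Distinguished Name apart into its RDNs per RFC 4514 and lists the superior entries up to the root of the DIT. The DNs it is exercised on are constructed around the ou=webcheck and dc=EXAMPLE,dc=COM names that appear later in the deck's configuration.

```python
# Added example, not from the slides: take a Distinguished Name apart into its
# RDNs (RFC 4514 syntax) and walk up the superior entries to the root of the DIT.
# Sample DNs are constructed around the deck's ou=webcheck,dc=EXAMPLE,dc=COM.

def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on `sep`, but not on a backslash-escaped `sep`."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])        # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def _unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2c' -> ',' (single-byte hex only)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)

def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """DN -> RDNs, leftmost (the entry's own RDN) first; an RDN is a list of
    (type, value) pairs because it may be multi-valued ('cn=a+sn=b')."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, val = ava.partition("=")
            pairs.append((attr.strip().lower(), _unescape(val.strip())))
        rdns.append(pairs)
    return rdns

def ancestors(dn: str) -> list[str]:
    """Superior entries from the parent up to the root of the DIT, as DN strings."""
    rdns = [r.strip() for r in _split_unescaped(dn, ",")]
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]
```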
Why the move from DAP to LDAP
• DAP is a difficult protocol to use because it is considered "heavyweight": its implementation requires the full seven-layer OSI model.
• LDAP, the Lightweight Directory Access Protocol specification, was first published as RFC 1487 in 1993. LDAP uses the TCP/IP stack, which is easier to use.

Why use LDAP?
• LDAP is being adopted as the de facto standard for directory access by many organizations and applications. Microsoft's Active Directory, Lotus' Domino Server, Sun/Netscape, Novell, Computer Associates, IBM and many others offer it.
• It is an extremely important component of the protocol suite, similar to how developers use FTP, TCP/IP, etc. Developers spend more time coding the application instead of developing databases of application-specific information for authentication and/or authorization.

Why use LDAP?
• Access Control Lists (ACLs): ACLs provide a means to protect information stored in an LDAP directory. Administrators use ACLs to restrict access to different portions of the directory or to specific directory entries. Changes to each entry and attribute in the directory can be controlled by using ACLs. An ACL for a given entry or attribute can be inherited from its parent entry or can be explicitly defined.
• Authentication and Authorization: LDAP can be used for both authentication and authorization. It supports role-based security, i.e. administrators and users.

iSeries Directory Services
• Beginning with Version 5 Release 1, Directory Services (LDAP) is automatically installed with OS/400. The directory server includes a default configuration that automatically starts the directory server when TCP/IP is started. LDAP v3 on V5R4.
• You have the option of publishing computer information from OS/400 to the directory server.

iSeries LDAP Configuration: Accessing iSeries Directory Services
1. Launch the Operations Navigator.
2. Expand the system that you want to use as the LDAP server.
3. Expand Network and then Servers.
4. Click TCP/IP. This will show all the TCP/IP servers that exist on the system.

LDAP Installation on iSeries
Refer to Implementation and Practical Use of LDAP on the IBM iSeries Server, section 4.3 Configuring OS/400 Directory Services, for first-time configuration.

LDAP Properties

Directory Requirements / Data Design
• Directory requirements: What type of application(s) will use the directory? Will the LDAP service be participating with an X.500 directory service?
  - Determine who needs access to the data as a user. Find out if those users can directly access or even update the directory. Determine the location of clients (users or applications). What expectations are there for privacy concerns? How accurate and up-to-date must the directory content be?
• Data design: Data should be read more often than it is written. Directory services are typically optimized for read operations.
  - Data should be accessed from more than just one system or client.

Data Organization
• Directory schema: The purpose of a schema is to control the nature and format of the data stored in the directory. This means that schemas can be used for data validation and to control redundant data. A schema is also used by users and applications as the basis for directory search criteria.
• Predefined schemas: The LDAP specifications include a standard schema for a typical White Pages directory (RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3). See http://www-03.ibm.com/systems/i/software/ldap/
  - Identify schemas provided by the applications, and standard and/or vendor-supplied schemas.
  - Select any predefined schemas that meet your needs. Plan for any schema extensions.
  - For each piece of data, determine the name of the attribute(s) that you will use to represent the data in the directory and the object class(es) (the type of entry) that the data will be stored on.

inetOrgPerson schema
• http://www.zytrax.com/books/ldap/ape/ provides a list of the object classes and attributes available in this schema.
  - inetOrgPerson inherits from organizationalPerson (organizationalPerson schema)
  - organizationalPerson in turn inherits from person
  - http://www.it.ufl.edu/projects/directory/ldap-schema/
• Directory Server supports object inheritance for object class and attribute definitions. A new object class can be defined with parent classes (multiple inheritance) and the additional or changed attributes.

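To make the inheritance chain and the MUST/MAY attribute rules concrete, here is an added example (not from the deck or any directory product) that resolves a class's superiors, validates an entry against the merged attribute sets, and registers a private extension class without touching the standard ones. The SCHEMA table is a constructed subset of RFC 2256 / RFC 2798; the foiWebcheckUser class and the entries are assumptions.

```python
# Added example, not from the slides: resolve an object class's inheritance chain
# (inetOrgPerson -> organizationalPerson -> person -> top) and validate an entry
# against the merged MUST/MAY sets. SCHEMA is a constructed subset of RFC 2256/2798.

SCHEMA = {
    "top": {"sup": [], "must": {"objectclass"}, "may": set()},
    "person": {"sup": ["top"], "must": {"sn", "cn"},
               "may": {"userpassword", "telephonenumber", "seealso", "description"}},
    "organizationalperson": {"sup": ["person"], "must": set(),
                             "may": {"title", "ou", "postaladdress", "l", "st", "postalcode"}},
    "inetorgperson": {"sup": ["organizationalperson"], "must": set(),
                      "may": {"uid", "mail", "givenname", "displayname", "employeenumber", "mobile"}},
}

def chain(object_class: str) -> list[str]:
    """The class and all its superiors, most specific first (handles multiple parents)."""
    out, todo = [], [object_class.lower()]
    while todo:
        oc = todo.pop(0)
        if oc in out:
            continue
        if oc not in SCHEMA:
            raise KeyError(f"unknown objectClass {oc}")
        out.append(oc)
        todo.extend(SCHEMA[oc]["sup"])
    return out

def allowed_attributes(object_classes) -> tuple:
    """Union of MUST and MAY attributes over every listed class and its superiors."""
    must, may = set(), set()
    for oc in object_classes:
        for c in chain(oc):
            must |= SCHEMA[c]["must"]
            may |= SCHEMA[c]["may"]
    return must, may

def validate_entry(entry: dict) -> list[str]:
    """Schema violations for an entry given as {attribute: [values]}; [] means it conforms."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = attrs.get("objectclass", [])
    if not classes:
        return ["entry has no objectClass"]
    must, may = allowed_attributes(classes)
    present = set(attrs)
    problems = [f"missing required attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by objectClasses {classes}"
                 for a in sorted(present - must - may)]
    return problems

def define_object_class(name: str, sup: list, must=(), may=()) -> None:
    """Register a private class as an extension; standard classes are never redefined."""
    key = name.lower()
    if key in SCHEMA:
        raise ValueError(f"refusing to redefine existing objectClass {name}")
    SCHEMA[key] = {"sup": [s.lower() for s in sup],
                   "must": {a.lower() for a in must}, "may": {a.lower() for a in may}}
```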
inetOrgPerson schema: Object Classes & Attributes

Data/Schema – Don'ts
• Do not use an attribute to store a specific kind of information and then later use a different attribute to store the exact same kind of data!
• Do not delete standard schema elements. The use of a standard schema is beneficial, and specific changes can be made so long as they are additions. You may, however, create your own private schema. But when doing so, you must take into consideration that compatibility with any other LDAP service may be lost and that your application clients have to be aware of that private schema.

LDAP Administration Tools: Use Open Source Tools!
• Allow the administrator to develop and maintain the directory schema.
• Allow the administrator to manually maintain directory entries.
• Allow the administrator to search for information in the DIT.
Apache Directory Studio – http://directory.apache.org/studio
LDAP Admin Tool – http://openldap.org

LDAP Administration Tools
• Apache Directory Studio: available as an Eclipse plug-in. This is a very attractive option if using WDSC or Eclipse as the IDE.
• OpenLDAP is the LDAP directory server equivalent of Apache Directory Server, not of Apache Directory Studio.
• An admin tool is also available in WebSphere 6.0.
• Lots of tools out there!

Apache Directory Studio

LDAP Search Utilities

Example: First Option WebCheck
• FOI SaaS product that allows users to view check information via the Internet. The first customer is Daprex, a provider of general accounting software for the iSeries.
• The client sends employee and check information via a Web Service provided by FOI.
• Information is stored on the FOI server.
• Authorized users are allowed to view the information.

First Option WebCheck – Required LDAP functionality
• Signon screen: is it a valid user, and is the password correct?
• Ability to add employee information.
• Ability to modify an employee's password and email address. The employee must change the password on first signon. The password must also be changed at system-defined intervals.

First Option WebCheck

LDAP Directory

First Option WebCheck: Context-Security.xml

    <bean id="initialDirContextFactory"
          class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg value="ldap://foi400:389/dc=EXAMPLE,dc=COM" />
    </bean>

First Option WebCheck: Context-Security.xml (continued)

    <bean id="authenticator"
          class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg ref="initialDirContextFactory" />
        <property name="userDnPatterns">
            <list>
                <value>uid={0},ou=webcheck</value>
            </list>
        </property>
    </bean>

Spring Security (ACEGI): Context-Security.xml (continued)

    <bean id="authenticationProvider"
          class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg ref="authenticator" />
        <constructor-arg ref="populator" />
    </bean>

    <bean id="authenticationManager"
          class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="authenticationProvider" />
            </list>
        </property>
    </bean>

Spring Security (ACEGI): Context-Security.xml (continued)

    <bean id="authenticationProcessingFilter"
          class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="filterProcessesUrl" value="/j_acegi_security_check" />
        <property name="authenticationFailureUrl" value="/login.htm?login_error=1" />
        <property name="defaultTargetUrl" value="/" />
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

Spring Security (ACEGI): Logon.jsp – All we did was call the form!

    <form name="security" method="post" action="j_acegi_security_check">
      <p align="right">Username: <input type="text" name="j_username">
         Password: <input type="password" name="j_password"></p>
      <c:if test="${param.login_error == '1'}">
        <font color="red" size="4"><c:out value="Invalid ID or password" /></font>
      </c:if>
      <p align="right"><input type="submit" value="Sign on"></p>
    </form>

Security Configuration Options
• Tomcat to use LDAP (server.xml):

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://localhost:389"
           userPattern="uid={0},ou=people,dc=mycompany,dc=com"
           roleBase="ou=groups,dc=mycompany,dc=com"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />

• Apache HTTP Server
• WebSphere products
• We chose to be HTTP and application server independent and use Spring Security

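Both the ACEGI userDnPatterns value (uid={0},ou=webcheck) and Tomcat's roleSearch ((uniqueMember={0})) splice a runtime value into a DN or a search filter. As an added example (not from the deck, Acegi or Tomcat), the two escaping rules such a substitution needs, RFC 4514 for DN components and RFC 4515 for filter values, plus an allow-list check that is simpler for uid-style names; the pattern strings and inputs are constructed.

```python
# Added example, not from the slides: fill the "{0}" placeholder used by ACEGI's
# userDnPatterns and Tomcat's roleSearch with a runtime value, escaping it first.
# A DN component and a search filter have different syntaxes, so they need
# different escaping (RFC 4514 and RFC 4515 respectively). Inputs are constructed.
import re

DN_SPECIAL = set(',+"\\<>;=')
UID_OK = re.compile(r"[A-Za-z0-9._-]{1,64}")   # constructed allow-list for uid values

def escape_dn_value(value: str) -> str:
    """RFC 4514: escape characters that would end or restructure the RDN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # leading '#' starts a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space is significant
            out.append("\\ ")
        elif ord(ch) < 0x20 or ch == "\x7f":        # control characters as \XX
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape bytes that carry filter syntax ('*', '(', ')', '\\', NUL)
    plus control and non-ASCII bytes, so a value can never close or extend the filter."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x2A, 0x28, 0x29, 0x5C) or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def substitute_user_dn(pattern: str, username: str) -> str:
    """Build the bind DN the way a userDnPatterns entry does, with the name escaped."""
    return pattern.replace("{0}", escape_dn_value(username))

def substitute_filter(template: str, value: str) -> str:
    """Fill a roleSearch-style filter template with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))

def is_valid_uid(username: str) -> bool:
    """Allow-list alternative for uid-style names: reject anything that would need escaping."""
    return UID_OK.fullmatch(username) is not None
```

Escaping preserves an odd value faithfully; the allow-list simply refuses it, which for a uid is usually the better policy.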
Spring LDAP
• Spring LDAP is a Java library for simplifying LDAP operations, based on the pattern of Spring's JdbcTemplate. This leaves the programmer to handle the important stuff: where to find data.
• These templates were used as a jumping-off point to add, update, select and delete users in the LDAP directory.
• It is one of the tools in the Spring Framework that simplifies the coding required to maintain the LDAP server.

Example – LdapPersonDaoImpl: Delete User

    import javax.naming.Name;
    import org.springframework.ldap.core.LdapTemplate;

    public class LdapPersonDaoImpl extends LdapTemplate implements LdapPersonDao {

        public void delete(LdapPerson person) {
            // unbind() removes the entry whose DN buildDn() derives from the person
            unbind(buildDn(person));
        }

        protected Name buildDn(LdapPerson person) {
            ...
        }

        ...
    }

Questions

References
• Justin B. Alcorn, 9/29/2003 – Case Study: LDAP Authentication and Authorization for Open Source Web Applications
• Luke A. Kanies, 08/16/2001 – An Introduction to LDAP
• Thomas Barlen, Wolfgang Eckert, John Taylor, Klaus Tebb, Wendy Thomson, Marc Willems – Implementation and Practical Use of LDAP on the IBM iSeries Server

References
• Understanding LDAP Design and Implementation – IBM
• WebSphere Application Server for iSeries V6: Building Advanced Configurations – Section 5.7, Setting up LDAP with WebSphere
• iSeries Information Center, "Directory Server (LDAP)"
• Ed Owens, May 2001 – Directory vs. Database: What Data Goes Where?

Contact Information
• Contact First Option: 508-339-0588 x11
  - pfuller@1stoption.com
• www.1stoption.com – the presentation will be in News and Events