First Option, Incorporated


Uploaded 12 Nov 2013


Copyright
© First Option 2008

First Option, Incorporated


The 1st Option in IT.




About First Option

Founded in 1995

Located in Mansfield, MA

Expertise in IBM AS/400 configuration and systems management

Provides application development and custom programming

Designed and developed two SaaS products, iSeries WebCheck by First Option and First Option WebCheck, using LDAP on iSeries


What is DAP?

X.500 protocols

A series of computer networking standards covering electronic directory services. The X.500 series was developed by ITU-T, formerly known as CCITT. The directory services were developed to support the requirements of X.400 electronic mail exchange and name lookup.



Late 1980s and early 1990s: the X.500 directory specification and its Directory Access Protocol (DAP) become the industry standard. A single Directory Information Tree (DIT) is a hierarchical organization of entries which is distributed across one or more servers. An entry consists of a set of attributes, each attribute with one or more values. Each entry has a unique Distinguished Name (DN), formed by combining its Relative Distinguished Name (RDN), made up of one or more attributes of the entry itself, with the RDNs of each of the superior entries up to the root of the DIT.


Directory vs. Database

Why use a directory instead of an application database?

Data that is read frequently but updated much less frequently. Examples: names, addresses, phone numbers, passwords, interest profiles.

Data that lends itself to hierarchical organization. Examples: names in an enterprise organization, customers in geographical regions.

Data that is general-purpose and tends to be used in many disparate systems, or that may turn out to be useful to future applications. Examples: names, addresses, phone numbers, passwords, interest profiles, locations, reporting structure.


Directory vs. Database

Directory Advantages

Directories are optimized for high-volume read access.

Write access should be limited to system administrators.

Application-independent directory: application developers rely on the existence of a directory service that is accessible through a standard API.

Application-specific directories are not necessary.



Directory Information Tree (DIT)

[Figure: example DIT, from Case Study: LDAP Authentication and Authorization for Open Source Web Applications]


Relationship of DN and RDNs

[Figure: the Relative Distinguished Name components of a DN]



Why the move from DAP to LDAP

DAP is a difficult protocol to use; it is considered "heavyweight" because an implementation requires the full seven-layer OSI protocol stack.

LDAP, the Lightweight Directory Access Protocol, was first published as RFC 1487 in 1993. LDAP runs directly over TCP/IP, which is far simpler to implement and deploy.



Why use LDAP?

LDAP is being adopted as the de facto standard for directory access by many organizations and applications. Microsoft's Active Directory, Lotus Domino Server, Sun/Netscape, Novell, Computer Associates, IBM and many others offer LDAP-accessible directory servers.

It is as fundamental a building block as FTP or TCP/IP: developers spend their time coding the application instead of building application-specific databases of authentication and/or authorization information.






Why use LDAP?

Access Control Lists (ACLs): ACLs provide a means to protect information stored in an LDAP directory. Administrators use ACLs to restrict access to different portions of the directory, or to specific directory entries. Changes to each entry and attribute in the directory can be controlled using ACLs. An ACL for a given entry or attribute can be inherited from its parent entry or explicitly defined.

Authentication and Authorization: LDAP can be used for both authentication and authorization. It supports role-based security, e.g. administrators and users.
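The DN/RDN composition from the X.500 slide and the ACL inheritance described just above, worked through in Python as an added example (not code from the deck or from First Option): attribute values are escaped per RFC 4514 before they are joined into a DN, a DN is split back into its RDNs, and the chain of superior entries is walked to find the nearest explicit ACL. The suffix dc=example,dc=com, the entries and the ACL table are constructed for the example; a real server's ACL syntax is product-specific.

```python
"""Distinguished names composed from RDNs, and an ACL resolved by walking the
superior entries of a DN up to the top of the DIT.

Added example, not code from the deck or from First Option. The escaping
rules are RFC 4514's; the DIT suffix, the entries and the ACL table below are
constructed for the example (a real server's ACL syntax is product-specific).
"""
from typing import Dict, List, Optional, Set, Tuple

# RFC 4514 section 2.4: these characters must be escaped inside an attribute
# value, as must a leading '#' or space and a trailing space.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs, leaf first, into a DN string."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash escapes."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped char: keep it with its backslash
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def superiors(dn: str) -> List[str]:
    """Superior entries of dn, from its immediate parent up to the top of the tree."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


# Constructed ACLs: subject DN (or "anyone") -> permissions, attached to two
# entries only. Every other entry inherits from the nearest superior that
# carries one, as the slide describes.
ACLS: Dict[str, Dict[str, Set[str]]] = {
    "dc=example,dc=com": {
        "cn=admin,dc=example,dc=com": {"read", "write"},
        "anyone": {"read"},
    },
    "ou=webcheck,dc=example,dc=com": {
        "cn=admin,dc=example,dc=com": {"read", "write"},
        "cn=webcheck-app,ou=services,dc=example,dc=com": {"read", "write"},
        "anyone": set(),  # explicit: the public read right must not leak in here
    },
}


def effective_acl(dn: str) -> Tuple[Optional[str], Dict[str, Set[str]]]:
    """Return (entry the ACL came from, ACL): explicit if present, else inherited."""
    for candidate in [dn] + superiors(dn):
        if candidate in ACLS:
            return candidate, ACLS[candidate]
    return None, {}


def permitted(subject: str, dn: str, permission: str) -> bool:
    _, acl = effective_acl(dn)
    return permission in acl.get(subject, set()) or permission in acl.get("anyone", set())


if __name__ == "__main__":
    dn = build_dn([("cn", "Smith, John"), ("ou", "webcheck"), ("dc", "example"), ("dc", "com")])
    print(dn, split_dn(dn), superiors(dn))
    print(effective_acl(dn)[0], permitted("anyone", dn, "read"))
```

The escaping matters wherever a user-supplied value is substituted into a DN pattern such as the deck's `uid={0},ou=webcheck`: an unescaped comma in `{0}` would add a new RDN and change which entry is addressed.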





iSeries Directory Services

Beginning with Version 5 Release 1, Directory Services (LDAP) is automatically installed with OS/400. The directory server includes a default configuration that automatically starts the directory server when TCP/IP is started. V5R4 supports LDAP v3.

You have the option of publishing computer information from OS/400 to the directory server.


iSeries LDAP Configuration

Accessing iSeries Directory Services

1. Launch Operations Navigator.
2. Expand the system that you want to use as the LDAP server.
3. Expand Network, then Servers.
4. Click TCP/IP. This shows all the TCP/IP servers that exist on the system.


LDAP Installation on iSeries

Refer to Implementation and Practical Use of LDAP on the IBM iSeries Server, section 4.3, Configuring OS/400 Directory Services, for first-time configuration.




LDAP Properties


Directory requirements / Data Design

Directory Requirements: What type of application(s) will use the directory? Will the LDAP service participate in an X.500 directory service?

Determine who needs access to the data as a user. Find out whether those users can directly access or even update the directory. Determine the location of clients (users or applications). What expectations are there regarding privacy? How accurate and up-to-date must the directory content be?

Data design: Data should be read more often than it is written. Directory services are typically optimized for read operations.

Data should be accessed from more than just one system or client.



Data Organization

Directory schema

The purpose of a schema is to control the nature and format of the data stored in the directory. This means that schemas can be used for data validation and to control redundant data. A schema is also used by users and applications as the basis for directory search criteria.

Predefined Schemas: The LDAP specifications include a standard schema for a typical White Pages directory (RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3). See http://www03.ibm.com/systems/i/software/ldap/

Identify schemas provided by the applications, and standard and/or vendor-supplied schemas.

Select any predefined schemas that meet your needs. Plan for any schema extensions.

For each piece of data, determine the name of the attribute(s) that you will use to represent the data in the directory and the object class(es) (the type of entry) that the data will be stored on.


inetOrgPerson.schema

http://www.zytrax.com/books/ldap/ape/ provides a list of the object classes and attributes available in this schema.

inetOrgPerson inherits from organizationalPerson (organizationalPerson.schema), which in turn inherits from person.

http://www.it.ufl.edu/projects/directory/ldap-schema/

Directory Server supports object inheritance for object class and attribute definitions. A new object class can be defined with parent classes (multiple inheritance) plus its additional or changed attributes.
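The inheritance chain and the "schema as validation" point above, as an added Python example that is not from the deck or from First Option. SCHEMA is an abbreviated transcription of person and organizationalPerson (RFC 2256) and inetOrgPerson (RFC 2798): only a subset of the MAY attributes is listed and attribute syntaxes are not checked; the jdoe entry and its DN are constructed. validate() reports the violations a directory server would reject an add or modify with, which is also the check that catches an attribute the schema never allowed.

```python
"""Object-class inheritance and schema validation for an inetOrgPerson entry.

Added example, not code from the deck or from First Option. SCHEMA is an
abbreviated transcription of the person / organizationalPerson (RFC 2256) and
inetOrgPerson (RFC 2798) classes: only some MAY attributes are listed and
attribute syntaxes are not checked. The entry is constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# object class -> (superior class, MUST attributes, MAY attributes)
SCHEMA: Dict[str, Tuple[Optional[str], Set[str], Set[str]]] = {
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("person", set(),
                             {"title", "ou", "l", "st", "street", "postalCode",
                              "postalAddress", "facsimileTelephoneNumber"}),
    "inetOrgPerson": ("organizationalPerson", set(),
                      {"uid", "mail", "givenName", "displayName", "employeeNumber",
                       "employeeType", "departmentNumber", "mobile", "manager", "jpegPhoto"}),
}


def class_chain(name: str) -> List[str]:
    """Follow SUP links: inetOrgPerson -> organizationalPerson -> person -> top."""
    chain: List[str] = []
    current: Optional[str] = name
    while current is not None:
        if current not in SCHEMA:
            raise ValueError(f"unknown object class {current}")
        chain.append(current)
        current = SCHEMA[current][0]
    return chain


def effective_attrs(classes: List[str]) -> Tuple[Set[str], Set[str]]:
    """MUST and MAY sets accumulated over every listed class and all its superiors."""
    must: Set[str] = set()
    may: Set[str] = set()
    for cls in classes:
        for c in class_chain(cls):
            must |= SCHEMA[c][1]
            may |= SCHEMA[c][2]
    return must, may - must


def validate(entry: Dict[str, List[str]]) -> List[str]:
    """Schema check as a server applies it on add/modify; [] means the entry is valid."""
    try:
        must, may = effective_attrs(entry.get("objectClass", []))
    except ValueError as exc:
        return [str(exc)]
    # attribute names are case-insensitive in LDAP
    present = {a.lower() for a in entry}
    allowed = {a.lower() for a in must | may}
    problems = [f"missing MUST attribute {a}" for a in sorted(must) if a.lower() not in present]
    problems += [f"attribute {a} not allowed by the entry's object classes"
                 for a in sorted(entry) if a.lower() not in allowed]
    return problems


def to_ldif(dn: str, entry: Dict[str, List[str]]) -> str:
    """Render the entry as LDIF, one 'attr: value' line per value."""
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


# Constructed entry for a WebCheck user.
JDOE_DN = "uid=jdoe,ou=webcheck,dc=example,dc=com"
JDOE = {
    "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
    "givenName": ["John"],
    "mail": ["jdoe@example.com"],
}

if __name__ == "__main__":
    print(" -> ".join(class_chain("inetOrgPerson")))
    print(validate(JDOE))
    print(to_ldif(JDOE_DN, JDOE))
```

Dropping sn from the entry produces "missing MUST attribute sn"; adding an attribute no listed class defines is reported as not allowed, which is the server-side behaviour that makes a private schema extension (rather than reuse of an unrelated attribute) necessary for new data.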




inetOrgPerson.schema Object Classes & Attributes


Data/Schema

Don'ts

Do not use one attribute to store a specific kind of information and later use a different attribute to store the exact same kind of data!

Do not delete standard schema elements. Using a standard schema is beneficial, and specific changes can be made so long as they are additions. You may, however, create your own private schema. When doing so, you must take into consideration that compatibility with any other LDAP service may be lost and that your application clients have to be aware of that private schema.






LDAP Administration Tools

Use Open Source Tools!

Allow the administrator to develop and maintain the directory schema.

Allow the administrator to manually maintain directory entries.

Allow the administrator to search for information in the DIT.

Apache Directory Studio - http://directory.apache.org/studio

LDAP Admin Tool

OpenLDAP - http://openldap.org



LDAP Administration Tools

Apache Directory Studio: available as an Eclipse plug-in. This is a very attractive option if you use WDSC or Eclipse as your IDE.

OpenLDAP is the LDAP directory server equivalent of Apache Directory Server, not of Apache Directory Studio.

An admin tool is also available in WebSphere 6.0.

Lots of tools out there!



Apache Directory Studio





LDAP Search Utilities


Example: First Option WebCheck

FOI SaaS product that allows users to view check information via the Internet. The first customer is Daprex, a provider of general accounting software for the iSeries.

The client sends employee and check information via a Web Service provided by FOI.

The information is stored on the FOI server.

Authorized users are allowed to view the information.


First Option WebCheck

Required LDAP functionality

Signon screen: is it a valid user, and is the password correct?

Ability to add employee information.

Ability to modify the employee's password and email address. The employee must change the password on first signon. The password must also be changed at system-defined intervals.




First Option WebCheck


LDAP Directory


First Option WebCheck

Context-Security.xml

<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://foi400:389/dc=EXAMPLE,dc=COM" />
</bean>

The URL carries both the server and the base DN; the DN patterns that follow are relative to dc=EXAMPLE,dc=COM. Note that ldap:// on port 389 is an unencrypted connection, so a simple bind sends the user's password in the clear; outside a trusted network use ldaps:// or StartTLS.



First Option WebCheck

Context-Security.xml (continued)

<bean id="authenticator"
      class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg ref="initialDirContextFactory" />
    <property name="userDnPatterns">
        <list>
            <value>uid={0},ou=webcheck</value>
        </list>
    </property>
</bean>

{0} is replaced by the submitted username; the BindAuthenticator then binds to the directory as the resulting DN with the submitted password, so the directory itself verifies the credentials.


Spring Security (ACEGI)

Context-Security.xml (continued)

<bean id="authenticationProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg ref="authenticator" />
    <constructor-arg ref="populator" />
</bean>

<bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref bean="authenticationProvider" />
        </list>
    </property>
</bean>

The populator bean (the LdapAuthoritiesPopulator that maps the user's group memberships to granted authorities) is not shown on the slide.




Spring Security (ACEGI)

Context-Security.xml (continued)

<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="filterProcessesUrl" value="/j_acegi_security_check" />
    <property name="authenticationFailureUrl" value="/login.htm?login_error=1" />
    <property name="defaultTargetUrl" value="/" />
    <property name="authenticationManager" ref="authenticationManager" />
</bean>


Spring Security (ACEGI)

Logon.jsp

All we did was call the form!

<form name="security" method="post" action="j_acegi_security_check">
  <p align="right">Username: <input type="text" name="j_username">
  <br>
  <br>
  Password: <input type="password" name="j_password"></p>
  <c:if test="${param.login_error == '1'}">
    <font color="red" size="4"><c:out value="Invalid ID or password" /></font>
  </c:if>
  <p align="right"><br>
    <input type="submit" value="Sign on">
  </p>
</form>


Security Configuration Options

Tomcat using LDAP (server.xml)

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       userPattern="uid={0},ou=people,dc=mycompany,dc=com"
       roleBase="ou=groups,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />

userPattern builds the user's DN from the login name and binds with it; roleSearch then finds the groups under roleBase whose uniqueMember lists the authenticated DN, and roleName names the attribute that becomes the role.
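The two steps shared by the Acegi configuration above (BindAuthenticator with userDnPatterns, then the populator) and the Tomcat JNDIRealm (userPattern, then roleBase/roleSearch/roleName), simulated offline in Python as an added example that is not code from the deck or from First Option. It builds the user DN from the pattern, "binds" by checking an {SSHA} userPassword, then evaluates (uniqueMember={0}) under the role base to collect role names. The in-memory DIRECTORY, its users, groups and password hashes are constructed; the only defensive additions beyond what the slides show are the username character whitelist before DN substitution and RFC 4515 escaping before filter substitution, which is what keeps a login name like *)(uid=* from becoming part of the query.

```python
"""Simulated bind authentication and group-to-role lookup, offline.

Added example, not code from the deck or from First Option. It models the two
steps the Acegi BindAuthenticator/populator and the Tomcat JNDIRealm perform
(build the user DN from a pattern and bind with the user's password, then
search the role base for groups listing that DN) against a constructed
in-memory directory. DNs, users, groups and password hashes are constructed;
the pattern and search strings are those on the Tomcat slide.
"""
import base64
import hashlib
import hmac
import re

USER_PATTERN = "uid={0},ou=people,dc=mycompany,dc=com"
ROLE_BASE = "ou=groups,dc=mycompany,dc=com"
ROLE_SEARCH = "(uniqueMember={0})"
ROLE_NAME = "cn"

# RFC 4515: the only characters that need escaping inside a filter value.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


# The username is substituted into a DN. Rather than escaping every RFC 4514
# special character, accept only a conservative character set.
_UID_OK = re.compile(r"[A-Za-z0-9._-]{1,64}")


def ssha(password, salt):
    """{SSHA} as stored in userPassword: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, password):
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


ALICE = "uid=alice,ou=people,dc=mycompany,dc=com"
BOB = "uid=bob,ou=people,dc=mycompany,dc=com"
DIRECTORY = {  # constructed entries: dn -> {attribute: [values]}
    ALICE: {"uid": ["alice"], "userPassword": [ssha("correct horse", b"s4lt")]},
    BOB: {"uid": ["bob"], "userPassword": [ssha("battery staple", b"pepper")]},
    "cn=admins," + ROLE_BASE: {"cn": ["admins"], "uniqueMember": [ALICE]},
    "cn=users," + ROLE_BASE: {"cn": ["users"], "uniqueMember": [ALICE, BOB]},
}


def bind(username, password):
    """BindAuthenticator / userPattern: derive the DN, then 'bind' with the user's own password."""
    if not _UID_OK.fullmatch(username):
        return None  # 'alice,ou=admins' or '*)(uid=*' never reach the directory
    dn = USER_PATTERN.replace("{0}", username)
    entry = DIRECTORY.get(dn)
    if entry is None or not check_ssha(entry["userPassword"][0], password):
        return None  # unknown user and wrong password look the same to the caller
    return dn


def roles_for(dn):
    """Populator / roleSearch: one-level search under ROLE_BASE with (uniqueMember=<dn>)."""
    filt = ROLE_SEARCH.replace("{0}", escape_filter_value(dn))
    attr, _, wanted = filt[1:-1].partition("=")  # what the server parses back out
    wanted = unescape_filter_value(wanted)
    roles = []
    for entry_dn, attrs in DIRECTORY.items():
        if entry_dn.partition(",")[2] != ROLE_BASE:  # one-level scope
            continue
        if wanted in attrs.get(attr, []):
            roles.extend(attrs[ROLE_NAME])
    return sorted(roles)


def authenticate(username, password):
    dn = bind(username, password)
    return None if dn is None else {"dn": dn, "roles": roles_for(dn)}


if __name__ == "__main__":
    print(authenticate("alice", "correct horse"))
    print(authenticate("alice,ou=admins", "correct horse"))
    print(escape_filter_value("*)(cn=admins"))
```

With a real server the framework performs the same two substitutions; the point of the whitelist and the escape is that {0} is user input landing in two different grammars, a DN and a search filter, each with its own escaping rules.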


Apache HTTP Server

WebSphere products

We chose to be HTTP server and application server independent, and to use Spring Security.


Spring LDAP

Spring LDAP is a Java library for simplifying LDAP operations, based on the pattern of Spring's JdbcTemplate. This leaves the programmer to handle the important part: where to find the data.

These templates were used as a jumping-off point to add, update, select and delete users in the LDAP directory.

It is one of the tools in the Spring family that simplifies the coding required to maintain the LDAP server.



Example

LdapPersonDaoImpl

Delete User

import javax.naming.Name;

import org.springframework.ldap.core.LdapTemplate;

public class LdapPersonDaoImpl extends LdapTemplate implements LdapPersonDao {

    // Remove the person's entry; unbind() deletes the entry at the given DN.
    public void delete(LdapPerson person) {
        unbind(buildDn(person));
    }

    // Compose the entry's DN from the person object.
    protected Name buildDn(LdapPerson person) {
        ...
    }

    ...
}





Questions


References

Justin B. Alcorn, 9/29/2003. Case Study: LDAP Authentication and Authorization for Open Source Web Applications.

Luke A. Kanies, 08/16/2001. An Introduction to LDAP.

Thomas Barlen, Wolfgang Eckert, John Taylor, Klaus Tebb, Wendy Thomson, Marc Willems. Implementation and Practical Use of LDAP on the IBM iSeries Server. IBM.

Understanding LDAP Design and Implementation. IBM.

WebSphere Application Server for iSeries V6: Building Advanced Configurations, section 5.7, Setting up LDAP with WebSphere.

iSeries Information Center, "Directory Server (LDAP)".

Ed Owens, May 2001. Directory vs. Database: What Data Goes Where?









Contact Information

Contact First Option: 508-339-0588 x11

pfuller@1stoption.com

www.1stoption.com

The presentation will be posted under News and Events.