Directory Service - Progress Community
Authenticating REST/Mobile clients
using LDAP and OERealm
PUG Challenge Americas - 2014
Michael Jacobs
Senior Software Architect
6.6.2014
Agenda
Configurable REST application authentication process
LDAP authentication
OERealm authentication
When things don’t work as you expect
© 2014 Progress Software Corporation. All rights reserved.
Configurable REST application authentication process
Configurable REST Authentication Process
Which authentication model (i.e. process) is used is configured in WEB-INF/web.xml
Common authentication model template policies live in WEB-INF/appSecurity…
Plug-in user account system modules
Each template allows configuration of
• User account system connection
• User [http] session control
• URI access controls (Role Based Authorization)
• CORS configuration for Java Script clients
• AppServer [Client-Principal] SSO ( for 11.2+ AppServers )
LDAP Authentication
LDAP Essentials
[LDAP] Directory Services widely used for single point of administration
LDAP (Lightweight Directory Access Protocol) is a wire protocol and client API
Most commonly recognized as a Single Point of Authentication (SPA)
A Directory Service ( example: OpenLDAP, Windows Active Directory, Apache DS)
• A hierarchical store of schema defined objects and object attributes
• No two production sites will have the same hierarchy ( of users & groups )
Key Directory Service Terms and Concepts
Distinguished Name ( DN )
• The path to a specific data object
• Root DN: the name of the object hierarchy's root data object
example: dc=acme,dc=com
• Fully qualified DN: full path to the object from the root DN to the object
example: dn=ldapserver1,ou=IT,dc=acme,dc=com
• Relative DN: the object's own name, relative to its parent object
example: dn=ldapserver (child object of: ou=IT,dc=acme,dc=com)
Search root: the fully qualified DN of the data object at which to begin a descending search for one or more data objects
Key Directory Service Terms and Concepts (cont)
Directory Services require you to log in (bind) before you can search for information
Security policies prevent read/write of another user’s password attribute
Passwords are stored as salted one-way hashes
To test a user account’s password for login
1. You have to login with a fully qualified DN that has search privileges
2. Search to find the user’s account and retrieve its fully qualified DN
3. Logout
4. Login using the user account’s fully qualified DN and password
5. Retrieve user attributes - primarily the Groups (i.e. Role) they are a member of
6. Logout
Required Information From Directory Service Admin
1. The network address and port(s) of the Directory Service:
“foo.com” 389
2. The ROOT DN of the directory service
“dc=foo, dc=com”
3. The DN & password of an account with ‘query’ privilege:
“uid=admin, ou=ds admins, ou=IT, dc=foo, dc=com”
4. The LDAP DN of the object where the user object search will start
“ou=users, ou=employees, dc=foo, dc=com”
Required Information From Directory Service Admin (cont)
5. The LDAP user account object’s attribute name that holds the user’s login ID
“uid” (or that non-standard Active Directory thing…)
6. The LDAP DN of the object where the search for LDAP user groups (roles) will start
“ou=groups,dc=foo,dc=com”
7. The LDAP group object’s attribute whose values are the DNs of its member users (the groups found through it supply the role names inserted into the user’s login token)
“uniqueMember”
8. The LDAP Group attribute holding the Role/Group name
“cn”
You Configure the Spring Security LDAP Server
LDAP Directory access (the #n annotations refer to the numbered items from the Directory Service admin)

<ldap-server id="PrimaryLDAP"
             url="ldap://localhost:389/dc=acwd45,dc=com"
             manager-dn="uid=dsclient,ou=users,dc=acwd45,dc=com"
             manager-password="password" />

• url: #1 host & port, #2 directory root
• manager-dn / manager-password: #3 user DN (and its password) used for queries

You Configure Spring Security LDAP Authentication Manager
Authentication Provider

<authentication-manager id="RestApplicationAuth">
  <ldap-authentication-provider
      server-ref="PrimaryLDAP"
      user-search-base=""
      user-search-filter="(uid={0})"
      group-search-base=""
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="ROLE_" />
</authentication-manager>

• user-search-base: #4 user search RDN
• user-search-filter: #5 user login-id attribute
• group-search-base: #6 group search RDN
• group-search-filter: #7 group attribute holding the user DN
• group-role-attribute: #8 group attribute used as ROLE name
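As an added example (not from the slides and not Progress or Spring Security code), the six-step login sequence from the “Key Directory Service Terms and Concepts (cont)” slide and the Spring Security attributes from the two configuration slides, modelled in Python against a constructed in-memory directory so it runs with no LDAP server. The directory contents, the user names, the passwords and the salted-hash format are all made up for the demonstration; the Spring attribute names are taken from the slides.

```python
"""Constructed, in-memory model of the LDAP login sequence on the slides.
A Python dict stands in for the directory; nothing here speaks real LDAP."""
import hashlib
import hmac
import os

DIGEST_LEN = 32  # sha256 digest length; the salt is appended after the digest


def hash_password(password, salt=None):
    """Salted one-way hash, the only thing the directory stores for a password."""
    salt = os.urandom(8) if salt is None else salt
    return hashlib.sha256(salt + password.encode()).digest() + salt


def check_password(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, stored[DIGEST_LEN:]), stored)


# Constructed sample directory keyed by fully qualified DN (root dc=acwd45,dc=com
# as on the configuration slide). The two groups deliberately use different
# membership attributes, member and uniqueMember.
ROOT_DN = "dc=acwd45,dc=com"
ALICE_DN = "uid=alice,ou=users," + ROOT_DN
ENTRIES = {
    "uid=dsclient,ou=users," + ROOT_DN: {"uid": ["dsclient"],
                                         "userPassword": [hash_password("password")]},
    ALICE_DN: {"uid": ["alice"], "userPassword": [hash_password("s3cret")]},
    "cn=developers,ou=groups," + ROOT_DN: {"cn": ["developers"], "member": [ALICE_DN]},
    "cn=auditors,ou=groups," + ROOT_DN: {"cn": ["auditors"], "uniqueMember": [ALICE_DN]},
}


class Directory:
    """Minimal directory: you must bind before searching, and search results
    never include userPassword (the slide's read policy on password attributes)."""

    def __init__(self, entries):
        self.entries = entries
        self.bound_dn = None

    def bind(self, dn, password):
        entry = self.entries.get(dn, {})
        stored = entry.get("userPassword")
        ok = bool(stored) and check_password(stored[0], password)
        self.bound_dn = dn if ok else None
        return ok

    def unbind(self):
        self.bound_dn = None

    def search(self, base, attr, value):
        """Descending search from base for entries whose attr contains value."""
        if self.bound_dn is None:
            raise PermissionError("search refused: not bound")
        return [(dn, {k: v for k, v in entry.items() if k != "userPassword"})
                for dn, entry in self.entries.items()
                if dn.endswith(base) and value in entry.get(attr, [])]


# Mirrors the attribute names on the Spring Security slides; "" means the root DN.
SPRING_CONFIG = {
    "manager-dn": "uid=dsclient,ou=users," + ROOT_DN, "manager-password": "password",
    "user-search-base": "", "user-search-filter": "(uid={0})",
    "group-search-base": "", "group-search-filter": "(member={0})",
    "group-role-attribute": "cn", "role-prefix": "ROLE_",
}


def parse_filter(template, arg):
    """Split a one-term filter such as "(uid={0})" and substitute {0}."""
    attr, _, value = template.strip("()").partition("=")
    return attr, value.replace("{0}", arg)


def search_base(rdn):
    """A search base RDN from the config is relative to the directory root."""
    return rdn + "," + ROOT_DN if rdn else ROOT_DN


def authenticate(directory, cfg, username, password):
    """Steps 1-6 from the slide; returns the role list, or None on any failure."""
    # 1. bind with the account that has search privilege
    if not directory.bind(cfg["manager-dn"], cfg["manager-password"]):
        return None
    # 2. locate the user's fully qualified DN; anything but exactly one hit fails
    users = directory.search(search_base(cfg["user-search-base"]),
                             *parse_filter(cfg["user-search-filter"], username))
    directory.unbind()  # 3. logout
    if len(users) != 1:
        return None
    user_dn = users[0][0]
    # 4. bind as the user: the directory checks the salted hash, we never read it
    if not directory.bind(user_dn, password):
        return None
    # 5. groups whose membership attribute lists the user's DN become roles
    groups = directory.search(search_base(cfg["group-search-base"]),
                              *parse_filter(cfg["group-search-filter"], user_dn))
    roles = sorted(cfg["role-prefix"] + attrs[cfg["group-role-attribute"]][0]
                   for _, attrs in groups)
    directory.unbind()  # 6. logout
    return roles
```

The two group entries differ on purpose. With the slide's group-search-filter (member={0}) only the developers group is found; the auditors group, whose membership attribute is uniqueMember (item 7 on the admin checklist), is silently skipped, so the user logs in with fewer roles than expected and no error is raised. When role-based URI access control denies a user who authenticated successfully, the first thing to check is that the attribute named in the group search filter is the one the directory actually uses.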
Now, The Live Stuff…
OERealm Authentication
OERealm Overview
A write-your-own User Account System running in a state-free AppServer
OERealm [client] user account system plug-in
Current OERealm clients: OEBPM, REST service, (Rollbase under construction)
Current OpenEdge 11.3+ client support: Java & .NET OpenClient
[Diagram: on the AppServer client, the client authentication process reads the OERealm client configuration and calls, through the AppServer Service Interface, the developer-written OERealm class, which takes account data from local accounts, LDAP, or an Identity Management System; separately, client application code calls the OE-written Service Interface and Business Logic that work on app data.]
OERealm OOABL Interface Overview
Get a list of user accounts
Get a list of user account attribute (i.e. field) names
Query a list of user account names
Lookup a user account *
• Get user account properties (such as Roles, expiration, … ) *
• Remove a user account’s attribute value
• Set a user account’s attribute value
• Verify a single user account’s password *
* Required
Development Process Overview
Design for extensibility – focus on security
Implement the OERealm interface (there are now requirements…)
• Provision user accounts (if not already in your application)
• Code minimum OERealm class methods
• Code the optional OERealm SSO Client-Principal validation
• Consider if multi-tenancy ( i.e. multiple domains ) will be required
Optional: Create a sealed Client-Principal for SSO to the AppServer OERealm class
Optional: Create a new OERealm keystore with the OE Domain(s) Access-Code
Deploy OERealm class(es) to AppServer
Configure OERealm in the remote authentication process
Test and debug
Now, The Live Stuff…
Deployment Site Considerations
Supply AppServer SSO defaults
• REST security templates (appSecurity-xxxx) configuration
– Default OE Domain and access code ( can be the blank domain )
• AppServer defined default OE Domain and access code for AppServer SSO validation
Supply OERealm class SSO defaults
• Sealed Client-Principal for SSO to OERealm AppServer class
• AppServer defined OE Domain and access code
Instructions for changing AppServer SSO Domain and access code
Instructions for changing OERealm class SSO Client-Principal
When Things Don’t Work as You Expect
Service Logging Will Be Your Friend
The REST service logging configuration found in:
<web-app-name>/WEB-INF/classes/log4j.properties
The REST service’s log file is found in:
<web-app-name>/WEB-INF/adapters/log/xxxx.log
Change the security (Java class) logging to DEBUG
LOTS of logging will be made – log file size will be an issue