
WalkID: The iChain LDAP-Query-enabled Plug-in

Novell Cool Solutions: Feature
By Alfredo Luiz Santos, Andre Monteiro


Posted: 9 Dec 2005

Are you frustrated about how to improve access to directory information from your corporate applications? This article adds value to the Novell iChain 2.3 marketplace while keeping existing assets safe and secure. IT organizations can deploy sophisticated interactive solutions that open up existing business systems, including the ability to centrally manage access to all of those systems based on who people are and what you want them to see, which protects your past investments.

The WalkID Tool helps you accomplish these goals. It is available for download at:
http://www.novell.com/coolsolutions/tools/16328.html

Introduction

Sharing knowledge means sharing information, and information is only useful when it can be used. Retrieving identity data should always make us think about how to get the right information to the right people. The iChain OLAC framework takes the iChain box to the next level of dynamic data injection into Web applications. This article shows you how to get information faster from Novell eDirectory and push it to back-end servers, without any LDAP development.

Business Scenario

Companies need to let their products' contacts and services authenticate against the directory, extract information, and push it to a back-end application. The following example is an "x-ray" of a virtual business.

Suppose you have a conceptual business model running on eDirectory, where the main objects of this directory are:

Customer

The Customer entity represents a customer in the CRM. Each customer uses a single ID (customerID, for instance). The Customer object lets you group the set of contacts and service instances belonging to that customer. It also stores additional data, such as Customer Name, Type of Customer, Customer Class, and Fidelity Flag.

Contact

The Contact object represents a contact in the CRM; the contact can be the owner or a user of a service. A contact can be used by a person to authenticate against the customer tree. Each contact should have a distinct user ID and password. This allows one person to manage his own products and services, and another contact to manage the company's products and services with different rights and profiles.

A contact object should use a unique identifier and store extra information, such as contact type, classification, and address (City, ZIP code, State, e-mail).

Service Instance

The Service Instance object stores a product inside the directory. One service instance is used by one customer to authenticate as a product with personalization; for instance, you could authenticate using a cell phone, your insurance ID, etc. This object can also store attributes such as type of product, start date, end date, service unique ID, category, etc.

Service Element

Service Elements represent the services installed with customer products, such as GPS, caller ID, etc. A service element should store extra data such as name of element, type of element, start date, end date, etc. An example is shown below.

Figure 1: Service Element example

The Problem

Our extensive experience in working with customers has led us to an effective approach for addressing these needs. The LDAP OLAC plug-in can provide any attribute of the logged-in object using Object Access Level Control (OLAC). However, some implementations, like the scenario above, need to get information from other related objects.

To avoid data replication, or the use of components like the DirXML loopback driver as a trigger to copy data, we can instead apply the business rules as designed: user data will sometimes be distributed across other related objects.

The WalkID Solution

The Identity Navigator is an OLAC plug-in designed to run advanced searches against eDirectory and send the results back to an application server. This enables impersonation of objects.

Architecture

WalkID builds on the OLAC framework to process queries against eDirectory.

Figure 2: WalkID architecture

Using WalkID

WalkID can be used to search objects related to the logged-in object, without replicating data into objects. To query one specific attribute on one LDAP server using the WalkID plug-in, you build a query string in the format described below:

{SearchBase}{AttributeFilter}{Scope}{Attribute}

Each element in the query string is enclosed in {} delimiters.

Sample Query String

With this sample string you perform a search one level up from the logged-in object (..), with base scope, for an object whose object class is Person and which matches the given criteria; the customerZIP attribute is pushed out to the back-end application.

{..}{(&(objectClass=Person)(|(sn=Monteiro)(cn=amonteiro*)))}{base}{customerZIP}

Search Base

The Search Base parameter uses the operators below:

  • . (the base is the object the person logged in as)
  • .. (the base is the parent of the logged-in object)
  • ../.. (the base is the grandparent of the logged-in object)
  • dn (the DN of any point in the tree)

Scope

The Scope parameter uses the operators below:

  • base (only the base object itself is searched)
  • one (the base object and its immediate children are searched)
  • sub (the base object and all levels below it are searched)
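The following Python is an added example (not part of the article or the WalkID plug-in, whose code is Java) that shows how the four-element query string and the Search Base and Scope operators described above can be parsed and validated before a search is issued. The logged-in DN and the helper names (parse_query_string, resolve_search_base, plan_search) are assumptions made for the example.

```python
import re

# Scope operators documented for the Scope element.
SCOPES = {"base", "one", "sub"}


def parse_query_string(query):
    """Split a WalkID query string into its four brace-delimited elements.

    The elements are positional: {SearchBase}{Filter}{Scope}{Attribute}.
    Anything outside the braces, a missing element, or an unknown scope
    is rejected rather than guessed at.
    """
    parts = re.findall(r"\{([^{}]*)\}", query)
    if len(parts) != 4 or "".join("{" + p + "}" for p in parts) != query:
        raise ValueError("expected exactly {base}{filter}{scope}{attribute}")
    base, ldap_filter, scope, attribute = parts
    if scope not in SCOPES:
        raise ValueError("unknown scope %r (use base, one or sub)" % scope)
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    if not attribute:
        raise ValueError("attribute to return is empty")
    return {"base": base, "filter": ldap_filter, "scope": scope,
            "attribute": attribute}


def split_dn(dn):
    """Split a DN into RDNs on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def resolve_search_base(base, logged_dn):
    """Turn a Search Base operator into a concrete DN.

    '.'            -> the logged-in object itself
    '..', '../..'  -> one or more levels up from the logged-in object
    anything else  -> taken literally as the DN of a point in the tree
    """
    if base == ".":
        return logged_dn
    if re.fullmatch(r"\.\.(/\.\.)*", base):
        levels = base.count("..")
        rdns = split_dn(logged_dn)
        if levels >= len(rdns):
            raise ValueError("search base climbs above the tree root")
        return ",".join(rdns[levels:])
    return base


def plan_search(query, logged_dn):
    """Combine both steps: the concrete search an LDAP client would issue."""
    plan = parse_query_string(query)
    plan["base"] = resolve_search_base(plan["base"], logged_dn)
    return plan


def is_valid_query(query):
    """True if the query string parses; useful for checking configuration."""
    try:
        parse_query_string(query)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed logged-in DN; the query string is the article's sample.
    sample = ("{..}{(&(objectClass=Person)(|(sn=Monteiro)(cn=amonteiro*)))}"
              "{base}{customerZIP}")
    print(plan_search(sample, "cn=amonteiro,ou=Contacts,o=BrT"))
```

Rejecting a malformed query at configuration time is preferable to letting the plug-in issue a search with an unexpected base or scope: a scope of sub against a high base returns far more than intended.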

Filter

The Filter parameter uses the grammar below. This representation is RFC 2254 compliant.

filter     = "(" filtercomp ")"
filtercomp = and / or / not / item
and        = "&" filterlist
or         = "|" filterlist
not        = "!" filter
filterlist = 1*filter
item       = simple / present / substring / extensible
simple     = attr filtertype value
filtertype = equal / approx / greater / less
equal      = "="
approx     = "~="
greater    = ">="
less       = "<="
present    = attr "=*"
substring  = attr "=" [initial] any [final]
initial    = value
any        = "*" *(value "*")
final      = value
attr       = AttributeDescription
value      = AttributeValue

Note: If the value should contain any of these characters:
  • * (0x2a)
  • \ (0x5c)
  • ( (0x28)
  • NUL (0x00)
  • ) (0x29)

then the character must be written as a backslash '\' (ASCII 0x5c) followed by the two hexadecimal digits of its code. For example, a filter that checks whether the CN attribute contains an asterisk (*) at any position is written like this:

(cn=*\2a*)

Here are some sample search filters:

(cn=amonteiro)

Search for an attribute value equal to "amonteiro".

(!(cn=amonteiro))

Search for an attribute value different from "amonteiro".

(&(objectClass=Person)(|(sn=Monteiro)(cn=amonteiro*)))

Search for Person objects where the sn is "Monteiro" or the cn starts with "amonteiro".
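As an added example (not code from the article or from the WalkID plug-in), the Python below implements the RFC 2254 grammar and escape rule shown above and evaluates the three sample filters against a few constructed directory entries. The entry DNs and attribute values are invented for the example; approximate match (~=) is server-defined and is treated as equality here.

```python
import re

# RFC 2254 escapes for the characters that must not appear raw in a value.
_ESCAPE = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def _unescape(text):
    """Turn \\XX hex escapes back into the literal character."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def parse_filter(text):
    """Parse a filter string into a tuple tree following the RFC 2254 grammar
    (and/or/not, simple, present and substring items; no extensible match)."""
    node, pos = _parse_filter(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse_filter(text, pos):
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    ch = text[pos:pos + 1]
    if ch in ("&", "|"):
        pos += 1
        children = []
        while text[pos:pos + 1] == "(":          # filterlist = 1*filter
            child, pos = _parse_filter(text, pos)
            children.append(child)
        if not children:
            raise ValueError("'%s' needs at least one filter" % ch)
        node = ("and" if ch == "&" else "or", children)
    elif ch == "!":
        child, pos = _parse_filter(text, pos + 1)
        node = ("not", child)
    else:
        end = text.find(")", pos)                # escaped ')' is '\29', never raw
        if end < 0:
            raise ValueError("unterminated item")
        node = _parse_item(text[pos:end])
        pos = end
    if text[pos:pos + 1] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def _parse_item(item):
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)", item, re.S)
    if not m:
        raise ValueError("bad item %r" % item)
    attr, op, raw = m.groups()
    if op == "=" and raw == "*":
        return ("present", attr)
    if op == "=" and "*" in raw:
        # Unescaped '*' separates the substring pieces; '\2a' stays literal.
        return ("substring", attr, [_unescape(p) for p in raw.split("*")])
    return ("simple", attr, op, _unescape(raw))


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: attribute -> values).
    Names and values compare case-insensitively, as for directory strings."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    attr = node[1].lower()
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if kind == "present":
        return bool(values)
    if kind == "substring":
        pattern = ".*".join(re.escape(p.lower()) for p in node[2])
        return any(re.fullmatch(pattern, v, re.S) for v in values)
    want = node[3].lower()
    if node[2] in ("=", "~="):
        return want in values
    if node[2] == ">=":
        return any(v >= want for v in values)
    return any(v <= want for v in values)


# Constructed entries standing in for a small eDirectory subtree.
SAMPLE_ENTRIES = {
    "cn=amonteiro,ou=Contacts,o=BrT": {"objectClass": ["Person"],
                                       "cn": ["amonteiro"], "sn": ["Monteiro"]},
    "cn=asantos,ou=Contacts,o=BrT": {"objectClass": ["Person"],
                                     "cn": ["asantos"], "sn": ["Santos"]},
    "cn=svc*1,ou=Services,o=BrT": {"objectClass": ["serviceInstance"],
                                   "cn": ["svc*1"]},
}


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted DNs of the entries matching the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in entries.items() if matches(node, entry))
```

The escape rule is what keeps a value such as svc*1 from being read as a substring pattern: search("(cn=svc*1)") treats it as a wildcard, while search("(cn=" + escape_filter_value("svc*1") + ")") matches only the entry whose cn is literally svc*1.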

Macro Attribute

The Search filter parameter supports dynamic values (Macro Attributes) taken from the logged-in object. The format is "%attribute%". For example:

(&(objectclass=CustomerUser)(CustomerDepartament=%L%))

In the above example, the value of the L attribute of the logged-in object is substituted into the search filter.
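The Python below is an added example (not part of the article or the plug-in) of how %attribute% macros can be expanded from the logged-in object's attributes. It applies the RFC 2254 escaping from the Filter section to the substituted value, so that a directory value containing characters such as "*" or ")" cannot change the structure of the filter it is inserted into. The logged-in objects, the use of the first value of a multi-valued attribute, and the function name expand_macros are assumptions of the example.

```python
import re

# RFC 2254 escapes for the characters that must not appear raw in a value.
_ESCAPE = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


# A macro is an attribute name between two percent signs, e.g. %L%.
MACRO = re.compile(r"%([A-Za-z][\w.;-]*)%")


def expand_macros(filter_template, logged_entry, escape=True):
    """Replace every %attribute% in the filter with that attribute's value
    from the logged-in object (a dict: attribute -> list of values).

    Lookups ignore case; the first value of a multi-valued attribute is used
    (an assumption; the plug-in's choice is not documented). A missing or
    empty attribute raises instead of silently producing a filter that
    matches nothing. With escape=True the substituted value is matched
    literally, whatever characters the directory holds.
    """
    def substitute(m):
        name = m.group(1).lower()
        for attr, values in logged_entry.items():
            if attr.lower() == name and values:
                return escape_filter_value(values[0]) if escape else values[0]
        raise KeyError("logged object has no value for %s" % m.group(1))
    return MACRO.sub(substitute, filter_template)


def has_all_macros(filter_template, logged_entry):
    """True if every macro in the template can be resolved from the object."""
    try:
        expand_macros(filter_template, logged_entry)
        return True
    except KeyError:
        return False


# Constructed logged-in objects; the template is the article's example.
LOGGED_OK = {"cn": ["amonteiro"], "L": ["Sales"]}
LOGGED_ODD = {"cn": ["asantos"], "L": ["*"]}   # a value the directory could hold
TEMPLATE = "(&(objectclass=CustomerUser)(CustomerDepartament=%L%))"
```

With escape=False the second object would turn the CustomerDepartament clause into a presence test that matches every CustomerUser, which is why the substituted value should always be escaped.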

Attribute

This is the attribute returned to the application. Multi-valued attributes, such as groupMembership, are returned "#"-delimited when they have more than one value.

The resulting multi-values can be filtered with these rules:

Contains
  Description: Return only values containing the string
  Format: Attribute.contains("value")
  Sample: {groupMembership.contains("eGuide")}

Equals
  Description: Return only values equal to the string
  Format: Attribute.equals("value")
  Sample: {groupMembership.equals("cn=[root],cn=Information General,cn=Role Based Service 2,ou=RBS,ou=Servicos,o=BrT")}

BeginsWith
  Description: Return only values beginning with the string
  Format: Attribute.beginsWith("value")
  Sample: {groupMembership.beginsWith("cn=[root]")}

EndsWith
  Description: Return only values ending with the string
  Format: Attribute.endsWith("value")
  Sample: {groupMembership.endsWith("o=BrT")}

EndsWithClean
  Description: Return only values ending with the string, removing the string parameter from the returned values
  Format: Attribute.endsWithClean("value")
  Sample: {groupMembership.endsWithClean("o=BrT")}
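As an added example (not the plug-in's code), the Python below splits a "#"-delimited WalkID result and applies the five rules above. The groupMembership values are constructed for the example, and the exact "cleaning" done by EndsWithClean is an assumption: here the parameter string and the comma before it are removed from each kept value.

```python
import re

SEPARATOR = "#"   # WalkID joins the values of a multi-valued attribute with '#'

# {Attribute.operation("argument")}; the longer operation name comes first so
# endsWithClean is not matched as endsWith.
RULE = re.compile(
    r'\{(?P<attr>[A-Za-z][\w.;-]*)\.'
    r'(?P<op>contains|equals|beginsWith|endsWithClean|endsWith)'
    r'\("(?P<arg>[^"]*)"\)\}')


def split_multi_value(raw):
    """Split a '#'-delimited WalkID result into its individual values."""
    return [v for v in raw.split(SEPARATOR) if v]


def parse_rule(rule):
    """Return (attribute, operation, argument) from a rule such as
    {groupMembership.endsWith("o=BrT")}."""
    m = RULE.fullmatch(rule)
    if not m:
        raise ValueError("not a valid multi-value rule: %r" % rule)
    return m.group("attr"), m.group("op"), m.group("arg")


def apply_rule(rule, raw_result):
    """Apply one rule to the raw multi-value string; return the kept values."""
    _attr, op, arg = parse_rule(rule)
    values = split_multi_value(raw_result)
    if op == "contains":
        return [v for v in values if arg in v]
    if op == "equals":
        return [v for v in values if v == arg]
    if op == "beginsWith":
        return [v for v in values if v.startswith(arg)]
    if op == "endsWith":
        return [v for v in values if v.endswith(arg)]
    # endsWithClean: keep values ending with the argument and strip the
    # argument (and the comma separating it) from what is returned.
    # Assumption: the article only says the parameter is "cleaned".
    return [v[:-len(arg)].rstrip(",") for v in values if v.endswith(arg)]


# Constructed groupMembership result, in the form WalkID returns it.
SAMPLE_RESULT = SEPARATOR.join([
    "cn=eGuideAdmin,ou=RBS,o=BrT",
    "cn=[root],cn=Information General,cn=Role Based Service 2,ou=RBS,ou=Servicos,o=BrT",
    "cn=PortalUser,ou=RBS,o=Partner",
])
```

Filtering with endsWith("o=BrT") before handing group membership to an application is a simple way to keep roles from another organization (o=Partner above) out of the value the back end sees.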

Plug-in Installation and Configuration

To install the WalkID OLAC plug-in:

1. Copy the OLACWalkID.jar file to the iChain server and add the jar to the CLASSPATH in SYS:\system\oacjava.ncf.

2. Create a new plug-in section in SYS:\iChain\oac\oac.properties.

3. Add the plug-in name and class, using this format:

[WalkID Processor]
Class Name = com.novell.ichain.oac.walkid.ParamListBuilder

4. In the Protected Resource of the ISO object in ConsoleOne, add a new OLAC parameter that uses the WalkID plug-in:

  • Name: Return field (name of the field returned to the application)
  • Data Source: WalkID
  • Value: Query String (the parameter string for the search)

Now refresh the OLAC, or restart the iChain proxy server, and check the console. OACINT.NLM and OACJAVA have console screens that show messages related to the OLAC process.

Plug-in Configuration

This plug-in needs no additional configuration because it uses the default iChain/OLAC configuration. To capture a log of WalkID activity:

1. Install log4j in the classpath.

2. Copy log4j.properties to your ROOT directory.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell