
OLAC QuickStart and Troubleshooting Guide

Novell Cool Solutions: Feature


Posted: 27 Sep 2001
 

Introduction

The Object Level Access Control (OLAC) service of iChain lets you integrate Web-based applications and control access to them. Sometimes these resources or objects need additional access control or application information about the user to be passed into the application. This additional information about the user can be stored in NDS or in some other database.

After a user has successfully logged in, the Proxy sends information about the logged-in user to the application running on a Web or application server. A plug-in program gathers this information: it reads the required details of the currently logged-in user's object from NDS. The data is sent in the HTTP header as a series of Name=Value pairs, which allows the application to perform additional processing or customization for the currently logged-in user. This is the function of Object Level Access Control; it reduces the application's overhead of logging into NDS itself to get the details it needs.

Customization of the Auth header:
iChain's OLAC is also used to customize the HTTP Authorization header. By default the proxy forwards the NDS user name and password in that header [Basic (shows in Base64 encoding cn=admin,o=novell:admin)], and most application servers do not accept an NDS distinguished name and password as a login. Some other method is therefore needed to fill the HTTP header with credentials the application server can authenticate. To let these application servers authenticate users by a common name format, two reserved variables, ICHAIN_UID (user identification) and ICHAIN_PWD (the user's password), take their values from NDS and provide a seamless login. Whatever is mapped to ICHAIN_UID and/or ICHAIN_PWD is injected into the authorization header (Auth header) sent between the iChain ICS box and the application (or web) server as [Basic (shows in Base64 encoding ICHAIN_UID:ICHAIN_PWD)].

Configuration Instructions

  1. Add Guest User.
    • Add a guest user to the ISO object using ConsoleOne (must use a period as separator).
    • Add a guest user in ICS GUI Cache->Access Control->LDAP guest user name (must use a comma as separator).
  2. Enable Forward Authentication information to Web Server:
    • Option must be enabled in ICS GUI Cache ->Web accelerator->Authentication Options (after enabling authentication)-> "Forward Authentication information to Web Server".
    • This allows OLAC to pass the name/value pairs as part of the authorization basic header and URL.
  3. Verify that OACINT has initialized successfully.
    • Switch to the OACINT screen on the ICS console and verify that OAC has initialized successfully on TCP port 4444 and is waiting for requests.
      OACINT talks to OACJAVA to extract the name/value pairs; any problem talking to OACJAVA results in errors being displayed here. For example:
      • No attributes returned for user cn=admin,o=novell, resource my_web_server
      • ConnectToOAC failed: could not connect to OAC server: Error 0
      • SendMessageToOAC failed: could not connect to OAC server
  4. Verify that the sys:\ichain\oac.properties file on the iChain ICS Server is configured correctly.

    The existing sys:\ichain\oac.properties file should be edited as shown in the sample in the Appendix. The only required changes are to the following:

    1. ISO object Name (insert fully distinguished name of ISO object with comma as separator)
    2. Security principal (insert fully distinguished name of admin user with comma as separator)
    3. Provider URL (insert IP address and TCP port of the Access Control LDAP Server)
    4. Security Credentials (insert admin users password)
  5. Make sure that the LDAP Server specified is configured to allow clear text passwords.
    • If the LDAP Server is a Novell LDAP Server, this may be done by using ConsoleOne to select the LDAP Group Object for the Server and enabling the "Allow clear text passwords" option under the General tab.
    • The iChain ICS server has a built-in LDAP client that tries to extract the following information:
      1. The iChain ICS server will try and get the ISO object name by pulling the information from its own server.
      2. The iChain ICS server then tries to verify that LDAP authentication is enabled and extracts the LDAP information from the proxy configuration (IP address, port number, username and password to be used for LDAP BIND requests).
      3. The iChain ICS LDAP client connects to the LDAP server to read the iChainGuestUser attribute. This operation may display a key OLAC error "readiChainStringAttributebyLDAP failed" in the proxycfg debug screen (reference TID).

        This occurs when the LDAP request cannot return the iChain guest user, required for OLAC to function properly. Only when it gets this guest user does it try to read the ISO protected resources.
      4. The iChain ICS LDAP client connects to the LDAP server to read the iChain protected resources attribute.
  6. Verify that OACJAVA loads successfully from the iChain ICS Server console.
    • After loading the oacjava application from the server console, the "Java Interpreter: /com/novell/ichain/oac/" debug screen will be available to check the status of the OACJAVA parameters. Specifically, check to make sure that:
      • All configured OLAC parameters are displayed.
      • No error messages appear during initialization.

Troubleshooting Instructions

  1. Verify that no errors exist in the OACJAVA screen.

    If there are any issues pulling the OAC name/value pairs from NDS via LDAP, the name/value pair information will not be displayed on the OACJAVA debug screen. This implies that one of the following is going wrong:

    • The OAC.PROPERTIES file has not been configured with the correct ISO or LDAP information. Verify that the file contains all the correct information.
    • Check the ISO setup in NDS: The ISO object specified in the OAC.PROPERTIES file must have a protected resource with object-level access control attributes enabled. Verify too that the iChainProtectedResource ISO attribute under the "Other" tab shows the following syntax:

      "1" "1" "protected_resource_name" "protected_resource_url" "1" "Name1" "ldap" "value1" "name2" "ldap" "value2" "name3" "ldap" "value3"

    • Check LDAP setup: Make sure that the LDAP BIND request is successful.
      1. Check that the LDAP server can access clear text passwords.
      2. Check from a trace the LDAP request communication (sample trace required).
      3. Enable debug options on the LDAP server to verify what's going on.
    • Check DS lookups using DSTRACE. Get a sample dstrace that shows a successful lookup and document it.
    • Check timesync on the network. When changing the time-zone of the ICS box back to another time zone such as CET (Central European Time), you will get the Synthetic time messages from NDS. Doing a DSREPAIR to set new time stamps and new epoch resolves the timesync problem but breaks OLAC. To recover, restore the iChain ICS box to the factory default, and reconfigure iChain.

      Note: When switching time zones such as back to a European Time zone, just leave the NDS on the ICS box until it's back in time.

    • Make sure you go into the iChain ICS console and switch to the OACJAVA console screen. There have been cases where OACJAVA does not initialize until you do this, at which point the OACINT is unable to connect to the OAC server (because it is not fully initialized).
  2. Verify that no errors exist in the OLAC screen. Verify that OACJAVA is fully initialized.
  3. Verify that no errors exist in the PROXYCFG screen. The proxy server will try to get the ISO object name by pulling the information from its own server. If this fails, the "Error: iChainISODN NULL" error message will be displayed in the proxycfg debug screen.
  4. Verify that LDAP authentication is enabled and that the proxy can extract the LDAP information from the proxy configuration (IP address, port number, username and password to be used for LDAP BIND requests). If this fails, the following messages may appear in the proxycfg debug screen:

    "Unable to connect to any ldap server to read ISO information"
    "Could not locate any LDAP profile"
    "Failed to connect to any of %d LDAPservers"

  5. The iChain ICS LDAP client connects to the LDAP server to read the iChainGuestUser attribute. This operation may display the key OLAC error message "readiChainStringAttributebyLDAP failed" in the proxycfg debug screen (reference TID).
  6. The iChain ICS LDAP client connects to the LDAP server to read the iChain protected resources attribute.
  7. During each of the transactions, memory is allocated to save the resulting response from the LDAP server. iChain ICS requires 256MB of RAM but if running short on memory, memory allocation errors may be displayed such as "proxycfg: memory allocation failure" at this point.

Appendix

Object-level Access Control Plug-ins

Two special iChain OLAC plug-ins are available to access the database and retrieve the additional information:

  • The LDAP plug-in
  • The iChain communities plug-in

By default, these plug-ins allow you to define attributes that are embedded and passed within the HTTP request header.

The following table lists each plug-in and its corresponding entries which are set:


Plug-in             Description                                                        Data Source   Value
LDAP                Adds user attributes from a directory service with LDAP support    ldap          Any LDAP user attribute.
iChain Communities  Adds a list of the user's communities, in LDAP naming format       iChain        communities
                    (for example, ou=Achievers, ou=Sales, o=novell)

Sample sys:ichain\oac\oac.properties file

[OAC]
Initial Context Factory = com.sun.jndi.ldap.LdapCtxFactory
ISO Object Name = cn=iso,o=uvwxy
Provider URL = ldap://10.10.0.1:389/
Security Principal = cn=admin,o=uvwxy
Security Credentials = admin
Security Authentication = simple
Refresh Time = 60

[LDAP Processor]
Initial Context Factory = com.sun.jndi.ldap.LdapCtxFactory
Provider URL = ldap://10.10.0.1:389/
Security Principal = cn=admin,o=uvwxy
Security Credentials = admin
Security Authentication = simple
Class Name = com.novell.ichain.oac.ldap.ParamListBuilder

[iChain Processor]
Initial Context Factory = com.sun.jndi.ldap.LdapCtxFactory
Provider URL = ldap://10.10.0.1:389/
Security Principal = cn=admin,o=uvwxy
Security Credentials = admin
Security Authentication = simple
Class Name = com.novell.ichain.oac.community.ParamListBuilder

An explanation of the above is found in the table below:

Name: Initial Context Factory
  Description: The JNDI factory class that creates the context for directory lookups.
  Required: Yes
  Default value: None

Name: ISO Object Name
  Description: Specifies the distinguished name of the iChain Service Object. The name must be specified as an LDAP name.
  Required: Yes
  Default value: None

Name: Provider URL
  Description: The URL of the LDAP Server where the iChain Service Object is. Used to create the DirContext object. Typically specified as ldap://ip_address:389/.
  Required: Yes
  Default value: None

Name: Security Principal
  Description: Specifies the name of the user the framework should log in as.
  Required: No
  Default value: If not specified, the framework will log in as the anonymous user.

Name: Security Credentials
  Description: Specifies the password for the Security Principal. Note that the framework currently only uses simple authentication.
  Required: No
  Default value: None

Name: Security Authentication
  Description: Specifies the authentication method to use. Currently only "simple" is supported.
  Required: No
  Default value: If not specified, "simple" will be used.

Name: Refresh Time
  Description: The number of minutes after which the OLAC configuration will be re-read from the ISO.
  Required: No
  Default value: 60

Name: Class Name
  Description: The name of the class implementing the LDAP plug-in.
  Required: Yes
  Default value: The respective values as shown below:
    For [LDAP Processor]:   com.novell.ichain.oac.ldap.ParamListBuilder
    For [iChain Processor]: com.novell.ichain.oac.community.ParamListBuilder

Test Cases Used for Testing OLAC & Auth Header

Assumptions made in this extract:

  • "cn" (Common Name in NDS)=Robert
  • "sn" (Surname in NDS)=Redford
  • "mail" (Internet mail in NDS)=rredford@uvwxy.com
  • username=rredford
  • password=Rob4Red

Case I

With OLAC attributes set in ConsoleOne (running the iChain snap-ins): open the Properties of the ISO object, go to the Protected Resource page, select the protected resource and click the first button on the left (before the Create and Delete buttons).

  Name    DataSource   Value
  Name    ldap         cn

The Auth header would be sending the following:

Basic (shows in Base64 encoding cn=rredford,o=uvwxy:Rob4Red)

The OLAC parameters added to the URL would be the following: URL:http://www.uvwxy.com/iChain/query.html?Name=robert

This can be seen by using a sniffer trace or running servlets to check the Auth header and the query string.

Case II

With OLAC attributes:

  Name         DataSource   Value
  Name         ldap         cn
  ICHAIN_UID   ldap         cn

The Auth header would be sending the following:

Basic (shows in Base64 encoding robert:Rob4Red)

The OLAC parameters added to the URL would be the following: URL:http://www.uvwxy.com/iChain/query.html?Name=robert

This can be seen by using a sniffer trace or running servlets to check the Auth header and the query string.

Case III

With OLAC attributes:

  Name         DataSource   Value
  Name         ldap         cn
  ICHAIN_UID   ldap         cn
  ICHAIN_PWD   ldap         cn

The Auth header would be sending the following:

Basic (shows in Base64 encoding robert:robert)

The OLAC parameters added to the URL would be the following: URL:http://www.uvwxy.com/iChain/query.html?Name=robert

This can be seen by using a sniffer trace or running servlets to check the Auth header and the query string.

Case IV

With OLAC attributes:

  Name         DataSource   Value
  Name         ldap         cn
  ICHAIN_PWD   ldap         cn
  ICHAIN_UID   ldap         cn
  SName        ldap         sn
  E-mail       ldap         mail

The Auth header would be sending the following:

Basic (shows in Base64 encoding robert:robert)

The OLAC parameters added to the URL would be the following: URL:http://www.uvwxy.com/iChain/query.html?Name=robert&Sname=Redford&Email=rredford@uvwxy.com

This can be seen by using a sniffer trace or running servlets to check the Auth header and the query string.
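The header and query-string construction described in the Auth header section and exercised by Cases I to IV, as an added Python model (not iChain's own code): it parses the iChainProtectedResource syntax shown in the troubleshooting section into name/source/value triples and then applies the ICHAIN_UID/ICHAIN_PWD substitution. The resource name and URL, the lowercase attribute values and the query-parameter names Sname/Email are constructed assumptions, and "@" is percent-encoded the way the OACINT trace below shows it.

```python
import base64
import shlex
from urllib.parse import urlencode


def parse_protected_resource(attr):
    """Split one iChainProtectedResource value into (name, url, olac_params).
    Page syntax: "1" "1" "<name>" "<url>" "1" then repeating
    "<param name>" "<data source>" "<attribute>" triples; the "1" flags are skipped."""
    tokens = shlex.split(attr)               # honours the double-quoted tokens
    body = tokens[5:]
    if len(tokens) < 5 or len(body) % 3:
        raise ValueError("expected a resource header plus name/source/value triples")
    return tokens[2], tokens[3], [tuple(body[i:i + 3]) for i in range(0, len(body), 3)]


def build_request(params, user_dn, password, attrs):
    """Return (Authorization value, query string) as OLAC forwards them.
    The NDS DN and password fill the Basic header unless ICHAIN_UID / ICHAIN_PWD
    are mapped; a mapped value replaces that part and stays out of the query."""
    uid, pwd, query = user_dn, password, []
    for name, source, attr in params:
        if source.lower() != "ldap":         # only the LDAP plug-in is modelled
            continue
        value = attrs[attr]
        if name == "ICHAIN_UID":
            uid = value
        elif name == "ICHAIN_PWD":
            pwd = value
        else:
            query.append((name, value))
    header = "Basic " + base64.b64encode(f"{uid}:{pwd}".encode()).decode()
    return header, urlencode(query)          # urlencode escapes "@" as %40


def basic_credentials(header):
    """Decode a Basic header to user:password, i.e. what the app server sees."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


# Constructed sample reproducing the page's Case IV; resource name/URL are assumed
SAMPLE_RESOURCE = ('"1" "1" "my_web_server" "http://www.uvwxy.com/iChain/" "1" '
                   '"Name" "ldap" "cn" "ICHAIN_PWD" "ldap" "cn" "ICHAIN_UID" "ldap" "cn" '
                   '"Sname" "ldap" "sn" "Email" "ldap" "mail"')
SAMPLE_USER = {"cn": "robert", "sn": "Redford", "mail": "rredford@uvwxy.com"}

if __name__ == "__main__":
    _, _, olac = parse_protected_resource(SAMPLE_RESOURCE)
    hdr, qs = build_request(olac, "cn=rredford,o=uvwxy", "Rob4Red", SAMPLE_USER)
    print(hdr, "->", basic_credentials(hdr))
    print("http://www.uvwxy.com/iChain/query.html?" + qs)
```

Case III and IV show why mapping ICHAIN_PWD to a public attribute such as cn is only suitable for test resources: the decoded header then carries the user's name as the password.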

OACINT Error messages

Looking up attributes for user cn=admin,o=novell, resource my_web_server...

ConnectToOAC failed: could not connect to OAC server: Error 0

SendMessageToOAC failed: could not connect to OAC server

No attributes returned for user cn=admin,o=novell, resource my_web_server

Looking up attributes for user cn=admin,o=novell, resource my_web_server...

ConnectToOAC failed: could not connect to OAC server: Error 0

SendMessageToOAC failed: could not connect to OAC server

No attributes returned for user cn=admin,o=novell, resource my_web_server

Looking up attributes for user cn=admin,o=novell, resource my_web_server...

Received attributes for user cn=admin,o=novell, resource my_web_server: "Name=admin&email=ncashell%40novell.com&ICHAIN_UID=admin&ICHAIN_PWD=admin"


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell