Authenticating REST/Mobile clients using LDAP and OERealm PUG Challenge Americas - 2014 Michael Jacobs Senior Software Architect 6.6.2014

Page 1:

Authenticating REST/Mobile clients using LDAP and OERealm

PUG Challenge Americas - 2014

Michael Jacobs, Senior Software Architect, 6.6.2014

Page 2:

© 2014 Progress Software Corporation. All rights reserved.

Agenda

Configurable REST application authentication process

LDAP authentication

OERealm authentication

When things don’t work as you expect

Page 3:

Configurable REST application authentication process

Page 4:

Configurable REST Authentication Process

The authentication model (i.e. process) in use is selected in WEB-INF/web.xml

Common authentication model template policies in WEB-INF/appSecurity…

Plug-in user account system modules

Each template allows configuration of

• User account system connection

• User [http] session control

• URI access controls (Role Based Authorization)

• CORS configuration for JavaScript clients

• AppServer [Client-Principal] SSO (for 11.2+ AppServers)

Page 5:

LDAP Authentication

Page 6:

LDAP Essentials

[LDAP] Directory Services widely used for single point of administration

LDAP (Lightweight Directory Access Protocol) is a wire protocol and client API

Most commonly recognized as a Single Point of Authentication (SPA)

A Directory Service (examples: OpenLDAP, Windows Active Directory, Apache DS)

• A hierarchical store of schema defined objects and object attributes

• No two production sites will have the same hierarchy ( of users & groups )

Page 7:

Key Directory Service Terms and Concepts

Distinguished Name (DN)

• The path to a specific data object

• Root DN: the name of the object hierarchy's root data object. Example: dc=acme,dc=com

• Fully qualified DN: the full path from the root DN to the object. Example: cn=ldapserver1,ou=IT,dc=acme,dc=com (every component is attribute=value; "dn" names the whole path and is not itself an attribute inside it)

• Relative DN (RDN): the leftmost component only. Example: cn=ldapserver1 (child object of ou=IT,dc=acme,dc=com)

Search root: the fully qualified DN of the data object at which to begin a descending search for one or more data objects

Page 8:

Key Directory Service Terms and Concepts (cont)

Directory Services require logging in (an LDAP "bind") before you can search for information

Security policies prevent read/write of another user's password attribute

Passwords are stored as salted one-way hashes (on a properly configured directory), so a client can never fetch and compare them; the only way to test a password is to bind as that user

To test a user account’s password for login

1. You have to login with a fully qualified DN that has search privileges

2. Search to find the user’s account and retrieve its fully qualified DN

3. Logout

4. Login using the user account’s fully qualified DN and password

5. Retrieve user attributes - primarily the Groups (i.e. Role) they are a member of

6. Logout
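The six steps above in Python, as an added example that is not code from the slides or from Progress: it is parameterized by the same eight items the next two slides ask the directory administrator for, and it works against anything with bind/unbind/search methods. The InMemoryDirectory, the acme.com entries, the passwords and the CFG settings are constructed test data standing in for a real server; python-ldap or ldap3 would take their place in practice. Two checks a hand-rolled client must not skip are built in: the login ID is RFC 4515 escaped before it goes into the search filter (otherwise a login ID of "*" matches every account), and an empty password is refused before any bind is attempted (RFC 4513 calls a DN with an empty password an unauthenticated bind, and many servers answer it with success as anonymous). Spring Security's LDAP provider does the filter escaping for you; the point matters when you write the client yourself, for instance inside an OERealm class.

```python
"""Search-then-bind LDAP login (the six steps above) plus the two checks a
hand-rolled client must not skip.  Any object with bind/unbind/search methods
can be passed; InMemoryDirectory, SAMPLE and CFG are constructed test data."""
from __future__ import annotations
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

class LdapError(Exception): "Bind failure, bad filter, or ambiguous search result."

def escape_filter_value(value: str) -> str:
    """RFC 4515 s3: hex-escape * ( ) \\ NUL before placing a value in a filter,
    or a login ID like '*' or 'x)(|(uid=*' rewrites the query (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

@dataclass
class LdapSettings:
    """Items 2-8 of the 'Required Information' slides (host/port belong to the client)."""
    manager_dn: str
    manager_password: str
    user_search_base: str
    group_search_base: str
    user_id_attr: str = "uid"
    group_member_attr: str = "uniqueMember"
    group_role_attr: str = "cn"

def authenticate(d, cfg: LdapSettings, login_id: str, password: str) -> list[str]:
    """Return the user's ROLE_ names or raise LdapError."""
    if not password:
        # RFC 4513 s5.1.2: DN + empty password is an *unauthenticated* bind, which
        # many servers answer with success (as anonymous). Never treat it as a login.
        raise LdapError("empty password refused")
    d.bind(cfg.manager_dn, cfg.manager_password)                     # 1 bind as query account
    flt = "(%s=%s)" % (cfg.user_id_attr, escape_filter_value(login_id))
    hits = d.search(cfg.user_search_base, flt, [])                    # 2 find the account DN
    d.unbind()                                                        # 3
    if len(hits) != 1:
        raise LdapError("expected one account for %r, found %d" % (login_id, len(hits)))
    user_dn = hits[0][0]
    d.bind(user_dn, password)                                         # 4 the real password check
    gflt = "(%s=%s)" % (cfg.group_member_attr, escape_filter_value(user_dn))
    groups = d.search(cfg.group_search_base, gflt, [cfg.group_role_attr])  # 5 groups -> roles
    d.unbind()                                                        # 6
    return sorted("ROLE_" + g[1][cfg.group_role_attr][0] for g in groups)

def login_rejected(d, cfg: LdapSettings, login_id: str, password: str) -> bool:
    try:
        authenticate(d, cfg, login_id, password)
    except LdapError:
        return True
    return False

# ---- constructed stand-in for a directory server: equality filters, '*' wildcards ----
_EQ = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")
def _unescape(v: str) -> str: return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

@dataclass
class InMemoryDirectory:
    entries: dict[str, dict[str, list[str]]]
    passwords: dict[str, str]          # clear text only because this is test data
    bound_as: str | None = None

    def bind(self, dn: str, password: str) -> None:
        if self.passwords.get(dn) != password:
            raise LdapError("invalidCredentials for %s" % dn)
        self.bound_as = dn

    def unbind(self) -> None:
        self.bound_as = None

    def search(self, base: str, filter_: str, attrs: list[str]):
        if self.bound_as is None:
            raise LdapError("search refused: not bound")
        m = _EQ.match(filter_)
        if not m:
            raise LdapError("malformed filter %r" % filter_)
        attr, raw = m.group(1), m.group(2)
        wild = raw if "*" in raw else None   # an unescaped '*' is a wildcard, as on a real server
        literal = _unescape(raw)
        out = []
        for dn, e in self.entries.items():
            if base and not dn.lower().endswith(base.lower()):
                continue
            if any(fnmatchcase(v, wild) if wild else v == literal for v in e.get(attr, [])):
                out.append((dn, {a: e.get(a, []) for a in attrs}))
        return out

_U, _G = "ou=users,dc=acme,dc=com", "ou=groups,dc=acme,dc=com"
SAMPLE = InMemoryDirectory(
    entries={
        "uid=alice," + _U: {"uid": ["alice"]},
        "uid=bob," + _U: {"uid": ["bob"]},
        "cn=admins," + _G: {"cn": ["admins"], "uniqueMember": ["uid=alice," + _U]},
        "cn=staff," + _G: {"cn": ["staff"], "uniqueMember": ["uid=alice," + _U, "uid=bob," + _U]},
    },
    passwords={"uid=dsclient," + _U: "svc-secret", "uid=alice," + _U: "alice-pw", "uid=bob," + _U: "bob-pw"},
)
CFG = LdapSettings("uid=dsclient," + _U, "svc-secret", _U, _G)
```

authenticate(SAMPLE, CFG, "alice", "alice-pw") returns the two roles alice holds, while login_rejected(SAMPLE, CFG, "*", "anything") is true because the escaped "*" matches no account and no user bind is ever attempted; the same directory answers the unescaped filter (uid=*) with every user, which is what the escaping prevents.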

Page 9:

Required Information From Directory Service Admin

1. The network address and port(s) of the Directory Service: "foo.com", port 389 (636 for LDAPS)

2. The ROOT DN of the directory service: "dc=foo, dc=com"

3. The DN & password of an account with 'query' (search) privilege: "uid=admin, ou=ds admins, ou=IT, dc=foo, dc=com"

4. The LDAP DN of the object where the user object search will start: "ou=users, ou=employees, dc=foo, dc=com"

Page 10:

Required Information From Directory Service Admin

5. The LDAP user account object's attribute name that holds the user's login ID: "uid" ( or that non-standard active directory thing… )

6. The LDAP DN of the object where the search for LDAP user groups (roles) will start: "ou=groups,dc=foo,dc=com"

7. The LDAP group object's attribute whose values are the DNs of the group's members; the user's full DN is matched against it to find the groups (roles) that go into the login token: "uniqueMember" (or "member", depending on the group object class)

8. The LDAP group attribute holding the Role/Group name: "cn"

Page 11:

You Configure the Spring Security LDAP Server

LDAP Directory access:

    <ldap-server id="PrimaryLDAP"
                 url="ldap://localhost:389/dc=acwd45,dc=com"
                 manager-dn="uid=dsclient,ou=users,dc=acwd45,dc=com"
                 manager-password="password" />

#1 host & port: the host and port in url

#2 directory root: the base DN in url (dc=acwd45,dc=com); the search bases below are relative to it

#3 User DN used for queries: manager-dn and manager-password

Caveat: ldap:// on port 389 sends manager-password and every user's password in the clear during simple binds. Outside a lab use ldaps:// (typically port 636) or StartTLS, and give the manager account search rights only.

Page 12:

You Configure Spring Security LDAP Authentication Manager

Authentication Provider:

    <authentication-manager id="RestApplicationAuth">
      <ldap-authentication-provider
          server-ref="PrimaryLDAP"
          group-role-attribute="cn"
          role-prefix="ROLE_"
          group-search-filter="(member={0})"
          group-search-base=""
          user-search-base=""
          user-search-filter="(uid={0})" />
    </authentication-manager>

#4 user search RDN: user-search-base, relative to the url base DN ("" means start at the base DN itself)

#5 user login-id attribute: user-search-filter, where {0} is replaced (with filter escaping) by the login ID the client presented

#6 group search RDN: group-search-base, also relative to the base DN

#7 group attribute holding member user DNs: group-search-filter, where {0} is the authenticated user's full DN (member here; uniqueMember for groupOfUniqueNames groups)

#8 group attribute used as ROLE name: group-role-attribute, prefixed with role-prefix (cn=admins becomes ROLE_admins)

Page 13:

Now, The Live Stuff…

Page 14:

OERealm Authentication

Page 15:

OERealm Overview

A write-your-own User Account System running in a state-free AppServer

OERealm [client] user account system plug-in

Current OERealm clients: OEBPM, REST service, (Rollbase under construction)

Current OpenEdge 11.3+ client support: Java & .NET OpenClient

[Diagram: a client application authenticates through the authn process, whose OERealm client (developer-written configuration) calls the AppServer; on the AppServer the developer-written OERealm class sits beside the Service Interface and Business Logic Service and reads account data from local accounts, LDAP, or an Identity Management System. Boxes are marked "OE written" vs. "Developer written".]

Page 16:

OERealm OOABL Interface Overview

Get a list of user accounts

Get a list of user account attribute (i.e. field) names

Query a list of user account names

Lookup a user account *

• Get user account properties (such as Roles, expiration, … ) *

• Remove a user account’s attribute value

• Set a user account’s attribute value

• Verify a single user account’s password *

* Required

Page 17:

Development Process Overview

Design for extensibility – focus on security

Implement the OERealm interface (there are now requirements…)

• Provision user accounts (if not already in your application)

• Code minimum OERealm class methods

• Code the optional OERealm SSO Client-Principal validation

• Consider if multi-tenancy ( i.e. multiple domains ) will be required

Optional: Create a sealed Client-Principal for SSO to the AppServer OERealm class

Optional: Create a new OERealm keystore with the OE Domain(s) Access-Code

Deploy OERealm class(es) to AppServer

Configure OERealm in the remote authentication process

Test and debug

Page 18:

Now, The Live Stuff…

Page 19:

Deployment Site Considerations

Supply AppServer SSO defaults

• REST security templates (appSecurity-xxxx) configuration

– Default OE Domain and access code ( can be the blank domain )

• AppServer defined default OE Domain and access code for AppServer SSO validation

Supply OERealm class SSO defaults

• Sealed Client-Principal for SSO to OERealm AppServer class

• AppServer defined OE Domain and access code

Instructions for changing AppServer SSO Domain and access code

Instructions for changing OERealm class SSO Client-Principal

Page 20:

When Things Don’t Work as You Expect

Page 21:

Service Logging Will Be Your Friend

The REST service logging configuration is found in:

<web-app-name>/WEB-INF/classes/log4j.properties

The REST service's log file is found in:

<web-app-name>/WEB-INF/adapters/log/xxxx.log

Change the security (Java class) logging level to DEBUG

LOTS of logging will be produced, so log file size will become an issue; the DEBUG output also records user names, granted roles and request URIs, so turn it back down once the problem is found
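An added example of the log4j.properties change, not the deck's own file: the org.springframework.security logger is the one that carries the LDAP lookup and bind results, and a RollingFileAppender caps the growth the slide warns about. The appender name SECLOG, the file name rest-security.log and the relative path are assumptions; keep whatever appender the shipped file already defines and only adjust the logger level and the size limits.

```properties
# Everything else stays quiet; only the Spring Security classes go to DEBUG
log4j.rootLogger=WARN, SECLOG
log4j.logger.org.springframework.security=DEBUG

# Bound the growth: 10 MB per file, 5 rotated copies (about 60 MB worst case)
log4j.appender.SECLOG=org.apache.log4j.RollingFileAppender
log4j.appender.SECLOG.File=WEB-INF/adapters/log/rest-security.log
log4j.appender.SECLOG.MaxFileSize=10MB
log4j.appender.SECLOG.MaxBackupIndex=5
log4j.appender.SECLOG.layout=org.apache.log4j.PatternLayout
log4j.appender.SECLOG.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c - %m%n
```

Set log4j.logger.org.springframework.security back to WARN (or remove the line) before the web app goes back into production; the rotated files contain the user names and roles of everyone who logged in while it was on.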
