One of the requisites to start using Lift at my work, was to use LDAP authentification.
So i wrote a little module lift-ldap for that and a sample app, it was damn simple !

To use the module,

• 1. lift-ldap requirements in maven pom.xml

  
  <dependency>
      <groupId>net.liftweb</groupId>
      <artifactId>lift-ldap</artifactId>
      <version>1.0.0</version>
  </dependency>
  

• 2. Create the user object in src/scala/com/sample/model/User.scala

  
  package com.sample.model
  
  import scala.util.matching.{Regex}
  import scala.xml.{NodeSeq}
  
  // lift ldap
  import net.liftweb.ldap.{LDAPProtoUser, MetaLDAPProtoUser, LDAPVendor, SimpleLDAPVendor}
  
  import net.liftweb.common.{Box, Full}
  import net.liftweb.http.{S, SessionVar}
  import net.liftweb.mapper.{KeyedMetaMapper}
  
  object roles extends SessionVar[List[String]](List())
  
  class User extends LDAPProtoUser[User] {
      def getSingleton = User
  
      def getRoles: List[String] = {
          return roles.get
      }
  }
  
  object User extends User with MetaLDAPProtoUser[User] {
  
      override def screenWrap = Full(
  
      )
  
      override def dbTableName = "tmp_users"
  
      override def login : NodeSeq = {
          val groupNameRx = new Regex(".*cn=(.*),ou=.*")
  
          def getGroupNameFromDn(dn: String): String = {
              val groupNameRx(groupName) = dn
              return groupName
          }
  
          def setRoles(userDn: String, ldapVendor: LDAPVendor): AnyRef = {
              // buscamos o grupo do usuario
              val filter = "(&(objectclass=groupofnames)(member=" + userDn + "))"
  
              val groups = ldapVendor.search(filter)
              groups.foreach(g => {
                  roles.set(roles.get + getGroupNameFromDn(g))
              })
          }
  
          login(setRoles _)
      }
  }
  
  

  The User object has to provide a setRoles function to the LDAPVendor (when do login),
  so we can customize the way in which we retrieve the credentials from LDAP (from a group of names or a custom object)

• 3. Initialize the LDAP configuration in Boot.scala (src/main/scala/bootstrap/liftweb/Boot.scala)

  
  We can pass a properties file to the SimpleLDAPVendor
  SimpleLDAPVendor.parameters = () =>
              SimpleLDAPVendor.parametersFromStream(
                  this.getClass().getClassLoader().getResourceAsStream("ldap.properties"))
  
  or just manually :
  SimpleLDAPVendor.parameters = () => Map("ldap.url"  -> "ldap://localhost",
                                          "ldap.base" -> "dc=company,dc=com",
                                          "ldap.userName" -> "...",
                                          "ldap.password" -> "...")
  
  

• 4. A LoginUtils class (src/main/scala/com/sample/lib/LoginUtil.scala)

  To determine when the user is logged or have some credentials

• 5. Create the security rules in Boot

  
  
      LiftRules.dispatch.prepend(NamedPF("Login Validation") {
          case Req("group_required" :: page, extension, _) if !LoginUtil.hasAuthority_?("sample_group") =>
                  LoginUtil.redirectIfLogged("/login/group_not_allowed")
          case Req("login_required" :: page , extension, _) if (!LoginUtil.isLogged) =>
                  () => Full(RedirectResponse("/user_mgt/login"))
      })
  

And that’s it

I recently had to walk a client through installing Liferay integrated with SSO and LDAP. Here’s a simple summary of how I got it setup.

I set up the following components:

Application Server:  Liferay 5.2.5 EE / Tomcat 6.0.18 (www.pojoe.ca)

CAS Server:              JA-SIG CAS Server 3.3.3 Final (sso.pojoe.ca)

LDAP Server:          Apache Directory Server 1.5.5 (ldap.pojoe.ca)

Getting Liferay setup is a topic for an entirely different post so here I’m going to assume you have an out of the box Liferay running on your application server. Go over to http://www.liferay.com/web/guest/downloads/portal and get yourself a portal if you haven’t already.

The first thing we’re going to do is install JA-SIG CAS Server 3.3.3 Final.

I drop cas-server-3.3.3-release\cas-server-3.3.3\modules\cas-server-webapp-3.3.3.war into Tomcat rename the war to cas-web and let it deploy.

You’ll need to configure Tomcat to allow for HTTPS connections.

I’ve detailed this process here in another post.

That is pretty much all you have to do to get a basic SSO server up and running.

Next you’ll want to configure Liferay to use the SSO server. This is of course, like everything else in Liferay, simple. =)

The CAS client jar should already be bundled but you can grab it here as well.

Download the CAS client from here.

In portal-ext.properties add the following lines.

##
## Company
##

#
# The portal can authenticate users based on their email address, screen
# name, or user id.
#
#company.security.auth.type=emailAddress
company.security.auth.type=screenName
#company.security.auth.type=userId

##
## CAS
##

#
# Set this to true to enable CAS single sign on. NTLM will work only if
# LDAP authentication is also enabled and the authentication is made by
# screen name. If set to true, then the property “auto.login.hooks” must
# contain a reference to the class
# com.liferay.portal.security.auth.CASAutoLogin and the filter
# com.liferay.portal.servlet.filters.sso.cas.CASFilter must be referenced
# in web.xml.
#

cas.auth.enabled=true

#
# A user may be authenticated from CAS and not yet exist in the portal. Set
# this to true to automatically import users from LDAP if they do not exist
# in the portal.
#

cas.import.from.ldap=false

#
# Set the default values for the required CAS URLs. Set either
# “cas.server.name” or “cas.service.url”. Setting “cas.server.name” allows
# deep linking. See LEP-4423.
#

cas.login.url=https://sso.pojoe.ca:8443/cas-web/login
cas.logout.url=https://sso.pojoe.ca:8443/cas-web/logout
cas.server.name=www.pojoe.ca:8080
cas.service.url=
#cas.service.url=http://localhost:8080/c/portal/login
cas.validate.url=https://sso.pojoe.ca:8443/cas-web/proxyValidate

Startup Liferay and head for the homepage. Once you are there you should go to the “Sign In” and this should direct you to the CAS SSO login page.

Login with test/test and you should land on your Liferay homepage as the authenticated omni user. Create a new user with the screen name “admin” and with the password “secret”. We’ll be using this default user later to test the LDAP integration.

The next thing we’ll do now is setup an LDAP server. We’ll use ApacheDS 1.5.5. Downloaded from here.

After downloading simply run the installer with all default options.

ApacheDS should now be running and listening on port 10389.

Stop the tomcat server and add cas-server-support-ldap-3.3.3.jar to cas-web/WEB-INF/lib if it isn’t there already.

Edit cas-web\WEB-INF\deployerConfigContext.xml as follows:

1. Add the following bean LDAP authentication:

<bean id=”contextSource”>
<property value=”true”/>
<property>
<list>
<value>ldap://ldap.pojoe.ca:10389</value>
</list>
</property>
<property value=”uid=admin,ou=system”/>
<property value=”secret”/>
<property>
<map>
<entry key=”java.naming.security.authentication” value=”simple” />
</map>
</property>
</bean>

2. Remove the demo authentication handler, org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler, from the authenticationHandlers property of the org.jasig.cas.authentication.AuthenticationManagerImpl bean.

3. Add the LDAP fast bind authentication handler:

<bean >
<property value=”uid=%u,ou=system” />
<property ref=”contextSource” />
</bean>

Start tomcat

Open a browser to the URL http://www.pojoe.ca:8080 and authenticate with the following credentials, admin/secret.

The user has signed on over SSO and authenticated with your LDAP server.

Para implementar la seguridad con LDAP en algunas aplicaciones es necesario saber la cadena BASE DN para conectarse al servidor que tenga Active Directory. La cadena tiene que hacer referencia a la unidad organizativa Users.

Aquí os explico cómo conseguir esa cadena.

La utilidad ldp.exe
El CD1 de Windows Server 2003 contiene utilidades entre las que está ldp.exe. Extraer dicha utilidad que está en el archivo SUPPORT.CAB del directorio \SUPPORT\TOOLS

Ejecutarlo y en el menú connection elegir connect.

Introducir el nombre del servidor que tiene el Active Directory. A continuación, en el menú connection elegir la opción bind.

Introducir un usuario cualquiera con su password correspondiente y el dominio. Pulsar el botón OK.

Una vez conectado, en el menú view elegir la opción tree.

Desplegar el combo y elegir el primer elemento. Suele ser el nombre del dominio. Pulsar el botón OK.

Buscais Users dentro de la lista de cadenas y será el BASE DN necesario para la implementación de la seguridad con la aplicación.

un saludo.

Playing around with Scala, a very nice jvm language!,
found Lift (web framework),
looks simple and funny !

I was looking for ldap authentication with lift,
i wasn’t able to find nothing .

So i started to play with it,
Here, I install an openldap server and some simple scala code to play with it.

• Install openldap and some sample data (using arch linux)

  
  1- sudo pacman -S openldap
  2- slappasswd -h {MD5} -s password (generates ldap password to use it later in config and user ldif file)
     {MD5}X03MO1qnZdYdgyfeuILPmQ==
  

• Generate the ldap structure in initial_structure.ldif file

  
  dn: dc=company,dc=com
  dc: company
  description: LDAP Main object
  objectClass: organization
  objectClass: dcObject
  o: company.com
  
  dn: ou=Users,dc=company,dc=com
  ou: Users
  objectClass: organizationalUnit
  
  dn: ou=Groups,dc=company,dc=com
  ou: Groups
  objectClass: top
  objectClass: organizationalUnit
  
  dn: cn=main_group,ou=Groups,dc=company,dc=com
  gidNumber: 2000
  objectClass: posixGroup
  objectClass: top
  cn: main_group
  
  dn: cn=secondary_group,ou=Groups,dc=company,dc=com
  gidNumber: 2001
  objectClass: posixGroup
  objectClass: top
  cn: secondary_group
  

• Configure ldap server in /etc/openldap/slapd.conf

  
  include         /etc/openldap/schema/core.schema
  include         /etc/openldap/schema/cosine.schema
  include         /etc/openldap/schema/courier.schema
  include         /etc/openldap/schema/inetorgperson.schema
  include         /etc/openldap/schema/nis.schema
  
  allow bind_v2
  password-hash {md5}
  
  pidfile   /var/run/slapd.pid
  argsfile  /var/run/slapd.args
  
  database        bdb
  suffix          "dc=company,dc=com"
  rootdn          "cn=admin,dc=company,dc=com"
  rootpw          {MD5}X03MO1qnZdYdgyfeuILPmQ==
  
  directory       /var/lib/openldap/openldap-data
  index   objectClass     eq
  index   uid     eq
  

• Populate initial ldap structure

  
  sudo /usr/sbin/slapadd -l initial_structure.ldif
  

• Populate user and group data, for example in file users.ldif

  
  dn: uid=sample_user_1,ou=Users,dc=company,dc=com
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: shadowAccount
  uid: sample_user_1
  cn: Test User
  sn: User
  givenName: Test
  userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==
  loginShell: /bin/bash
  uidNumber: 10000
  gidNumber: 2000
  homeDirectory: /home/users/test/
  

• Starts ldap server and add users.ldif

  
  sudo /etc/rc.d/sldap start
  ldapadd -x -D "cn=admin,dc=company,dc=com" -f users.ldif -W
  

• Test ldap server searching for sample_user_1 user

  
  ldapsearch -x -D "cn=admin,dc=company,dc=com" -b "dc=company,dc=com" "(&(uid=sample_user_1))" -W
  

• And now scala code

  
  import java.io.FileInputStream
  import java.util.{Hashtable, Properties}
  
  import javax.naming.Context
  import javax.naming.directory.{BasicAttributes, SearchControls}
  import javax.naming.ldap.{LdapName, InitialLdapContext}
  
  import scala.collection.jcl.{MapWrapper}
  import scala.util.logging.{Logged, ConsoleLogger}
  
  implicit def convert(javaMap: Hashtable[String, String]) = {
      Map.empty ++ new MapWrapper[String, String]() {
          def underlying = javaMap
      }
  } 
  
  type StringMap = Map[String, String]
  
  val DEFAULT_URL = "localhost"
  val DEFAULT_BASE_DN = ""
  val DEFAULT_USER = ""
  val DEFAULT_PASSWORD = ""
  
  object SimpleLDAPSearch {
      lazy val ldap: LDAPSearch = {
          if (properties() == null) {
              val p = new Properties()
              p.load(new FileInputStream(propertiesFile()))
  
              // automatically calls convert(javaMap: Hashtable[String, String])
              properties = () => p.asInstanceOf[StringMap]
          }
  
          new LDAPSearch(properties()) with ConsoleLogger
      }
  
      var properties: () => StringMap = () => null
      var propertiesFile: () => String = {
          () => "DEFAULT_PROPERTIES_FILE.properties"
      }
  }
  
  class LDAPSearch(parameters: StringMap) extends Logged {
      lazy val initialContext = getInitialContext(parameters)
  
      def search(filter: String) : List[String] = {
          log("--> LDAPSearch.search: Searching for '%s'".format(filter))
  
          var list = List[String]()
  
          val ctx = initialContext
  
          if (!ctx.isEmpty) {
              val result = ctx.get.search(parameters.getOrElse("ldap.base", DEFAULT_BASE_DN),
                                          filter,
                                          getSearchControls())
  
              while(result.hasMore()) {
                  var r = result.next()
                  list = list ::: List(r.getName)
              }
          }
  
          return list
      }
  
      def bindUser(dn: String, password: String) : Boolean = {
          log("--> LDAPSearch.bindUser: Try to bind user '%s'".format(dn))
  
          var result = false
  
          try {
              var env = new Hashtable[String, String]()
              env.put(Context.PROVIDER_URL, parameters.getOrElse("ldap.url", DEFAULT_URL))
              env.put(Context.SECURITY_AUTHENTICATION, "simple")
              env.put(Context.SECURITY_PRINCIPAL, dn + "," + parameters.get("ldap.base"))
              env.put(Context.SECURITY_CREDENTIALS, password)
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
  
              var ctx = Some(new InitialLdapContext(env, null))
  
              result = !ctx.isEmpty
              ctx.get.close
          }
          catch {
              case e: Exception => println(e)
          }
  
          log("--> LDAPSearch.bindUser: Bind successfull ? %s".format(result))
  
          return result
      }
  
      private def getInitialContext(props: StringMap) : Option[InitialLdapContext] = {
  
          log("--> LDAPSearch.getInitialContext: Get initial context from '%s'".format(props.get("ldap.url")))
  
          var env = new Hashtable[String, String]()
          env.put(Context.PROVIDER_URL, props.getOrElse("ldap.url", DEFAULT_URL))
          env.put(Context.SECURITY_AUTHENTICATION, "simple")
          env.put(Context.SECURITY_PRINCIPAL, props.getOrElse("ldap.userName", DEFAULT_USER))
          env.put(Context.SECURITY_CREDENTIALS, props.getOrElse("ldap.password", DEFAULT_PASSWORD))
          env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
  
          return Some(new InitialLdapContext(env, null))
      }
  
      private def getSearchControls() : SearchControls = {
          val searchAttributes = new Array[String](1)
          searchAttributes(0) = "cn"
  
          val constraints = new SearchControls()
          constraints.setSearchScope(SearchControls.SUBTREE_SCOPE)
          constraints.setReturningAttributes(searchAttributes)
          return constraints
      }
  }
  
  // SimpleLDAPSearch.propertiesFile = () => "ldap.properties"
  
  SimpleLDAPSearch.properties = () => {
      Map("ldap.url" -> "ldap://localhost",
          "ldap.userName" -> "cn=admin,dc=company,dc=com",
          "ldap.password" -> "password",
          "ldap.base" -> "dc=company,dc=com")
  }
  
  val list1 = SimpleLDAPSearch.ldap.search("(uid=sample_user_1)")
  println(SimpleLDAPSearch.ldap.bindUser(list1(0), "password"))
  

  The code is not exactly perfect,
  but shows how simple can scala be.

Here’s my favourites lines of code :

• Automatically convert types

  
  implicit def convert(javaMap: Hashtable[String, String]) = {
      Map.empty ++ new MapWrapper[String, String]() {
          def underlying = javaMap
      }
  }
  

  To automatically convert a java.util.Hashtable (java.util.Properties) into a scala Map,
  Example :

  
  val hashtable: java.util.Hastable[String, String] = new java.util.Hashtable[String, String]()
  hashtable.put("some_key", "some_value")
  
  val map = hashtable.asInstanceOf[Map[String, String]]
  

• A var that contains a method that returns the ldap properties file

  
  object SimpleLDAPSearch {
      var propertiesFile: () => String = {
          () => "DEFAULT_PROPERTIES_FILE.properties"
      }
  ..
  // The SimpleLDAPSearch singleton propertiesFile method can be override in any moment
  SimpleLDAPSearch.propertiesFile = () => "/tmp/ldap.properties"
  

In one of my older articles, I explained how Ubuntu Server has slowly made significant inroads in many enterprise data centers. Ubuntu has been the favorite distribution of many system administrators, architects and various other IT staff. It was these fans of the Linux distribution that brought Ubuntu into their data centers and slowly deployed Ubuntu into ever increasing roles. I have seen Ubuntu Server deployed in roles from simple kiosks and desktops to full blown web server and database farms. Many senior level managers do not even know that key components of their infrastructures are running on Ubuntu Server.

Most data centers use an enterprise backup platform like Symantec’s NetBackup. These platforms are often very complex and extremely expensive to operate. Without a solid comprehensive backup strategy and platform, however, you place your disaster recovery and business continuity in great risk. For those users of Ubuntu Server who do not wish to incur the expense and complexity of NetBackup and other similar platforms, Arkeia Software has released a free version of their popular enterprise backup server for Ubuntu Server. This strategic move lends Ubuntu more Enterprise Credibility while also giving Arkeia more visibility and market share within the enterprise backup market. Lest you think that this is a watered down version of the product line, Arkeia has spelled out what is available to Ubuntu Server users along with the capabilities of the platform.

From the site:

Arkeia Software provides packages specifically designed for Ubuntu distributions, both 32bit and 64-bit architectures, along with specialized agents for the protection of applications and databases running on Ubuntu, such as Oracle, MySQL, PostgreSQL, and LDAP. Ubuntu is also a supported platform for Arkeia Network Backup Disaster Recovery for Linux, which enables bare-metal restores of entire systems.

Arkeia Network Backup: Enterprise Edition for Ubuntu

Arkeia Software provides a fully-licensed, free version of Arkeia Network Backup that is available in the Ubuntu 8.04 LTS software repository. With a few clicks from within the GUI, or just a simple command using the ‘apt-get’ utility, Ubuntu users can quickly deploy a fully-featured backup server. Arkeia Network Backup: Enterprise Edition for Ubuntu offers an advanced network backup solution with the ease-of-use and deployment that Ubuntu users are accustomed to.

What’s Included

• Arkeia Network Backup Server for Ubuntu 8.04 LTS
• 2 Client Agents supporting Windows workstations and desktops, and a vast majority of Linux machines, Mac OS X and BSD computers
• 1 Drive license for disk-based (up to 250GB) or tape backups
• Support via online forums, knowledgebase, and wiki

Learn more about Arkeia Network Backup.

Arkeia and Open Source

Arkeia Software was the first professional network backup solution for Linux and has supported the open source community since 1999. Today, Arkeia continues to provide the deepest and broadest support for Linux and open source with more than 100 platforms supported. Arkeia acknowledges the work of thousands of Linux users who have donated their time and expertise towards the goal of making Linux and open source software a viable alternative.

When starting the Admin Server of our domain we encountered following error:

####<Nov 13, 2009 11:58:23 AM CET> <Critical> <WebLogicServer> <machine-name> <as> <Main Thread> <<WLS Kernel>> <> <> <12
58109903043> <BEA-000386> <Server subsystem failed. Reason: java.lang.NumberFormatException: null
java.lang.NumberFormatException: null
        at java.lang.Integer.parseInt(Integer.java:415)
        at java.lang.Integer.parseInt(Integer.java:497)
        at weblogic.ldap.EmbeddedLDAP.validateVDEDirectories(EmbeddedLDAP.java:1035)
        at weblogic.ldap.EmbeddedLDAP.start(EmbeddedLDAP.java:212)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
>

The first thing we tried is restoring a backup of the ldap folder. This backup can be found at: ../domain-name/server/adminserver/data/ldap/backup/ and should be restored at ../domain-name/server/adminserver/data/ldap/ldapfiles.

When this was not working, we kept looking and stumbled upon a site that told us that this error could be caused when the volume that contains these files is running full. WebLogic will corrupt these files. And the solution is to add ‘replica.num=0′ to the ../domain-name/server/adminserver/data/ldap/config/replicas.prop file. Or just remove this file..

Source: http://ghattus.com/2008/10/number-format-exception-while-starting-weblogic-server.html

I found this article online it’s a nice summarization of Active Directory that may be useful in helping you understand AD and LDAPs in general. http://bit.ly/3cZkps

Aprofitant l’entrada de blog anterior ja poso una nova entrada de validació de la base de dades de moodle no en el servidor de ldap com estava anteriorment  sino a la base de dades del servidor de la intraweb de centre, en aquest cas creada sobre postnuke. No crec que la variació de l’aplicatiu de gestió de continguts sigui un impediment per que sigui de manera molt aproximada amb aquestes dades.

Donat que ja hem montat un servidor de ldap, per tal de centralitzar accesos de diferents sistemes operatius que tenim al centre, linux, windows i finalment les diferents aplicacions web i proxy que es podran validar dintre d’aquesta base de dades de ldap per tal de tenir una gestió centralitzada de tota la llista d’usuaris.

Partim que ja tenim un servidor de ldap, una instal·lació de moodle realitzada i anem fent els passos necessaris per determinar que l’acces només vindrà donat via base de dades de ldap.

Anem a moodle i a la part d’usuaris i autenticació revisem les opcions:

En el meu cas es suficient realitzar la següent configuració de paràmetres, el servidor de ldap com ldap://servidor.intracentre o la seva ip i la resta de paràmetres. El password serà el corresponent a la base de dades de ldap.

Obrir una nova sessió, en el meu cas en un altre navegador, per mantenir la sessió d’administrador amb Firefox i amb Google Chrome la del client, alumne de moodle

I was writing the schema introspection code for Zend_Ldap when I came around a problem with Active Directory’s MaxPageSize restriction. By default Active Directory allows only 1000 items to be returned on a single query, a number which is easily exceeded when reading an Active Directory’s classes and especially attributes from the schema tree. OK – one option would be to increase the MaxPageSize variable, but as the component should be usable on every Active Directory server I couldn’t go for that.

The second option that seemed possible makes use of the paged result sets that Active Directory returns on a query. This way led me into the world of LDAP server controls and deep into the ext/ldap source code. There is astonishingly little information on the topic of paged result sets and LDAP server controls in respect of PHP and ext/ldap. To be honest I assume that only one person really looked into this area seriously and even came up with a solution: Iñaki Arenaza (Blog, Twitter, Facebook, LinkedIn). His information provided here is the foundation of this article – the discoveries are absolutely not my work, they are all based on what Iñaki Arenaza dug out. I just wanted to bring a little light into this very specific topic (and summarize what I’ve answered on stackoverflow.com).

To make it short right from the beginning: it’s currently not possible to use paged results from an Active Directory with an unpatched PHP (ext/ldap).

Let’s take a closer look at what’s happening.

Active Directory uses a server control to accomplish server-side result paging. This control is described in RFC 2696 “LDAP Control Extension for Simple Paged Results Manipulation” . LDAP controls, which come in the flavors “server” and “client”, are extensions to the LDAP protocol to provide enhancements – result paging is one example, password policy is another one. Generally ext/ldap offers an access to LDAP control extensions via its ldap_set_option() and theLDAP_OPT_SERVER_CONTROLS and LDAP_OPT_CLIENT_CONTROLS option respectively. To setup the paged control we do need the control-oid, which is 1.2.840.113556.1.4.319, and we need to know how to encode the control-value (this is described in the RFC). The value is an octet string wrapping the BER-encoded version of the following SEQUENCE (copied from the RFC):

realSearchControlValue ::= SEQUENCE {
    size    INTEGER (0..maxInt),
                     -- requested page size from client
                     -- result set size estimate from server
    cookie  OCTET STRING
}

So we can setup the control prior to executing the LDAP desired query:

$pageSize    = 100;
$pageControl = array(
    // the control-oid
    'oid'        => '1.2.840.113556.1.4.319',
    // the operation should fail if the server is not able to support this control
    'iscritical' => true,
    // the required BER-encoded control-value
    'value'      => sprintf ("%c%c%c%c%c%c%c", 48, 5, 2, 1, $pageSize, 4, 0)
);

This allows us to send a paged query to the LDAP/AD server. But how do we know if there are more pages to follow and how do we have to send a query to get the next page of our result set?

The server responds with a result set that includes the required paging information – but PHP lacks a method to retrieve exactly this information from the result set. In fact ext/ldap provides the required function (ldap_parse_result()) but it fails to expose the required seventh and last argument serverctrlsp from the C function ldap_parse_result() in the LDAP API, which contains exactly the information we need to requery for consecutive pages. If we had this argument available in our PHP code, using paged controls would be straight forward:

$l = ldap_connect('somehost.mydomain.com');
$pageSize    = 100;
$pageControl = array(
    'oid'        => '1.2.840.113556.1.4.319',
    'iscritical' => true,
    'value'      => sprintf ("%c%c%c%c%c%c%c", 48, 5, 2, 1, $pageSize, 4, 0)

);
$controls = array($pageControl);

ldap_set_option($l, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($l, 'CN=bind-user,OU=my-users,DC=mydomain,DC=com', 'bind-user-password');

$continue = true;
while ($continue) {
    ldap_set_option($l, LDAP_OPT_SERVER_CONTROLS, $controls);
    $sr = ldap_search($l, 'OU=some-ou,DC=mydomain,DC=com', 'cn=*', array('sAMAccountName'), null, null, null, null);
    // there's the rub
    ldap_parse_result ($l, $sr, $errcode, $matcheddn, $errmsg, $referrals, $serverctrls);
    if (isset($serverctrls)) {
        foreach ($serverctrls as $i) {
            if ($i["oid"] == '1.2.840.113556.1.4.319') {
                    $i["value"]{8}   = chr($pageSize);
                    $i["iscritical"] = true;
                    $controls        = array($i);
                    break;
            }
        }
    }

    $info = ldap_get_entries($l, $sr);
    if ($info["count"] < $pageSize) {
        $continue = false;
    }

    for ($entry = ldap_first_entry($l, $sr); $entry != false; $entry = ldap_next_entry($l, $entry)) {
        $dn = ldap_get_dn($l, $entry);
    }
}

As you see, the only option to make all this work, is to mess with the ext/ldap source code and compile your own extension. Iñaki Arenaza provides several patches that can be applied to the PHP source to make patching a lot easier. The patches can be found here (last one for PHP 5.2.10 from June 24^th 2009) and there is an accompanying blog post available. Iñaki Arenaza even opened an issue in the PHP bug tracker on September 13^th 2005 offering his help – but there has been no reaction from the developer’s side. What a great pity.

So, if you have to use paged result sets in an Active Directory environment from within a PHP application you can choose between:

• patch your ext/ldap and compile your own extension as described in this article
• raise the MaxPageSize limit in your Active Directory server
• use a completely different approach bypassing ext/ldap and make use of the appropriate COM components (ADODB) as described here (this only works on Windows machines)

It could have been so easy, if…, yes if only the PHP developers considered applying the available patch to the ext/ldap source code.

When it comes to software, I like to try all available features (even the most obscure ones) and sometimes I end up in a situation where my chances of recovery seem pretty slim. I recently managed just that by setting my OpenSSO top realm (/) to inactive…
Why would I do such thing I hear you say? Well I was trying to solve some issues related to our OpenID 2.0 extension and was experimenting with various realms, so there you have it…

The result of this great inspiration of mine is that I could not log anymore to the admin console; a tad annoying…
The solution (thanks to Shivaram!) is to edit the LDAP configuration tree and change the value of ou=services,dc=opensso,dc=java,dc=net and set it back to active. That’s it, you’re in!

Now me thinks we should change the console so as to prevent this from being possible…

I got this error when I was trying to get my drupal installation authenticate using the local ldap directory. Initially, I had thought that I was getting error because of my ldap settings. Then I enabled error reporting on my site, that is when this error was displayed to me.

This error is caused, I suppose due to the missing package php5-ldap in the system. After I installed this package using apt-get and restarted apache2, LDAP authentication wroked fine.

The story behind the project:

This project was one of my all time best results. When I was first given this project, I had no previous knowledge on Squid or Lotus Domino, yet I took up the challenge. On Day 1, I was given the whole picture of the project at the client side. They had recently migrated from their mail system to Lotus iNotes. They were using OpenLDAP to authenticate all the users for internet and mail.

Since Lotus iNotes comes with Lotus Domino LDAP for authenticating users, this created a problem for the client. Now the users must provide 2 separate authentication credentials for internet and mail. They sought my Company’s expertise to help them converge the authentication system for internet and mail using Lotus Domino LDAP.

I jumped in to analyse the problem. After a long and tiring research, understood that a lot of people had the same issue, and it seems no one has been successful in using Domino LDAP to authenticate Squid clients (except one, which was like finding a needle in a haystack). All the gained information helped me to authenticate Squid using OpenLDAP only. Armed with these information, i started the project. After trying each and every combination unsuccessfully, I started loosing hope that there could be a solution after all. But that single find (needle) was a major boost to my confidence. I was sure that there is a solution. So, after some serious discussions with my senior, I ran netcat (my savior) and captured the output that Squid was sending. Now, using the same technique I captured what ldapsearch was sending (ohhh i forgot to tell you that ldapsearch was workign perfectly fine with Domino LDAP). And LO!!! There lies the problem, a very very very simple issue. I couldnt believe it.

The issue was that Domino accepts credentials in the form of <username>space<password> while squid send the data in the form of uid=<username>,<password>. Now, with this information, i started a code review of squid_ldap_auth.c file and found the culprits hiding at various spots. I edited the necessary field (dont worry i will share it) and after remaking the file, SUCCESS!!!! Now squid clients are getting authenticated using Domino LDAP. SSL (squid-LDAP) also works perfectly fine.

Solution

1. First open the squid_ldap_auth.c file situated in squid-version/helpers/basic_auth/LDAP/
2. Find the line as shown below.
3. Now, remove “uid” so that the default value for userattr is NULL
4. Next, find the line where the credentials are bound together and sent to the port for transmission. Here you will find that the credentials are bound with “=” and “,” added to it. This is unnecessary for Lotus Domino LDAP.
5. The edited line should be as given below (without the “=” and “,”)
6. Now, the file is ready to be deployed. But, to acknowledge the hard work I have put into it, add the following lines into it as well.

Conclusion

I hope my solution has proved to be helpful for you. If by any chance you stumble upon an issue while implementing this project, feel free to get in touch with me. Together, we will drill down to the core and find the solution for the problem.

Dont forget to add my blog to your RSS.

Appendix

I am also attaching the netcat outputs, which helped me identify the issue.

1. Netcat output of Ldapsearch – Working
2. Netcat outout of Squid – Not working. But by comparing both, we can identify the issue.

One of the use cases we’re almost universally supporting across our midsize enterprise customer base here at Conformity is integration with Microsoft Active Directory (AD), and providing the ability to extend and link employee, role and organizational data with identity stores contained in leading SaaS applications such as Salesforce.com, NetSuite, Google Apps and others. With our AD connector, customers of the Conformity platform are extending capabilities today in two major areas:

• User provisioning / deprovisioning – by normalizing and synchronizing role and permissions models across AD and Conformity and through deploying our event monitoring capabilities customers can automate user provisioning, deprovisioning and change management activities.    When a new employee is onboarded and set up within AD, access and permissions to cloud services appropriate for the employee’s role are automatically provisioned via Conformity.  For example, when a new outside sales rep joins the organization, when added in AD they then can also be provisioned against Salesforce.com, Xactly and Google Apps with appropriate access and permissions.   When the sales rep changes title or role, or leaves the organization, changes in AD also then trigger appropriate changes in cloud application access and permissions.  In effect, we’re providing users a cloud provisioning extension for AD that enables IT to extend access policies and controls to the cloud.
• Chargeback models – integration of department and other organizational identifiers between AD and Conformity’s role model also streamlines our customers ability to automate extension of internal chargeback and financial management models to cloud applications.  By linking SaaS administrative siloes to AD  via Conformity, enterprises can track and manage departmental usage not just at the application level, but also within specific modules within the cloud services themselves.

In addition to dramatically reducing administrative headaches, synchronizing and normalizing identity data across AD and major cloud applications is also enabling them to streamline audit prep activities, reduce operational costs and strengthen access control and security.  More to come on this…

silverlight und wcf… das ist eigentlich ein recht umfangreichens thema. ich versuche trotzdem mal möglichst zusammenfassen meine bisherigen erfahrungen zu schildern.

wcf wurde nicht durch silverlight eingeführt und enthält deutlich mehr, als das, was silverlight in dem zusammenhang bietet. d.h. silverlight unterstützt zwar einige wcf funktionen, kann aber bei weitem nicht alles. es ist also nicht grundsätzlich möglich vorhandene services zu nutzen.

silverlight bietet die möglichkeit service calls abzusichern, allerdings nur mit UserNameOverTransport! nutzt man das, dann ist außerdem https notwendig! man muss dann also den iis benutzen, weil der development server des vs ssl garnicht unterstützt.

also fix ssl im iis aufsetzen, dafür gibts einige tutorials im netz! ein login sollte grundsätzlich mit ssl umgesetzt werden, weil die credentials, auch mit der normalen windows forms authentifizierung sonst unverschlüsselt übertragen werden und das will wohl keiner.

wird usernameovertransport benutzt, dann muss man entweder einen membershipprovider auswählen, selbst einen schreiben oder usernamepasswordvalidator implementieren, was deutlich einfacher ist, als einen membershipprovider zu implementieren. membershipprovider gibts z.b. für den sql server oder für den ldap (unten zu sehen).

zum testen benutze ich einen eigenen usernamepasswordvalidator, dessen validierungs methode einfach nur “return;” enthält. so muss man am client nix verändern und kann die security eingeschaltet lassen.


<behaviors>
<serviceBehaviors>
<behavior name="MeinProjekt.SecureServiceBehavior">
<serviceCredentials>
<!--userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="ADMembershipProvider" /-->
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MeinProjekt.CustomUserNamePasswordValidator, Zeiterfassung.Web"/>
</serviceCredentials>
<serviceAuthorization principalPermissionMode="None"/> <!-- nur unter bestimmten vorraussetzungen mit der windows forms authentication notwendig -->
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="6553600" />
</behavior>
</serviceBehaviors>
</behaviors>