Using OVD Filtered Directories for LDAP Authentication
Oracle Virtual Directory (OVD) is one of the little-known or understood hero products in the Oracle suite of technology offerings [I put OEM Grid Control in the same class].
In this post I'm going to share a few thoughts on OVD, and present a few approaches for using OVD to present a restricted view of information from another directory, and how that can be used to limit access to applications that use an LDAP authentication mechanism.
When I was first learning about OVD back in early 2007, after the Oracle acquisition, it immediately grabbed my attention. Simple, easy to use, but so powerful - a swiss army knife for anyone working in the directory management space. Maybe that is the wrong analogy, because the greatness in OVD is that it doesn't try to boil the ocean - it just does one thing, but does it really well.
Simply put, it allows you to combine directory-related information from disparate sources (LDAP, AD, database etc) and present an LDAP-compliant view in real-time. And the virtual bit is real (if that makes any sense) - OVD doesn't store anything, unlike a meta-directory; it just passes through the directory requests according to the rules you setup.
The virtual nature makes OVD ideal in large enterprise situations, where control of directories may be distributed. Another group may have a directory that contains some information you want to use as part of your "directory view", but are not going to cede any ownership or agree to any changes anytime soon, like adding some new attributes. Wheel in OVD!
Likewise, affiliated companies may want to share directory information, but not hand over control. And if the business relationship comes to an end, the directory owners want to know that they can turn off access in a moment, without needing to worry about cached or replicated data left on the other side of the corporate divide. OVD to the rescue!
Case in Point: you need a subset of an existing directory
The inspiration for this post is a small challenge I was involved with recently. The company was deploying a new web application - it just happened to be Oracle WebCenter Wiki, but the same applies to any application that supports LDAP authentication.
The only directory available contained a mix of users - some who should be able to access the wiki, and some who shouldn't. Configuring the wiki authentication mechanism against the directory is simple - but it is an all or nothing proposition. And of course, we couldn't change anything in the directory itself.
Sounded like a job for OVD!
Here's the basic setup - OVD is deployed between our application and the main directory, like a proxy server. We want OVD to effectively "filter" the requests coming from the application.
Configuration of OVD is done using the OVD Manager client, which connects to the administration port of the OVD server.
Approach #1: DN Matching
If you can define the distinction between included/excluded entries in terms of an entry's DN, then a very simple solution is to use the "DN Matching" property of the source adapter. This is found in the Routing configuration.
Say for example, we only wanted our OVD directory to include entries that are in the ou=ITGroup or ou=Management containers. In this case, we would set the DN Matching property with a regular expression that will match on the DN string:
Approach #2: ACL Restrictions
In practice, the DN may not provide enough information to distinguish items to include and exclude, and it is necessary to discriminate on the basis of an attribute, such as "departmentName". In this case, access control in the OVD engine may be configured to restrict the directory view based on a suitable filter.
It is important to note with this approach that ACLs can be applied to all LDAP operations, except bind.
As a result, the directory view we have created with OVD appears to contain only the filtered subset of information: we cannot browse, search, get or modify anything else. However, if you present a fully-qualified DN and the associated password, OVD will authenticate and bind any entry that exists in the source directory.
On the face of it, that seems to blow the whole approach out of the water. That's what I was thinking too, until Mark Wilcox helpfully nudged me along with a neat insight...
If our requirement is to use OVD to restrict the set of users that can authenticate via an application, we only need to consider the application's authentication mechanism. In most cases the process runs as follows. The user enters an id or username, which the application uses to search for the user's DN; the application then binds with that DN and the user-supplied password. If the application can't find the DN in the first place, then no bind is possible.
Of course, the acknowledged security "exposure" in this case is that a user can bypass the application and bind directly to OVD if they know their DN. This is probably a false risk, because the user would always have had the same capability against the source directory itself (assuming that the source directory and OVD are equally accessible to the user over the network). That assumption is the whole caveat, though: if OVD's LDAP listener is reachable from networks that the source directory is not, the direct bind becomes a genuine bypass, so restrict network access to OVD to the application servers that need it.
Bottom line? Using ACLs to restrict the search effectively controls the set of users that the application can authenticate.
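To make the two approaches and the bind caveat concrete, here is an added Python model (example code written for this post, not OVD's own code or anything from the original): a toy source directory, a virtual view that applies a DN Matching regex on routing and an ACL filter that applies to search but not to bind, and the search-then-bind flow the application performs. The sample entries, the `app_login` function and the assumption that a DN which is not routed to the adapter can never bind are all constructed for this illustration.

```python
import hmac
import re

# Constructed sample of entries in the source directory (not real data).
SOURCE_DIRECTORY = {
    "cn=alice,ou=ITGroup,dc=example,dc=com":
        {"uid": "alice", "departmentName": "IT", "userPassword": "alice-pw"},
    "cn=bob,ou=Management,dc=example,dc=com":
        {"uid": "bob", "departmentName": "Management", "userPassword": "bob-pw"},
    "cn=carol,ou=Sales,dc=example,dc=com":
        {"uid": "carol", "departmentName": "Sales", "userPassword": "carol-pw"},
}


class VirtualView:
    """Toy model of the two restrictions discussed in the post (not OVD code).

    dn_pattern: Approach #1, the adapter's DN Matching regex. Assumed here to
        gate every operation, bind included, because a non-matching DN is never
        routed to the adapter.
    acl_filter: Approach #2, an ACL over the view. Applied to search but, as
        the post notes, not to bind.
    """

    def __init__(self, source, dn_pattern=None, acl_filter=None):
        self.source = source
        self.dn_re = re.compile(dn_pattern, re.IGNORECASE) if dn_pattern else None
        self.acl_filter = acl_filter

    def _routed(self, dn):
        return self.dn_re is None or self.dn_re.search(dn) is not None

    def search(self, attr, value):
        """Return the DNs whose attribute equals value, subject to both restrictions."""
        return [
            dn for dn, entry in self.source.items()
            if self._routed(dn)
            and (self.acl_filter is None or self.acl_filter(entry))
            and entry.get(attr) == value
        ]

    def bind(self, dn, password):
        """Simple bind: routing applies, the ACL does not."""
        entry = self.source.get(dn)
        if entry is None or not self._routed(dn):
            return False
        return hmac.compare_digest(entry["userPassword"], password)


def app_login(view, username, password):
    """The two-step flow most LDAP-enabled apps use: find the DN, then bind as it.
    Returns the bound DN, or None if the user is invisible or the password is wrong."""
    matches = view.search("uid", username)
    if len(matches) != 1:        # unknown or ambiguous: never attempt a bind
        return None
    return matches[0] if view.bind(matches[0], password) else None


# Approach #1: only entries under ou=ITGroup or ou=Management are routed at all.
dn_matched = VirtualView(SOURCE_DIRECTORY, dn_pattern=r"ou=(ITGroup|Management),")

# Approach #2: everything is routed, but the ACL hides other departments from search.
acl_filtered = VirtualView(
    SOURCE_DIRECTORY,
    acl_filter=lambda e: e["departmentName"] in {"IT", "Management"},
)

if __name__ == "__main__":
    for label, view in (("DN matching", dn_matched), ("ACL filter", acl_filtered)):
        print(label, "alice via app:", app_login(view, "alice", "alice-pw"))
        print(label, "carol via app:", app_login(view, "carol", "carol-pw"))
        print(label, "carol direct bind:",
              view.bind("cn=carol,ou=Sales,dc=example,dc=com", "carol-pw"))
```

Run it and the difference between the approaches shows up on the last line of each group: under DN matching carol cannot bind at all, while under the ACL filter she is invisible to the application's search yet still binds directly with her full DN, which is exactly the exposure discussed above.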
In Practice: Oracle WebCenter Wiki
Oracle WebCenter Wiki is the example application, but you can think of it as any old J2EE application packaged as an EAR that supports Java SSO. By default it will use JAZN XML file-based storage for user accounts.
When deployed in OC4J, the security provider used for the Wiki application can be easily changed via the Enterprise Manager web interface.
Switching to OVD as the authentication source is a simple matter of selecting the Oracle Security Provider for 3rd Party LDAP Server and configuring it with some simple directory details:
Almost done. There are two assumptions that I think the wiki makes about the directory. Just make sure these are set up:
- wiki users must be members of the group called "users"
- administrators are members of the group called "oc4j-administrators"
Now you are done. The wiki authentication is being performed against the limited set of users visible through OVD.
Caveat: selecting the Oracle Security Provider for 3rd Party LDAP Server causes the site to revert to basic authentication (i.e. it pops up a username/password dialog instead of using a web form). Basic authentication also sends the credentials with every request, so make sure the wiki is served over TLS. Not a big deal otherwise, but you will find the "logout" feature in the wiki now fails because it assumes form-based custom authentication. So once you have people lured into your wiki, they are trapped! ;-)
Wrapping Up
I've covered two techniques for restricting the set of information published via OVD: DN Matching, and ACL filters.
There are other approaches that I've not covered here. For one, Java or Python plug-ins (a.k.a. mappings) can achieve the same result, as well as more complex behaviours of course.
These techniques allow OVD to be used to restrict overall access control for applications that use LDAP authentication mechanisms.
Once again, hat-tip to Mark Wilcox for his help when I thought I'd hit a wall while researching this topic!
Longitude by Dava Sobel is the very readable tale of John Harrison's astonishing, life-long quest to build timepieces that were suitable for maritime use in the determination of longitude.
Self-educated and living far from the madding crowd in Barrow, his first clocks were largely wooden. Harrison's earliest surviving clock movement, dated 1713, can be found at The Worshipful Company of Clockmakers of London.
He first set his mind to the challenge of maritime timekeeping in 1727. The Board of Longitude had been established in Britain by Act of Parliament and offered a prize of £20,000 for a method that could determine longitude within 30 nautical miles (56 km).
The problem of longitude had long plagued sailors, sending many crashing to their deaths on unexpected landfall, or dying from thirst and scurvy lost at sea. It was the subject of much public discourse, as global warming is for example today. It even makes a cameo in William Hogarth's engravings of A Rake's Progress (note a man scribbling a dim-witted solution to the longitude problem on the wall, centre).
The method for determining longitude by comparing local time with the time at a known origin relies on very accurate time keeping. Beyond the capabilities of clocks of the age, even on land. At sea, the combined effects of motion, temperature and gravity made the approach seemingly impossible.
Despite support from the Royal Society, the Board of Longitude was well stacked with those who favoured an astronomical approach, relying on measurements of the passage of the moon. Nevil Maskelyne proved to be Harrison's arch-nemesis and main proponent of the lunar distance method. Although the chronometer eventually won over seafarers (and King George III) through its simplicity and reliability, Nevil's Nautical Almanac became his enduring legacy and is still published today (minus the lunar distance tables).
After producing five timepieces (H-1 through H-5), John Harrison was finally recognised in 1773 by Parliament to have proven his claim, although he was never officially awarded the full prize by the recalcitrant Board of Longitude. The National Maritime Museum of Britain has a comprehensive Time gallery which features H-1 to H-4. H-5 is at The Worshipful Company of Clockmakers of London.
It fell to Harrison's successors, like Thomas Earnshaw, to fully commercialise the maritime chronometer. Yet they all owe their success to the many innovations that Harrison pioneered.
The machine used for measuring time at sea is here named a chronometer, [as] so valuable a machine deserves to be known by a name instead of a definition.
-ALEXANDER DALRYMPLE in his pamphlet 'Some Notes useful to those who have Chronometers at Sea'
Desktop Keyboards Stuck in Design Limbo
Keyboards are terrific examples of how bad design can get stuck in a rut, unable to overcome inertia. Everyone says qwerty is a bad idea, yet I couldn't imagine using anything else now since its use is so ingrained.
But another aspect of keyboard design that has me really grumpy is the whole numeric keypad appendage on desktop keyboards. It is a holdover from the days when users were "data entry clerks". But we are stuck with it: Microsoft only have two keyboard models without it, while ALL Logitech models are saddled with this cancer. (Postscript: Dean Chu corrected me here; Logitech's diNovo models don't have the numeric keypad.)
This started to really annoy me of late, because I've been switching between a laptop during the day, and a desktop at night.
Working with a desktop keyboard again was feeling really strange and difficult, but after some reflection I realised the problem. My right hand is used to shifting all the time between jkl; and the mouse. On the laptop, this is a subtle and effortless gesture. On the desktop, it's like playing table tennis.
The fact that virtually all laptop designs eschew the separate numeric keypad should be proof that it is evolutionary dead wood.
So this is my grumpy call for all keyboard manufacturers to wake up their snoozing product managers/designers and actually innovate for once. Fix this ergonomic nightmare! At least give us some choice ... integrate it with function keys like laptops; use separate USB numeric keypads; even consider sticking it on the left-hand side of the keyboard.
And for all those poor souls who really are still data entry clerks, I'm sure there will be no-brand outfits from China knocking out standard 102-key designs for years to come.
Is it just me? Did I get up on the wrong side of the bed today, or do others feel this way too?
Postscript 9-Feb-2009 ... hat tip to mqt for linking Trevor Blackwell's solution: just chop it off! If you gotta take a bandsaw to a product to make it fit-for-use, then something's wrong, right?!!
Appcelerator - bringing down the wall between RIA and SOA?
I wonder if the Appcelerator guys have finally cracked the RIA and SOA dichotomy? I first came across them on Coté's RIA Weekly #008 RedMonk Radio podcast.
I've presented my views before on what I see as the three megatrends in IT:
- Web 2.0 - or more generally, RIA
- Grid - although today I'd probably update this to be "Cloud Computing"
But the distinction between RIA and SOA has always felt forced; unrelated working metaphors, owing more to the historical segregation of the communities addressing each than strict architectural principles.
While industry lines have been drawn very clearly around these two domains (take OpenSOA v. OpenAJAX for example), there have been many attempts to nibble away at the distinction. AJAX toolkits like SAJAX and SWATO strive to make calling back-end resources more convenient. And frameworks like ADF approach the problem from the other end, by "hiding" AJAX rendering in their server-side, SOA-aware paradigm.
So what has Appcelerator got to do with this?
From what I understand so far, the key is that they have unified the event/messaging model both within the browser and the "SOA-sphere", and done so in a very elegant way. There are three parts to their solution:
- Web Expression Language
- RIA Widget Framework
- RIA Message Broker
All components in an Appcelerator application communicate via simple lightweight messages using the RIA Message Broker. On the server-side, Appcelerator provides a set of SOA Integration Points that enable service creation in Java, PHP, Ruby, .NET, Python and Perl.
The end result is a very clean, lightweight and seamless development approach. HTML attributes define behaviour: what messages to send, and what to do when a message is received. And the real magic: when you send a message, you do not know or care whether it is handled by another HTML element on the same page, or by a SOAP Web Service somewhere out on the net.
Here's how straightforward it gets. An example of an input field messaging a calendar widget to show itself..
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:app="http://www.appcelerator.org">
  <body>
    <!-- the widget listens for the local (l:) message show.calendar -->
    <app:calendar title="Pick a Date" on="l:show.calendar then execute" inputId="mydate"/>
    <!-- focusing the input sends that message -->
    <input type="text" id="mydate" value="click me" on="focus then l:show.calendar"/>
  </body>
</html>
Or an input button sending a message...
<input type="button" value="submit" on="click then r:login.request"/>
.. that is handled by a Java service:
public class LoginService {

    // the annotation binds this method to the remote (r:) login.request message
    // and names the message that carries its reply
    @Service(request = "login.request", response = "login.response")
    protected void processLogin(Message request, Message response) {
        // get request data
        String username = request.getData().getString("username");
        String password = request.getData().getString("password");
        User user = userDAO.login(username, password);

        // format response
        if (user != null) {
            // the original excerpt ends here; populate the response payload
        }
    }
}
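As an added illustration of the messaging model described above (example code written for this page, not the Appcelerator SDK or anything from the original post), here is a small Python stand-in for the broker. It parses the `l:`/`r:` scope prefix used in the page's examples, delivers local messages to in-page listeners, routes remote messages to a handler registered with a decorator that mirrors the Java `@Service(request, response)` annotation, and publishes the handler's response back locally, so the sender never knows which path handled it. The `Broker`, `Message` and `login` names, and the `USERS` credentials standing in for `userDAO.login()`, are all constructed for this example.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Message:
    name: str
    data: dict = field(default_factory=dict)


class Broker:
    """Toy stand-in for the RIA Message Broker (not the Appcelerator SDK).

    Scope prefixes follow the page's examples: 'l:' messages are delivered to
    in-page listeners; 'r:' messages go to a registered service, whose response
    message is then delivered locally. Senders never learn which path handled them.
    """

    def __init__(self):
        self.listeners = {}   # message name -> [callback, ...]
        self.services = {}    # request name -> (response name, handler)

    def listen(self, name, callback):
        self.listeners.setdefault(name, []).append(callback)

    def service(self, request, response):
        """Decorator mirroring the Java @Service(request=..., response=...) annotation."""
        def register(handler):
            self.services[request] = (response, handler)
            return handler
        return register

    def send(self, scoped_name, data=None):
        """Publish a message; returns the number of local listeners that received
        the resulting message (the request itself for 'l:', the response for 'r:')."""
        scope, sep, name = scoped_name.partition(":")
        if sep != ":" or scope not in ("l", "r"):
            raise ValueError(f"expected 'l:' or 'r:' prefix, got {scoped_name!r}")
        request = Message(name, dict(data or {}))
        if scope == "l":
            return self._deliver(request)
        if name not in self.services:
            raise LookupError(f"no service registered for {name!r}")
        response_name, handler = self.services[name]
        response = Message(response_name)
        handler(request, response)
        return self._deliver(response)

    def _deliver(self, msg):
        callbacks = self.listeners.get(msg.name, [])
        for cb in callbacks:
            cb(msg)
        return len(callbacks)


# Constructed sample credentials standing in for userDAO.login() (not real data).
USERS = {"alice": "correct horse battery staple"}


def build_broker():
    broker = Broker()

    @broker.service(request="login.request", response="login.response")
    def process_login(request, response):
        # same shape as the Java LoginService above: read the request, fill the response
        username = request.data.get("username", "")
        password = request.data.get("password", "")
        ok = username in USERS and hmac.compare_digest(USERS[username], password)
        response.data["success"] = ok
        response.data["username"] = username if ok else None

    return broker


def login(broker, username, password):
    """Sends r:login.request and returns the data of the login.response it triggers."""
    received = []
    broker.listen("login.response", received.append)
    broker.send("r:login.request", {"username": username, "password": password})
    return received[-1].data


if __name__ == "__main__":
    b = build_broker()
    b.listen("show.calendar", lambda m: print("calendar shown"))
    b.send("l:show.calendar")
    print(login(b, "alice", "correct horse battery staple"))
```

The point to notice is that `send("l:show.calendar")` and `send("r:login.request")` go through the same entry point; only the broker knows that one stays in the page and the other crosses to a service. The `hmac.compare_digest` call and the explicit `username in USERS` guard are there because an empty password against a missing user would otherwise compare equal to the empty default.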
Appcelerator looks like one to definitely watch closely and investigate further..