1st LDAP Conference 2007, Köln, Germany, 6-7 September 2007
Moving LDAP Writes to Web Services
Kostas Kalevras, National Technical University of Athens, Network Operations Center
Greek School Network
NOC - NTUA, 1st LDAP Conference, Köln, 7.09.2007
Agenda
Greek School Network – E-School Development Environment
Problems with direct LDAP writes
Why move to Web Services
LDAP Reads – Authentication
LDAP User Management Service PHP API
Conclusion
Greek School Network
Interconnects all Greek schools and provides Internet access
Provides school and personal accounts
Email, dialup, VoIP, web page services
LDAP Service
Based on Sun ONE Directory Server
Central authentication repository for all user services
Contains the organizational hierarchy
170,000 entries
School accounts, teacher accounts
Student accounts scheduled
User Administration
Central web-based interface
Written in PHP and Javascript
Provides an object and form editor/creator
One form is created per object type (object types are abstract types like student, teacher, ADSL router, etc.)
LDAP tree browser and data manipulation (add, edit) forms are provided to administrators
Delegated administration of entries
Interface features
Computed attributes based on other attribute values
Computation formula: any valid PHP expression or even function
Attribute uniqueness
Referential integrity
Post operations (moving user home directories, welcome emails, etc.)
E-School framework
Services on top of the current network
Provided services:
Web portal (sPortal) for student parents: parents register and can check their child's progress and status
PKI infrastructure
School Administration platform: move all school operations to the electronic world (student enrollment, classroom management, grading)
Central personnel and student database
Interface (.NET) running in all schools communicates changes to the central database
New entry sources
Old days: accounts were created through the central web interface
E-School: accounts are now created from more than one source:
sPortal creates parent accounts
School Administration platform creates teacher and student accounts and maintains the organizational hierarchy
School accounts (official school email account) still need to be created 'by hand'
Why direct LDAP access is bad
Each service only knows its own little world (and attributes). sPortal, for instance, only needs a username/password pair and nothing more
No easy way to perform post-operation tasks
Apart from ACIs there is no other control over what is written (no real constraints)
Changes to the entry schema need to be integrated in ALL outside sources
No way to expire an entry instead of deleting it
Service code and operation are outside our administration domain
Web Services to the rescue
Create a web service functional interface around the user interface
Provide functions accessible through HTTP(S)-SOAP (declarations in WSDL)
Web services written in PHP (nuSOAP)
Map all abstract operations (e.g. parent creation) to functions in the web services
The user interface provides general object interaction functions in PHP (ldap add/modify/delete)
All complex features are already present and configured in the user interface
Example
createParent()
Input: parent name, surname, username, password
Check arguments, username uniqueness
Log all operations
Call internal object creation routine
Routine handles all complex operations (like computed attributes, etc.)
Output: status code, error message if present
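A sketch of such a createParent() in PHP, added here as an illustration (it is not code from the presentation or from LUMS); the directory URI, base DNs, the mapping of HTTP Basic credentials to a service-account DN and the numeric status codes are assumptions:

```php
<?php
// Added illustration of the createParent() flow on this slide; not the Greek School Network's or LUMS's code.
// Directory URI, base DNs, the HTTP-credential-to-DN mapping and the status codes are assumptions.
const LDAP_URI     = 'ldaps://ldap.example.invalid';
const PARENT_BASE  = 'ou=parents,dc=example,dc=invalid';
const SERVICE_BASE = 'ou=services,dc=example,dc=invalid';
function createParent(string $name, string $surname, string $username, string $password): array
{
    $caller = $_SERVER['PHP_AUTH_USER'] ?? 'anonymous';
    // 1. Argument checks live here, once, instead of in every calling service.
    if (!preg_match('/^[a-z][a-z0-9._-]{2,31}$/', $username)) {
        return ['status' => 1, 'error' => 'invalid username format'];
    }
    if ($name === '' || $surname === '' || strlen($password) < 8) {
        return ['status' => 2, 'error' => 'missing name/surname or password too short'];
    }
    // Bind with the HTTP credentials, mapped to a service-account entry (assumed layout).
    $ds = ldap_connect(LDAP_URI);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $bindDn = 'uid=' . ldap_escape($caller, '', LDAP_ESCAPE_DN) . ',' . SERVICE_BASE;
    if (!@ldap_bind($ds, $bindDn, $_SERVER['PHP_AUTH_PW'] ?? '')) {
        error_log("createParent: bind failed for $caller");
        return ['status' => 3, 'error' => 'authentication failed'];
    }
    // 2. Username uniqueness; the value is escaped so it cannot alter the filter.
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = ldap_search($ds, PARENT_BASE, $filter, ['uid']);
    if ($sr === false || ldap_count_entries($ds, $sr) > 0) {
        error_log("createParent: $caller refused, uid=$username is not unique");
        return ['status' => 4, 'error' => 'username already exists'];
    }
    // 3. Internal creation routine: schema and computed attributes stay on this side.
    $salt  = random_bytes(4);
    $entry = [
        'objectClass'  => ['top', 'person', 'inetOrgPerson'],
        'uid'          => $username,
        'givenName'    => $name,
        'sn'           => $surname,
        'cn'           => "$name $surname",   // computed from other attribute values
        'userPassword' => '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt),
    ];
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . PARENT_BASE;
    if (!@ldap_add($ds, $dn, $entry)) {
        $err = ldap_error($ds);
        error_log("createParent: $caller add failed for $dn: $err");
        return ['status' => 5, 'error' => $err];
    }
    error_log("createParent: $caller created $dn");   // 4. every write logged at the service
    return ['status' => 0, 'error' => ''];
}
```

This is the function a nuSOAP soap_server would register and describe in its WSDL; the SOAP plumbing itself is omitted.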
Advantages
One function backend for both the e-school services and the user interface
Complete logging is available. No more looking through millions of lines of directory server logs
Computed attributes are available
Pre and post operation tasks can be performed (calling outside scripts/web services)
All operations pass through a central point. We can set any constraints on the provided values
Advantages (2)
Outside services need not know our schema. They call a function with the minimum set of arguments. We can change the entry schema whenever we want
We can have our own expiration policy. EntryDelete() could just set active=false
WSDL is clear and precise. LDAP is abstract and parties need to agree on how to perform operations.
LDAP Reads
Web services could be used for complex reads too
One function for every complex search operation
Group membership and LDAP browsing are perfect candidates
Advantage: Schema abstraction, functional interface
DSML could be used to carry back entry information
Authentication
HTTP authentication is used
Credentials are mapped to LDAP entries
Web service binds with the HTTP credentials
Which credentials to use?
Special service user in case of synchronization mechanisms
User entry for which the operation is requested (i.e. change password operation)
LDAP User Management Service (LUMS)
A PHP LDAP entry management API has been created for another project
Provides:
A set of basic LDAP API functions (search, add, delete, modify, rename, change password)
A strong configuration language
Administrator defines LDAP object types and their corresponding attributes
LDAP User Management Service (2)
Options available for each attribute:
Define as required, multivalued
Set attribute type (string, binary, dn, telephone, email, etc.)
Define attribute value source: user inserted, constant, auto increment, function created
Allow for attribute uniqueness
Define extra syntax checking function
Define virtual attributes which can be used to create attribute mappings
Pre and post operation functions can be defined
Automatic handling of non-English charsets
LDAP and XML integration
DSML has been available for quite some time and is starting to get used
XML Enabled Directory envisions moving the entire LDAP protocol to XML space
Looks like LDAP and XML integration will be even tighter in the near future
Conclusion
A web service functional interface can provide significant benefits if:
There is more than one entry source
Sources are heterogeneous and possibly multiplatform
Sources are usually outside our administration domain and control
Information synchronization is not based on human interaction
A strong and configurable LDAP API is provided for use by the web service
References
Greek School Network: http://www.sch.gr/
NTUA NOC: http://www.noc.ntua.gr/
LUMS: http://www.sourceforge.net/projects/lums
Blog: http://kkalev.wordpress.com/
Thank you!