
LDAP Service Provider


This section discusses how to enable authentication against a directory service using the LDAP Service Provider for JNDI.

LDAP Service Provider for JNDI provides access to eDirectory and other directories using LDAP (Lightweight Directory Access Protocol), an Internet standard for accessing directory information. JNDI (Java Naming and Directory Interface) provides a consistent interface across multiple services through the use of service providers.

LDAP Service Provider for JNDI is LDAP v3-compliant and includes support for the virtual list view and server-side sorting controls available on eDirectory. Because it uses LDAP, it has no dependencies on the Novell Client software.

Dependencies

LDAP Service Provider for JNDI requires a Sun Microsystems Java 2 SDK, Standard Edition, version 1.2 (http://java.sun.com/products/jdk/1.2/) for the platform you are developing on and a Java Virtual Machine (JVM) for the application's target platform. If your target platform is the NetWare server, a JVM v1.1 is included in this component. Download it from: http://developer.novell.com.

JNDI

JNDI (Java Naming and Directory Interface) is an industry-wide, open interface that gives developers a common interface for navigating the many naming systems that exist in the computing world today. JNDI greatly simplifies the code needed to browse directory services such as NDS, X.500, and LDAP.

JNDI information can be found at http://java.sun.com/products/jndi. JNDI is owned by JavaSoft and is distributed by Java licensees. JNDI is part of the JavaSoft Enterprise API. The LDAP Service Provider for JNDI uses JNDI 1.2.

LDAP

LDAP (Lightweight Directory Access Protocol) is becoming an Internet standard for accessing directory information, allowing LDAP-enabled applications to access multiple directories. LDAP v3 supports such features as secure connections through SSL or SASL, entry management, schema management, and LDAP extensions and controls for expanding LDAP's functionality.

The LDAP Service Provider for JNDI is compliant with LDAP v3 and supports SSL connections.

Documentation

We've enabled Start menu documentation entries. After you have installed the documentation, use the "NDK Documents" entry on your Start menu to quickly locate and access NDK documentation.

To read or print the documentation, you need Adobe Acrobat Reader, a free download from http://www.adobe.com.

The documents in this download were created as standalone files; therefore, links between files in this download and links to files in other downloads will not resolve.

The download includes the following files:

  • ldap_enu.pdf (LDAP and eDirectory) which is placed in the [install location]\doc\ldapover directory.

  • ldapprov.pdf (LDAP Service Provider for JNDI) which is placed in the [install location]\doc\ldapjndi directory.

  • dsov_enu.pdf and schm_enu.pdf which are placed in the [install location]\doc\ndslib directory.

Dependencies

The LDAP Service Provider for JNDI requires a JDK 1.2 for the platform you are developing on, Java Secure Socket Extension (JSSE), and a JVM for the application's target platform.

If your application requires secure connections, it also requires Novell SSL for Java.

If your application requires obtaining effective rights, you need the LDAP server and the extensions that are available in the next release of eDirectory. To obtain a copy of eDirectory 8.5, see Novell's developer product site: http://developer.novell.com.

If you used an early beta version of eDirectory 8.5, be aware that the OIDs for the effective rights extensions changed for beta 5 and the final release. The getEffectivePrivilegesRequest extension now has 2.16.840.1.113719.1.27.100.33 as its OID, and the getEffectivePrivilegesResponse extension has 2.16.840.1.113719.1.27.100.34 as its OID.

List of Files

There are five files in the download:

  • jndi.jar (c:\novell\ndk\ndssdk\java\jndi1.2\jndi\lib\)

  • ldap.jar (c:\novell\ndk\ndssdk\java\jndi1.2\ldap\lib\)

  • ldapbp.jar (c:\novell\ndk\ndssdk\java\jndi1.2\ldap\lib\)

  • providerutil.jar (c:\novell\ndk\ndssdk\java\jndi1.2\ldap\lib\)

  • novbp.jar (c:\novell\ndk\ndssdk\java\novbp\lib\)

SSL Integration

The LDAP Service Provider for JNDI does not support mutual authentication, but it supports server-side authentication.

In server-side authentication, the client receives a certificate from the server and can then use the certificate to ensure that authentication takes place to a trusted host.

For this type of authentication to succeed, the LDAP server must have a certificate to use with SSL, the Java client must have a place to store the certificate, and the LDAP service provider must be set to use SSL.

Setting Up the LDAP Server

The LDAP server must be configured to use SSL. For instructions, see the product documentation that came with your version of eDirectory or see the documentation at http://www.novell.com/documentation/lg/ndsse/ndsseenu/data/a2iiifa.html.

Setting Up the KeyStore for the Java Client

The Java client must have a KeyStore for storing root certificates. The following steps explain how to use the KeyTool in JDK 1.2 to create a KeyStore with a certificate.

  1. Download and install Novell SSL for Java (http://developer.novell.com/ndk/graveyard.htm).

  2. Make sure the following files are in your CLASSPATH:

      ssl_sdk1.2.jar
      nssl1.2_exp.jar

  3. To the JDK1.2\jre\lib\security\java.security file, add the following:

      security.provider.1=com.novell.service.security.net.ssl.SSLProvider

  4. From ConsoleOne or NWAdmin32, create and export a trusted root certificate (a .der file). In this example, the certificate file is named ssl.der.

  5. Use the KeyTool from JDK 1.2 to create a KeyStore file. If c:\test\ssl.der is the certificate filename and c:\test\sslkey.keystore is the KeyStore filename, the command would be as follows:

      keytool -import -file c:\test\ssl.der -keystore c:\test\sslkey.keystore -alias "type=r.name=sslkey"

     This command prompts you for a password to use with the KeyStore file.

  6. Create an ssl.properties file and include the following lines:

      ssl.keystore = sslkey.keystore
      ssl.keystore.password =

     Supply the password for the KeyStore file as the value of ssl.keystore.password.

  7. Place the ssl.properties file in one of the following locations:

      User home
      User directory
      java.home
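The following Java program is an added example; it is not part of the course page or the NDK. It performs the KeyStore step above from Java instead of keytool (reading the exported .der root, storing it as a trusted-certificate entry) and then re-opens the KeyStore to confirm the root is present as a trusted entry rather than a key entry, which is the check a client relies on before it can validate an eDirectory server certificate. The file paths and alias are the page's example values; the password "changeit" and the CA sanity checks are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Added example: builds and verifies the client trust store for server-side authentication. */
public class TrustStoreSetup {

    /** Imports a DER-encoded trusted root into a JKS keystore, creating the file if needed. */
    public static void importTrustedRoot(String derFile, String keystoreFile,
                                         String alias, char[] password)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root;
        try (FileInputStream in = new FileInputStream(derFile)) {
            root = (X509Certificate) cf.generateCertificate(in);
        }
        // Sanity checks (assumption of this example): a v3 trust anchor must carry
        // CA basic constraints, and an expired root is useless for validation.
        if (root.getVersion() == 3 && root.getBasicConstraints() < 0) {
            throw new GeneralSecurityException(
                    "not a CA certificate: " + root.getSubjectX500Principal());
        }
        root.checkValidity();

        KeyStore ks = KeyStore.getInstance("JKS");
        File f = new File(keystoreFile);
        if (f.exists()) {
            try (FileInputStream in = new FileInputStream(f)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, password); // start with an empty keystore
        }
        ks.setCertificateEntry(alias, root); // trusted-certificate entry, no private key
        try (FileOutputStream out = new FileOutputStream(f)) {
            ks.store(out, password);
        }
    }

    /** Returns the trusted root stored under alias, or null if it is missing or is a key entry. */
    public static X509Certificate trustedRoot(String keystoreFile, String alias, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, password);
        }
        if (!ks.isCertificateEntry(alias)) {
            return null;
        }
        return (X509Certificate) ks.getCertificate(alias);
    }

    public static void main(String[] args) throws Exception {
        // Assumed password; keytool prompts for it interactively in the page's procedure.
        char[] pw = "changeit".toCharArray();
        String keystore = "c:\\test\\sslkey.keystore";
        String alias = "type=r.name=sslkey";

        importTrustedRoot("c:\\test\\ssl.der", keystore, alias, pw);

        X509Certificate c = trustedRoot(keystore, alias, pw);
        if (c == null) {
            System.out.println("root certificate is NOT a trusted entry under " + alias);
        } else {
            System.out.println("trusted root: " + c.getSubjectX500Principal()
                    + " (valid until " + c.getNotAfter() + ")");
        }
    }
}
```

Run it once with the exported ssl.der in place; the printed subject and expiry date are what an operator should compare against the certificate actually installed on the LDAP server before relying on the connection.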

Enabling the LDAP Service Provider for SSL Connections

To integrate Novell's SSL solution with the LDAP service provider, complete the following steps.

  1. Download and install JSSE from Sun (http://java.sun.com/products/jsse).

  2. Make sure the following jar files are in the CLASSPATH.

      jsse.jar
      jnet.jar

  3. Make sure the novbp.jar file is in the CLASSPATH. This file contains the LDAP secure socket factory.

  4. Add the following to the properties object:

      "java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory"
      "java.naming.provider.url", "ldap://137.65.214.155:636"
      "java.naming.security.protocol", "ssl"
      "java.naming.ldap.factory.socket", "com.novell.service.ndssdk.jndi.ldap.ssl.LdapSecureSocketFactory"
      "java.naming.security.authentication", "simple"
      "java.naming.security.principal", "cn=admin,o=novell"
      "java.naming.security.credentials", "secret"

     The IP address in the java.naming.provider.url entry needs to be modified to match your LDAP server. The port number, 636, is the default port for LDAP over SSL; your server can be configured to use a different port.
     The last two lines set up the user and password for authentication. These need to be modified to match a user on your LDAP server.
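The following is an added example, not code from the course page or the NDK, showing the properties above placed in a JNDI environment and used to open an SSL-protected context, run one search, and tell a trust failure apart from a rejected bind. The javax.naming.Context constants are the standard names for the "java.naming.*" strings listed above. The host name, search base, principal and the LDAP_PW environment variable are assumptions; the Novell socket factory class is the one the page names, and the alternative of using the JDK's own trust store instead of it is likewise an assumption about a current JDK, not something the page states.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLHandshakeException;

/** Added example: server-authenticated LDAP over SSL through the JNDI LDAP provider. */
public class SslLdapClient {

    /** Builds the JNDI environment for an SSL connection with simple authentication. */
    public static Hashtable<String, String> sslEnvironment(String url, String principal,
                                                            String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);               // e.g. "ldap://ldap.example.test:636"
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        // Socket factory named on the page. Assumption: on a current JDK this line can be
        // dropped and javax.net.ssl.trustStore pointed at the KeyStore holding the root.
        env.put("java.naming.ldap.factory.socket",
                "com.novell.service.ndssdk.jndi.ldap.ssl.LdapSecureSocketFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    /** Connects (the bind happens inside the constructor, over TLS), counts the entries one level under base. */
    public static int countEntries(Hashtable<String, String> env, String base) throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] { "cn" }); // keep the result small
            NamingEnumeration<SearchResult> results = ctx.search(base, "(objectclass=*)", sc);
            int n = 0;
            while (results.hasMore()) {
                results.next();
                n++;
            }
            return n;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        String password = System.getenv("LDAP_PW"); // assumed variable; avoids a hard-coded secret
        if (password == null) {
            System.err.println("set LDAP_PW to the bind password");
            return;
        }
        Hashtable<String, String> env = sslEnvironment(
                "ldap://ldap.example.test:636", "cn=admin,o=novell", password);
        try {
            System.out.println("entries under o=novell: " + countEntries(env, "o=novell"));
        } catch (CommunicationException e) {
            // A server certificate the client's KeyStore does not trust (or an expired one)
            // fails the handshake; the client never sends the bind password to that host.
            if (e.getRootCause() instanceof SSLHandshakeException) {
                System.err.println("server certificate not trusted: " + e.getRootCause().getMessage());
            } else {
                System.err.println("cannot reach server: " + e.getMessage());
            }
        } catch (AuthenticationException e) {
            // Handshake succeeded; the directory rejected the principal/credentials.
            System.err.println("bind rejected: " + e.getMessage());
        } catch (NamingException e) {
            System.err.println("LDAP error: " + e.getMessage());
        }
    }
}
```

The two catch branches matter operationally: a handshake failure means the trust store and server certificate do not agree (fix the KeyStore, do not switch off verification), whereas an AuthenticationException means the secure channel was fine and only the bind identity was wrong.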

// Sample code file: Env.java
/*******************************************************************************
*
* Copyright (c) 1999 Novell, Inc. All Rights Reserved.
*
* THIS WORK IS SUBJECT TO U.S. AND INTERNATIONAL COPYRIGHT LAWS AND
* TREATIES. USE AND REDISTRIBUTION OF THIS WORK IS SUBJECT TO THE LICENSE
* AGREEMENT ACCOMPANYING THE SOFTWARE DEVELOPMENT KIT (SDK) THAT CONTAINS
* THIS WORK. PURSUANT TO THE SDK LICENSE AGREEMENT, NOVELL HEREBY GRANTS TO
* DEVELOPER A ROYALTY-FREE, NON-EXCLUSIVE LICENSE TO INCLUDE NOVELL'S SAMPLE
* CODE IN ITS PRODUCT. NOVELL GRANTS DEVELOPER WORLDWIDE DISTRIBUTION RIGHTS
* TO MARKET, DISTRIBUTE, OR SELL NOVELL'S SAMPLE CODE AS A COMPONENT OF
* DEVELOPER'S PRODUCTS. NOVELL SHALL HAVE NO OBLIGATIONS TO DEVELOPER OR
* DEVELOPER'S CUSTOMERS WITH RESPECT TO THIS CODE.
*
* $name: Env.java
* $version: 1.0
* $description: This file contains configuration parameters required to run
* the JNDI sample programs. Customers should modify this file
* appropriately for their installation.
******************************************************************************/

public class Env
{
    /*
     * Host name and port number of LDAP server
     */
    public static String MY_SERVICE = "ldap://Acme.com:389";
    public static String MY_SSL_SERVICE = "ldap://Acme.com:636";

    /**
     * The server could also be specified by an IP address. For
     * example:
     * public static String MY_SERVICE = "ldap://123.45.67.89:389"
     * public static String MY_SSL_SERVICE = "ldap://123.45.67.89:636"
     */

    /*
     * Login DN of the administrator
     */
    public static String MGR_DN = "cn=admin, o=Acme";

    /*
     * Password for administrator DN.
     */
    public static String MGR_PW = "secret";

    /*
     * Subtree to search
     */
    public static String MY_SEARCHBASE = "ou=Sales,o=Acme";

    /*
     * Subtree to modify
     */
    public static String MY_MODBASE = "ou=Sales,o=Acme";

    /*
     * Filter to use when searching.
     */
    public static String MY_FILTER = "(objectclass=*)";

    /*
     * Entry to retrieve
     */
    public static String ENTRYDN = "cn=James Smith, ou=Sales, o=Acme";

    /**
     * Do not change the following parameters
     */

    /*
     * Initial context implementation to use.
     */
    public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";

    /*
     * Communication protocol.
     */
    public static String SSLPROTOCOL = "ssl";

    /*
     * Simple authentication.
     */
    public static String SIMPLE = "simple";
}


