Authentication in Apache Lenya Using LDAP - TCS
Authentication in Apache Lenya Using LDAP - TCS
Authentication in Apache Lenya Using LDAP - TCS
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Authentication</strong> <strong>in</strong><br />
<strong>Apache</strong> <strong>Lenya</strong><br />
Us<strong>in</strong>g <strong>LDAP</strong><br />
The user authentication mechanism <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong> is<br />
carried out by specifi c components us<strong>in</strong>g certa<strong>in</strong> policy<br />
fi les. This process is, <strong>in</strong> itself, complex to understand<br />
and <strong>in</strong>clusion of <strong>LDAP</strong> authentication makes it more<br />
complex. <strong>Lenya</strong> does not have provision of user<br />
creation on <strong>LDAP</strong>, <strong>in</strong>stead it provides mapp<strong>in</strong>g of <strong>Lenya</strong><br />
user with the exist<strong>in</strong>g users on the <strong>LDAP</strong>. This mapp<strong>in</strong>g<br />
of user is one-to-one and would be cumbersome if the<br />
number of exist<strong>in</strong>g <strong>LDAP</strong> user is large. This problem can<br />
be solved through a small standalone program which<br />
would <strong>in</strong>terface <strong>LDAP</strong> server to <strong>Lenya</strong> and would copy<br />
the users to latter <strong>in</strong> s<strong>in</strong>gle execution.<br />
<strong>Authentication</strong> <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong>- Us<strong>in</strong>g <strong>LDAP</strong><br />
1<br />
TATA CONSULTANCY SERVICES
About the Author<br />
Shishir Saxena<br />
Shishir Saxena is an associate of Open Source and<br />
L<strong>in</strong>ux Practice and has more than fi ve years experience<br />
<strong>in</strong> J2EE related technologies. His expertise <strong>in</strong>cludes<br />
web tier architecture and java/XML based open source<br />
content management system. He is presently <strong>in</strong>volved<br />
with development of open source content management<br />
system related <strong>in</strong>itiatives and offer<strong>in</strong>gs. Shishir has<br />
obta<strong>in</strong>ed his eng<strong>in</strong>eer<strong>in</strong>g degree <strong>in</strong> computer science<br />
and is a java certifi ed programmer.<br />
<strong>Authentication</strong> <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong>- Us<strong>in</strong>g <strong>LDAP</strong><br />
1<br />
TATA CONSULTANCY SERVICES
Table of Contents<br />
1. Introduction 3<br />
2. Description 3<br />
3. <strong>Authentication</strong> through <strong>LDAP</strong> 5<br />
4. Conclusion 6<br />
<strong>Authentication</strong> <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong>- Us<strong>in</strong>g <strong>LDAP</strong><br />
2<br />
TATA CONSULTANCY SERVICES
Introduction<br />
Most of the organisations would require a proper authentication mechanism to be <strong>in</strong> place for authoris<strong>in</strong>g the<br />
privileged users to access the respective resources <strong>in</strong> the system. <strong>LDAP</strong> authentication is one of the popular<br />
mechanisms for the same. It is a standard application supported by various companies like Microsoft, Lotus<br />
Notes, Netscape and so forth.<br />
In <strong>Apache</strong> <strong>Lenya</strong>, the user can be authenticated based on the Access Controller component us<strong>in</strong>g specifi c user<br />
policy fi le. These users are defi ned <strong>in</strong> the context of <strong>Apache</strong> <strong>Lenya</strong> and are referred through their respective<br />
user case policy fi le. This process of authentication is complex to understand and the complexity <strong>in</strong>creases<br />
when a <strong>LDAP</strong> user needs to be authenticated to access <strong>Lenya</strong> publications. Though the authentication for<br />
this user happens at <strong>LDAP</strong> server, <strong>Lenya</strong> needs to be aware of the profi le of this user and the role to which<br />
this user is associated with<strong>in</strong> <strong>Lenya</strong> context. Hence, the user creation process regard<strong>in</strong>g <strong>LDAP</strong> users can be<br />
cumbersome, if a large number of exist<strong>in</strong>g <strong>LDAP</strong> users is required to be provided access.<br />
<strong>Lenya</strong> supported <strong>LDAP</strong> authentication was tested with Open<strong>LDAP</strong> and MS Active Directory servers.<br />
<strong>Authentication</strong> means password check<strong>in</strong>g is done through <strong>LDAP</strong>, so that the user does not need a <strong>Lenya</strong>specifi<br />
c password. Note that only authentication is done through <strong>LDAP</strong> and the <strong>Lenya</strong> adm<strong>in</strong>istrator still has<br />
to <strong>in</strong>form <strong>Lenya</strong> which <strong>LDAP</strong> users to allow and also <strong>in</strong>form to assign <strong>Lenya</strong> roles to these users. <strong>LDAP</strong><br />
setup is handled <strong>in</strong> <strong>Lenya</strong> confi guration fi les, add<strong>in</strong>g users and assign<strong>in</strong>g them roles are handled with<strong>in</strong> the<br />
<strong>Lenya</strong> Adm<strong>in</strong> GUI.<br />
The <strong>LDAP</strong> implementation <strong>in</strong> <strong>Lenya</strong> is based on the factor that you have an exist<strong>in</strong>g <strong>LDAP</strong> directory conta<strong>in</strong><strong>in</strong>g<br />
users and passwords, but you do not want to (or are not allowed to) add anyth<strong>in</strong>g particular to <strong>Lenya</strong> with<strong>in</strong><br />
this <strong>LDAP</strong> directory, such as <strong>Lenya</strong> roles.<br />
Consequently, the <strong>Lenya</strong>-specifi c user <strong>in</strong>formation is not stored <strong>in</strong> <strong>LDAP</strong> but <strong>in</strong>stead it is stored with the<br />
same mechanism as non-<strong>LDAP</strong> users. Here <strong>Lenya</strong> delegates authorization (the check<strong>in</strong>g of the user’s<br />
password <strong>in</strong> <strong>LDAP</strong>), which means that the user does not require an additional “<strong>Lenya</strong> password”.<br />
● In the fi le ldap.properties, set security-protocol to the value ssl and set key-store to the name of your<br />
keystore fi le.<br />
● Add the <strong>LDAP</strong> server certifi cate fi le to the local keystore us<strong>in</strong>g this command:<br />
Keytool -import -keystore .keystore -file -alias<br />
<br />
This white paper <strong>in</strong>itially provides an overview of the process <strong>in</strong>volved <strong>in</strong> normal CMS and <strong>LDAP</strong> user<br />
authentication and hence the solution to solve the problem posed dur<strong>in</strong>g manual creation of large number<br />
of <strong>LDAP</strong> users to access <strong>Lenya</strong>.<br />
Description<br />
User <strong>Authentication</strong>—how it happens <strong>in</strong> <strong>Lenya</strong><br />
The user authentication and authorization is carried out by a <strong>Lenya</strong> component known as “Access Controller”.<br />
The access controller would generally comb<strong>in</strong>e an authenticator, authorizer, a policy manager and an<br />
accreditable manager. The “Authenticator” is responsible for identify<strong>in</strong>g a user. There are various types of<br />
authenticators that can be used but generally “User Authenticator” is implied, which identifi es and verifi es<br />
a user through the password. There is another authenticator known as “Anonymous Authenticator” that is<br />
be<strong>in</strong>g used for authenticat<strong>in</strong>g users called as “anonymous”. This authenticator can be further customised on<br />
the publication requirements. The “Authorizer” is used for determ<strong>in</strong><strong>in</strong>g the access for the user to <strong>in</strong>voke a<br />
certa<strong>in</strong> request. This access can be based on the user profile as well as on the group profi le to which the user<br />
belongs. A policy associates a role to a user or a group. This means that a user or a group would be able to<br />
<strong>Authentication</strong> <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong>- Us<strong>in</strong>g <strong>LDAP</strong><br />
3<br />
TATA CONSULTANCY SERVICES
perform certa<strong>in</strong> specifi c task such as edit, review or adm<strong>in</strong>ister. Hence, for a request, the “Policy Manager”<br />
determ<strong>in</strong>es the policy to be followed by the user. The “Accreditable Manager” is aga<strong>in</strong> a comb<strong>in</strong>ation of “User<br />
Manager”, “Group Manager” and “Role Manager”. While the “Group Manager” and the “Role Manager”<br />
manage the groups and the roles respectively, the “User Manager” associates the user with its respective<br />
profi le ma<strong>in</strong>ta<strong>in</strong>ed <strong>in</strong> a fi le. The “User Manager” also determ<strong>in</strong>es the type of the user, whether the user is<br />
a normal CMS user or whether the user is a <strong>LDAP</strong> user. All these components should be put together to<br />
understand the authentication process be<strong>in</strong>g followed for a request.<br />
Figure 1 User <strong>Authentication</strong><br />
When there is a request for a URL and if the user is logg<strong>in</strong>g for the fi rst time or the session has expired, the<br />
log<strong>in</strong> screen is produced to take the username and the password as <strong>in</strong>put else the user name is retrieved<br />
from the current context. For the fi rst case, the “Authenticator” would authenticate and the “User Manager”<br />
would use respective fi les to provide the credentials to authenticate the user. If the user already exists <strong>in</strong> the<br />
context, the authentication part is skipped. The “User Manager” would provide the group <strong>in</strong>formation for the<br />
user <strong>in</strong> the context; hence, the “Authorizer” would associate if the user or his respective group has access<br />
to the respective URL. The association <strong>in</strong>formation would be retrieved through the policy fi le provided by<br />
“Policy Manager” for the respective request. If the users are not authorised for the request then they would<br />
be provided with the log<strong>in</strong> page else they would be provided with the requested page as the response.<br />
<strong>Authentication</strong> <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong>- Us<strong>in</strong>g <strong>LDAP</strong><br />
4<br />
TATA CONSULTANCY SERVICES
<strong>Authentication</strong> through <strong>LDAP</strong><br />
We have already seen that the “User Manager” determ<strong>in</strong>es whether a user should be authenticated through<br />
fi le authentication or through <strong>LDAP</strong> authentication. If the user is required to be authenticated through <strong>LDAP</strong>,<br />
Authenticator would use the <strong>LDAP</strong> properties to connect to the respective <strong>LDAP</strong> server. The properties file<br />
would conta<strong>in</strong> the respective credentials for the <strong>LDAP</strong> server, though <strong>Lenya</strong> requires some basic <strong>in</strong>formation<br />
to always be present <strong>in</strong> the fi le. This <strong>in</strong>formation <strong>in</strong>cludes the provider URL (both IP and port number), the<br />
base doma<strong>in</strong> name and security authentication mechanism (anonymous, simple or MD5). There are certa<strong>in</strong><br />
fi elds that are mandatory to be present <strong>in</strong> the fi le but can rema<strong>in</strong> unfi lled. This <strong>in</strong>cludes the directory manager<br />
name along with the password (it can rema<strong>in</strong> unfi lled for anonymous b<strong>in</strong>d<strong>in</strong>g), user branch (can rema<strong>in</strong><br />
unfi lled if the user needs to be searched <strong>in</strong> all the sub-trees) and the security protocol (can rema<strong>in</strong> unfi lled if<br />
secured authentication is not required).<br />
This property fi le is not only used dur<strong>in</strong>g user authentication but also dur<strong>in</strong>g user creation. In the next<br />
section, we would see how <strong>LDAP</strong> users are be<strong>in</strong>g created <strong>in</strong> <strong>Lenya</strong> and what its problems are.<br />
<strong>LDAP</strong> User Creation—the Problem and the Solution<br />
The users for a publication are created through the adm<strong>in</strong>istrator <strong>in</strong>terface provided by <strong>Lenya</strong>. The same<br />
<strong>in</strong>terface is also used for creat<strong>in</strong>g various groups and for associat<strong>in</strong>g the users to these groups. There are two<br />
types of users that can be created through the <strong>in</strong>terface, one is normal user whose password is ma<strong>in</strong>ta<strong>in</strong>ed<br />
<strong>in</strong> their respective user profi le fi le and the other type of user is <strong>LDAP</strong> user. The <strong>LDAP</strong> user creation does<br />
not imply that <strong>Lenya</strong> would be able to create a new user <strong>in</strong> <strong>LDAP</strong> server. Instead, the application would be<br />
mapp<strong>in</strong>g this new <strong>Lenya</strong> user name to the user name already exist<strong>in</strong>g <strong>in</strong> <strong>LDAP</strong> server. Thus, for creat<strong>in</strong>g<br />
such a user, the “username” fi eld needs to be pre-determ<strong>in</strong>ed from the <strong>LDAP</strong> server. <strong>Lenya</strong> would be us<strong>in</strong>g<br />
the <strong>LDAP</strong> properties fi le to connect to the <strong>LDAP</strong> server and search the respective fi eld. The “<strong>Lenya</strong> user<br />
name—<strong>LDAP</strong> user name” mapp<strong>in</strong>g would be stored <strong>in</strong> the user profi le fi le that would hence be used by “User<br />
Manager” for authentication. Thus, to create a user who already exists with <strong>LDAP</strong>, a <strong>Lenya</strong> user is required<br />
to be mapped and placed <strong>in</strong> the user profi le.<br />
Consider a scenario where the number of exist<strong>in</strong>g <strong>LDAP</strong> user is large and all of these users are required<br />
to be associated with certa<strong>in</strong> group. It would be a cumbersome process if these users are created through<br />
the <strong>in</strong>terface. Also, connect<strong>in</strong>g to <strong>LDAP</strong> server each time for a s<strong>in</strong>gle user creation would further delay the<br />
process.<br />
This problem can be solved by writ<strong>in</strong>g a standalone program that would connect to the <strong>LDAP</strong> server once<br />
(us<strong>in</strong>g the same property fi le) and copy all the respective users from the server to specifi c <strong>Lenya</strong> placeholder<br />
already known by “User manager”. This program would be associat<strong>in</strong>g the users to a specifi c group as well<br />
and would ma<strong>in</strong>ta<strong>in</strong> the profi le of these users as desired by <strong>Lenya</strong>. If a specifi c user branch is mentioned <strong>in</strong><br />
the <strong>LDAP</strong> properties fi le then the program would pick only those users that belong to that user branch. This<br />
program can either be scheduled or can be user <strong>in</strong>itiated depend<strong>in</strong>g on the design policy.<br />
<strong>Authentication</strong> <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong>- Us<strong>in</strong>g <strong>LDAP</strong><br />
5<br />
TATA CONSULTANCY SERVICES
Conclusion<br />
We have seen the process be<strong>in</strong>g followed by <strong>Lenya</strong> for user authentication and the various components<br />
be<strong>in</strong>g <strong>in</strong>volved for the same. We have also seen the difference between authentication of a <strong>LDAP</strong> user and<br />
a normal user. We have tried to understand the problem be<strong>in</strong>g posed for large number of user creations<br />
that would be authenticated at <strong>LDAP</strong> server and hence, the solution that can cater this problem. Similarly<br />
depend<strong>in</strong>g on the requirement, the other issues related with user creation and authentication can be<br />
determ<strong>in</strong>ed and accord<strong>in</strong>gly, either the exist<strong>in</strong>g components can be customised or an additional tool can be<br />
created.<br />
<strong>Authentication</strong> <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong>- Us<strong>in</strong>g <strong>LDAP</strong><br />
6<br />
TATA CONSULTANCY SERVICES
About Open Source & L<strong>in</strong>ux Practice<br />
From understand<strong>in</strong>g bus<strong>in</strong>ess pa<strong>in</strong> areas, recommend<strong>in</strong>g and<br />
implement<strong>in</strong>g solutions to provid<strong>in</strong>g support, the OSL practice at <strong>TCS</strong><br />
helps enterprises to overcome the challenges mov<strong>in</strong>g to Open Source,<br />
achieve tangible results and optimize the Total Cost of Ownership<br />
(TCO). The OSL practice offers secure and scalable solutions, built<br />
around L<strong>in</strong>ux & Open Source, that cover Application Development, Reeng<strong>in</strong>eer<strong>in</strong>g,<br />
Migration, Product Port<strong>in</strong>g, Application Consolidation and<br />
Kernel Programm<strong>in</strong>g.<br />
About Tata Consultancy Services<br />
Tata Consultancy Services (<strong>TCS</strong>) is among the lead<strong>in</strong>g global <strong>in</strong>formation<br />
technology consult<strong>in</strong>g, services and bus<strong>in</strong>ess process outsourc<strong>in</strong>g<br />
organizations. Pioneer of the fl exible global delivery model for IT services<br />
that enables organizations to operate more effi ciently and produce more<br />
value, <strong>TCS</strong> focuses on deliver<strong>in</strong>g technology led bus<strong>in</strong>ess solutions to<br />
its <strong>in</strong>ternational customers across varied <strong>in</strong>dustries.<br />
For more <strong>in</strong>formation contact<br />
Rakhi Gupta<br />
Tata Consultancy Services Ltd.<br />
Akruti Bus<strong>in</strong>ess Port<br />
Road No 13, MIDC<br />
Andheri (East)<br />
Mumbai 400093,<br />
India<br />
Phone: 91 22 5660 6311<br />
Fax: 91 22 5660 6855<br />
Email: l<strong>in</strong>ux.practice@tcs.com<br />
Website : www.tcs.com<br />
All content / <strong>in</strong>formation present here is the exclusive property of Tata Consultancy<br />
Services Limited (<strong>TCS</strong>). The content / <strong>in</strong>formation conta<strong>in</strong>ed here is correct at the time<br />
of publish<strong>in</strong>g. No material from here may be copied, modifi ed, reproduced, republished,<br />
uploaded, transmitted, posted or distributed <strong>in</strong> any form without prior written permission<br />
from <strong>TCS</strong>. Unauthorized use of the content / <strong>in</strong>formation appear<strong>in</strong>g here may violate<br />
copyright, trademark and other applicable laws, and could result <strong>in</strong> crim<strong>in</strong>al or civil<br />
penalties.<br />
Copyright © 2004-05 Tata Consultancy Services Limited<br />
<strong>Authentication</strong> <strong>in</strong> <strong>Apache</strong> <strong>Lenya</strong>- Us<strong>in</strong>g <strong>LDAP</strong><br />
7<br />
TATA CONSULTANCY SERVICES