LDAP (Lightweight Directory Access Protocol) is an industry standard protocol used by PAS for OpenEdge to access and administer user account information maintained by a Directory Service vendor. Virtually all Directory Service vendor implementations, including Microsoft's Active Directory (AD), support a remote client interface through LDAP. As a result, it is common to refer to any vendor implementation of a Directory Service using the generic term LDAP.
LDAP support is a feature of Spring Security, which is the primary security framework in PAS for OpenEdge.
The Spring Security Framework in PAS for OpenEdge
The Spring Security framework has a single responsibility: to identify the client that is making an HTTP request, and to authorize that client’s access to the web application’s resources before a single line of application code executes. (Spring Security frees web application developers from writing, maintaining, and testing the access security in their application code.)
The Spring Security framework implements three processes that execute on each and every HTTP client request:
Authentication — Verifies a client's identity from login credentials. If credentials are valid, it passes a verified security token that includes the roles granted to the client to the authorization process.
Authorization — Grants or denies the client’s HTTP request based on the roles passed to it by the authentication process in a security token. The authorization process invokes the user account login process if the client is attempting to access a protected URL resource but is not logged in.
User account validation — Verifies the existence of the user account, the validity of the password, and the state of the user account. Returns user roles if validation is successful.
These processes function to ensure that no back doors exist that allow unauthenticated or unauthorized users to access protected URL resources.
PAS for OpenEdge extends, but does not replace, these Spring Security processes. The primary extension to Spring Security is the production of security tokens that are ABL client principal objects. ABL client principals are created by the user login process and passed to the ABL business applications where they can be used for application level authorization or for OpenEdge database access.
Spring Security’s LDAP configurations
Spring Security’s LDAP implementation provides a typical user authentication process that uses a Directory Service. That authentication process may be simple, using many of Spring Security’s built-in defaults, or it can be complex, configured to work correctly with a variety of enterprise configurations. The PAS for OpenEdge defaults are supplied with a simple configuration in mind, where the amount of required, site-specific installation information is minimized.
The LDAP user account validation process
Before you attempt to configure Spring Security's LDAP implementation, you should have an idea of how the LDAP authentication process works, as described in the following sequence:
1. Initialize an LDAP network connection to the Directory Service's root DN.
The assumption is that this connection has no privilege to view information and that no changes to the Directory Service are required.
2. Bind to the Directory Service via an LDAP login, which includes the Distinguished Name (DN) and password of a user account.
The login user account should have permission to query the Directory Service for the existence of a user account.
3. Query the Directory Service to find the user account object that matches the user login.
4. Return the full DN of the user's account.
5. Unbind (logout) from the user account on the Directory Service.
6. Bind (login) again to the Directory Service using the full DN plus the password supplied by the user.
If the bind fails, the user login fails and the process exits at this point.
7. Obtain the user account properties and add them to a Spring Security token (an ABL client-principal in OpenEdge).
The number and types of properties vary by configuration.
8. Obtain the LDAP group information for the user account, convert group names to Spring Security roles, and add the roles to the Spring Security token.
Because Spring Security authorization is role-based, at least one LDAP group must be found by the query.
9. Unbind (logout) from the user account on the Directory Service.
10. Pass the Spring Security token back to the user account login process.
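The search-then-bind sequence above, written out as an added example (not code from the PAS for OpenEdge product or from Spring Security). It runs against a constructed in-memory stand-in for a Directory Service, so the DNs, passwords and group names are made up; the ROLE_ prefix and upper-casing follow Spring Security's documented default group-to-role mapping. It shows the two failure points the sequence calls out: a failed user bind at step 6 and an account with no groups at step 8.

```python
from typing import Dict, Optional

# Constructed in-memory stand-in for a Directory Service (DN -> attributes); not a real LDAP server.
DIRECTORY: Dict[str, dict] = {
    "cn=pasoe-svc,ou=service,dc=example,dc=com": {"userPassword": "svc-secret"},
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "userPassword": "alice-pw", "mail": "alice@example.com",
        "memberOf": ["cn=Developers,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "userPassword": "bob-pw", "memberOf": []},   # no groups at all
}
SERVICE_DN = "cn=pasoe-svc,ou=service,dc=example,dc=com"   # step 2: query-only bind account
PEOPLE_BASE = "ou=people,dc=example,dc=com"                # where the user search starts

def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only when the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def search_user_dn(login: str) -> Optional[str]:
    """Steps 3-4: locate exactly one entry under PEOPLE_BASE whose uid equals the login."""
    hits = [dn for dn, e in DIRECTORY.items() if dn.endswith(PEOPLE_BASE) and e.get("uid") == login]
    return hits[0] if len(hits) == 1 else None   # zero or ambiguous hits count as not found

def group_to_role(group_dn: str) -> str:
    """Step 8: map a group DN's cn to a Spring Security role name, e.g. ROLE_DEVELOPERS."""
    cn = group_dn.split(",")[0].split("=", 1)[1]
    return "ROLE_" + cn.upper()

def ldap_login(login: str, password: str) -> Optional[dict]:
    """Run steps 2-10; return the token (a dict here) on success, None on any failure."""
    if not bind(SERVICE_DN, "svc-secret"):         # step 2: bind with the search account
        return None
    user_dn = search_user_dn(login)                # steps 3-4: find the account, get its full DN
    # step 5: unbind the search account (a no-op against this stub)
    if user_dn is None or not bind(user_dn, password):   # step 6: bind as the user
        return None                                # bad password or unknown account: login fails
    entry = DIRECTORY[user_dn]                     # step 7: collect account properties
    roles = [group_to_role(g) for g in entry.get("memberOf", [])]   # step 8: groups -> roles
    if not roles:                                  # authorization is role-based: no group, no login
        return None
    # step 9: unbind; step 10: hand the token back to the login process
    return {"dn": user_dn, "mail": entry.get("mail"), "roles": roles}
```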
Spring Security's LDAP support
In the Spring Security Framework, the LDAP authentication implementation is built on the Java JNDI (Java Naming and Directory Interface) API, which is included in the JRE and JDK distributions. More detailed information may be found online in the Spring Security documentation on LDAP authentication support, and in the Oracle/IBM Java documentation for JNDI services.
The LDAP authentication process is supported by a set of Spring beans. The following table lists the Spring beans that support LDAP:
Bean ID | Description
ldapAuthProvider | Executes the LDAP user authentication process using all of the other bean classes.
- | Establishes network connections to an LDAP-compliant Directory Service. Also defines the LDAP URLs and the initial user account that the ldapBindAuthenticator uses to locate the user account.
- | Performs the actual search for the Directory Service account being authenticated. Contains information about where to start the search and which user object attribute to use in the query.
- | Queries the Directory Service to locate the groups the user is a member of. Contains information about where to begin searching and which object attributes to use in the query.