Apache Directory Server
10-MCA-17
INTRODUCTION
A Web server is a server that is responsible for accepting HTTP requests from web clients and serving them HTTP responses, usually in the form of web pages containing static (text, images, etc.) and dynamic (scripts) content. The Apache Web server has been the most popular and widely used Web server for the last decade. It is used by approximately 50% of all websites. Apache is cross-platform, lightweight, robust, and used in small companies as well as large corporations. Apache is also free and open-source. The Apache Web server has almost endless possibilities, due to its great modularity, which allows it to be integrated with numerous other applications. One of the most popular bundles is the LAMP Web server application stack, which includes the Apache Web server alongside MySQL, PHP, Perl, and Python. The Apache Web server is developed by the Apache Software Foundation.

ApacheDS 1.5 is an embeddable, extendable, standards compliant, modern LDAP server written entirely in Java, and available under the Apache Software License. Other network protocols like Kerberos and NTP are supported as well (and even more may be added), but basically ApacheDS is an LDAP server. Embeddable means that it is possible to configure, start and stop ApacheDS from other Java components, especially application servers, and the server runs within the same VM. The solution has already been successfully embedded in Apache Geronimo, JBoss, and others. The fact that the server is embeddable is quite interesting; nevertheless you also have the deployment option to run the server standalone, for instance as a Windows service. Perhaps you know this situation from other LDAP servers, open source (like OpenLDAP) as well as commercial ones (like Sun Java System Directory Server). Extendable means that the modern architecture of the solution provides many extension points: write your own partitions to store directory data, interceptors to add functionality, etc., by implementing certain interfaces and plugging them in using Spring. Standards compliant means that ApacheDS 1.5 adheres to all RFCs relevant to LDAPv3. Modern means that ApacheDS aims to modernize the LDAP territory while still favoring standards compliance. New rich integration tier constructs like LDAP Stored Procedures and Triggers are being built on top of existing standards. Entirely written in Java means that the software compiles and runs on a huge number of hardware and software platforms. Native installers are available for Windows, MacOS and Solaris (both SPARC and Intel platforms), but in fact the set of possible targets is by far more extensive.
ARCHITECTURAL OVERVIEW
BACKGROUND
Directories and directory services

Generally speaking, a directory is a collection or list of data. Real world examples are telephone books (public or within organizations), church/land registers and listings of works (e.g. the Koechel-index, which lists all compositions of Mozart). All these examples have the purpose to preserve information and to make it available on demand to whom it may concern. A directory service is a solution which offers users access to the information stored in the directory. A directory assistance (call center agent) is a good real world example of such a service. Within information technologies, such services are normally provided by software components. Directory services provide access to the content of a directory via a well-defined interface. If a network is used, an appropriate protocol has to be defined. LDAP (see below) is such a protocol. The real world examples mentioned above may be stored in such a directory, although other types of storage systems can be more appropriate (this depends on circumstances/requirements). At first sight directories thereby appear to compete with the established relational databases as data storage. However, in most large enterprises and organizations both directory services and relational databases are actually used.

LDAP, the Lightweight Directory Access Protocol

The comprehensive standard X.500, finalized in 1988, builds the foundation for many of today's directory solutions. Within this standard, the client accesses the server via the Directory Access Protocol (DAP), which is based on the OSI protocol stack. With the Internet boom in the nineties, the accessibility of directories via TCP/IP became more and more important. Hence a TCP/IP-based access method, which in functionality was a subset of DAP, was standardized in 1993: the Lightweight Directory Access Protocol (LDAP). The first LDAP implementations were gateway solutions; they mediated between LDAP clients and X.500 servers. In 1995 the University of Michigan presented the first native LDAP server; in the meantime the work is continued by the OpenLDAP project. In 1996 Netscape followed with the first commercial LDAP server (Netscape Directory Server, the foundation of several later LDAP servers).
APACHE DS FEATURES
Designed as an LDAP and X.500 platform, pluggable components and subsystems make ApacheDS extremely modular and ideal for experiments with various aspects of the LDAP protocol. The server's frontend is completely separable from its backend and vice versa, making it very flexible for implementing virtual directories, proxy servers and gateways to X.500 directories. Several backends can be implemented and plugged into the server's partition nexus. The server supports a BTree based partition out of the box, but any backing store can be used to implement a partition as long as it conforms to the partition interfaces. The server exposes aspects of administration via a special system backend; LDAP can be used to manage these concerns through the system naming context at ou=system. Both the backend subsystem and the frontend are separable and independently embeddable. The server contains a server side JNDI LDAP provider as the facade for the entire backend subsystem. JNDI operations are directly translated by this provider into operations against the nexus and the target partitions storing server entries. The server's networking code, MINA (Multipurpose Infrastructure for Network Applications), was designed for pluggable protocol providers of all sorts, not just LDAP. MINA gives ApacheDS the ability to handle large amounts of concurrency. The server uses the Twix tools and APIs for ASN.1 BER encoding and decoding. These tools are designed for a very small encoding and decoding footprint as well as for use in non-blocking servers. The chunking nature of the BER codec makes the server very efficient while handling encoding and decoding, making it more resistant to DoS attacks. LDAP Stored Procedures and Triggers are scheduled for the next major version of ApacheDS. ApacheDS is LDAPv3 compatible, as certified by the OpenGroup.
APACHE DS TOOLS
Import: A command to import data into a server
Dump: Simple tool used to dump the contents of a jdbm based partition
Diagnostic: A command to send an extended request which launches a diagnostic UI on the server's console
Disconnect Notification: Responds to unsolicited notifications by launching an external process
Graceful Shutdown: A command used to send a graceful disconnect to established clients while allowing them time to complete operations already in progress
Capacity Test: A command which will generate bogus user entries and add them under a base DN. It will output a table of values mapping the capacity of the partition to the time it took to add an entry to it.
Index: A command which adds attribute indices to an existing partition

Launching a command is a pretty easy job. Just type the following command:
java -jar apacheds-tools.jar <command> [options]
Dynamic Schema (1.5.0+)
LDAP Stored Procedures and LDAP Triggers (1.5.0+)
SASL/StartTLS (1.5.1+)
Multi-Master Replication, RFC 4533 (1.5.?)
Dynamic configuration (1.5.?)
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.InitialDirContext;

public class SimpleJndiExample {
    public static void main(String[] args) throws NamingException {
        // Connection and bind parameters for the ApacheDS instance on host zanzibar, port 10389
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://zanzibar:10389/o=sevenSeas");
        env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
        env.put(Context.SECURITY_CREDENTIALS, "secret");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");

        // Simple bind as the admin user, then read the attributes of the root entry o=sevenSeas
        InitialDirContext ctx = new InitialDirContext(env);
        Attributes attrs = ctx.getAttributes("");
        NamingEnumeration<?> enm = attrs.getAll();
        while (enm.hasMore()) {
            System.out.println(enm.next());
        }
        ctx.close();
    }
}
OUTPUT:
$ java SimpleJndiExample
objectClass: organization, top
description: Contains Apache Directory Tutorial example data
o: sevenSeas
$
AUTHENTICATION
Authentication is the process of determining whether someone (or something) in fact is what he/she/it asserts to be. Within ApacheDS you will likely want to authenticate clients in order to check whether they are allowed to read, add or manipulate certain data stored within the directory. The latter, i.e. whether an authenticated client is permitted to do something, is deduced during authorization. Quite often, the process of authentication is delegated to a directory service by other software components. This is because, in doing so, authentication data (e.g. username, password) and authorization data (e.g. group relationships) are stored and managed centrally in the directory, and all connected software solutions benefit from it. The integration sections of this guide provide examples for Apache Tomcat, Apache HTTP servers, and others. ApacheDS 1.5 supports simple authentication and anonymous binds while storing passwords within userPassword attributes in user entries. Passwords can be stored in clear text or one-way encrypted with a hash algorithm like MD5 or SHA1. Since version 1.5.1, SASL mechanisms are supported as well.
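As an added example (not code from the ApacheDS project), the following Java class shows how a userPassword value in the clear, {SHA}, {SSHA}, {MD5} or {SMD5} form is produced and later checked during a simple bind; the scheme prefix and base64 layout (digest followed by salt) are the RFC 2307 conventions used by ApacheDS and OpenLDAP, while the class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example (not ApacheDS code): build and check userPassword values in {scheme}base64 form.
public class UserPasswordCheck {
    // Hash a password for storage. scheme is SHA, SSHA, MD5 or SMD5; the salted schemes
    // hash password+salt and store the 8 random salt bytes right after the digest.
    public static String hash(String scheme, String password) throws NoSuchAlgorithmException {
        boolean salted = scheme.equals("SSHA") || scheme.equals("SMD5");
        MessageDigest md = MessageDigest.getInstance(scheme.endsWith("SHA") ? "SHA-1" : "MD5");
        byte[] salt = new byte[salted ? 8 : 0];
        new SecureRandom().nextBytes(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        byte[] digest = md.digest();
        byte[] out = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return "{" + scheme + "}" + Base64.getEncoder().encodeToString(out);
    }

    // Verify a candidate against a stored value; unknown schemes and corrupt values fail closed.
    public static boolean verify(String stored, String candidate) throws NoSuchAlgorithmException {
        byte[] cand = candidate.getBytes(StandardCharsets.UTF_8);
        if (!stored.startsWith("{")) {                        // clear-text storage
            return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), cand);
        }
        int end = stored.indexOf('}');
        if (end < 0) return false;
        String scheme = stored.substring(1, end).toUpperCase();
        if (!Arrays.asList("SHA", "SSHA", "MD5", "SMD5").contains(scheme)) return false;
        byte[] decoded = Base64.getDecoder().decode(stored.substring(end + 1));
        MessageDigest md = MessageDigest.getInstance(scheme.endsWith("SHA") ? "SHA-1" : "MD5");
        int len = md.getDigestLength();                        // 20 for SHA-1, 16 for MD5
        if (decoded.length < len) return false;
        md.update(cand);
        md.update(Arrays.copyOfRange(decoded, len, decoded.length)); // salt; empty when unsalted
        return MessageDigest.isEqual(Arrays.copyOf(decoded, len), md.digest()); // constant time
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String stored = hash("SSHA", "secret");              // value ApacheDS would keep in userPassword
        System.out.println(stored);
        System.out.println(verify(stored, "secret") + " " + verify(stored, "Secret"));
        System.out.println(verify(hash("MD5", "secret"), "secret") + " " + verify("secret", "secret"));
    }
}
```

Unsalted {SHA} and {MD5} values are fast to brute-force offline from a copy of the directory, so the salted schemes are the ones to prefer when you choose how ApacheDS stores userPassword.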
A common task when developing a web application is user authentication and authorization: parts of the application should only be seen by the users which you want to see them. Three things are required for realizing this: a mechanism for authentication which checks the credentials provided by the user in the login form, a mechanism for authorization which decides about user privileges, and a data store where user information and credentials are stored. A perfect choice for the data store is ApacheDS. LDAP is a widely adopted standard, so you can reuse your user data for other systems as well.
APACHE HTTP SERVER
The Apache HTTP Server contains modules that allow the authentication of users against an LDAP directory server. These modules vary between the different versions of the HTTP Server. For Apache HTTP 2.0.41 and above, an experimental module called mod_auth_ldap exists. For Apache HTTP 2.1 and above there is a module mod_authnz_ldap, which is no longer experimental but a regular module.