kkalev ldapcon2007 presentation ldapwrites

Published on November 28, 2007

Author: Sevastian

Source: authorstream.com

Content

Moving LDAP Writes to Web Services

Kostas Kalevras, National Technical University of Athens, Network Operations Center ([email protected])
Greek School Network / National Technical University of Athens

Agenda
- Greek School Network – E-School
- Development Environment
- Problems with direct LDAP writes
- Why move to Web Services
- LDAP Reads – Authentication
- LDAP User Management Service
- PHP API
- Conclusion

Greek School Network
- Interconnects all Greek schools and provides Internet access
- Provides school and personal accounts
- Email, dialup, VoIP and web page services

LDAP Service
- Based on Sun One Directory Server
- Central authentication repository for all user services
- Contains the organizational hierarchy
- 170,000 entries
- School accounts, teacher accounts
- Student accounts scheduled

User Administration
- Central web-based interface
- Written in PHP and Javascript
- Provides an object and form editor/creator
- One form is created per object type (object types are abstract types like student, teacher, ADSL router, etc.)
- LDAP tree browser and data manipulation (add, edit) forms are provided to administrators
- Delegated administration of entries

Interface features
- Computed attributes based on other attribute values
- Computation formula: any valid PHP expression or even function
- Attribute uniqueness
- Referential integrity
- Post operations (moving user home directories, welcome emails, etc.)

E-School framework
- Services on top of the current network
- Provided services:
  - Web portal (sPortal) for student parents: parents register and can check out their child's progress and status
  - PKI infrastructure
  - School Administration platform: move all school operations to the electronic world (student enrollment, classroom management, grading); central personnel and student database; an interface (.NET) running in all schools communicates changes to the central database

New entry sources
- Old days: accounts were created through the central web interface
- E-School: accounts are now created from more than one source:
  - sPortal creates parent accounts
  - School Administration platform creates teacher and student accounts and maintains the organizational hierarchy
  - School accounts (official school email account) still need to be created 'by hand'

Why direct LDAP access is bad
- Each service only knows its own little world (and attributes). sPortal, for instance, only needs a username/password pair and nothing more
- No easy way to perform post-operation tasks
- Apart from ACIs there is no other control over what is written (no real constraints)
- Changes to the entry schema need to be integrated in ALL outside sources
- No way to expire an entry instead of deleting it
- Service code and operation are outside our administration domain

Web Services to the rescue
- Create a web service functional interface around the user interface
- Provide functions accessible through HTTP(S)-SOAP (declarations in WSDL)
- Web services written in PHP with nuSoap
- Map all abstract operations (e.g. parent creation) to functions in the web services
- The user interface provides general object interaction functions in PHP (ldap add/modify/delete)
- All complex features are already present and configured in the user interface

Example: createParent()
- Input: parent name, surname, username, password
- Check arguments, username uniqueness
- Log all operations
- Call the internal object creation routine
- The routine handles all complex operations (computed attributes, etc.)
- Output: status code, error message if present

Advantages
- One function backend for both the e-school services and the user interface
- Complete logging is available: no more looking through a million lines of directory server logs
- Computed attributes are available
- Pre and post operation tasks can be performed (calling outside scripts/web services)
- All operations pass through a central point, so we can set any constraints on the provided values

Advantages (2)
- Outside services need not know our schema. They call a function with the minimum set of arguments, so we can change the entry schema whenever we want
- We can have our own expiration policy: EntryDelete() could just set active=false
- WSDL is clear and precise. LDAP is abstract and parties need to agree on how to perform operations

LDAP Reads
- Web services could be used for complex reads too
- One function for every complex search operation
- Group membership and LDAP browsing are perfect candidates
- Advantage: schema abstraction, functional interface
- DSML could be used to carry back entry information

Authentication
- HTTP authentication is used
- Credentials are mapped to LDAP entries
- The web service binds with the HTTP credentials
- Which credentials to use?
  - A special service user in the case of synchronization mechanisms
  - The user entry for which the operation is requested (e.g. a change password operation)

LDAP User Management Service (LUMS)
- A PHP LDAP entry management API has been created for another project
- Provides:
  - A set of basic LDAP API functions (search, add, delete, modify, rename, change password)
  - A strong configuration language
  - The administrator defines LDAP object types and their corresponding attributes

LDAP User Management Service (2)
- Options available for each attribute:
  - Define as required, multivalued
  - Set attribute type (string, binary, dn, telephone, email, etc.)
  - Define attribute value source: user inserted, constant, auto increment, function created
  - Allow for attribute uniqueness
  - Define an extra syntax checking function
  - Define virtual attributes which can be used to create attribute mappings
- Pre and post operation functions can be defined
- Automatic handling of non-English charsets

LDAP and XML integration
- DSML has been available for quite some time and is starting to get used
- XML Enabled Directory envisions moving the entire LDAP protocol to XML space
- It looks like LDAP and XML integration will be even tighter in the near future

Conclusion
- A web service functional interface can provide significant benefits if:
  - There is more than one entry source
  - Sources are heterogeneous and possibly multiplatform
  - Sources are usually outside our administration domain and control
  - Information synchronization is not based on human interaction
- A strong and configurable LDAP API is provided for use by the web service

References
- Greek School Network: http://www.sch.gr/
- NTUA NOC: http://www.noc.ntua.gr/
- LUMS: http://www.sourceforge.net/projects/lums
- Blog: http://kkalev.wordpress.com/

Thank you!
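The createParent()/EntryDelete() flow described above, as an added Python sketch that is not the talk's PHP/nuSoap code: an in-memory dict stands in for the directory server, the username rule and the status codes are constructed, and the point is that argument checks, uniqueness, computed attributes, logging and the expire-instead-of-delete policy all sit in one central routine instead of in each outside source.

```python
import hashlib
import re

# Constructed constraint: the central point can impose any rule on input values.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{2,31}$")

class UserService:
    """Single choke point through which every outside source writes entries."""
    def __init__(self):
        self.directory = {}   # uid -> attributes; stand-in for the LDAP server
        self.audit = []       # every call is logged here, not in the callers

    def _create_entry(self, object_type, attrs):
        # Internal creation routine: computed attributes and defaults live here,
        # so callers never need to know the schema.
        attrs["cn"] = f"{attrs['givenName']} {attrs['sn']}"
        attrs["objectType"] = object_type
        attrs["active"] = True
        self.directory[attrs["uid"]] = attrs

    def create_parent(self, name, surname, username, password):
        """Mirrors the talk's createParent(): returns (status code, error message)."""
        self.audit.append(("createParent", username))
        if not all((name, surname, username, password)):
            return 1, "missing argument"
        if not USERNAME_RE.match(username):
            return 2, "invalid username"
        if username in self.directory:           # uniqueness check
            return 3, "username already exists"
        # Stand-in hashing; a real directory server handles password storage.
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self._create_entry("parent", {"givenName": name, "sn": surname,
                                      "uid": username, "userPassword": pw_hash})
        return 0, ""

    def authenticate(self, username, password):
        """Bind-style check; expired (active=false) entries cannot log in."""
        entry = self.directory.get(username)
        if entry is None or not entry["active"]:
            return False
        return entry["userPassword"] == hashlib.sha256(password.encode()).hexdigest()

    def entry_delete(self, username):
        """Expiration policy from the talk: set active=false instead of deleting."""
        self.audit.append(("entryDelete", username))
        entry = self.directory.get(username)
        if entry is None:
            return 4, "no such entry"
        entry["active"] = False
        return 0, ""
```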
