Leveraging LDAP for iSeries e-business applications
Your e-Business
By Pat Fleming

Editor's Note: Part one of this two-part series on lightweight directory access protocol (LDAP) examines some of its uses for iSeries e-business applications. Part two will follow in a future issue.

iSeries e-Business Quarterly August e1

Lightweight Directory Access Protocol (LDAP) is a client/server protocol for accessing a directory service. It was initially used as a front-end to X.500, but it can also be used with stand-alone and other kinds of directory servers. Many technology companies, including IBM, Novell, Netscape and Microsoft, support LDAP, which allows users to locate organizations, individuals and other resources such as files and devices in a network, whether on the Internet or an intranet, without needing to know the domain name, IP address or geographic whereabouts. An LDAP directory can be distributed among many servers on a network, then replicated and synchronized regularly.

The good news is that as an iSeries customer you can take advantage of an LDAP solution that already exists on your iSeries today.

LDAP, the Internet Standard for Directory Access

Implemented using the client/server model, LDAP runs over TCP/IP using non-secure or secure sockets (SSL). The client supports an API, and the server processes requests. The initial LDAP client implementation provided a C API, which is now available on most workstation and server platforms, including iSeries and Windows. For Java applications, Sun Microsystems defined the Java Naming and Directory Interface (JNDI), an API for accessing directories using LDAP (and other protocols). Sun and IBM both provide implementations of JNDI.

Directories accessed using LDAP are usually referred to as LDAP directories. LDAP servers can choose to provide gateway access to existing directories or implement directories that are only accessible using an LDAP client. Examples of products providing LDAP gateway servers are Lotus Domino and Novell Network Directory Services (NDS). An example of an LDAP stand-alone directory that can be accessed only by an LDAP client is the IBM SecureWay Directory implementation, which is available on all IBM models, Windows NT/2000 and Solaris.

LDAP on iSeries

An IBM SecureWay Directory implementation is supported on iSeries starting with OS/400 V4R3. LDAP clients and an
LDAP server are provided free with Directory Services. In V4R5, Directory Services was included with the base operating system. LDAP clients for Windows and OS/400 provide APIs for use by both C and Java applications. The OS/400 client also provides APIs for use by all Integrated Language Environment (ILE) programming languages.

LDAP utilities are provided for common administrative tasks such as searching or modifying the directory, and they can be run from the OS/400 Qshell command environment or a Windows command prompt. To allow mail clients to search for e-mail addresses of OS/400 users, Directory Services enables System Distribution Directory (SDD) information to be published to an LDAP directory.

All IBM SecureWay Directory LDAP server implementations use the IBM Universal Database (UDB). When implemented on iSeries, this results in an LDAP directory that is scalable, robust and easy to manage. Millions of entries can be added to the directory with little impact on performance. Backup and recovery of the LDAP directory is performed using standard OS/400 administrative procedures. Configuration is accomplished using a wizard within Operations Navigator (V4R3 or later) in the TCP/IP Servers folder for your system: select the Directory server and select "Configure."

LDAP with Domino

Domino R5 provides support for LDAP in two ways. First, applications can use LDAP to search a Domino server's directory. For example, a Netscape mail client could locate an e-mail address of a Domino user by configuring a Domino server to search secondary directories. Second, a Notes client can access e-mail addresses of non-Domino users from both an intranet and the Internet.

LDAP with an HTTP Server

For Web serving, the IBM HTTP Server for iSeries supports LDAP in two ways. First, HTTP configuration information can be stored in an LDAP directory and shared across HTTP server instances. Second, the HTTP server can be configured to use an LDAP directory as a user registry for authentication of Web users. Both uses of LDAP by the HTTP server provide more efficient management of resources for e-business applications because server configurations and users can be defined once and shared within the network. The user registry also can be shared with other applications enabled to use LDAP, such as Domino and WebSphere Application Server (WAS).

LDAP with WAS

For Web-application serving, both WAS Standard Edition and Advanced Edition for iSeries support LDAP directories as a user registry for authentication of users to Web resources. Multiple Web and application servers can be configured to share a single user registry, thus reducing management effort while increasing consistency of information.

LDAP Functionality

A set of Internet standards defines a consistent way to search for and manage entries in a directory. Each entry is one or more groups of attributes that are associated with a distinguished name (DN). Each entry in a directory has a unique DN, for example cn=Pat Fleming,ou=Rochester,o=IBM. Because a DN is composed of one or more name components, the directory is hierarchical, much like the file systems on Windows and
iSeries. Each name component consists of an attribute name, for example cn (commonName), and an attribute value, such as "Pat Fleming." Directory entries can be placed below other directory entries, thus creating containers, much like a folder contains files in Windows. The hierarchical structuring of entries into a tree is important for organizing data from multiple organizations and applications. The LDAP directory tree can easily be searched and secured.

LDAP implementations provide a common set of utilities for searching and managing LDAP directories. The following is an example of the search utility as performed from the Qshell environment. (Note: this example also works from Windows or UNIX systems.) To search the LDAP directory located on "myhost.ibm.com" for all entries of type "person", starting at "o=IBM" in the directory hierarchy:

    ldapsearch -h myhost.ibm.com -b o=IBM objectclass=person

From an LDAP-enabled Web browser, such as Netscape Communicator, this same search could be performed by specifying the following URL:

With V4R5, it's possible to use the Directory Management Tool (DMT) to manage an LDAP directory. DMT provides a user-friendly method for users and administrators to navigate, browse and update an LDAP directory.

IBM LDAP directory implementations use a common security model for authentication and authorization based on access control lists (ACLs). By default, directory entries are owned by the user creating the entry and can be searched by everyone. To help ease administration, security properties can be configured to automatically propagate down the directory hierarchy. If you elect to do this, you can set the security properties at one point or level of the directory tree, and all directory entries lower in the directory hierarchy will share the same security properties. You won't have to set the security of each new directory entry unless it requires a different set of security properties. Both users and groups of users are supported. Operations Navigator provides administration of the LDAP directory security.

More to Come

Part two of this series will examine more of the details behind using LDAP with your iSeries and its applications, including the use of extensible markup language (XML) with LDAP directories.

Pat Fleming is senior software engineer for the iSeries in Rochester, Minn. He is currently an IBM WebSphere Application Server for iSeries architect. Prior to that, he was an OS/400 Directory Services (LDAP) architect. He can be reached at flemingp@us.ibm.co

For Further Information
• iSeries 400 Directory Services (LDAP): www.ibm.com/eserver/iseries/ldap
• IBM HTTP Server for iSeries: www.ibm.com/servers/eserver/iseries/software/http
• IBM WebSphere Application Server for iSeries: www.ibm.com/servers/eserver/
• Domino Server for AS/400: domino
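The DN hierarchy and the "set security at one level and let it propagate" behaviour described in the LDAP Functionality section, as an added example that is not part of the original article or of IBM's product code. The sample entries, the ACL fields (owner, search, propagate) and the inherit/override rule are constructed assumptions for illustration, not SecureWay Directory's actual ACL syntax.

```python
# Added illustration, not the article's or IBM's code. Entries, ACL fields and the
# inherit/override rule are constructed assumptions, not SecureWay's ACL syntax.
from typing import Optional

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific component first.
    A comma escaped as '\\,' (RFC 2253 style) stays inside the value."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    # attribute names are case-insensitive; whitespace around '=' is not significant
    return [(a.strip().lower(), v.strip()) for a, _, v in (p.partition("=") for p in parts)]

def join_dn(pairs: list[tuple[str, str]]) -> str:
    """Inverse of parse_dn: re-escape commas that occur inside values."""
    return ",".join(a + "=" + v.replace(",", "\\,") for a, v in pairs)

def parent_dn(dn: str) -> Optional[str]:
    """The container an entry sits in: drop the leftmost component; None at the root."""
    pairs = parse_dn(dn)
    return join_dn(pairs[1:]) if len(pairs) > 1 else None

# Constructed sample: explicit security properties set on three entries.
# propagate=True means descendants without their own ACL inherit this one.
ACLS = {
    "o=ibm": {"owner": "cn=diradmin,o=ibm", "search": "everyone", "propagate": True},
    "ou=rochester,o=ibm": {"owner": "cn=siteadmin,ou=rochester,o=ibm", "search": "cn=hr,o=ibm", "propagate": True},
    "ou=payroll,ou=rochester,o=ibm": {"owner": "cn=payadmin,o=ibm", "search": "owner", "propagate": False},
}

def effective_acl(dn: str, creator: str, acls: dict = ACLS) -> dict:
    """Security properties that apply to dn. Rule modelled: an ACL set on the entry
    itself always applies; otherwise the nearest ancestor whose ACL propagates wins;
    with none, the article's default holds (owned by its creator, searchable by all)."""
    current, on_entry_itself = join_dn(parse_dn(dn)), True
    while current is not None:
        acl = acls.get(current.lower())  # cn/ou/o values are case-insensitive, so match folded
        if acl is not None and (on_entry_itself or acl["propagate"]):
            return {**acl, "source": current}
        on_entry_itself = False
        current = parent_dn(current)
    return {"owner": creator, "search": "everyone", "propagate": False, "source": None}
```

The `source` field tells an administrator which entry's security properties actually govern a given DN, which is the first thing to check when an entry is unexpectedly searchable by everyone.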
