Thursday, January 30, 2014

LDAP connector for WSO2 ESB

While working on our intern project, "Infra portal", we had to talk to the WSO2 user store, an LDAP (Lightweight Directory Access Protocol) directory, in several ways: authenticating users, listing the users in a particular group, adding new entries (users, in our case), editing entries and deleting them. All of these operations can be done with the javax.naming.* packages in Java. However, because most of our development was done in Jaggery, we had to write a Java client method for each operation and integrate it with the Jaggery server before we could invoke it from Jaggery. As time went on it became really painful to add a method to a single Java class for every operation the application needed. The class grew too large, and most of the methods were repetitions of earlier ones with small changes, which is not maintainable.

So we looked for a better solution and finally decided that it was better to write an LDAP connector for WSO2 ESB. The main reasons for writing an LDAP connector were:

  1. Connecting through an ESB connector makes most integrations with external LDAP directories easy
  2. A loosely coupled interface between the LDAP directory and the client
  3. Others who want to use LDAP in their products can reuse it easily
  4. Language independence (data exchange is done over REST or SOAP)


Our connector implements four basic functions and one special function.

Basic functions

  • Add new entry
  • Delete an entry
  • Update an entry
  • Search for an entry


Special Functions

  • Authenticate user


Before using any operation, the ESB must be given the credentials of an account that can bind to the directory. That is done with the init operation.

<ldap.init xmlns="http://ws.apache.org/ns/synapse">
    <providerUrl>ldap://192.168.1.164:389/</providerUrl>
    <securityPrincipal>cn=admin,dc=wso2,dc=com</securityPrincipal>
    <securityCredentials>comadmin</securityCredentials>
</ldap.init>
   
This binds as the administrator of the LDAP directory, who can perform any operation on it. Two things to keep in mind: every operation the connector performs runs with the rights of this account, so where you can, use an account that has only the rights your proxy needs rather than the directory admin; and a simple bind over a plain ldap:// URL on port 389, as in the example above, sends the bind password to the directory in cleartext, so an ldaps:// URL (or a network you trust) is preferable for anything beyond a test setup.
It is better to put this configuration in a local entry and refer to it from the other operations with configKey, so that the credentials appear in one place only.
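As an added example (not from the original post or the connector's own documentation), this is what that local entry looks like, with the two changes suggested above applied. The key LdapConfig matches the configKey used by the operations below; the host name, port, service account DN and password are placeholders. It also assumes the connector hands providerUrl to the JNDI LDAP provider unchanged, which accepts ldaps:// URLs when the ESB's truststore trusts the directory's certificate.

```xml
<!-- Added example: the ldap.init configuration saved as a Synapse local entry.
     Host name, port, service account and password are placeholders (assumptions). -->
<localEntry key="LdapConfig" xmlns="http://ws.apache.org/ns/synapse">
    <ldap.init>
        <!-- ldaps:// so the simple bind, and every later operation, is protected by TLS;
             the post's ldap://host:389 sends the bind password in cleartext. -->
        <providerUrl>ldaps://ldap.example.com:636/</providerUrl>
        <!-- A dedicated service account holding only the rights the proxy needs,
             instead of the directory's cn=admin. -->
        <securityPrincipal>cn=esb-ldap,ou=services,dc=wso2,dc=com</securityPrincipal>
        <securityCredentials>change-me</securityCredentials>
    </ldap.init>
</localEntry>
```

Every operation then refers to it with configKey="LdapConfig". The password is still stored in the ESB's configuration, so who can read the registry and the synapse-config directory is what ultimately decides who can read it; the local entry only keeps it out of every sequence that uses the connector.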

Add new entry

<ldap.addEntry configKey="LdapConfig">
    <objectClass>inetOrgPerson</objectClass>
    <dn>uid=dimuthuu2,ou=staff,dc=wso2,dc=com</dn>
    <attributes>cn=Dimuthu2Upeksha,mail=dimuthuu2@wso2.com,userPassword=123,sn=Dimuthu2</attributes>
</ldap.addEntry>

Adding a new entry takes three parameters:
1. objectClass - mandatory; the objectClass of the new entry
2. dn - the distinguished name of the new entry
3. attributes - the other attributes to set on the entry, as comma-separated attribute=value pairs

Note that attributes is a flat comma-separated list, so a value that itself contains a comma cannot be passed this way, and userPassword travels in the message exactly as written, so the transport between the client and the ESB has to protect it.


Delete an entry

<ldap.deleteEntry configKey="LdapConfig">
    <dn>uid=dimuthuu2,ou=staff,dc=wso2,dc=com</dn>
</ldap.deleteEntry>

Update an entry

<ldap.updateEntry configKey="LdapConfig">
    <dn>uid=dimuthuu2,ou=staff,dc=wso2,dc=com</dn>
    <attributes>cn=Dimuthu2Upeksha,mail=dimuthuu2@wso2.com,userPassword=123,sn=Dimuthu2</attributes>
</ldap.updateEntry>

1. dn - the distinguished name of the entry whose attributes are to be updated
2. attributes - attribute=value pairs for the attributes that are to be changed

Search for an entry

This searches for the entries that match a given filter under a given base DN.

<ldap.searchEntry configKey="LdapConfig">
    <objectClass>inetOrgPerson</objectClass>
    <filters>uid=dimuthuu</filters>
    <dn>ou=staff,dc=wso2,dc=com</dn>
    <attributes>uid,mail</attributes>
</ldap.searchEntry>

1. objectClass - the type of entry to search for
2. filters - the filter to match; in the example above, entries whose uid is "dimuthuu"
3. dn - the distinguished name of the subtree in which the search is performed
4. attributes - the attributes of each matching entry to include in the result

If the filter value comes from a user of your application, escape it as described in RFC 4515 before putting it into filters; otherwise a value such as dimuthuu)(objectClass=* changes the meaning of the search instead of being matched literally.


Authenticate

LDAP authentication is one of the major requirements of most LDAP-based applications. To simplify it there is a special operation: given a user's DN and password, it tells you whether the directory accepts them, i.e. whether authentication succeeded or not.

<ldap.authenticate configKey="LdapConfig">
    <dn>uid=dimuthuu,ou=staff,dc=wso2,dc=com</dn>
    <password>1234</password>
</ldap.authenticate>

1. dn - the distinguished name of the user
2. password - the user's password
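The dn passed to ldap.authenticate, and the filters value passed to ldap.searchEntry, are usually assembled from a username the user typed into your application. Both are LDAP syntax, so a username containing characters such as , ) or * changes the structure of the DN or filter rather than being matched literally. The following is an added example, not code from the post or from the connector: two small escaping helpers, RFC 4514 for a DN component and RFC 4515 for a filter value, in the ES5-style JavaScript a Jaggery application would run before it builds the request for the ESB. The function names are my own; the uid attribute and the ou=staff,dc=wso2,dc=com base DN come from the post's examples.

```javascript
// Added example (not part of the original post or the connector): escape user input
// before it is placed into the connector's <filters> or <dn> parameters.
// Function names are the author's own choices for this example.

// RFC 4515: escape a value that goes inside a search filter. This is what stops a
// value such as "x)(objectClass=*" from rewriting the filter's structure.
function escapeFilterValue(value) {
  var out = "";
  for (var i = 0; i < value.length; i++) {
    var ch = value.charAt(i);
    switch (ch) {
      case "*":      out += "\\2a"; break;
      case "(":      out += "\\28"; break;
      case ")":      out += "\\29"; break;
      case "\\":     out += "\\5c"; break;
      case "\u0000": out += "\\00"; break;
      default:       out += ch;
    }
  }
  return out;
}

// RFC 4514: escape an attribute value used inside a DN, so that "bob,ou=admins"
// stays one uid value instead of moving the entry to another part of the tree.
function escapeDnValue(value) {
  var out = "";
  for (var i = 0; i < value.length; i++) {
    var ch = value.charAt(i);
    if ("\\,+\"<>;".indexOf(ch) !== -1) {
      out += "\\" + ch;                       // special characters anywhere in the value
    } else if (ch === "\u0000") {
      out += "\\00";
    } else if (ch === " " && (i === 0 || i === value.length - 1)) {
      out += "\\ ";                           // leading or trailing space
    } else if (ch === "#" && i === 0) {
      out += "\\#";                           // leading '#'
    } else {
      out += ch;
    }
  }
  return out;
}

// Builds the value for the connector's <filters> parameter, e.g. "uid=dimuthuu".
// The attribute name comes from your own code, never from the user, so a keystring
// check (RFC 4512 syntax, numeric OIDs deliberately not accepted) is enough.
function buildFilter(attribute, value) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(attribute)) {
    throw new Error("invalid attribute name: " + attribute);
  }
  return attribute + "=" + escapeFilterValue(value);
}

// Builds the value for the connector's <dn> parameter from a typed-in username,
// e.g. "uid=dimuthuu,ou=staff,dc=wso2,dc=com". baseDn is trusted configuration.
function buildUserDn(uid, baseDn) {
  return "uid=" + escapeDnValue(uid) + "," + baseDn;
}

// Constructed sample inputs: a normal username and two injection attempts.
var base = "ou=staff,dc=wso2,dc=com";
var samples = ["dimuthuu", "dimuthuu)(objectClass=*", "bob,ou=admins"];
if (typeof console !== "undefined") {
  for (var s = 0; s < samples.length; s++) {
    console.log(buildFilter("uid", samples[s]) + "  |  " + buildUserDn(samples[s], base));
  }
}
```

The escaped strings are what you put into the filters and dn elements of the request; the directory decodes the escapes and compares the original characters literally. The objectClass value in searchEntry, like the attribute name, should come from your own code rather than from the user.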

-----------------------------------------
Special thanks go to the WSO2 ESB team, including Dushan ayya and Isuru ayya, for giving us great help when we were in trouble.

If you think this should be improved or that I'm missing something here, please comment below. Thanks.

6 comments:

  1. Nice work. Where can I find the source code of this connector?

    Replies
    1. I need the connector source code too.
    2. https://github.com/DImuthuUpe/esb-connectors/tree/master/ldap

  2. Nice work. It would be more useful if you could add more description on starting a new LDAP server using Apache DS.

  3. Would it be possible to update a binary attribute value (like a profile image) in AD via the WSO2 LDAP connector?

  4. I tried as per the WSO2 documentation and other references but just get HTTP status code 202 - Accepted without any response.