Submitted by Syd Nicholson on Mon, 11/27/2006 - 00:00
Forums

We have a potential customer that requires single sign on for all applications. They would like to be able to use an LDAP server to validate the user on the network in order that pages/information are constructed for that user only.

How can this be achieved using IceBreak?

Thanks
Syd

Niels Liisberg

Tue, 11/28/2006 - 00:00

Hi Syd;

Single signon ca be achived by using the LDAP api from IBM combined with the IceBreak function Logon(userid: password)

like:

 
  msg = LogOn(Userid:Password);
 if (msg <= '');
     exsr LDAPlogon;
     Initpage();
     return;
  else;
    exsr ShowLogon;
  endif; 

If your IceBreak if running as a part or WebSphere Portal, you will have a LTPA-token in the http header when the user is logged on.

like: 

 
  token = getheader('LTPA-TOKEN');
  if (token > '' );
     exsr IamLoggedon;
  else;
    exsr ShowLogon;
  endif; 

Thanks Niels,

The LDAP API is not something I am familiar with - a bit of light reading at bedtime!?

Assuming the user ID is the same as that used to sign on to the PC, do you know how we can pick up the user details for use in the LDAP API without the user needing to type them in again. Are there any server variables available for this - I am looking at the server vars and tutorials documentation for biuld 91 but can't find the required info.

Regards
Syd

IBM's EIM (Enterprise Identity Manager) provides single signon capability for the iSeries. It can authenticate against Active Directory, etc. However, the application needs to be Kerebos enabled to be able to use it. I don't know how IceBreak fits into this.

Based on arrow483's comments - is it possible to validate against active directory with IceBreak?

It is still not clear to me how the server knows who has has signed on to the PC and is using a browser.

I will need to provide this potential customer with a reply early next week.

Thanks Niels,

I assume therefore that with some JavaScript it might be possible to use these activeX controls to gain this information (IE only?)

This would be invisible - and raises some serious questions on Internet security!! - ARRGH  - the more I think about this the more I would hope that it is not possible to obtain this information in the browser.

Regards
Syd

You are right 

But in IE you can run the active-X which might be any program snippet, so from there you can retrive the profile .... we can make it for you if the customer requires it...


Niels

Frightening!!

This means that any web page, literally any web page, anywhere on the internet, can extract my network userid and password, IP address, etc. without my knowledge. They could then use that information to log on to my system remotely!!

AAAAAAGH once again

Getting panicky now. -

Regards
Syd

Hi!

It would be really usefull if a LDAP functionality was build into IceBreak. From a security point it is NOT enough to just test for 

token = getheader('LTPA-TOKEN'); 

as Niels states - and if that token is present the user has access. First of all LTPA-TOKEN can come from either WebSphere or Domino... and depending on which one controls single-sign-on it is a different type of LTPA-TOKEN!

What I think Syd is asking for is a function like

 status = ValidateSecurity('LDAP' : 'server' : 'port' : ..... ) 

that could take one or several arguments to check wether a user has access to a group or specific functionality.

LDAP integration is a must-have in every application server today!

Best regards,

John Foldager
www.izone.dk

John;
You are absolutely right. we are working on it. The syntax, however is not like yours, but it is rather build into the

Logon ( user : password ) ; 

and 

bool err = loggedon ( ) ; 

functions.

The LDAP is then configured on the server instance.

Niels

Hi Niels,

really nice to hear... but would it be possible to also retrieve a value from LDAP other than just validate username/password?

You can store values in LDAP that could be used to control access to different parts of an application. That is what I am looking for... a consistent way of doing it across different platforms and programming languages.

Best regards,

John Foldager
www.izone.dk

Hi John;

Good point.

The LDAP directory can contain a lot of stuff. You can already access it now from the IBM LDAP api, but I see your point in doing it directly in the server core for the current logged on user profile with the LTPA-token

I'll post you idea as a request request

Niels

Hi Niels!

Great! As long as we can provide you with such ideas so that you do not end up with a core product that can a whole lot of great stuff... but where it is extremely difficult to get out "on the edge" 

Best regards,

John Foldager
www.izone.dk