OnDemand User Group

Support Forums => Documentation => Topic started by: lkegel on January 11, 2017, 08:47:25 AM

Title: CMOD and LDAP for authorization
Post by: lkegel on January 11, 2017, 08:47:25 AM
Hello,
We will be implementing CMOD and are planning on using LDAP integration for authentication. However, we are curious whether anyone is leveraging LDAP (AD) to handle authorization and, if so, how? This doesn't appear to be native functionality of CMOD.

We have explored using ODWEK to build our own component, but there don't appear to be CRUD APIs to support this.



Title: Re: CMOD and LDAP for authorization
Post by: Alessandro Perucchi on January 19, 2017, 01:31:50 PM
Hello,
Quote from: lkegel on January 11, 2017, 08:47:25 AM
We will be implementing CMOD and are planning on using LDAP integration for authentication. However, we are curious whether anyone is leveraging LDAP (AD) to handle authorization and, if so, how? This doesn't appear to be native functionality of CMOD.

We have explored using ODWEK to build our own component, but there don't appear to be CRUD APIs to support this.

Well, apparently you haven't read the CMOD documentation at all... since LDAP and AD authentication has been native functionality of CMOD for at least 10-15 years.

Here is some information for you on the subject:

http://www-01.ibm.com/support/docview.wss?uid=swg21597246
http://www-01.ibm.com/support/docview.wss?uid=swg21610510
https://www-304.ibm.com/support/docview.wss?uid=swg21446517

Now... from what I can read between the lines of your question, and tell me if I'm wrong... you want to handle the authentication from ODWEK with LDAP.
Well, you must understand the following: it is NOT the client that decides what kind of authentication is used, but the server.

When you create a connection with ODWEK and then use the method ODServer.logon(...), you will need to provide the user and password.
Then ODServer.logon(...) will talk with the server, and the server will check how to authenticate the user.
If the CMOD server is not defined with LDAP, then it will NOT use LDAP... as simple as that.
If you have set up the server with LDAP, then it will use LDAP.
But in any case, it is NOT the task and responsibility of the client to decide which authentication to use; this is the task of the server side.

Now... maybe you want to do SSO (Single Sign-On), and then you need to pass the SSO token (Kerberos, ...) in order to validate that the token is OK.
Then, again, this is NOT the task of the client to do it: you need to pass the information to the server with the help of the method ODServer.logon(...), and then, because we are speaking about SSO, you will need to write a C program in CMOD to plug into the server (Security User Exit) that will do the work of validation for the client.

So, all of that to say that, before assuming, you must understand how CMOD works, and more importantly, if you want a good answer, you must explain to us what use case you want to implement. Then we will be able to give you some answers, or at least we will try, to the best of our ability.

So again, what do you want to do exactly?

Regards,
Alessandro

Title: Re: CMOD and LDAP for authorization
Post by: lkegel on January 19, 2017, 02:41:23 PM
Thank you for your patience,

You are correct that I have not delved into all of the documentation. I was asking on behalf of one of our developers and subsequently lost some important information in translation.

I/We are aware of the LDAP integration capabilities with CMOD once the users and groups are manually created in CMOD. We would like to avoid the manual set-up process and synchronize our users and groups automatically into CMOD.

Our developer resource seems to recall that there was a product on the market some time ago that would do this task. If we entertained doing this ourselves, the assumption would be that we would need to leverage ODWEK to create this utility, hence why I asked about ODWEK APIs.

Sorry for the confusion and thank you again for your response.

I will forward this on and see if it sheds any more discussion on our end.
Title: Re: CMOD and LDAP for authorization
Post by: Justin Derrick on January 20, 2017, 02:59:32 AM
LDAP support in CMOD is limited to checking passwords. There's no ability to determine access privileges for Folders (or Application Groups, etc.) through LDAP -- that's why User IDs must be created on CMOD, assigned access permissions, THEN the authentication step done through LDAP.

Once you've clarified your requirements, fill out an enhancement request on the forums, and it will be included in the next list that the User Group provides to IBM.

-JD.
Title: Re: CMOD and LDAP for authorization
Post by: Alessandro Perucchi on January 22, 2017, 08:02:44 AM
Yep, this is a very common question about CMOD and LDAP...

As Justin said correctly, LDAP for CMOD is used ONLY for password checking, and NOTHING else.

You must have the whole permission stuff stored in CMOD. That's it, no way around it.

I said "no way around it"; this is not 100% true, but I will explain it later.

So if you want to keep LDAP and CMOD in sync, then you will need to write a tool to sync what you have in LDAP with CMOD, by creating/updating/deleting users in CMOD.
I had lots of customers who had their own way to do the sync between their central permission repository (not always LDAP) and CMOD.

And I know of no tool that does that "out of the box" for you.

You can use the command "arsxml" for creating, updating and deleting the users and their rights, or you can use the ODWEK method called ODServer.xmlParse(...), which uses the exact same XML as the command arsxml.


Before, I said that it was not 100% true that you must have all the permissions in CMOD. If you want, but again this is self-development work -> custom code, then you can use the permission user exit in order to do a query to your LDAP to check whether your user has the right or not to do an action.
This must be coded in C/C++. And you must be aware that this is time consuming, and you will most probably get worse response time with CMOD compared to today.
It doesn't mean this is not possible, but in order to get it right, it will take a lot of effort from your developers, and at the same time this will be a nice challenge for them :-P

Well, I hope I could answer some of your questions.

If not, then please ask again, and as Justin said, if you have a very clear use case on how to have some rights/permissions stored in LDAP instead of CMOD and still have good performance, then file an enhancement request.
Please be aware that the CMOD devs want to keep the product as fast as possible, and everything that will not produce fast results will be strongly challenged.

Regards,
Alessandro
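The sync tool the reply above describes, as an added example that is not code from the thread or from IBM: it diffs an LDAP/AD group snapshot against what CMOD currently holds and produces the create/delete sets you would feed to arsxml (or ODServer.xmlParse). The security-relevant points are that only groups explicitly managed from LDAP are touched (so a partial LDAP export cannot strip access to everything else), that a protected list of service/admin accounts is never deleted, and that users are deleted only when they hold no remaining membership anywhere. The element and attribute names in the rendered XML (onDemand, user, group, name) are assumptions to be checked against the ondemand.xsd schema shipped with your server; the LDAP and CMOD snapshots are constructed sample data.

```python
"""Added example, not from the thread: plan LDAP -> CMOD user/group sync.

Assumption: arsxml-style XML uses <onDemand>, <user name=...> and
<group name=...> with nested <user name=...> members. Verify against your
server's ondemand.xsd before importing anything.
"""
from xml.etree import ElementTree as ET

# Constructed sample: result of an LDAP query for the CMOD-relevant groups.
LDAP_GROUPS = {
    "CMOD-Finance": {"alice", "bob"},
    "CMOD-HR": {"carol"},
}

# Constructed sample: what CMOD currently holds (e.g. from an arsxml export).
CMOD_GROUPS = {
    "CMOD-Finance": {"alice", "dave"},
    "CMOD-HR": set(),
    "CMOD-Legacy": {"erin"},   # not managed from LDAP; must be left alone
}
CMOD_USERS = {"alice", "dave", "erin", "admin"}

# Identities the sync must never create, delete or move.
PROTECTED_USERS = {"admin"}


def plan_sync(ldap_groups, cmod_groups, cmod_users, protected=PROTECTED_USERS):
    """Return the changes that make CMOD's managed groups match LDAP.

    Only groups present in ldap_groups are managed. A user is deleted from
    CMOD only when it appears in no managed LDAP group AND holds no
    membership in an unmanaged CMOD group, so a truncated LDAP export can
    at worst leave access in place, never silently widen or wipe it.
    """
    managed = set(ldap_groups)
    wanted_users = set().union(*ldap_groups.values())

    unmanaged_members = set()
    for group, members in cmod_groups.items():
        if group not in managed:
            unmanaged_members |= members

    add_users = wanted_users - cmod_users - protected
    del_users = cmod_users - wanted_users - unmanaged_members - protected
    add_groups = managed - set(cmod_groups)

    membership = {}
    for group in managed:
        have = cmod_groups.get(group, set())
        want = ldap_groups[group]
        membership[group] = {"add": want - have, "remove": have - want - protected}

    return {
        "add_users": add_users,
        "del_users": del_users,
        "add_groups": add_groups,
        "membership": membership,
    }


def render_arsxml(plan, action):
    """Render the 'add' or 'delete' part of a plan as arsxml-style XML text.

    'add' emits new users plus the managed groups with their members to add;
    'delete' emits only the users to remove. Membership removals are kept in
    the plan for review but not rendered here, because the exact arsxml
    syntax for that operation depends on the schema version (assumption).
    """
    root = ET.Element("onDemand")
    if action == "add":
        for user in sorted(plan["add_users"]):
            ET.SubElement(root, "user", name=user)
        for group, change in sorted(plan["membership"].items()):
            if change["add"] or group in plan["add_groups"]:
                g = ET.SubElement(root, "group", name=group)
                for user in sorted(change["add"]):
                    ET.SubElement(g, "user", name=user)
    elif action == "delete":
        for user in sorted(plan["del_users"]):
            ET.SubElement(root, "user", name=user)
    else:
        raise ValueError("action must be 'add' or 'delete'")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    plan = plan_sync(LDAP_GROUPS, CMOD_GROUPS, CMOD_USERS)
    print("create users :", sorted(plan["add_users"]))
    print("delete users :", sorted(plan["del_users"]))
    print(render_arsxml(plan, "add"))
    print(render_arsxml(plan, "delete"))
```

Run the plan against an export first and review the delete set before feeding the rendered XML to arsxml: a deletion is the one operation that revokes access immediately, so a wrong LDAP base DN or filter should fail loudly here, not at the import.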
Title: Re: CMOD and LDAP for authorization
Post by: GWilcox on April 21, 2018, 04:32:16 PM
The new version of LDAP Sync (as of 12/1/2017) will allow synchronization, the requirement is that you'll need a newer version of CMOD, at least 10.1.0.2... See documentation here: http://www-01.ibm.com/support/docview.wss?uid=swg27050629&aid=1  :)