Using Ldap/ssl for Requisitepro user authentication and management


According to the license agreement, this article was originally published on the IBM developerWorks China website, http://www.ibm.com/developerworks/cn


Level: Introductory

New (niuxiaof@cn.ibm.com), Software Engineer, IBM China Software Development Lab

October 30, 2006

IBM Rational RequisitePro, running in an enterprise environment, often manages many projects. Each project can contain a large number of accounts: administrators, ordinary users, guest accounts and so on. In the normal user-management mode every user of every project is a separate entity that must be created, given a password and assigned permissions independently. When several projects are developed and maintained concurrently, this decentralized and repetitive account management becomes time-consuming and error-prone, and leaves hidden security risks. RequisitePro's support for authenticating users against LDAP, and further for SSL, greatly reduces the user-management workload, improves the efficiency of user administration, and strengthens the security of project data and user information.

1 Introduction

RequisitePro has supported LDAP user authentication since version 6.15, and the latest release, version 7.0, adds SSL support to ensure that user authentication data exchanged between RequisitePro and the LDAP server is transmitted securely and privately.

RequisitePro now supports two ways of authenticating users:

1. Using the user data built into the RequisitePro project. The user enters a user name and password to log in, and RequisitePro queries the project database to validate them.

2. Using an LDAP directory on the network. The user enters a user name that is the value, or part of the value, of an attribute of a record in the LDAP directory, together with the password, and RequisitePro queries the LDAP directory to authenticate.

A typical application scenario is shown in the following illustration:
Figure 1. A typical application scenario

Of course, the RequisitePro project and the key file can also be placed on the RequisitePro client, in which case the scenario is as follows:
Figure 2. RequisitePro projects and key files can also be placed on the RequisitePro client

Currently RequisitePro supports a number of LDAP v3-compliant directory servers, including IBM Tivoli Directory Server, Microsoft Active Directory, Sun Java System Directory Server, Novell eDirectory, IBM Lotus Domino LDAP Server and others.

In addition, LDAP/SSL user authentication is also supported in the Rational change-management tool ClearQuest. The authentication principle and configuration process are similar to those in RequisitePro; refer to the online documentation for detailed ClearQuest configuration.

2 Overview of the LDAP user authentication process

To authenticate users through LDAP, first configure the project to permit LDAP authentication, then configure the authentication method of each user. A project configured for LDAP authentication supports both LDAP-authenticated users and RequisitePro-authenticated users, so mixed authentication can coexist in more complex application environments.

For a project configured to use LDAP authentication, RequisitePro performs the following verification process:

1. The LDAP user enters a user name and password in the login window of the RequisitePro project. This user name can be the user's real name as it exists in the project, an identifier for that user, or an e-mail address; the administrator chooses this unique identity when configuring LDAP authentication for the project.

2. RequisitePro connects to the LDAP directory using the parameters the administrator supplied when the project was configured.

3. RequisitePro searches the LDAP directory for a user record that matches the user name entered, then validates the entered password against that record.

4. RequisitePro searches the project database for the user record that corresponds to the LDAP user record.

When configuring LDAP for a project, the administrator specifies a mapping between a field of the user record in the RequisitePro database and an attribute of the LDAP user record. RequisitePro uses this mapping to find the matching user record in the RequisitePro database. If a matching user record is found, RequisitePro opens the project and gives the user access to RequisitePro features according to the security privileges assigned to that user.

3 Collecting LDAP configuration information

Before configuring LDAP authentication you need to gather some configuration information: the LDAP directory server hostname or IP address, the LDAP service port, the user DN (distinguished name) used to connect, the root DN (base DN) from which searches begin, the RequisitePro project administrator account and password, the form of user name that LDAP users will log in with, and the RequisitePro user field and LDAP user attribute to be mapped. Obtain this information from the LDAP administrator and the RequisitePro administrator.

4 Configuring LDAP Authentication

Most of the work of configuring LDAP for a project is done on the command line and falls into three steps, the last two of which require RequisitePro project security administrator rights: create an LDAP configuration file; reference this file in the project so that the project permits LDAP authentication; assign specific project users to LDAP authentication.

4.1 Creating an LDAP configuration file

The LDAP configuration file is a plain text file with an .ini extension. It contains the information needed to authenticate LDAP users, such as LDAP server connection parameters, LDAP directory search conditions and LDAP/RequisitePro user mapping information. A configuration file is not tied to a particular project and can be shared by several projects. Use the appropriate operating system permissions to restrict other users' access to this file.

The configuration file is created with the rpsetup command-line tool and its subcommands. rpsetup.exe is located in the bin directory of the RequisitePro installation. For the exact syntax and options of rpsetup and its subcommands, refer to the RequisitePro Installation and Upgrade Guide.

The creation process is as follows:

1. Use the SETLDAPINIT subcommand to specify a configuration file and supply the parameters for connecting to the LDAP directory. If the specified file does not exist it is created; if it exists, the file of the same name is overwritten. You can use GETLDAPINIT to view the settings you have made. Example:


The above example creates the file ldap_cfg.ini under \\demoserver\ldap\ on a file server, with ldap_server.some_corp.com as the LDAP server and 389 as the access port.

2. Use the SETLDAPSEARCH subcommand to set the LDAP search string used to find the matching user record in the LDAP directory. Example:


Note that the quotation marks around the mail part of the search string are escaped with a backslash (\"). You can use GETLDAPSEARCH to view the settings you have made.

3. Use the SETLDAPMAP subcommand to specify the mapping between a RequisitePro attribute and an LDAP attribute, so that an LDAP user can be mapped to a RequisitePro user. Example:


This command specifies the mapping between the RequisitePro rp_emailaddress attribute and the LDAP mail attribute. The mapping tells RequisitePro how to decide that a project user matches a user in the LDAP directory: with this configuration, when the program finds a project user whose e-mail address (rp_emailaddress) equals the mail attribute of the user record found on the LDAP server, it treats that user as the matching project user.

Three RequisitePro user attributes can be used in the mapping: rp_username, rp_emailaddress and rp_fullname. You can use rpsetup SETRPLDAP to list the supported attributes, and the GETRPLDAPMAP subcommand to view the settings you have made.

4. Use the VERIFYCONFIG subcommand to check that the LDAP configuration information is correct. Example:


Note that the three commands before this step only add to or modify the parameters stored in ldap_cfg.ini; they do not connect to the LDAP server to validate the settings. Only in this step does rpsetup use the parameters in ldap_cfg.ini to connect to the LDAP server and confirm that the configuration contains no errors. If an error is reported, rerun the corresponding command from the previous three steps, following the error message, to correct it.
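As an added illustration, and not RequisitePro's own code or the rpsetup commands of the original article, the following Python models the search, bind and mapping flow of section 2 together with the search string and mapping of steps 2 and 3 above, over a constructed in-memory directory. The search template, the mapping and the password check are assumptions; the escaping step shows why the login name must be treated as a literal value when it is substituted into the search string.

```python
import re

# Constructed sample data; not real directory entries or RequisitePro records.
LDAP_DIRECTORY = {
    "uid=alice,ou=people,dc=some_corp,dc=com":
        {"mail": "alice@some_corp.com", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=some_corp,dc=com":
        {"mail": "bob@some_corp.com", "userPassword": "hunter2"},
}
PROJECT_USERS = [
    {"rp_username": "alice", "rp_emailaddress": "alice@some_corp.com"},
    {"rp_username": "carol", "rp_emailaddress": "carol@some_corp.com"},
]
SEARCH_TEMPLATE = "(mail=%s)"          # assumed SETLDAPSEARCH-style string; %s is the login name
MAPPING = ("rp_emailaddress", "mail")  # assumed SETLDAPMAP mapping: RequisitePro field -> LDAP attribute

def escape_filter_value(value):
    """Escape RFC 4515 special characters so the login name is matched as a literal."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def assertion_matches(attr_value, assertion):
    """Evaluate one '(attr=assertion)' against a value: bare '*' is a wildcard, '\\xx' a literal."""
    regex, i = "", 0
    while i < len(assertion):
        if assertion[i] == "\\":                     # escaped byte -> literal character
            regex += re.escape(chr(int(assertion[i + 1:i + 3], 16)))
            i += 3
        elif assertion[i] == "*":                    # unescaped wildcard
            regex += ".*"
            i += 1
        else:
            regex += re.escape(assertion[i])
            i += 1
    return re.fullmatch(regex, attr_value) is not None

def search_directory(login):
    """Step 1: find the single directory record whose attribute matches the login name."""
    ldap_filter = SEARCH_TEMPLATE % escape_filter_value(login)
    attr, assertion = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    hits = [(dn, e) for dn, e in LDAP_DIRECTORY.items()
            if assertion_matches(e.get(attr, ""), assertion)]
    return hits[0] if len(hits) == 1 else None       # none or several: fail closed

def authenticate(login, password):
    """Steps 2-3: check the password against the found record (simulated bind), then map it."""
    hit = search_directory(login)
    if hit is None or hit[1]["userPassword"] != password:
        return None
    rp_field, ldap_attr = MAPPING
    return next((u for u in PROJECT_USERS if u[rp_field] == hit[1][ldap_attr]), None)
```

A directory user with no project record (bob) is rejected even with the right password, which is the mapping step doing its job.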

4.2 Allowing the project to use LDAP authentication

Use the SETLDAPCONFIG subcommand to specify an LDAP configuration file for the RequisitePro project, which allows the project to authenticate users through LDAP. This operation requires security administrator rights for the project. You can use the GETLDAPCONFIG subcommand to view the configuration made for the project. Example:


Project users can be assigned LDAP authentication only after the project has been associated with an LDAP configuration file. As the illustration below shows, the LDAP authentication option for a user is disabled until the project is associated with an LDAP configuration file:
Figure 3. After the project is associated with an LDAP configuration file

4.3 Assigning specific users to LDAP authentication

RequisitePro supports two methods of user authentication: LDAP authentication and RequisitePro authentication. Administrators can select some users to use LDAP authentication while others use RequisitePro authentication. There are two ways to do this:

4.3.1 In the RequisitePro Add User or Edit User window: click File -> Project Administration -> Security, select the user group and user, click Add or Edit, and set the Authentication selection box.

As shown in the figure:
Figure 4. RequisitePro Add User or Edit User window

4.3.2 Use rpsetup with the SETAUTHENTICATIONMODE subcommand

First add the required users to RequisitePro, then assign them LDAP authentication. Taking a user from the figure above as reference, run the command:


You can use the GETAUTHENTICATIONMODE subcommand to view a user's current authentication method.

With this step, the configuration of LDAP user authentication is complete. For the example configuration, which uses rp_emailaddress as the mapped field, the login window for an LDAP user looks like the following:
Figure 5. RequisitePro Add User or Edit User window

5 Configuring SSL to establish secure connections

SSL is a protocol that encrypts the data transferred between client and server, guaranteeing the privacy and integrity of the transmission. RequisitePro supports using SSL to encrypt the LDAP user authentication exchange, so that user names and passwords transmitted between RequisitePro and the LDAP directory server cannot be intercepted and disclosed.

SSL uses digital certificates to secure the communication. These certificates must be stored in a keystore file. The RequisitePro installer automatically installs GSKit (Global Security Kit), which can be used to create keystore files and to create and import digital certificates. These administrative tasks are usually performed by the LDAP server administrator and the RequisitePro administrator, who also need to distribute the keystore files to the clients.

When creating a keystore file, GSKit requires an access password. To avoid exposing this password on the client, a password stash file is normally generated when the keystore is created. The stash file holds the keystore access password in encrypted form and is distributed together with the keystore. RequisitePro reads the password from the stash file and uses it to open the keystore, so the client never has to supply the password in clear text. The client-side files therefore usually consist of the keystore file (extension .kdb) and its stash file (extension .sth).

To configure SSL, use the -z switch of rpsetup SETLDAPINIT and then tell RequisitePro where the keystore file is. The -z option indicates that the connection to the LDAP server should use SSL. The keystore path can be supplied in three ways: explicitly, with the -k parameter of rpsetup SETLDAPINIT; through the environment variable RATL_SSL_KEYRING; or by the default path, C:\Program Files\Rational\common, in which case the keystore and stash files must be named ldapkey.kdb and ldapkey.sth respectively.

RequisitePro tries these three ways in that order of priority, from top to bottom.

Examples:

1. Run

    rpsetup setldapinit "\\demoserver\ldap\ldap_cfg.ini" "-h ldap_server.some_corp.com -p 636 -z -k \"\\demoserver\ldap\keys\rpldap.kdb\""

   to make the LDAP authentication process connect over SSL with an explicitly specified keystore.

2. Run

    rpsetup setldapinit "\\demoserver\ldap\ldap_cfg.ini" "-h ldap_server.some_corp.com -p 636 -z"

   and add the environment variable RATL_SSL_KEYRING, setting its value to the path of the keystore file, for example \\demoserver\ldap\keys\rpldap.kdb.

3. Run

    rpsetup setldapinit "\\demoserver\ldap\ldap_cfg.ini" "-h ldap_server.some_corp.com -p 636 -z"

   and rename the keystore and stash files to ldapkey.kdb and ldapkey.sth, placing them under the Rational\common installation directory.

In each case, when RequisitePro connects to the LDAP server an SSL-secured connection is established.
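The three keystore lookup paths and their priority, as an added Python model that is not part of RequisitePro or of the original article. The default directory and file names come from the text above; the rule that a source whose .kdb/.sth pair is missing is skipped in favour of the next one, and the injectable `exists` check, are assumptions of this example.

```python
from pathlib import PureWindowsPath

# Default keystore location named in the article; the file names there are fixed.
DEFAULT_DIR = PureWindowsPath(r"C:\Program Files\Rational\common")

def resolve_keystore(k_option=None, environ=None, exists=lambda path: True):
    """Pick the keystore (.kdb) and stash (.sth) pair in the article's priority order:
    the -k parameter, then RATL_SSL_KEYRING, then the default directory.
    'exists' is an injectable existence check so the function runs offline; skipping
    a source whose file pair is missing is this example's assumption."""
    environ = environ or {}
    candidates = []
    if k_option:
        # The -k value is passed inside escaped quotes on the rpsetup line; strip them.
        candidates.append(("-k", PureWindowsPath(k_option.strip('"'))))
    if environ.get("RATL_SSL_KEYRING"):
        candidates.append(("RATL_SSL_KEYRING", PureWindowsPath(environ["RATL_SSL_KEYRING"])))
    candidates.append(("default", DEFAULT_DIR / "ldapkey.kdb"))
    for source, kdb in candidates:
        sth = kdb.with_suffix(".sth")   # the stash file must sit beside the keystore
        if exists(kdb) and exists(sth):
            return {"source": source, "kdb": str(kdb), "sth": str(sth)}
    return None                         # no usable pair: SSL setup cannot proceed
```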

6 Enterprise Environment Multi-project application

When several projects are developed and maintained at the same time, they can all be configured to use the same LDAP configuration file and therefore the same LDAP directory server. This turns the independent, decentralized and repetitive user management of each project into a single, centralized administration on the LDAP directory server, greatly reducing the user-management workload of the enterprise. The SSL-secured connection lets globally distributed teams work across the Internet while still guaranteeing the privacy and security of the data exchanged.

A typical multi-client, multi-project scenario is shown in the following illustration:
Figure 6. A typical multi-client, multi-project application scenario

8 Summary

This article first described the configuration process for LDAP (non-SSL) user authentication in RequisitePro, then explained how to add SSL support, and finally presented the application scenario of managing users with LDAP/SSL across multiple projects.

References

1. RequisitePro Online Help

2. RequisitePro Installation and Upgrade Guide

About the author

New works at the IBM China Software Development Lab, mainly on software testing of Rational products.
