SOAP web service to work with LDAP

We are adopting a service at our school that will allow us to utilize
LDAP. The issue is that we must have a SOAP-based web service to handle
the queries. Is there a way I can do this with a Novell product. Sorry
for the vagueness, but I am not familiar with SOAP at all.
Dan

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SOAP is a way of sending data via HTTP. LDAP is, well, LDAP. Both are
application-layer protocols.

Do you have specifics from your new product’s documentation stating what
is required? SOAP and LDAP do not integrate any more than TCP and UDP
do, but wanting to do so means, to me, missing what the business
objective really is. Can you have a SOAP service that takes credentials
and then, on the backend, authenticates those credentials against a
directory via LDAP? Sure, but that’s a little weird. Most applications
just authenticate directly to LDAP rather than going through some other
interface that is just one more layer removed.

In the end something that works with SOAP a lot and knows LDAP on the
backend may be Novell (NetIQ) Access Manager, but again it depends on
what you really want to do.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPa318AAoJEF+XTK08PnB5ppgQAJ/QI/BRrqmbpz6VeZWP1FpI
zl6UeaZ6gnnED0qC0WDDAjrF7e3E++JnGJQPoL7n8TfqvCAYaD7Fp+UG3nyYa9XG
KuLwZLqqDgjuP6NmgSVr04GvYhX/5JATTVDTJ7mRXssu2ofhdFmuwqSFZRfDRzGz
Us/dmFh32/U3fmxIHzhLdyNcPsY+XrjFe6oDPTFkUpoYrrNAVajCqOCawXaF7d5V
Ap+4KGRBc6SBJ5RM5mPoYQ0pkL/ILhVMU/HcBjgLyaixnyJBrPM9jruKgQydIrsd
ZOSb+HjeFfk4pL0dpa6Rfabqi/eQJnTYJvk+Y2jEkU6fOs3uo6aBofd1c8TEz3jO
LyuLEm3savptUNH1upxIfYhnOm9FA5riK/VujrEhX2gXubJgmygNWJm74whR+nCI
4P66KiJtsfU/OeBgRBUQZ0Y1jE5zVWLrUZiKsrZMqQLAZ8gO7fgtuPSqO3NX+Cjw
+qQVphpM5C+or3vbriUB9lgnJczSe/1onAkzu8B0fcbS4YemnvPNkMLg83TlrWkw
z57AAA/eJvLcH5EwKztdyLfvhLqifyrrHKPJzW5Oest9FERMOyucemOvETR2LEYM
BBJKo863lnIFIV2enRZKprf8OmIf0BBhVu3221hH8mb8flilmsnCmOC2c08iGSMw
pCO4FkgWjwyhSBZQLVKm
=iuMh
-----END PGP SIGNATURE-----

Thanks for the response, ab! Hopefully you can help me out. The
following link points to the pdf.
http://dl.dropbox.com/u/2992210/soap.pdf
The relevant part starts at the heading that reads “Delegated
Authentication Web Service”. Maybe I should say that this is a service
that resides on the Internet and is not held on our LAN.
Please let me know your thoughts.
Dan

On 3/22/2012 3:29 PM, ab wrote:[color=blue]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SOAP is a way of sending data via HTTP. LDAP is, well, LDAP. Both are
application-layer protocols.

Do you have specifics from your new product’s documentation stating what
is required? SOAP and LDAP do not integrate any more than TCP and UDP
do, but wanting to do so means, to me, missing what the business
objective really is. Can you have a SOAP service that takes credentials
and then, on the backend, authenticates those credentials against a
directory via LDAP? Sure, but that’s a little weird. Most applications
just authenticate directly to LDAP rather than going through some other
interface that is just one more layer removed.

In the end something that works with SOAP a lot and knows LDAP on the
backend may be Novell (NetIQ) Access Manager, but again it depends on
what you really want to do.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPa318AAoJEF+XTK08PnB5ppgQAJ/QI/BRrqmbpz6VeZWP1FpI
zl6UeaZ6gnnED0qC0WDDAjrF7e3E++JnGJQPoL7n8TfqvCAYaD7Fp+UG3nyYa9XG
KuLwZLqqDgjuP6NmgSVr04GvYhX/5JATTVDTJ7mRXssu2ofhdFmuwqSFZRfDRzGz
Us/dmFh32/U3fmxIHzhLdyNcPsY+XrjFe6oDPTFkUpoYrrNAVajCqOCawXaF7d5V
Ap+4KGRBc6SBJ5RM5mPoYQ0pkL/ILhVMU/HcBjgLyaixnyJBrPM9jruKgQydIrsd
ZOSb+HjeFfk4pL0dpa6Rfabqi/eQJnTYJvk+Y2jEkU6fOs3uo6aBofd1c8TEz3jO
LyuLEm3savptUNH1upxIfYhnOm9FA5riK/VujrEhX2gXubJgmygNWJm74whR+nCI
4P66KiJtsfU/OeBgRBUQZ0Y1jE5zVWLrUZiKsrZMqQLAZ8gO7fgtuPSqO3NX+Cjw
+qQVphpM5C+or3vbriUB9lgnJczSe/1onAkzu8B0fcbS4YemnvPNkMLg83TlrWkw
z57AAA/eJvLcH5EwKztdyLfvhLqifyrrHKPJzW5Oest9FERMOyucemOvETR2LEYM
BBJKo863lnIFIV2enRZKprf8OmIf0BBhVu3221hH8mb8flilmsnCmOC2c08iGSMw
pCO4FkgWjwyhSBZQLVKm
=iuMh
-----END PGP SIGNATURE-----[/color]

Dan,

that document describes the interface of a service your are to provide.

Typically, this involves programming that service. Apparently, the product from which that requirement comes wanted to offer you the chance to create an adapter to your own currently implemented authentication service, thus describing the interface it is going to call.

It shouldn’t be too hard to create such an adapter, a least for an experienced SOAP developer. Per your question I assume that you have an existing LDAP service containing all the necessary authentication information, so the following components are involved:

  • a security concept describing unter which conditions a user may be be reported as successfully authenticated (i.e. must be known in LDAP directory, must provide proper credentials, must be member of group xyz, IP within range, …)
  • a web server plus backend application or an application server (plus application), capable to receive and handle the SOAP request as described in the document. That server must be accessible from the application server
  • access to your LDAP directory from the backend application or application server

The “backend application” or alternatively the “application” on the application server will have to be developed to read in the request parameters as described in the referenced document, to decide authentication/authorization according to your security concept and to report back the result according to the referenced document.

I doubt that you’ll find a ready-to-run commercial application for that specific purpose.

Regards,
Jens

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, your theory was correct. Now, how do you do this? I do not know
NAM well enough to know if it can do this type of thing really easily so
you may want to post in the NAM forum to see.

My guess is that you’ll need to do this on your own, but I would also
HIGHLY suspect that since these guys have done this before that they
have a starting application to do exactly this, probably written in one
of several languages. Assuming you can receive the SOAP envelope and
parse it properly the LDAP part is pretty easy to do depending on the
language you use (I’ve done it in PHP, Perl and Java in the past, and
there are examples for all of those online for use).

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPbI8DAAoJEF+XTK08PnB5XpkQAIPmKKCxJEenzgkU4cPR9D2g
sGrQQBnESpmkDI7CAodpwPYMDdPlXnmxQTE8NQt9Dd3VNG8ICCsnU5Uy+KPFRdCt
wfHZT4UDLG1+xBfkJTuFSQS+Nl1V8MsrcOTliqJYKpSJHwnNtsLBfTHZh92iiq/m
j7FZ1dVc2FUjerTrEr2dhmungM/Y/qEe9uhPUirGH84ceDM+/LebsFO1KcTrU4Xp
5WBMSK9fwF2l4wR0Z4xT8uOZo1gayuo8LPYje8iy26n2LpFp7dB3aeLtCG37N1u/
Mds1qBMQL/EWXoGhNSFCRygwZaxjBoc/UXSMnEL3sxRKbt9jiFgruREQ55AFwYIE
Qz3S+M4zwkefV+3aX1W04MQmKPJKxQo4oF4O3S/I5K0cCDjtVrHjZWZqaCB7jQpF
sK/V1ZxSaNBW1is9Itg+lo2+Lu8CkcD5C+hyMBZyooE1viOVoB3/IMh1MsJSb2Nu
7s3uoroZx2yPfoOw8sxi7qUpnHiY4BRoWBEml+pHL1U0Us/g6i0c3KawSRI5ipHZ
JQ37YJSBy4mThRh8NSUIBIDFwfMui/jkYbdlT3N8PRknJXQ5Ho4Bz/mhOaHyWAq0
y3DqHHu9BtnNUtUthlV2qjPJbIMxeUcqOCSx5vNmKVRWVdmHKqexmQqbbpSERUoz
mQXS2fn6hwaaOTwT4iOq
=I5Fi
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

First, to be clear, this is NOT exactly what you want, but it does
appear to take SOAP requests and do LDAP work on the backend, so it may
be a good example since some part of that will necessarily include an
LDAP bind:

http://ldapwiki.willeke.com/wiki/SOAPDSMLClient

Jim Willeke is a Novell regular in the forums/fora, and may be able to
give you some pointers or a finished product depending on a lot of
variables outside my control. I think he’s a consultant (thus his site
with tons of neat stuff on it) and may be able to create this
application for you. Considering his skill, it’d probably take him a
day to do it.

Specifically, the SOAPDSMLClient.zip is the file with the code that
basically does what you want (plus a lot more). The SOAPDSMLClient.java
file in there has the logic; it requires some external JARs from Novell
(no biggie to add those) and you’d need to know how to deploy this in an
application server like Tomcat/JBoss/Jetty/etc., plus modify it to
receive your specific SOAP envelope. You may also need to have it find
your users in your LDAP environment, if they are not all in a single
context. Overall, this is pretty easy if you are familiar with the
technologies.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPbJOnAAoJEF+XTK08PnB5/mcP/3cUWQ+/V2aQ861OFv3U2JQR
ilpoXYox5Jsdudz/xKCVFs5FORoMH+e2bMXo7DW6TfLi2uoOU58UFrkBrHxGbjSv
mIOqai3bZLRf49GpOyDyYzADNIwLz/uUp7SBCFontYO87569HopQDPmqL7oy6+d2
Hsljxt18JyJYl4dM5Jx52rcPUnWTWtEAjhhQBjq1oB9WuQE25QUM0Wf4h2nLMHFt
P18R+ffMApsKdASWYYnx2G5jE9KbH0nLf+LBGr+rUNW1gHPLWwyDVlN3QN4wuX/L
qhgK+CCFqoraIzFweZTQSEfM12emQTDvpCogclWHfNxLvAatYnE6Jih8KJEO15R4
wE6KfNyL6naqAxRJUQWtmLwfNpvkrWxtKzEBycbjBSKW9CO26eNjznKL+LzFq9I/
fSEkz08UT9Eo67DjW2DkfPzvWiJE0m1MgZ/ityXAlVZSxhSARoNIPGT6KdYL9vJq
oO9dWVLQqPQAslZdZOlMO1HVs6FNffDfImE6N82cmqfPSo4t6NzQ/GzjI4E8bhs4
sS69k+3JMWFQcoU3vK+wfWEkv/aN8wG0dcNSRmh+oNTOrCfIlsjJNKiWurTMUx1f
N5dGxBncezE2A6aPoDuXX5MdZ8OaMvYZb70cy1NwvMRb0cJC9LI1FdsF7epEIilF
0dPa8LQPsilJyPnkQxSQ
=FVHW
-----END PGP SIGNATURE-----

Thanks to both of you for the very insightful answers. I figured it
would take some programming knowledge to get this done. At least I am
armed with the information I need.
Dan

On 3/22/2012 2:59 PM, Dan wrote:[color=blue]

We are adopting a service at our school that will allow us to utilize
LDAP. The issue is that we must have a SOAP-based web service to handle
the queries. Is there a way I can do this with a Novell product. Sorry
for the vagueness, but I am not familiar with SOAP at all.
Dan[/color]