Give your LDAP server a JSON front-end!

LDAP gateway

After several months of on-and-off development, this week finally saw the release of Json2Ldap, a new product for LDAP directory integration into web applications through a simple JSON + HTTP protocol.

The software has good potential to become a success, I believe.

Json2Ldap was conceived last summer during the MyTransactionCenter project. The web application had to connect to an LDAP directory to authenticate users, retrieve employee attributes and query organisational settings such as group memberships and policies. The typical approach in such situations is to program the web server application to handle the necessary LDAP requests and then pass the processed results to the browser for display. This is the established method for working with back-end directories, but I didn’t like it, for it was out of place with the MyTransactionCenter architectural principle — to serve as a flexible aggregator of web content and web services provided by the Transaction Company ecosystem. That’s the essence of modern Ajax/Web 2.0 apps — combining various content and services to produce useful and original mashups.

The intuitive solution? I needed LDAP to “become” a web service, accessible from any JavaScript application running in a browser. This is how the idea of a JSON-to-LDAP gateway was born.

Json2Ldap accepts requests for LDAP operations which are JSON messages received via HTTP POST. JSON + XMLHttpRequest, after all, is the lingua franca in the Ajax/Web 2.0 universe. But instead of devising my own ad-hoc JSON schema, as most people do, I decided to use the JSON-RPC 2.0 protocol, which by that time had stabilised towards becoming a standard and I already had a base Java implementation for it. JSON RPC is a simple protocol for remote procedure calls (RPC), with some XML-RPC heritage, but otherwise is a lot more natural to work with from within JavaScript.

Version 1.0 of Json2Ldap provides about 35 JSON remote procedure calls, which map closely to the standard LDAP operations. It also provides several extensions.

  • Directory connection calls: ldap.connect, ldap.isConnected, ldap.close
  • Directory authentication calls: ldap.bind, ldap.anonymousBind, ldap.simpleBind
  • Directory read operation calls: ldap.getEntry, ldap.compare, ldap.search, ldap.getRootDSE
  • Directory write operation calls: ldap.add, ldap.delete, ldap.modify, ldap.modifyDN
  • Extended directory operation calls: ldap.ext.passwordModify, ldap.ext.whoAmI
  • Directory schema information calls: ldap.schema.getObjectClass, ldap.schema.getAttributeType, etc.
  • Web service information: ws.getName, ws.getVersion, ws.getTime

Json2Ldap is not just about mapping JSON RPC calls to LDAP requests. That was actually the easier bit. Considerable thought was spent to ensure that the gateway provides well-managed, securable web access to the back-end directory servers. The Json2Ldap configuration allows admins to place a number of useful access restrictions and policies, such as:

  • Define whitelists of LDAP servers that gateway clients may connect to
  • Define LDAP connection limits per client and idle timeouts
  • Require TLS/SSL for client-gateway or for gateway-directory connections
  • Require all clients to authenticate at connection time using LDAP bind
  • Refuse directory write requests
  • Predefine “canned” ldap.presetConnect and ldap.presetBind requests
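The RPC calls listed earlier and the server whitelist policy above, exercised end to end as an added example that is not Json2Ldap's own code: a small JSON-RPC 2.0 client in JavaScript runs ldap.connect, ldap.bind, ldap.search and ldap.close against a constructed mock gateway that refuses servers outside its whitelist. Method names are the ones from this post; the parameter names, the connection identifier and the error code for a refused server are assumptions, not the product's documented API.

```javascript
// Added example, not Json2Ldap's own code: a JSON-RPC 2.0 client for the
// gateway's ldap.* calls, run against a constructed mock. ASSUMED (not in the
// post): parameter names host/CID/DN/password/baseDN/filter, error code 1001.
const ERR_NOT_WHITELISTED = 1001; // assumed code for a non-whitelisted server

// Check the envelope; a JSON-RPC error object becomes an exception, never data.
function parseResponse(res, expectedId) {
  if (!res || res.jsonrpc !== "2.0") throw new Error("not a JSON-RPC 2.0 response");
  if (res.id !== expectedId) throw new Error(`id mismatch: ${res.id} != ${expectedId}`);
  if (res.error) { const e = new Error(res.error.message); e.code = res.error.code; throw e; }
  if (!("result" in res)) throw new Error("neither result nor error present");
  return res.result;
}

// RFC 4515 escaping so a caller-supplied value cannot rewrite the filter.
function escapeFilter(v) {
  return v.replace(/[\\*()\0]/g, c => "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

async function rpc(transport, state, method, params) {
  const id = state.nextId++;
  return parseResponse(await transport({ jsonrpc: "2.0", method, params, id }), id);
}

// connect -> bind -> search -> close; close runs even if bind or search fails.
async function lookupUser(transport, host, bindDN, password, uid) {
  const state = { nextId: 1 };
  const CID = await rpc(transport, state, "ldap.connect", { host });
  try {
    await rpc(transport, state, "ldap.bind", { CID, DN: bindDN, password });
    return await rpc(transport, state, "ldap.search", { CID,
      baseDN: "ou=people,dc=example,dc=com", filter: `(uid=${escapeFilter(uid)})` });
  } finally {
    await rpc(transport, state, "ldap.close", { CID });
  }
}

// Constructed mock gateway: server whitelist, one bind password, one entry.
function mockGateway(whitelist) {
  const ok = (id, result) => ({ jsonrpc: "2.0", id, result });
  const fail = (id, code, message) => ({ jsonrpc: "2.0", id, error: { code, message } });
  return async ({ method, params, id }) => {
    if (method === "ldap.connect") return whitelist.includes(params.host)
      ? ok(id, "CID-1") : fail(id, ERR_NOT_WHITELISTED, "server not whitelisted");
    if (method === "ldap.bind") return params.password === "s3cret" ? ok(id, null) : fail(id, 49, "invalid credentials");
    if (method === "ldap.search") return ok(id, params.filter === "(uid=alice)" ? [{ uid: "alice" }] : []);
    if (method === "ldap.close") return ok(id, null);
    return fail(id, -32601, "Method not found");
  };
}
```

In a browser the transport is the same JSON posted to the gateway URL via XMLHttpRequest or fetch; the mock only stands in for that round trip.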

Json2Ldap was implemented as a lightweight Java web service and is packaged as a WAR file ready for deployment into any servlet container, such as Apache Tomcat. Moreover, you can deploy one gateway instance to serve all your web applications and back-end LDAP directories at the same time. This can save you tonnes of development, maintenance and admin time.

You can find out more about Json2Ldap on its product page. It comes with a rich reference describing configuration and available RPC requests in detail. In the next few weeks I plan to write a few specific usage examples and maybe a small demo application.

Contact me if you have any questions or wish to test the software at your company.