Give your LDAP server a JSON front-end!

LDAP gateway

After several months of on-and-off development, earlier this week I finally released Json2Ldap, the most recent addition to my product line of useful web app components.

The software has good potential to become a success, I believe.

The idea for it was conceived in the waning days of summer 2009 when I was working on MyTransactionCenter. The web application had to connect to an LDAP directory to authenticate users, retrieve employee attributes and query organisational settings such as group memberships and policies. The typical approach in such situations is to program the web server application to handle the necessary LDAP requests and then pass the processed results to the browser for display. This is the established method for working with back-end directories, but I didn't like it, for it was at odds with the MyTransactionCenter architectural principle -- to serve as a flexible aggregator of web content and web services provided by the transaction company ecosystem. This is what modern Ajax/Web 2.0 apps essentially do -- combine various content and services to produce useful and original mashups.

The intuitive solution? I needed LDAP to "become" a web service, accessible from any JavaScript application running in a browser. This is how the idea of the Json2Ldap gateway was born.

The LDAP gateway accepts requests for LDAP operations as JSON messages received via HTTP POST. JSON + XMLHttpRequest, after all, is the lingua franca of the Ajax/Web 2.0 universe. But instead of devising my own ad-hoc JSON schema, as most people do, I decided to use the JSON-RPC 2.0 protocol, which by that time had stabilised towards becoming a standard and for which I already had a base Java implementation. JSON-RPC is a simple protocol for remote procedure calls (RPC) with some XML-RPC heritage, but it is otherwise far more natural to work with from within JavaScript.

Version 1.0 of the Json2Ldap gateway provides about 35 JSON remote procedure calls, which map closely to the standard LDAP operations. It also provides several extensions.

  • Directory connection calls: ldap.connect, ldap.secureConnect, ldap.presetConnect, ldap.isConnected, ldap.close
  • Directory authentication calls: ldap.bind, ldap.anonymousBind, ldap.presetBind
  • Directory read operation calls: ldap.getEntry, ldap.compare, ldap.search, ldap.getRootDSE
  • Directory write operation calls: ldap.add, ldap.delete, ldap.modify, ldap.modifyDN
  • Extended directory operation calls: ldap.ext.passwordModify, ldap.ext.whoAmI
  • Directory schema information calls: ldap.schema.getObjectClass, ldap.schema.getAttributeType, etc.
  • Web service information: ws.getName, ws.getVersion, ws.getTime

The gateway software is not just about mapping JSON-RPC calls to LDAP requests. That was actually the easier bit. Considerable thought was spent on ensuring that the gateway provides well-managed and securable web access to the back-end directory servers. The Json2Ldap configuration allows admins to impose a number of useful access restrictions and policies, such as:

  • Define whitelists of LDAP servers that gateway clients may connect to
  • Define LDAP connection limits per client and idle timeouts
  • Require TLS/SSL for client-gateway or for gateway-directory connections
  • Require all clients to authenticate at connection time using LDAP bind
  • Refuse directory write requests
  • Predefine "canned" ldap.presetConnect and ldap.presetBind requests
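To show how three of those restrictions (server whitelist, refusing writes, bind required before other operations) can be enforced on incoming JSON-RPC 2.0 requests, here is an added example in JavaScript that is not part of Json2Ldap; the parameter names host, port and CID, the GatewayPolicy class and the server-defined error codes are my assumptions, and the dispatcher is assumed to call markBound only after the directory has accepted the bind.

```javascript
// Added example (not Json2Ldap's own code): a gateway-side policy filter for
// JSON-RPC 2.0 requests modelling three of the restrictions listed above.
// The parameter names "host", "port" and "CID" are assumptions, not the product's API.
const CONNECT_METHODS = new Set(["ldap.connect", "ldap.secureConnect"]);
const BIND_METHODS = new Set(["ldap.bind", "ldap.anonymousBind", "ldap.presetBind"]);
const WRITE_METHODS = new Set(["ldap.add", "ldap.delete", "ldap.modify", "ldap.modifyDN"]);
// Methods that never need an authenticated LDAP connection.
const OPEN_METHODS = new Set([...CONNECT_METHODS, ...BIND_METHODS, "ldap.presetConnect",
  "ldap.isConnected", "ldap.close", "ws.getName", "ws.getVersion", "ws.getTime"]);

// JSON-RPC 2.0 error response; -32000..-32099 is the server-defined error range.
function jsonRpcError(id, code, message) {
  return { jsonrpc: "2.0", id: id === undefined ? null : id, error: { code, message } };
}

class GatewayPolicy {
  constructor({ allowedServers, readOnly, requireBind }) {
    this.allowedServers = new Set(allowedServers); // whitelist of "host:port"
    this.readOnly = readOnly;
    this.requireBind = requireBind;
    this.bound = new Set(); // connection ids whose LDAP bind succeeded
  }
  // The dispatcher calls these after the directory accepts a bind / on close.
  markBound(cid) { this.bound.add(cid); }
  markClosed(cid) { this.bound.delete(cid); }

  // Returns null when the request may be forwarded to LDAP, otherwise the
  // JSON-RPC error response the gateway should send back instead.
  check(raw) {
    let req;
    try { req = JSON.parse(raw); } catch { return jsonRpcError(null, -32700, "Parse error"); }
    if (!req || req.jsonrpc !== "2.0" || typeof req.method !== "string") {
      return jsonRpcError(req && req.id, -32600, "Invalid Request");
    }
    const p = req.params || {};
    if (CONNECT_METHODS.has(req.method) && !this.allowedServers.has(`${p.host}:${p.port}`)) {
      return jsonRpcError(req.id, -32000, "LDAP server not on the gateway whitelist");
    }
    if (this.readOnly && WRITE_METHODS.has(req.method)) {
      return jsonRpcError(req.id, -32001, "Directory write requests are refused");
    }
    if (this.requireBind && !OPEN_METHODS.has(req.method) && !this.bound.has(p.CID)) {
      return jsonRpcError(req.id, -32002, "LDAP bind required before this operation");
    }
    return null;
  }
}
```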

Json2Ldap was implemented as a lightweight Java web service and is packaged as a WAR file ready for deployment into any servlet container, such as Apache Tomcat. Moreover, you can deploy one gateway instance to serve all your web applications and back-end LDAP directories at the same time. This can save you tonnes of development, maintenance and admin time.

You can find out more about Json2Ldap on its product page. It comes with a thick reference describing the gateway configuration and available RPC requests in detail. In the next few weeks I plan to write a few specific usage examples and maybe a small demo application.

Contact me if you have any questions or wish to test the software at your company.

Printed from: http://blog.dzhuvinov.com/?p=96 .
© Vladimir Dzhuvinov, 2009-2010.
