Web Services Directories

1
Web ServicesDirectories

• W3C Web Services WS 4/11/01

Scott Isaacson sisaacson_at_novell.com
2
What are Directory Services?

• Registry for the network
• Information about all entities on the network
• People, Applications, Businesses, Services,
  Devices, etc.
• Roles, Relationships, Preferences
• Configuration and Management
• Works like the old telephone directory
• Find resources by name, type, category, service
  description

3
Analogy
Standalone OS
Network
Without a Directory
Registry
Directory
With a Directory
4
Characteristics of Directory Services

• Distributed
• Global Access
• Not a single, central database
• Replicated
• Optimized for local access
• Secure
• Authentication
• Authorization
• Act in identity or role

5
Characteristics of Directory Services (cont.)

• Hierarchical
• All Services (from the Root)
• All Services local to a Department (from a
  Container)
• All Services in my group (from my Container)
• Filtered Searches
• All Services to which I have access
• All color printers
• All users logged in with cell phones

6
Why XML and directories?

• Directory Service Access Protocols
• Proprietary NDAP (Novell Directory Access
  Protocol)
• Open LDAP (Lightweight Directory Access
  Protocol)
• Emerging DSML (Directory Services Markup
  Language)
• XML is a natural fit for
• Query
• Find all Users with Surname Isaacson
• Operations
• Add User NameScott Isaacson
• Events
• Deleted User DNUsers/SIsaacson

7
Directory Services A Web Services Proposal for
DSML 2.0

• Proposal for DSML 2.0 based on DirXML research
• URL for view and download
• http//www.novell.com/products/nds/d
  irxml/dirxmldtddocs.zip
• DirXML is a tools for synchronizing directory
  information between directories that have
• Different schemas
• Different administrative tools sets
• Different access protocols (even non-LDAP!)

8
DirXML Example
Subscriber Channel Publisher Channel
1. Name Change into HR
2. Driver publishes event
DirXML
Enterpirse Directory
4. Other sources of data modifications
Note File system, Security, etc. rights all
remain intact on moves
3. DirXML syncs all directories
9
What is the proposal?

• A working DTD that defines document structure
  for
• Commands
• Events
• Rules (Optional - out of scope?)
• Schema Mapping (User vs inetOrgPerson)
• Matching (Subtree A match X and Y, Subtree B just
  match X)
• Create (Subtree A always add X)
• Placement (Place P in Subtree A, Place Q in
  Subtree B)
• Rules can be done via XSL/XSLT stylesheets

10
What is the proposal? (cont.)

• A payload (service definition) that needs a truck
  (protocol)
• XMLP
• Optional encoding for LDAP?
• Not a module, but an application
• Use XMLP core plus some extension modules
• Perhaps RPC
• Not schema or back-end protocols at this point
• IETF started with LDAP
• Moved to Extensions, LDUP, etc.

11
Two types Input vs. Output

• There are two basic types of XML documents
• Input documents
• Contain exactly one element.
• Send commands to a directory
• Send events from a directory
• Output documents
• Contain exactly one element.
• Respond to an input with status or data

12
Input/Output DTD Fragments

• move query query-schema add-association
  
• modify-association remove-association
• init-params status check-password)
• modify-association remove-association
• instance schema-def init-params)

13
Example

• Command to the directory to add a User
• src-dn"Users\Julia"
• dest-dn"cnJulia,oUsers"
• event-id"0"
• Gulia

14
Example

• Response from the directory
• Julia
  Gulia1
• event-id is like correlation id - it can be in
  the underlying protocol!

15
Events vs. Commands

• The , , , , and
  elements represent both commands and
  events.
• Commands and events have essentially the same
  syntax.
• Commands specify that an action should be
  performed.
• Events report that something happened.
• Interpretation depends on context
• Events are sent FROM the directory
• Commands are sent TO the directory
• When an events are sent, analysis based on the
  rules, yields no further action or commands that
  need to be issued

16
Events and Commands

• Events and commands that can be children of an
  element include
• Other allowed children of are not usually
  interesting except to driver writers.

17
Responses

• Events and commands that can be children of an
  element include
• Other allowed children of are not
  usually interesting except to driver writers.

18
Common Attributes

• Attributes common to many events and commands
  include
• class-name - The name of the base class of the
  object.
• dest-dn - The DN of the target object for
  commands.
• dest-entry-id - The entry id of the target object
  for commands.
• event-id - An identifier used to tag the results
  of an event or command.
• src-dn - The DN of the source object for events.
• src-entry-id - The entry id of the source object
  for events.
• timestamp - Reserved for use by the DirXML
  engine.

19
Common Elements

• Content elements that are common to many events
  and commands include

20

• associated disabled migrate pending
  manual"
• state (Assoc-State) IMPLIED
• The content of an element is a
  unique key provided by the application
  identifying the source object of an event or the
  target object of a command.
• The key is used to associate objects in the
  directory with an object in another application
• The state attribute is used internally for
  control purposes.

21

• state counter dn interval octet time
  structured"
• type (Attr-type) IMPLIED
• association-ref CDATA IMPLIED
• naming (Boolean) "false"
• timestamp CDATA IMPLIED

22
(cont.)

• The type attribute is used to determine how to
  interpret the content
• "octet" values will contain base64-encoded binary
  data.
• "structured" values will consist of one or more
  elements.
• All other value types use a simple string
  representation of the value.
• Looking for a standard for encoding
• Should be extensible

23

• name CDATA REQUIRED
• association-ref CDATA IMPLIED
• elements are used to separate the
  individual fields of structure- or list-based
  attribute values.
• The name attribute depends on the attribute
  syntax being represented.
• The association-ref attribute is used in
  conjunction with components that are referential.

24
Example

• Example elements
• "string"
• Fred
• "octet"
• RM8FFyP21kirzwqLjrQ6ge
• "structured"
• All Attributes
  Rights
• n"\TREE\O\Admin
• 2

25

• A element
• Is used to return the status of processing a
  command or event.
• The absence of a element in the return
  document is considered to be an implicit success
  status.
• More than one element can be returned as
  a result of a given event or command.

26
DTD Fragment

• success retry"
• level (Status-Level) REQUIRED
• event-id CDATA IMPLIED

27
Example

• Operation
  vetoed by Placement Rule
• ERR_NO_ACCESSstatus

28
Example

• When user "Julia" is added to an application the
  driver reports the following event
• event-id"0"
• JG0U812
• type"string"Gulia

29
Example

• If the Surname attribute value of user "Julia" is
  changed from "Gulia" to "Imbruglia" in the
  application the driver will report the following
  event
• event-id"0"
• JG0U812
• 
  
• Gulia
• Imbruglia

30
Example

• If user "Julia" is renamed to "JImbruglia" in an
  application the driver reports the following
  event
• class-name"User"
• src-dn"Users\JImbruglia"
• old-src-dn"Users\Julia" event-id"0"
• JG0U812
• JImbruglia

31
Example

• If user "JImbruglia" is moved from the "Users"
  container to the "Admins" container the driver
  reports the following event
• class-name"User"
• src-dn"Admins\JImbruglia"
• old-src-dn"Users\JImbruglia"
• event-id"0"
• JG0U812
• Admins

32
Content

• Content unique to elements
• Base object (can be a container or subtree)
• Root of a hierarchical namespace
• All objects for a flat namespace.
• Zero or more elements limit scope
• Multiple elements is OR.
• Zero or more elements limit scope
• Multiple elements is AND.
• Zero or more elements specify return
  value(s)
• If no elements are present then all
• If only a single element with no
  attr-name then none
• A single element indicates that
  information about the object's parent container
  is to be returned

33
Example 1

• Search the subtree rooted at "\TREE\Novell" for
  objects of class "User" with a Surname value of
  "Jones" don't read any attributes
• dest-dn"\TREE\Novell" scope"subtree"
• Jones

34
Example 2

• Read the object of class "User" whose foreign key
  value is "1011" read the Surname, CN, Given
  Name, and Telephone Number attribute values
• scope"entry"
• 1011

35
Example 3

• Return the current state of all objects

36

• Zero or more elements are contained in
  the response to a query.

37
DTD Fragment

• attr)
• src-dn CDATA IMPLIED
• src-entry-id CDATA IMPLIED
• class-name CDATA REQUIRED
• event-id CDATA IMPLIED
• attr-name CDATA REQUIRED

38
Content

• Content unique to elements
• Zero or more elements indicate the current
  state of attribute(s) of the object.
• Zero or one element contains a reference
  to the parent object.

39
Example

• 1012
• Jones
• Samuel
• Samuel
• 555-1212
• 555-1764

40
Example

• If user "JImbruglia" is deleted the driver
  reports the following event
• a" event-id"0"
• JG0U812

41
Some Practical Applications

• Zero Day Start
• Employee joins the company
• Fills out an employment contract on the web
• All of the following services are enabled,
  automatcially
• Payroll
• Phone
• Facilities Access
• Information Access
• Benefits Enrollment
• Group Memberships
• Training
• Etc.

42
Some Practical Applications (cont.)

• Single Sign On (Authentication Services)
• Authenticate to the network
• No need to re-authenticate to each service/web
  site
• Secret Store No admin access
• End User Human retains control if information
  access
• Buying patterns
• Information Access
• Coming Soon
• LDAP over SSL requests
• Potential
• XML for credentials (attributes, content)

43
Login Experience Before
Application Server
Directory
Client Workstation
44
Login Experience After
Application Server
Directory
Client Workstation
45
Some Practical Applications (cont.)

• iChain Authorization Broker
• Single point of authentication management
• Areas of Interest
• Security Services WG in OASIS
• AuthML and S2ML SAML
• Liaison to DSML
• Common syntax and semantics for
• Rights
• Privileges
• Transformable
• XSLT

46
Todays Typical Environment
47
iChain Solution
48
Summary Web Services Directory

• Look up MUST be access controlled
• Some interfaces only available in house
• Other interfaces only available to friends and
  partners
• Other interfaces are public
• Look up MUST be on
• Individual Identity
• Assumed Role
• Delegated Role
• Service Descriptions MUST be robust
• Hosted Services
• Run Time documentation Compile Time doc
  formalized semantics

49
Summary Web Services Directory (cont.)

• Example Problem - Big Government
• Walk in the door, look at the sign
• One line to get a form (Am I in the right
  line?)
• Another line to process/approve the form
• Another to pay
• Sorry, go back, you cant do that here
• Solution
• Access Controls Cant go any farther than
  allowed
• Single data source Go all the way to the 7th
  floor only to find out the office is moved -
  forgot to update the sign
• Services that aggregate services Help desk -
  they know the sequences of lines and windows.