Thursday, September 24, 2009

LDAP Change log number


I was inactive on this blog for quite some time but I will try to post on this once again.

In this blog I am trying to put some light on the LDAP change log numbers and how they work.

until now I was under impression that LDAP change log number always start with 1 and increase in sequence. It does increase in sequence but if an LDAP environment has a limit to keep change log only for last N number of days then LDAP first changelog number is not 1 but something else.

Now if you have to check what is the first and last change log number in your directory then how would you do it programatically?

Below is the code which can be used to get the lastchangelognumber. Similarly one can get the firstchangelognumber from the directory.

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;

public class ReadingLDAPChangeLog {

* @param args

static String RETURN_ATTRIBUTES[] = { "changes"};
static String RETURN_ATTRIBUTES_CHANGELOG[] = { "lastchangenumber"};

public static DirContext makeLDAPConnection (String Hostname, String Port, String BaseDN, String BindDN, String Password)
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://" + Hostname + ":" + Port + "/" + BaseDN);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, BindDN);
env.put(Context.SECURITY_CREDENTIALS, Password);
env.put(Context.BATCHSIZE, "100");
DirContext ctx = new InitialDirContext(env);
return ctx;
catch (Exception e)
System.out.println("Unable to connect to LDAP server.");
System.out.println("Please check connection parameters set in");
return null;

public static void main(String[] args) throws Exception {
//String SEARCH_FILTER = "(&(changenumber >= 550)(changenumber <= 580))";

String SEARCH_FILTER = "(objectclass = top)";

DirContext ctx_changelog = makeLDAPConnection("localhost","389","","cn=admin","*******");

SearchControls constraints_changelog = new SearchControls();

NamingEnumeration results_changelog ="", SEARCH_FILTER, constraints_changelog);

while ( results_changelog != null && results_changelog.hasMore() )

SearchResult sr = (SearchResult);
String DN = sr.getName();

Attributes attrs = ctx_changelog.getAttributes(DN, RETURN_ATTRIBUTES_CHANGELOG);

Attribute attr = attrs.get("lastchangenumber");
String lastchangenumber = (String)attr.get();




Saturday, July 5, 2008

Some Challenges in IDM project implementation

After working/talking about multiple IDM implementation I feel that there are different kinds of challenges in implementing the solution.

1) Getting the approvals/access from the end application : For example integrating with Oracle financial system one needs to have super user kind of permissions on the system for provisioning/deprovisioning. End application teams have there valid concerns for not giving that kind of access to IDM system.

2) Password policy : One of the very good feature of IDM system is to provide password synch across organization wide applications. In real world it becomes very challenging because of all systems does not have same password policy for one reason or the other.

3) Unique ID for life : If not all but most of the organizations work in the employee/consultant mode. People change there profile from employee to consultant and vice versa. It is a real challenge to find the same person in the system if S/he is returning to the organization. Organizations spreaded across globe are having this as a bigger challenge because they are working to consolidate there HR system under one umbrella to have better control over the system.

4) Missing unique ID in the applications : In the ideal world we expect end application which is getting integrated with IDM will have one or the other co-relation key to allow IDM to reconcile the accounts but it is not always true. Some times IDM teams have to request changing the end applications to have an extra field storing the co-relation key.

Tuesday, November 27, 2007

Adaptive Access Control

Few weeks back I went to attend Oracle Openworld in San Francisco and while I was on the demo grounds to see what oracle has to offer in the Identity and Access Control I met one product group which is building a "Adaptive Access Control" product.

This product builds the intelligence based on your previous access controls and compare them on next logon. This can be configured to make the metrics over a predefined period of time and freeze the statistics for next access requests.

For example if you are accessing the system between 8AM and 5PM on a daily basis and one day it gets the request at 10PM then it will deny the access.

This seems a good idea to me except for the reason that how long it takes to capture the metrics and how it handles the exceptions.

Another scenario could be that you access the system from North America reason and one day it sees the request from India then it has a valid reason to suspect the request.

Saturday, November 3, 2007

Open Source identity and Access management : VELO

Fortunately I got a chance to directly talk to Asaf Shakarchi (father of VELO) and I asked him why you named it VELO.

Asaf: It was taken by "velo binding". You can read about it in wiki.

My understanding: I then read about it in the Wiki and tried to link it with the identity and access control and realized the name is so true as the product is also trying to link and bind and control the identities.

I also asked him what is the function of remote performer and below is what I understood from his explanation

Remote performer is a kind of load balancer which can be used to delicate the responsibility of the VELO server. For example if the environment has many resources and you don't want to wait for the responses from the resource once you provision, you can use VELO remote performer. All the requests will be delegated to the remote performer and VELO server can perform other important tasks.

Remote performer is not a must for deploying VELO but it can give additional flexibility to distribute the load.

Monday, October 29, 2007

How To Break Web Software - A look at security...

I found below video on youtube and liked it. It is little longer in duration but worth watching.

Friday, October 26, 2007

Oracle database security and PCI DSS

Today I was browsing for data masking technology and products available in this space and found one good link on the oracle site.

This link explains each PCI DSS requirements in detail.

Thursday, October 25, 2007

Strong Authentication by biopassword

I watched many sci-fi movies where guys were playing around on the keyboard and trying to hack someones system by figuring out password etc. You already know that every individual has his/her own way/speed of typing on the keyboard. Biopassword has made a product on such grounds. There product captures the keystrokes and builds a pattern in which user key in the password etc. During authentication there software checks for that pattern and denies the access if the pattern does not match. I have tested the demo on there site.

You check it out by yourself and have fun.

SAML and desktop SSO

Today I was reading a post and found one good blog which i would like to share with you. PingIdentity has developed Integrated Windows Authentication toolkit to provide SSO to Google application.

If you have read my post onSAML where I discussed how Google apps are using SAML for federated authentication to there applications like gmail/gtalk used by corporates with there domain like hosted using gmail interface. In that post I have mentioned under section 1-a that if user is already authenticated then identity provider will not ask for the credentials again to the user but directly give access to the Google application like gtalk/gmail etc.

Below diagram shows my understanding of how it might be working. I am not showing anything related to pingidentity implementation for this approach but it is completely my understanding for the solution.

Microsoft GINA component can be customized to get the user credential and Microsoft has also exposed API to set the cookie for Internet explorer. Keep in mind that all things are going through the user browser so if user has a cookie to some domain (identity provider) it will be sent to the server by the browser.

Similarly Cookie can be deleted on the event of user logout. If the solution needs persistent cookie can also be set which will expire after the persistence time.