Overview

The PAC-LDAP authorization module enables Caching Proxy to access a Lightweight Directory Access Protocol (LDAP) server when performing authorization or authentication routines. The module consists of two component sets: a pair of shared libraries that add LDAP functionality to the Caching Proxy API, and a Policy Authentication Control (PAC) daemon. A ServerInit directive within the ibmproxy.conf file instructs the shared library to initialize one or more PAC daemons when Caching Proxy starts up. The shared libraries read a paccp.conf file to determine the number and characteristics of the PAC daemons. During initialization, each daemon reads the pac.conf file for configuration directives and the pacpolicy.conf file for policy information. Then, either an Authentication directive within the ibmproxy.conf file instructs the proxy server to call the shared library whenever authentication is required, or an Authorization directive usurps the Caching Proxy workflow during standard HTTP request processing.

Authentication

The process of authentication determines whether a supplied set of credentials (user name and password) is valid. This includes verifying that the user exists in the registry and that the supplied password matches the password stored in the registry. The PAC-LDAP module performs these checks during the authentication step.

When the PAC-LDAP authorization module is enabled for authentication, it becomes the default repository from which user IDs, passwords, and groups are retrieved. As an HTTP request passes through the Caching Proxy workflow, each Protect directive compares the requested URL to its request template. If a match occurs, the Protect directive invokes a protection schema, which includes the server ID, the type of authentication to use, masking rules to apply to the requesting client, and the locations of the passwords and groups files. If the passwords file is not defined, the user ID and password are retrieved via the PAC-LDAP authorization module. Type 0, 1, 2, and 3 policies define authentication schemes. If authentication passes, the request is served; otherwise, Caching Proxy returns a 401 error to the client.

Authorization

The process of authorization determines whether a user has the permission needed to access a protected resource. When the PAC-LDAP module is used, this includes applying the authorization rules in the pacpolicy.conf file to the HTTP request.

When the PAC-LDAP authorization module is enabled for authorization, the authorization rules within the pacpolicy.conf file are applied to the HTTP request. As the HTTP request passes through the Caching Proxy workflow, each Protect directive compares the requested URL to its request template. If a match occurs, the Protect directive invokes a protection schema; in this case, the protection schema is the authorization routine usurped by the PAC-LDAP authorization module. The Authorization directive then compares the requested URL to its request template, and, if a match occurs, the PAC-LDAP authorization module is invoked. Type 4 policies defined within the pacpolicy.conf file further refine the authentication required for various URL requests.
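The following is an added model of the two-step flow described in the Authentication and Authorization sections above: a Protect directive matches the URL and decides whether credentials are checked against a local passwords file or handed to the PAC-LDAP module, and a matching Authorization rule then decides whether the authenticated user's groups permit the request. It is example code written for this page, not IBM's or the module's own code. The class names, the glob-style request-template matching, the dictionaries standing in for the passwords and groups files and for the LDAP registry, the shape of a Type 4 rule, and the 403 status returned when an authorization rule denies the request (the text states only the 401 for failed authentication) are all assumptions.

```python
# Added, illustrative model of the Caching Proxy request flow with PAC-LDAP.
# Not IBM's code: class names, glob-style template matching, the dictionary
# stand-ins for the passwords/groups files and the LDAP registry, the Type 4
# rule shape, and the 403 for a denied authorization rule are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from secrets import compare_digest
from typing import Optional


@dataclass
class ProtectionSchema:
    """What a matching Protect directive invokes (fields named in the text)."""
    server_id: str
    auth_type: str                      # e.g. "Basic"
    passwords_file: Optional[dict]      # None: credentials come from PAC-LDAP
    groups_file: Optional[dict]         # None: group membership comes from PAC-LDAP


@dataclass
class ProtectDirective:
    request_template: str               # glob-style matching is an assumption
    schema: ProtectionSchema


@dataclass
class AuthorizationRule:
    """Stand-in for a Type 4 policy in pacpolicy.conf (shape assumed)."""
    request_template: str
    allowed_groups: frozenset


# Constructed stand-in for the LDAP registry the PAC daemon would query.
LDAP_USERS = {"alice": "correct horse", "bob": "battery staple"}
LDAP_GROUPS = {"alice": frozenset({"admins"}), "bob": frozenset({"staff"})}


def ldap_authenticate(user: str, password: str) -> bool:
    """Models the PAC daemon verifying user and password against LDAP."""
    stored = LDAP_USERS.get(user)
    # compare_digest keeps timing independent of where the strings first differ
    return stored is not None and compare_digest(stored, password)


def ldap_groups(user: str) -> frozenset:
    """Models the PAC daemon retrieving group membership from LDAP."""
    return LDAP_GROUPS.get(user, frozenset())


def first_match(items, url):
    """First directive or rule whose request template matches the URL, else None."""
    for item in items:
        if fnmatchcase(url, item.request_template):
            return item
    return None


def handle_request(url, credentials, protects, rules) -> int:
    """Return the HTTP status the proxy would send for this request."""
    # Authentication step: each Protect directive is compared with the URL.
    protect = first_match(protects, url)
    if protect is None:
        return 200                      # no Protect matched: served unprotected
    if credentials is None:
        return 401                      # protected resource, no credentials
    user, password = credentials
    schema = protect.schema
    if schema.passwords_file is not None:
        stored = schema.passwords_file.get(user)
        ok = stored is not None and compare_digest(stored, password)
    else:
        ok = ldap_authenticate(user, password)   # passwords file undefined: PAC-LDAP
    if not ok:
        return 401
    # Authorization step: the Authorization directive applies pacpolicy rules.
    rule = first_match(rules, url)
    if rule is None:
        return 200
    if schema.groups_file is not None:
        groups = schema.groups_file.get(user, frozenset())
    else:
        groups = ldap_groups(user)
    return 200 if groups & rule.allowed_groups else 403   # 403 is an assumption


# Constructed configuration: one Protect with a local passwords file, one without.
LOCAL = ProtectionSchema("local", "Basic", {"carol": "pw"}, {"carol": frozenset({"staff"})})
LDAP = ProtectionSchema("ldap", "Basic", None, None)
PROTECTS = [ProtectDirective("/intranet/*", LOCAL), ProtectDirective("/secure/*", LDAP)]
RULES = [AuthorizationRule("/secure/admin/*", frozenset({"admins"}))]

if __name__ == "__main__":
    for url, creds in [("/public/index.html", None), ("/secure/a", ("alice", "wrong")),
                       ("/secure/admin/x", ("alice", "correct horse")),
                       ("/secure/admin/x", ("bob", "battery staple"))]:
        print(url, creds, "->", handle_request(url, creds, PROTECTS, RULES))
```

The point of the model is the order of decisions: a URL that no Protect directive matches is served without any credential check, a protected URL whose schema defines a passwords file never reaches LDAP, and the pacpolicy rule is consulted only after authentication has succeeded.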

Lightweight Directory Access Protocol (LDAP)

LDAP provides interactive access to X.500 directories while consuming minimal system resources. The IANA has assigned TCP port 389 and UDP port 389 to LDAP. For more information, refer to RFC 1777, which defines LDAP.

Examples of supported LDAP clients are the IBM Tivoli LDAP client and the IBM SecureWay LDAP client.