May 07, 2007

Safety on the Internet

I was browsing the IT stacks at the nearby bookstore, looking for Kerberos or Linux security books, when I noticed several home network security books designed to teach home users how to safely access the internet without turning their home pc into part of a botnet. I recalled my friends wrote a similar book many years ago. I thought it was a great resource. I have a signed first edition copy.

The environment has changed somewhat since that day. I know a lot more about networks and security than I did when the book first came out. The World Wide Web has also become 'wilder'. I guess you could add another W to WWW. If I could give just one piece of advice to someone who is going the internet for the first time, it would be "Don't go on the Internet".

Your home PC could be infected in minutes, disabled in days and keyloggers, phishers and trojans could have all your bank account information without your knowledge in a few weeks or less. What should you do?

Start using the internet from your office, a cybercafe or a live CD. That will educate you without exposing your home pc to any undesirables. Furthermore, these systems are usually more protected than others. But during that time, stay away from any sites which require you to provide your actual personal information. Use a dormant email account when sites ask you to register. I keep a hotmail account just for that purpose. Once you've learned the basics of the web, its time to protect your home pc. What you will need is
1. Discipline
2. Firewall
3. Anti-virus

Strictly speaking, if you have [1] you don't need [2] and [3]. But just to be safe, have all three. My personal observation is that I end up disabling my firewall, and not running anti-virus checks so effectively I'm running without [2] and [3] and so far, nothing too terrible has happened to my PC. So rather than talk about which firewalls and anti-virus to get, I'll talk about discipline. You can learn about firewalls and anti-virus from other sites. In MS Vista, those two items are already bundled in your OS.

Discipline Tip #1: Don't surf for porn
Out of 10000 sites offering free porn, only 1 actually has free porn which you can download safely. You have a better chance at winning money from a scratch ticket than actually getting free porn which doesn't screw up your computer. So just stop that. Buy/Rent a DVD from your local video store instead.

Discipline Tip #2: Don't open email from people you don't know. Even if you do know them, don't click on any links. Don't forward email to people. So you miss out on the latest novelty. I'm sure someone will explain it to you if you ask them nicely. Don't ask me why you shouldn't. The answer is terribly complicated and you won't understand it anyway.

Discipline Tip #3: If someone offers you something for nothing, and you believe them, you are being cheated.

May 03, 2007

Getting started with LDAP on Java

Your boss asked you to do some research on using LDAP with Java. Its friday morning and you're already in weekend mode. You fire up your favourite search engine (google) and what you get are complicated articles and tutorials which could take you days to go through. If this is you, read on.

To play with LDAP you need an LDAP server. Rather than waste an morning compiling and installing one from OpenLDAP, you could :
1. Use someone elses LDAP server
2. Get a trial copy of a simple LDAP server

I got a simple LDAP server to install locally because I wanted to add LDAP records and I need a user account to do that. Public LDAP servers usually will not allow you to do that.

Since you're coding with Java, you need a Java compiler. I fire up my trusty Netbeans. You can use whatever you want. We're only going to code a main method anyway.

Once the LDAP server is installed and running, there aren't any entries inside. So the first thing to do is to add the entries. If you're only interested in searching the LDAP directory, skip down a few paragraphs.

First your imports. The IDE takes care of this for me but here's the list. We're using JNDI packages and it should be in JDKs 1.4 and higher.

import java.util.Properties;
import javax.naming.*;
import javax.naming.directory.*;


The connection settings go inside a properties object.

Properties props = new Properties();
props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
props.setProperty(Context.URL_PKG_PREFIXES, "com.sun.jndi.url");
props.setProperty(Context.REFERRAL, "ignore");
props.setProperty(Context.SECURITY_AUTHENTICATION, "simple");


Host name goes here


props.setProperty(Context.PROVIDER_URL, "ldap://localhost:389");


Username and password goes here. If you're using a public LDAP server, these may be blank or have some default value. It depends.....

props.setProperty(Context.SECURITY_PRINCIPAL, "cn=manager,dc=example,dc=com");
props.setProperty(Context.SECURITY_CREDENTIALS, "");


Note above. The username is manager. the password is blank. The string security principal describes the user being from directory context example.com. The order is important. You may need to change the dc appropriately on public servers.

When its all set up, just call the statement below to get the initial context.

ctx = new InitialDirContext(props);

This is like a pointer to a directory. With the context, you can work on the LDAP. First we create a set of attributes. Basically we're adding a record which conforms to a schema. A schema defines what fields an object can and must have. The example we will use is netwinperson. A schema is also known as an object class. The netwinperson defines a person. It has two mandatory fields cn (Common name) and sn (Surname) and a bunch of optional fields. In Java its possible to create an object which maps to this schema. We'll reserve that for future blog entries. Right now, we'll create a set of attributes which we will assign a name.

Attribute cn = new BasicAttribute("cn", "Scott");
Attribute sn = new BasicAttribute("sn", "Smith");
Attribute mail = new BasicAttribute("mail", "newuser@foo.com");


Next we must have another attribute for the object class. Attributes have names and one or more values.

Attribute oc = new BasicAttribute("objectClass");
oc.add("netwinperson");


Now we create the entry which is a collection of attributes

Attributes entry = new BasicAttributes();
entry.put(oc);
entry.put(cn);
entry.put(sn);
entry.put(mail);


Now we add the entry.

try {
ctx.bind("cn=Scott,dc=example,dc=com",null,entry);
} catch (NamingException ex) {
ex.printStackTrace();
}


Here is where we search the LDAP for the entry we just created.

SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);String filter = "cn=Scott";
String BASE_SEARCH = "dc=example,dc=com";
NamingEnumeration results = ctx.search(BASE_SEARCH, filter, constraints);


Note our search filter uses the cn attribute. We can use wildcards here. Note also the BASE_SEARCH tell us where to start searching. In this case from the root which is example.com. Our results appear in the variable results. We can check this enumeration object for any matches, but I just output what I know is there.

System.out.println(results.next().toString());


This outputs the entire entry. We can drill down to output individual entries but I'm only here to get you started.

Since we're done, we close the connection like a good programmer should.

ctx.close();

I'm no expert on LDAP. What I write here is what I found online in the course of one friday morning. But this code should get you started in less than an hour.