LdapLoginModule


An implementation of LoginModule that authenticates against an LDAP server using JNDI, based on the configuration properties.

The LoginModule options include whatever options your LDAP JNDI provider supports. Examples of standard property names are:


  • Context.INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial"

  • Context.SECURITY_PROTOCOL = "java.naming.security.protocol"

  • Context.PROVIDER_URL = "java.naming.provider.url"

  • Context.SECURITY_AUTHENTICATION = "java.naming.security.authentication"


The Context.SECURITY_PRINCIPAL is set to the distinguished name of the user as obtained by the callback handler, and the Context.SECURITY_CREDENTIALS property is set either to the String password or to the Object credential, depending on the useObjectCredential option.

Additional module properties include:

  • principalDNPrefix, principalDNSuffix : A prefix and suffix to add to the username when forming the user distinguished name. This is useful if you prompt a user for a username and you don't want them to have to enter the fully distinguished name. Using principalDNPrefix and principalDNSuffix, the userDN will be formed as:

String userDN = principalDNPrefix + username + principalDNSuffix;


  • useObjectCredential : indicates that the credential should be obtained as an opaque Object using the org.jboss.security.plugins.ObjectCallback type of Callback rather than as a char[] password using a JAAS PasswordCallback.

  • rolesCtxDN : The fixed distinguished name to the context to search for user roles.

  • userRolesCtxDNAttributeName: The name of an attribute in the user object that contains the distinguished name to the context to search for user roles. This differs from rolesCtxDN in that the context to search for a user's roles can be unique for each user.

  • roleAttributeName : The name of the attribute that contains the user roles

  • uidAttributeName : The name of the attribute, in the object containing the user roles, that corresponds to the userid. This is used to locate the user roles.

  • matchOnUserDN : A flag indicating if the search for user roles should match on the user's fully distinguished name. If false just the username is used as the match value. If true, the userDN is used as the match value.

  • allowEmptyPasswords : A flag indicating if empty (length==0) passwords should be passed to the ldap server. An empty password is treated as an anonymous login by some ldap servers and this may not be a desirable feature. Set this to false to reject empty passwords, true to have the ldap server validate the empty password. The default is true.


  • roleAttributeIsDN : A flag indicating whether the user's role attribute contains the fully distinguished name of a role object, or whether the user's role attribute contains the role name. If false, the role name is taken from the value of the user's role attribute. If true, the role attribute represents the distinguished name of a role object, and the role name is taken from the value of the `roleNameAttributeID` attribute of the corresponding object. In certain directory schemas (e.g., Microsoft Active Directory), role (group) attributes in the user object are stored as DNs to role objects instead of as simple names, in which case this property should be set to true. The default value of this property is false.


  • roleNameAttributeID : The name of the attribute of the role object which corresponds to the name of the role. If the `roleAttributeIsDN` property is set to true, this property is used to find the role object's name attribute. If the `roleAttributeIsDN` property is set to false, this property is ignored.


A sample login config:


testLdap {
    org.jboss.security.auth.spi.LdapLoginModule required
      java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
      java.naming.security.authentication=simple
      principalDNPrefix=uid=
      uidAttributeID=userid
      roleAttributeID=roleName
      principalDNSuffix=,ou=People,o=jboss.org
      rolesCtxDN=cn=JBossSX Tests,ou=Roles,o=jboss.org
};

testLdap2 {
    org.jboss.security.auth.spi.LdapLoginModule required
      java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
      java.naming.security.authentication=simple
      principalDNPrefix=uid=
      uidAttributeID=userid
      roleAttributeID=roleName
      principalDNSuffix=,ou=People,o=jboss.org
      userRolesCtxDNAttributeName=ou=Roles,dc=user1,dc=com
};

testLdapToActiveDirectory {
    org.jboss.security.auth.spi.LdapLoginModule required
      java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
      java.naming.security.authentication=simple
      rolesCtxDN=cn=Users,dc=ldaphost,dc=jboss,dc=org
      uidAttributeID=userPrincipalName
      roleAttributeID=memberOf
      roleAttributeIsDN=true
      roleNameAttributeID=name
};
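As an added illustration, not code from JBoss, the hypothetical LdapLoginWalkthrough class below carries the options above through the steps the module performs: forming the userDN, applying allowEmptyPasswords before the bind, building the JNDI environment, and resolving roles under rolesCtxDN (including the roleAttributeIsDN case). It assumes the option keys used in the sample configs (uidAttributeID, roleAttributeID, roleNameAttributeID), a fixed rolesCtxDN, a subtree search scope, and a reachable LDAP server for the DirContext passed in.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

// Hypothetical walkthrough of the option handling described above; not the JBoss source.
public class LdapLoginWalkthrough {
    static boolean flag(Map<String, String> o, String k, boolean dflt) {
        return Boolean.parseBoolean(o.getOrDefault(k, String.valueOf(dflt)));
    }
    // userDN = principalDNPrefix + username + principalDNSuffix (both default to "")
    static String userDN(Map<String, String> o, String username) {
        return o.getOrDefault("principalDNPrefix", "") + username + o.getOrDefault("principalDNSuffix", "");
    }
    // allowEmptyPasswords defaults to true; with false an empty password is rejected here
    // instead of reaching a server that may treat it as an anonymous bind.
    static boolean passwordAllowed(Map<String, String> o, char[] password) {
        return password.length > 0 || flag(o, "allowEmptyPasswords", true);
    }
    // JNDI environment: java.naming.* options pass through; the user's DN and password
    // become Context.SECURITY_PRINCIPAL / SECURITY_CREDENTIALS for the bind.
    static Hashtable<String, Object> bindEnv(Map<String, String> o, String dn, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        o.forEach((k, v) -> { if (k.startsWith("java.naming.")) env.put(k, v); });
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return env;
    }
    // Role search under rolesCtxDN. The match value (username, or userDN when matchOnUserDN=true)
    // is passed as a filter argument so JNDI escapes it and it cannot alter the filter.
    // With roleAttributeIsDN=true each value is a role object's DN; its name comes from roleNameAttributeID.
    static Set<String> roles(DirContext ctx, Map<String, String> o, String username, String dn)
            throws NamingException {
        String roleAttr = o.get("roleAttributeID"), nameAttr = o.getOrDefault("roleNameAttributeID", "name");
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { roleAttr });
        String filter = "(" + o.get("uidAttributeID") + "={0})";
        Object[] args = { flag(o, "matchOnUserDN", false) ? dn : username };
        Set<String> found = new TreeSet<>();
        NamingEnumeration<SearchResult> hits = ctx.search(o.get("rolesCtxDN"), filter, args, sc);
        while (hits.hasMore()) {
            Attribute a = hits.next().getAttributes().get(roleAttr);
            for (int i = 0; a != null && i < a.size(); i++) {
                String v = a.get(i).toString();
                if (!flag(o, "roleAttributeIsDN", false)) { found.add(v); continue; }
                Attribute n = ctx.getAttributes(v, new String[] { nameAttr }).get(nameAttr);
                if (n != null) found.add(n.get().toString());
            }
        }
        return found;
    }
}
```

A caller would check passwordAllowed before opening an InitialDirContext with bindEnv, since the bind itself is what validates the password; roles is only consulted after that bind succeeds.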