java:ldapextloginmodule
Revision java:ldapextloginmodule [2022/12/02 22:02] (current) – external edit 127.0.0.1
====== LdapExtLoginModule ======

[[http://

The org.jboss.security.auth.spi.LdapExtLoginModule
is an alternate LDAP login module implementation that uses searches for
locating both the user to bind as for authentication as well as the
associated roles.

The roles query will recursively follow distinguished names (DNs)
to navigate a hierarchical role structure. The LoginModule options include
whatever options your LDAP JNDI provider supports.

Examples of standard property names are:

Context.INITIAL_CONTEXT_FACTORY = "
Context.SECURITY_PROTOCOL = "
Context.PROVIDER_URL = "
Context.SECURITY_AUTHENTICATION = "
The authentication happens in 2 steps:

# An initial bind to the LDAP server is done using the __bindDN__ and __bindCredential__ options.

The __bindDN__ is some user with the ability to search both
the __baseDN__ and __rolesCtxDN__ trees for the user and roles.

The user DN to authenticate against is queried using the filter
specified by the __baseFilter__ attribute (see the __baseFilter__
option description for its syntax).

# The resulting user DN is then authenticated by binding to the LDAP
server using the user DN as the InitialLdapContext environment
Context.SECURITY_PRINCIPAL.

The Context.SECURITY_CREDENTIALS property is set to the String
password obtained by the callback handler. If this is successful, the associated
user roles are queried using the __rolesCtxDN__,
__roleAttributeIsDN__,
The full module properties include:

__baseCtxDN__ : The fixed DN of the context to start the user search from.

__bindDN__ : The DN used to bind against the LDAP server for the user and roles queries.
This is some DN with read/search permissions on the baseCtxDN and rolesCtxDN values.

__bindCredential__ : The password for the bindDN. This can be encrypted if the
jaasSecurityDomain is specified.

__jaasSecurityDomain__ : The JMX ObjectName of the JaasSecurityDomain to use to
decrypt the java.naming.security.principal. The encrypted form of the password
is that returned by the JaasSecurityDomain#
The org.jboss.security.plugins.PBEUtils can also be used to generate the encrypted form.

__baseFilter__ : A search filter used to locate the context of the user to authenticate.

The input username/
substituted into the filter anywhere a "
behavior comes from the standard __DirContext.search(Name,
SearchControls cons)__ method. A common example search filter is "
__rolesCtxDN__ : The fixed DN of the context to search for user roles.
Consider that this is not the Distinguished Name of where the actual roles are;
rather, this is the DN of where the objects containing the user roles are
(e.g. for Active Directory, this is the DN where the user account is).

__roleFilter__ : A search filter used to locate the roles associated with the
authenticated user. The input username/
callback will be substituted into the filter anywhere a "

The authenticated userDN will be substituted into the filter anywhere a "
An example search filter that matches on the input username is: "
An alternative that matches on the authenticated userDN is: "

__roleAttributeIsDN__ : A flag indicating whether the user's role attribute contains
the fully distinguished name of a role object, or the users'
the role name. If false, the role name is taken from the value of the user's role
attribute. If true, the role attribute represents the distinguished name of a role object.
The role name is taken from the value of the __roleNameAttributeID__ attribute of the
corresponding object.

In certain directory schemas (e.g., Microsoft Active Directory), role (group) attributes
in the user object are stored as DNs to role objects instead of as simple names,
in which case this property should be set to true. The default value of this
property is false.

__roleNameAttributeID__ : The name of the attribute of the role object which corresponds
to the name of the role. If the __roleAttributeIsDN__ property is set to true, this
property is used to find the role object'
property is set to false, this property is ignored.

__roleRecursion__ : How deep the role search will go below a given matching context.
Disable with 0, which is the default.

__searchTimeLimit__ : The timeout in milliseconds
for the user/role searches. Defaults to 10000 (10 seconds).

__searchScope__ : Sets the search scope to one of the following strings. The default is
SUBTREE_SCOPE.

OBJECT_SCOPE : only search the named roles context. \\
ONELEVEL_SCOPE : search directly under the named roles context. \\
SUBTREE_SCOPE : if the roles context is not a DirContext, search only the object; \\
if the roles context is a DirContext, search the subtree rooted at the
named object, including the named object itself.

__allowEmptyPasswords__ : A flag indicating if empty (length==0) passwords should be
passed to the LDAP server. An empty password is treated as an anonymous login
by some LDAP servers and this may not be a desirable feature. Set this to false to
reject empty passwords, true to have the LDAP server validate the empty password.
The default is true.
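The two-step bind and the recursive role query described above, as an added example that is not JBoss code: a Python model of the module's login logic run against a constructed in-memory directory, using the option names from this page. It assumes the {0} (username) and {1} (user DN) filter placeholders of the JBoss module, supports only single (attr=value) filters, and uses the roleAttributeID option (the attribute read from each matched entry), which the page's option list does not reach.

```python
DIRECTORY = {  # constructed sample directory (not real data): DN -> attribute -> values
    "cn=svc-bind,ou=svc,dc=example,dc=com": {"userPassword": ["bind-secret"]},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "userPassword": ["al1ce-pw"],
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"cn": ["admins"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {"cn": ["staff"],
        "member": ["cn=admins,ou=groups,dc=example,dc=com"]},
}
OPTS = {  # constructed option set using the module's property names (group-style lookup)
    "bindDN": "cn=svc-bind,ou=svc,dc=example,dc=com", "bindCredential": "bind-secret",
    "baseCtxDN": "ou=people,dc=example,dc=com", "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=groups,dc=example,dc=com", "roleFilter": "(member={1})",
    "roleAttributeID": "cn", "roleAttributeIsDN": False, "roleNameAttributeID": "cn",
    "roleRecursion": 1, "allowEmptyPasswords": False,
}

def simple_bind(dn, password):
    """Models a server that accepts an empty password as an anonymous bind."""
    return password == "" or password in DIRECTORY.get(dn, {}).get("userPassword", [])

def search(base_dn, flt):
    """Subtree search for a single (attr=value) filter; returns the matching DNs."""
    attr, value = flt[1:-1].split("=", 1)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and value in attrs.get(attr, [])]

def login(opts, username, password):
    """Returns the sorted role names on success, or None when the login fails."""
    if password == "" and not opts.get("allowEmptyPasswords", True):
        return None                                  # rejected before any bind is attempted
    if not simple_bind(opts["bindDN"], opts["bindCredential"]):
        return None                                  # step 1: service bind failed
    users = search(opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))
    if len(users) != 1 or not simple_bind(users[0], password):
        return None                                  # step 2: user lookup or user bind failed
    roles = set()
    def roles_search(dn_for_filter, nesting):
        # text substitution here; the real module passes {0}/{1} as filterArgs, which JNDI escapes
        flt = opts["roleFilter"].replace("{0}", username).replace("{1}", dn_for_filter)
        for entry_dn in search(opts["rolesCtxDN"], flt):
            for value in DIRECTORY[entry_dn].get(opts["roleAttributeID"], []):
                if opts["roleAttributeIsDN"]:         # value is the DN of a role object
                    roles.update(DIRECTORY.get(value, {}).get(opts["roleNameAttributeID"], []))
                else:                                 # value is the role name itself
                    roles.add(value)
            if nesting < int(opts.get("roleRecursion", 0)):
                roles_search(entry_dn, nesting + 1)   # follow nested membership via the entry's DN
    roles_search(users[0], 0)
    return sorted(roles)
```

Calling login() with an empty password and allowEmptyPasswords set to true returns alice's roles, because the modelled server treats the empty password as a successful anonymous bind; with the option set to false the login is rejected before any bind is attempted.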