JNDILoginModule

Last modified by RaffaelloPelagalli on 2007/01/23 17:47

description

This login module performs JNDI authentication for your web application: it uses the JNDI abstraction layer to connect to a directory service such as an LDAP directory (Active Directory included) and binds with the credentials the user supplied.

This login module does NOT yet retrieve user roles from the directory. Only authentication and credentials are supported in this release.

Most of the parameters described on this page are the javax.naming.Context constants (java.naming.*) listed here:

Context constants page

connections

Connections can be established either through manual configuration or via an application server JNDI lookup.

Every connection parameter must carry a prefix that says which connection it configures: 'preauth.' for the connection used to search for the user entry, 'auth.' for the connection that binds as the user. An option without the prefix does not apply to either connection.

These settings apply to both the direct authentication and the pre-authentication modes.

manual configuration

  • initial context factory
.....
preauth.java.naming.factory.initial
com.sun.jndi.ldap.LdapCtxFactory
.....

  • provider url
preauth.java.naming.provider.url
ldap://mycompany.com:389

  • authentication mode
You can use none (anonymous bind), simple (DN and password sent as-is) or the name of a SASL mechanism supported by both the server and the provider, for example CRAM-MD5 (RFC 2195), DIGEST-MD5 or GSSAPI.

preauth.java.naming.security.authentication
none

A simple bind sends the password in clear text, so use it only over an ldaps:// URL in production. 'none' is enough for the search connection as long as the directory allows anonymous reads of the entries being searched; if it does not, give the search connection its own read-only service account with preauth.java.naming.security.principal and preauth.java.naming.security.credentials (the same prefix rule applies).

  • activate connection pooling
Some JNDI service providers offer connection pooling. With the LDAP provider shipped by Sun, the configuration is:
preauth.com.sun.jndi.ldap.connect.pool
true

  • define the preferred number of connections
preauth.com.sun.jndi.ldap.connect.pool.prefsize
5

  • define the connection timeout
preauth.com.sun.jndi.ldap.connect.pool.timeout
300000

This value is the number of milliseconds (5 minutes in this example) that an idle connection may remain in the pool before it is closed and removed from the pool.

  • other connection pool settings
Other pool settings are listed on the JNDI/LDAP service provider documentation page.

  • activate the fast bind connection mode for Active Directory
A specific LDAP control (fast bind, LDAP_SERVER_FAST_BIND_OID) can be activated against an Active Directory server. In fast bind mode the domain controller only checks the credentials of a simple bind and does not build the caller's security token, so binds are cheaper but the connection is good for nothing but credential validation. More details on it here: Active directory LDAP server fast bind mode documentation
preauth.fastBindConnection
true

application server JNDI lookup

Connections can also be retrieved from the application server's JNDI tree. To say which name is looked up, put the JNDI name after the prefix:

preauth.jndi
myDs

use cases

Different use cases are possible, depending on how the Distinguished Name (DN), the path to the user entry, is found.

This DN will be used to:

    • authenticate the user
    • grab its associated credentials.

direct authentication (auth mode)

Authentication parameters start with the 'auth.' prefix.

The DN is known directly from the userDN parameter and the user login. For example:

auth.userDN
cn={0},ou=mysection,dc=mycompany,dc=com

The {0} is replaced by the login provided by the user. A DN is written leaf first (the user's RDN, then the containers up to the naming context), so the value above names the entry cn=<login> under ou=mysection in dc=mycompany,dc=com. Because the login is inserted into a DN, a value containing DN special characters (',', '+', '"', '\', '<', '>', ';', a leading '#' or a leading/trailing space) must be escaped as in RFC 4514 or rejected before it reaches the module.

pre-authentication (preauth mode)

When the user DN cannot be known in advance, a first search is done to find it. Pre-authentication parameters start with the 'preauth.' prefix; the DN returned by the search is then bound with the password the user supplied.

  • base DN
This parameter defines the Distinguished Name (path) from which the search starts.

preauth.search.base.dn
dc=mycompany,dc=com

  • search filter
This parameter defines the LDAP filter used to locate the DN of the user. The {0} is replaced by the login provided by the user; the filter should match exactly one entry, so pin it to the attribute that holds the login rather than to a wildcard. Since the login lands inside the filter, it has to be escaped as in RFC 4515 ('*', '(', ')', '\' and NUL) before substitution; if the module does not do that, reject such logins before they reach it.

preauth.search.filter
(&(samAccountName={0})(!(proxyAddresses=*)))

  • search scope
For object scope (the base entry only, SearchControls.OBJECT_SCOPE), use 0.

For one level scope (the direct children of the base, SearchControls.ONELEVEL_SCOPE), use 1.

For subtree scope (the base and everything under it, SearchControls.SUBTREE_SCOPE), use 2.

preauth.searchcontrols.searchscope
2
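
Both placeholders above, the {0} of auth.userDN and the {0} of preauth.search.filter, are filled with a value the user typed. The Python below is an added example, not jGuard code: it shows the escaping each placement needs (RFC 4515 for a filter value, RFC 4514 for an RDN value) beside plain string replacement, using the page's own filter and a leaf-first userDN template. The function names and the hostile logins are constructed for the illustration. Whether jGuard escapes the login before substituting it is not stated on this page; if it does not, the safe course is to reject logins containing these characters before they reach the login module.

```python
"""Safe filling of the {0} login placeholder used by auth.userDN and
preauth.search.filter.  Added illustration, not jGuard code: it applies the
escaping rules of RFC 4515 (search filter values) and RFC 4514 (DN values)
and shows, beside them, what plain string replacement lets a login do."""

# RFC 4515 section 3: hex-escape the characters that carry meaning in a
# filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, login: str) -> str:
    """Fill {0} in a preauth.search.filter template with the login escaped."""
    return template.replace("{0}", escape_filter_value(login))


def render_search_filter_unsafe(template: str, login: str) -> str:
    """Plain replacement, kept only to make the injection visible."""
    return template.replace("{0}", login)


# RFC 4514 section 2.4: characters that need a backslash in an RDN value,
# plus '#' in first position and a space in first or last position.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and i in (0, last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def render_user_dn(template: str, login: str) -> str:
    """Fill {0} in an auth.userDN template with the login escaped."""
    return template.replace("{0}", escape_dn_value(login))


if __name__ == "__main__":
    # Constructed inputs: the page's own filter template and hostile logins.
    # A bare '*' makes the unsafe filter match every account, 'adm*' matches
    # any account starting with 'adm' without knowing its exact name.
    template = "(&(samAccountName={0})(!(proxyAddresses=*)))"
    for login in ("jdoe", "*", "adm*"):
        print("unsafe:", render_search_filter_unsafe(template, login))
        print("safe:  ", render_search_filter(template, login))
    print(render_user_dn("cn={0},ou=mysection,dc=mycompany,dc=com", "Doe, John"))
```

The escaped filter turns a wildcard login into a literal lookup for an account actually named "*", so the search returns nothing instead of the whole directory; the same applies to the DN, where an unescaped comma would let the login add RDNs of its own.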

which connection to use to populate the Subject (user)

Usually jGuard reuses the connection that authenticated the user (the 'auth.' one, bound as the user) to look up the user entry when the Subject is populated.

In pre-authentication mode it can be useful to take the information directly from the entry the search already found, over the connection that found it (the 'preauth.' one), instead of doing a second lookup as the user.

To do that, add this parameter (no prefix, it is a module-level switch):

contextforcommit
true

complete configuration example with preauth

In your jGuardAuthentication.xml file (option names and their values are listed on alternating lines; the plain ldap:// URLs are kept from the original, in production point the 'auth.' connection at an ldaps:// URL since it does a simple bind):

.......
net.sf.jguard.ext.authentication.loginmodules.JNDILoginModule
REQUIRED
preauth.java.naming.factory.initial
com.sun.jndi.ldap.LdapCtxFactory
preauth.java.naming.provider.url
ldap://yourcompany.com:389
preauth.java.naming.security.authentication
none
preauth.searchcontrols.searchscope
2
preauth.search.base.dn
dc=stuff,dc=com
preauth.search.filter
(&(samAccountName={0})(!(proxyAddresses=*)))
auth.java.naming.factory.initial
com.sun.jndi.ldap.LdapCtxFactory
auth.java.naming.provider.url
ldap://yourcompany.com:389
auth.java.naming.security.authentication
simple
contextforcommit
true
.......

Direct Authentication configuration example

........
net.sf.jguard.ext.authentication.loginmodules.JNDILoginModule
REQUIRED
auth.java.naming.factory.initial
com.sun.jndi.ldap.LdapCtxFactory
auth.java.naming.provider.url
ldap://168.12.45.88:389
auth.java.naming.security.authentication
simple
auth.com.sun.jndi.ldap.connect.pool
true
auth.com.sun.jndi.ldap.connect.pool.prefsize
5
contextforcommit
false
auth.userDN
{0}
......

With auth.userDN set to just {0}, what the user typed is used as the bind name unchanged, so the login must be a full DN (or, against Active Directory, a userPrincipalName such as user@domain.com, which Active Directory accepts in a simple bind). The plain ldap:// URL is kept from the original; since this connection does a simple bind, use ldaps:// in production.
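
Before the options go into jGuardAuthentication.xml it is worth running the rules this page states over them. The Python below is an added example, not part of jGuard: it parses the flattened name/value form used on this page, then flags options without the 'preauth.'/'auth.' prefix, duplicated options, a missing search base or filter in pre-authentication mode, a missing or placeholder-less auth.userDN in direct mode, fast bind combined with a SASL mechanism, and a simple bind over a plain ldap:// URL. The two inputs are constructed: the direct-authentication example as this page originally printed it (with a duplicated key, unprefixed pool keys and a simple bind over ldap://), and a hardened copy of it in which the ldaps:// port and the DN template are assumptions.

```python
"""Static checks on a JNDILoginModule option list.  Added illustration, not
jGuard code.  Rules from this page: every connection option carries the
'preauth.' or 'auth.' prefix, preauth needs a base DN and a filter, direct
mode needs auth.userDN, fast bind is a simple-bind Active Directory mode.
General LDAP rule added: a simple bind over plain ldap:// sends the password in clear."""

PREFIXES = ("preauth.", "auth.")
# Module-level switch this page documents without a connection prefix.
UNPREFIXED_OK = {"contextforcommit"}


def parse_module_block(text):
    """Read the flattened form used on this page: class name, flag, then
    alternating option-name / option-value lines (dotted separators and
    blank lines are skipped).  Returns (class, flag, [(name, value), ...])."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and set(ln) != {"."}]
    clazz, flag, rest = lines[0], lines[1], lines[2:]
    if len(rest) % 2:
        raise ValueError("option name without a value")
    return clazz, flag, list(zip(rest[0::2], rest[1::2]))


def check_options(options):
    """options: [(name, value)] in file order.  Returns the list of findings;
    an empty list means nothing to report."""
    findings, seen = [], {}
    for name, value in options:
        if name in seen:
            findings.append(f"duplicate option {name!r}")
        seen[name] = value
        if not name.startswith(PREFIXES) and name not in UNPREFIXED_OK:
            findings.append(f"{name!r} has no preauth./auth. prefix, "
                            "so neither connection sees it")
    per_mode = {p: {k[len(p):]: v for k, v in seen.items() if k.startswith(p)}
                for p in PREFIXES}
    for prefix, mode in per_mode.items():
        url = mode.get("java.naming.provider.url", "")
        auth = mode.get("java.naming.security.authentication", "none")
        if auth == "simple" and url.startswith("ldap://"):
            findings.append(f"{prefix}simple bind over {url}: the password "
                            "crosses the wire in clear, use ldaps://")
        if mode.get("fastBindConnection") == "true" and auth not in ("none", "simple"):
            findings.append(f"{prefix}fastBindConnection=true only works with "
                            f"simple binds, not the SASL mechanism {auth!r}")
    preauth, direct = per_mode["preauth."], per_mode["auth."]
    if preauth:
        for required in ("search.base.dn", "search.filter"):
            if required not in preauth:
                findings.append(f"preauth.{required} is missing")
    elif "userDN" not in direct:
        findings.append("direct mode needs auth.userDN (no preauth.* search is configured)")
    elif "{0}" not in direct["userDN"]:
        findings.append("auth.userDN has no {0} placeholder, "
                        "every user would bind as the same DN")
    return findings


# Constructed input: the direct-authentication example as this page printed
# it (duplicated key, unprefixed pool keys, simple bind over plain ldap://).
DIRECT_AUTH_AS_PRINTED = """........
net.sf.jguard.ext.authentication.loginmodules.JNDILoginModule
REQUIRED
auth.java.naming.factory.initial
com.sun.jndi.ldap.LdapCtxFactory
auth.java.naming.provider.url
ldap://168.12.45.88:389
auth.java.naming.security.authentication
simple
auth.java.naming.security.authentication
simple
com.sun.jndi.ldap.connect.pool
true
com.sun.jndi.ldap.connect.pool.prefsize
5
contextforcommit
false
auth.userDN
{0}
"""

# The same module with those problems fixed; the ldaps:// port and the DN
# template are assumptions made for the illustration.
DIRECT_AUTH_HARDENED = """net.sf.jguard.ext.authentication.loginmodules.JNDILoginModule
REQUIRED
auth.java.naming.factory.initial
com.sun.jndi.ldap.LdapCtxFactory
auth.java.naming.provider.url
ldaps://168.12.45.88:636
auth.java.naming.security.authentication
simple
auth.com.sun.jndi.ldap.connect.pool
true
auth.com.sun.jndi.ldap.connect.pool.prefsize
5
contextforcommit
false
auth.userDN
cn={0},ou=mysection,dc=mycompany,dc=com
"""
```

Running check_options over the parsed DIRECT_AUTH_AS_PRINTED yields four findings (the duplicate, the two unprefixed pool keys and the clear-text simple bind); the hardened copy yields none. The pool keys get the 'auth.' prefix in the hardened copy because, per the prefix rule above, that is the connection they are meant to pool.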
Created by diabolo512 on 2006/02/09 14:40

jGuard team copyright 2004-2009
3.1.1