JNDILoginModule
description
This LoginModule permits JNDI authentication for your web application. It uses the JNDI abstraction layer to connect to a directory service such as an LDAP directory. This LoginModule does NOT yet retrieve user roles from the directory; only authentication and credentials are supported in this release. Most of the parameters detailed on this page come from the JNDI Context constants detailed here: Context constants page
connections
Connections can be established either through manual configuration or via an application server JNDI lookup. For all parameters, you have to include the prefix ('preauth.' or 'auth.'). These settings apply to both the direct authentication and the pre-authentication modes.
manual configuration
- initial context factory
  preauth.java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory
- provider url
  preauth.java.naming.provider.url ldap://mycompany.com:389
- authentication mode
  java.naming.security.authentication none
- activate connection pooling
  preauth.com.sun.jndi.ldap.connect.pool true
- define the preferred number of connections
  preauth.com.sun.jndi.ldap.connect.pool.prefsize 5
- define the connection pool timeout (milliseconds)
  preauth.com.sun.jndi.ldap.connect.pool.timeout 300000
- other connection pool settings
- activate the Fast bind connection mode for Active Directory
  preauth.fastBindConnection true
application server JNDI lookup
Connections can also be retrieved from the application server's JNDI system. To specify the name used to look up the context, append 'jndi' to the prefix and give the JNDI name as the value:
preauth.jndi myDs
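As an added example (not jGuard's own code), the following Java class shows how the prefixed options above can be turned into a JNDI environment for one mode: options carrying the requested prefix ('preauth.' or 'auth.') are kept with the prefix stripped, an unprefixed JNDI property such as java.naming.security.authentication applies to both modes unless a prefixed one overrides it, and the '<prefix>jndi' option switches to an application server lookup instead of opening an InitialDirContext from the manual settings. The class name JndiContextBuilder, its method names and the constructed option map in main are assumptions for illustration; the option keys are the ones on this page.

```java
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example, not jGuard's own code: build the JNDI environment for one
// mode ("preauth." or "auth.") from the prefixed LoginModule options.
public class JndiContextBuilder {

    // Only JNDI/provider properties belong in the environment; module-specific
    // options (search.*, userDN, fastBindConnection, jndi) are handled elsewhere.
    static boolean isJndiProperty(String key) {
        return key.startsWith("java.naming.") || key.startsWith("com.sun.jndi.");
    }

    // Unprefixed JNDI properties (as "java.naming.security.authentication none"
    // on this page) apply to both modes; a prefixed one wins for its own mode.
    public static Hashtable<String, String> environmentFor(Map<String, ?> options, String prefix) {
        Hashtable<String, String> env = new Hashtable<>();
        for (Map.Entry<String, ?> e : options.entrySet()) {
            if (isJndiProperty(e.getKey())) {
                env.put(e.getKey(), String.valueOf(e.getValue()));
            }
        }
        for (Map.Entry<String, ?> e : options.entrySet()) {
            if (e.getKey().startsWith(prefix)) {
                String key = e.getKey().substring(prefix.length());
                if (isJndiProperty(key)) {
                    env.put(key, String.valueOf(e.getValue()));
                }
            }
        }
        return env;
    }

    // "<prefix>jndi myDs": look the DirContext up in the application server;
    // otherwise open it from the manual settings, refusing to start without
    // a factory and a provider URL rather than falling back to JNDI defaults.
    public static DirContext open(Map<String, ?> options, String prefix) throws NamingException {
        Object jndiName = options.get(prefix + "jndi");
        if (jndiName != null) {
            return (DirContext) new InitialContext().lookup(jndiName.toString());
        }
        Hashtable<String, String> env = environmentFor(options, prefix);
        if (!env.containsKey(Context.INITIAL_CONTEXT_FACTORY) || !env.containsKey(Context.PROVIDER_URL)) {
            throw new NamingException("missing " + prefix + Context.INITIAL_CONTEXT_FACTORY
                    + " or " + prefix + Context.PROVIDER_URL);
        }
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        // Constructed options mirroring the preauth example on this page.
        Map<String, String> options = new LinkedHashMap<>();
        options.put("preauth.java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        options.put("preauth.java.naming.provider.url", "ldap://yourcompany.com:389");
        options.put("java.naming.security.authentication", "none");
        options.put("preauth.com.sun.jndi.ldap.connect.pool", "true");
        options.put("preauth.com.sun.jndi.ldap.connect.pool.prefsize", "5");
        options.put("preauth.search.base.dn", "dc=stuff,dc=com");
        options.put("auth.java.naming.security.authentication", "simple");

        System.out.println("preauth env: " + environmentFor(options, "preauth."));
        System.out.println("auth env:    " + environmentFor(options, "auth."));
    }
}
```

Keeping non-JNDI options out of the environment matters because the JDK LDAP provider keys pooled connections on the environment it receives; module-specific keys would only fragment the pool without changing how the connection is opened.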
use cases
Different use cases are possible, depending on how to find the Distinguished Name (DN), which is the path to the user entry. This DN will be used to:
- authenticate the user
- grab its associated credentials
direct authentication (auth mode)
Authentication parameters start with the 'auth.' prefix. The DN is known directly from the userDN parameter and the user login. For example:
auth.userDN="dc=com,dc=mycompany,ou=mysection,cn={0}"
pre-authentication (preauth mode)
When the user DN cannot be known in advance, a first search must be done to find it. Pre-authentication parameters start with the 'preauth.' prefix.
- base DN
  preauth.search.base.dn dc=mycompany,dc=com
- search filter
  preauth.search.filter (&(samAccountName={0})(!(proxyAddresses=*)))
- search scope
  preauth.searchcontrols.searchscope 2
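As an added example (not jGuard's own code) covering both the direct and the pre-authentication modes above: in auth mode the login is placed into the userDN template and a simple bind is attempted; in preauth mode the preauth connection searches the base DN with the filter template and scope, then a bind is attempted as the entry found. The class name LdapAuthFlows and its method names are assumptions for illustration; the option names and the filter in the comments and in main are the page's. Two points the page does not spell out are handled: the login is escaped before it is substituted into a filter (RFC 4515) or a DN (RFC 4514), and an empty password or a search returning zero or several entries fails closed. The DN template in the comment is written with its RDNs leaf-first, which is the standard DN order.

```java
import java.text.MessageFormat;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Rdn;

// Added example, not jGuard's own code: the two authentication flows described
// on this page, with the user login escaped before it is placed into a DN
// template ("auth" mode) or a search filter ("preauth" mode).
public class LdapAuthFlows {

    // RFC 4515 filter escaping: the login is data, never filter syntax.
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // RFC 4514 DN escaping (',', '+', '"', '\', '<', '>', ';', leading '#', spaces).
    public static String escapeDnValue(String value) {
        return Rdn.escapeValue(value);
    }

    // Simple bind as the resolved DN. An empty password is refused before any
    // network call: LDAP treats "DN + empty password" as an unauthenticated
    // bind (RFC 4513 section 5.1.2), which many servers accept, so it must
    // never count as a successful login.
    static DirContext bind(Hashtable<String, Object> baseEnv, String dn, char[] password)
            throws NamingException {
        if (dn == null || dn.isEmpty() || password == null || password.length == 0) {
            throw new NamingException("authentication failed");
        }
        Hashtable<String, Object> env = new Hashtable<>(baseEnv);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // "auth" mode: auth.userDN is a template whose {0} receives the login,
    // e.g. "cn={0},ou=mysection,dc=mycompany,dc=com" (RDNs leaf-first).
    public static DirContext directAuth(Hashtable<String, Object> authEnv, String userDnTemplate,
                                        String login, char[] password) throws NamingException {
        String dn = MessageFormat.format(userDnTemplate, escapeDnValue(login));
        return bind(authEnv, dn, password);
    }

    // "preauth" mode: search with the preauth context (preauth.search.base.dn,
    // preauth.search.filter, preauth.searchcontrols.searchscope), then bind as
    // the single entry found. Zero hits and several hits both fail closed.
    public static DirContext preAuth(DirContext preauthCtx, Hashtable<String, Object> bindEnv,
                                     String baseDn, String filterTemplate, int searchScope,
                                     String login, char[] password) throws NamingException {
        String filter = MessageFormat.format(filterTemplate, escapeFilterValue(login));
        SearchControls controls = new SearchControls();
        controls.setSearchScope(searchScope);            // 2 == SearchControls.SUBTREE_SCOPE
        controls.setCountLimit(2);                       // enough to detect an ambiguous login
        controls.setReturningAttributes(new String[0]); // only the entry's DN is needed here
        NamingEnumeration<SearchResult> results = preauthCtx.search(baseDn, filter, controls);
        String userDn;
        try {
            if (!results.hasMore()) {
                throw new NamingException("authentication failed");
            }
            userDn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("authentication failed (ambiguous login)");
            }
        } finally {
            results.close();
        }
        // The caller then decides, per "contextforcommit", whether the user's
        // entry is re-read through the returned context or through preauthCtx.
        return bind(bindEnv, userDn, password);
    }

    public static void main(String[] args) {
        // Offline demonstration on constructed input: metacharacters in a login
        // are escaped rather than interpreted by the directory.
        String login = "j.doe*(test)";
        System.out.println(MessageFormat.format(
                "(&(samAccountName={0})(!(proxyAddresses=*)))", escapeFilterValue(login)));
        System.out.println(MessageFormat.format(
                "cn={0},ou=mysection,dc=mycompany,dc=com", escapeDnValue("Doe, John")));
    }
}
```

The preauth search and the user bind use different environments on purpose: the search runs with the preauth settings (anonymous or a dedicated service account), while the bind environment carries the auth settings, so a user never authenticates through the connection that was used to find them unless contextforcommit explicitly asks for it.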
which connection to use to populate the Subject (user)
Usually, jGuard reuses the connection used to authenticate the user to do a lookup on the user entry. Sometimes it can be useful to grab the information directly through the pre-authentication connection, from the LDAP entry found while searching for the user DN. To do so, include this parameter:
contextforcommit true
complete configuration example with preauth
In your jGuardAuthentication.xml file (surrounding elements omitted):
...
net.sf.jguard.ext.authentication.loginmodules.JNDILoginModule
REQUIRED
preauth.java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory
preauth.java.naming.provider.url ldap://yourcompany.com:389
java.naming.security.authentication none
preauth.searchcontrols.searchscope 2
preauth.search.base.dn dc=stuff,dc=com
preauth.search.filter (&(samAccountName={0})(!(proxyAddresses=*)))
auth.java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory
auth.java.naming.provider.url ldap://yourcompany.com:389
auth.java.naming.security.authentication simple
contextforcommit true
...
direct authentication configuration example
...
net.sf.jguard.ext.authentication.loginmodules.JNDILoginModule
REQUIRED
auth.java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory
auth.java.naming.provider.url ldap://168.12.45.88:389
auth.java.naming.security.authentication simple
com.sun.jndi.ldap.connect.pool true
com.sun.jndi.ldap.connect.pool.prefsize 5
contextforcommit false
auth.userDN {0}
...
on 23/01/2007 at 17:47