You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Database (SQL) Realm Administering security realms 
LDAP Deployment Descriptor Example
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.1">
	<environment>
		<moduleId>
			<groupId>groupName/groupId>
			<artifactId>artifactName</artifactId>
			<version>1.0</version>
		</moduleId>
		<dependencies>
			<dependency>
				<groupId>geronimo</groupId>
				<artifactId>j2ee-security</artifactId>
				<version>1.1</version>
				<type>car</type>
			</dependency>
		</dependencies>
	</environment>
	
	<gbean name="ldap-login"
		class="org.apache.geronimo.security.jaas.LoginModuleGBean">
		<attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
		<attribute name="serverSide">true</attribute>
		<attribute name="options">
			initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
                        connectionURL=ldap://localhost:1389
                        connectionUsername=uid=admin,ou=system
                        connectionPassword=secret
                        connectionProtocol=
                        authentication=simple
                        userBase=ou=users,ou=system
                        userSearchMatching=uid={0}
                        userSearchSubtree=false
                        roleBase=ou=groups,ou=system
                        roleName=cn
                        roleSearchMatching=(uniqueMember={0})
                        roleSearchSubtree=false
                        userRoleName=
		</attribute>
		<attribute name="loginDomainName">ldap-realm</attribute>
	</gbean>
	
	<gbean name="ldap-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
		<attribute name="realmName">ldap-realm</attribute>
		<reference name="LoginModuleConfiguration">
			<name>ldap-login</name>
		</reference>
		<reference name="ServerInfo">
			<name>ServerInfo</name>
		</reference>
		
		<reference name="LoginService">
			<name>JaasLoginService</name>
		</reference>
	</gbean>
	
	<gbean name="ldap-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
		<attribute name="controlFlag">REQUIRED</attribute>
		<reference name="LoginModule">
			<name>ldap-login</name>
		</reference>
	</gbean>
</module>

LDAPLoginModule Options

Tip: The key to working with the LDAP module is: KNOW YOUR LDAP SCHEMA.

class = org.apache.geronimo.security.realm.providers.LDAPLoginModule
Options:

  • initialContextFactory - the class name of the initial context factory. Usually com.sun.jndi.ldap.LdapCtxFactory.
  • connectionURL - LDAP connection URL, such as ldap://localhost:1389 . Note that the usual LDAP port is 389.
  • connectionUsername - this is the DN used by the login module itself for authentication to the directory server.
  • connectionPassword - this is credential (password) that is used by the login module to authenticate itself to the directory server
  • connectionProtocol - security protocol to use. This value is determined by the service provider. An example would be SSL. This can be left blank.
  • authentication - security level to use. Its value is one of the following strings: "none", "simple", "strong". If this property is unspecified, the behavior is determined by the service provider.
  • userBase - the base DN for the user search.
  • userSearchMatching - filter specification how to search for the user object. RFC 2254 filters are allowed. In addition you can pass parameter to the search filter instead of the literal value. For example: this is RFC 2254 filter spec: (cn=Babs Jensen). If you want to parameterize the value of the CN attribute type, specify (cn = {0}). This integer refers to the parameter number. Parameter value is the user name. This query must return exactly one object.
  • userSearchSubtree - Defines directory search scope for the user. If set to true, directory search scope is SUBTREE, if set to false, directory search scope is ONE-LEVEL.
  • roleBase - the base DN for the group membership search.
  • roleName - LDAP attribute type that identifies group name attribute in the object returned from the group membership query. Note that group membership query is defined by the roleSearchMatching parameter. Often group name parameter is cn.
  • roleSearchMatching - filter specification how to search for the role object. RFC 2254 filters are allowed. In addition you can pass parameters to the search filter instead of the literal value. For example: (uniqueMember = {0}). This integer refers to the parameter number. This parameter is the DN of the authenticated user. Note that if role membership for the user is defined in the member-of-like attribute (see userRoleName parameter) you may not need to search for group membership with the query.
  • roleSearchSubtree - Defines directory search scope for the role. If set to true, directory search scope is SUBTREE, if set to false, directory search scope is ONE-LEVEL.
  • userRoleName - LDAP attribute type for the user group membership. Different LDAP schemas represent user group membership in different ways. Examples are: memberOf, isMemberOf, member, etc. Values of these attributes are identifiers of groups that a user is a member of. For example, if you have: memberOf: cn=admin,ou=groups,dc=foo, specify memberOf as the value for the userRoleName attribute. Be aware of the relationship between this parameter and group membership query. Sometimes (often) they will return the same data.
    Database (SQL) Realm Administering security realms 
  • No labels