Authentication.xml configuration for LDAP

Shai If
2010-06-09
2013-05-08
  • Shai If
    2010-06-09

    Hi Charles,
    I am really impressed by your work on JGuard. Recently, I was trying to implement authentication using LDAP. I wanted to know how to write the authentication.xml file. In particular, what I should fill in for the following elements:
    1)<authenticationManager>
    2)<authenticationManagerOptions>

    Presently, JGuardAuthentication.xml file looks as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE configuration SYSTEM "jGuardAuthentication_1.00.dtd">
    <configuration>
    <!--
    2) I put authentication manager and
    authentication manager myself
    -->
    <authentication>
    <!-- 'local' or 'jvm' -->
    <!--
    things that will change: 1) authenticationManager tag 2) direct changes
    -->

    <scope>local</scope>
    <!--
    boolean option ('true' or 'false'), to activate the authorization
    debug mode
    -->
    <debug>true</debug>
    <includeOldConfig>false</includeOldConfig>
    <!-- java.security.auth.login.config -->
    <includeConfigFromJavaParam>false</includeConfigFromJavaParam>
    <includePolicyFromJavaParam>false</includePolicyFromJavaParam>
    <!-- <digestAlgorithm>MD5</digestAlgorithm> -->
    <!-- <salt>qsd846sdq6ds4</salt> -->

    <authenticationManager>net.sf.jguard.authentication.JNDIAuthenticationManager</authenticationManager>
    <authenticationManagerOptions>
    <option>
    <name>authenticationXmlFileLocation</name>
    <value>/WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml
    </value>
    </option>
    </authenticationManagerOptions>

    <loginModules>
    <!- specify which loginModules are used for authentication. ->
    <loginModule>
    <name>net.sf.jguard.ext.authentication.loginmodules.JNDILoginModule</name>
    <flag>REQUIRED</flag>
    <loginModuleOptions>
    <option>
    <name>preauth.java.naming.factory.initial</name>
    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
    </option>
    <option>
    <name>preauth.java.naming.provider.url</name>
    <value>ldap://192.168.200.57:389</value>
    </option>
    <option>
    <name>java.naming.security.authentication</name>
    <value>none</value>
    </option>
    <option>
    <name>preauth.searchcontrols.searchscope</name>
    <value>2</value>
    </option>
    <option>
    <name>preauth.search.base.dn</name>
    <value>DC=ad,DC=company,DC=com</value>
    </option>
    <option>
    <name>preauth.search.filter</name>
    <value>(&amp;(samAccountName={0})(!(proxyAddresses=*)))</value>
    </option>
    <option>
    <name>auth.java.naming.factory.initial</name>
    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
    </option>
    <option>
    <name>auth.java.naming.provider.url</name>
    <value>ldap://192.168.200.57:389</value>
    </option>
    <option>
    <name>auth.java.naming.security.authentication</name>
    <value>simple</value>
    </option>
    <option>
    <name>contextforcommit</name>
    <value>true</value>
    </option>
    </loginModuleOptions>
    </loginModule>
    </loginModules>
    </authentication>
    </configuration>

    Though there is no runtime error, it is not actually authenticating using LDAP.

    Regards,
    Shai

  • Charles Lescot
    2010-06-10

    Hi,
    thanks for your support.
    One difficulty about implementing AuthenticationManager and its related LoginModule is to bind them.
    To not reinvent the wheel, LDAPLoginModule must use an LDAPAuthenticationManager to authenticate the user.
    I think the UserLoginModule abstract class, which must be inherited by new loginModules providing identity to users, must be refined to express this relationship.

    In the current implementation (JNDILoginModule), there is no authenticationManager linked to manage an LDAP backend.
    So, a JNDIAuthenticationManager, or LDAPAuthenticationManager (depending on the API chosen to interact with the datastore), should be called by the related loginModule to avoid duplicated code.
    Hope it helps,

    Charles.

  • Charles Lescot
    2010-06-10

    Oops,
    sorry, my first answer is not very accurate (I misremembered that you had created an authenticationManager implementation for LDAP, but you did not).
    About your configuration:
    all seems OK.
    Maybe you can check that your LDAP directory receives a connection?
    Have you set the net.sf.jguard logger to debug?
    Hope it helps,

    Charles.

  • Shai If
    2010-06-11

    thanks Charles! I really appreciate your help. Actually, I am primarily concerned about the following part of the configuration:

    <authenticationManager>net.sf.jguard.authentication.JNDIAuthenticationManager</authenticationManager>
    <authenticationManagerOptions>
    <option>
    <name>authenticationXmlFileLocation</name>
    <value>/WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml
    </value>
    </option>

    </authenticationManagerOptions>

    When I run the code in eclipse, I get the following error:

    ClassNotFoundException DAOImpl problemnet.sf.jguard.authentication.JNDIAuthenticationManager

    I feel that the part of the configuration I have highlighted above has some problem with it. It would be great if you could let me know what the problem is and how I should fill in the tags. Basically, can you please fill in the tags below:

    <authenticationManager></authenticationManager>
    <authenticationManagerOptions>
    <option>
    <name></name>
    <value></value>
    </option>

    </authenticationManagerOptions>

    Thanks once again for your help!

  • Charles Lescot
    2010-06-11

    Hi,
    you've pointed out the issue:
    there is no JNDIAuthenticationManager implementation.
    But you can create a basic one, by extracting the code from JNDILoginModule into this new class.
    The JNDILoginModule will call JNDIAuthenticationManager to authenticate the user.
    You only have to implement the read methods at a minimum to make it work.

    hope it helps,

    Charles.