Hi Charles,
I am really impressed by your work on JGuard. Recently, I was trying to implement authentication using LDAP. I wanted to know how to write out the authentication.xml file. In particular, what i should fill for the following elements:
1)<authenticationManager>
2)<authenticationManagerOptions>
Presently, JGuardAuthentication.xml file looks as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE configuration SYSTEM "jGuardAuthentication_1.00.dtd">
<configuration>
<!-
2) I put authentication manger and
authentication manger myself
->
<authentication>
<!- 'local' or 'jvm' ->
<!-
things that will change: 1)authenticationAmanger tag 2)direct changes
->
<scope>local</scope>
<!-
boolean option('true' or 'false'), to activate the authorization
debug mode
->
<debug>true</debug>
<includeOldConfig>false</includeOldConfig>
<!- java.security.auth.login.config ->
<includeConfigFromJavaParam>false</includeConfigFromJavaParam>
<includePolicyFromJavaParam>false</includePolicyFromJavaParam>
<!- <digestAlgorithm>MD5</digestAlgorithm> ->
<!- <salt>qsd846sdq6ds4</salt> ->
Hi,
thanks for your support.
one diffculty about implementing AuthenticationManager and its related LoginModule, is to bind them.
to not reinvent the wheel, LDAPloginModule must use an LDAPAuthenticationManager to authenticate the user.
i think the UserLoginmodule abstract class, which must be inherited by new loginModule providing identity to users, must be refined to express this relationship.
in the current implementation (JNDILoginModule), there is no authenticationManager linked to manager an LDAP backend.
so, a JNDIAuthenticationmanager, or LDAPAuthenticationManager (depending on the API chosen to interact with the datastore), should be called by the related loginModule to avoid duplicated code.
hope it helps,
Charles.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
oups,
sorry, my first answer is not very accurate (i remind badly that you would create an authenticationManager implementation for LDPA, but not).
about your configuration:
all seems ok.
maybe can you check that your LDAP directory receive a connection ?
have you put net.sf.jguard logger to debug?
hope it helps,
Charles.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I feel that the part of the configuration I have highlighted above has some problem with it. It would be great if you could let me know what the problem is and how should I fill the tags. Basically, can you pls pls pls fill the tags below:
HI,
you've pointed the issue:
there is no JNDIAuthenticationManager implementation.
but you can create a basic one, by extracting the code from JNDILoginModule to this new class.
the JNDILoginModule will call JNDIauthenticaitonMAnager to authenticate the user.
you only have to implement read methods at a minimum to make it works.
hope it helps,
Charles.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi Charles,
I am really impressed by your work on JGuard. Recently, I was trying to implement authentication using LDAP. I wanted to know how to write out the authentication.xml file. In particular, what i should fill for the following elements:
1)<authenticationManager>
2)<authenticationManagerOptions>
Presently, JGuardAuthentication.xml file looks as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE configuration SYSTEM "jGuardAuthentication_1.00.dtd">
<configuration>
<!-
2) I put authentication manger and
authentication manger myself
->
<authentication>
<!- 'local' or 'jvm' ->
<!-
things that will change: 1)authenticationAmanger tag 2)direct changes
->
<scope>local</scope>
<!-
boolean option('true' or 'false'), to activate the authorization
debug mode
->
<debug>true</debug>
<includeOldConfig>false</includeOldConfig>
<!- java.security.auth.login.config ->
<includeConfigFromJavaParam>false</includeConfigFromJavaParam>
<includePolicyFromJavaParam>false</includePolicyFromJavaParam>
<!- <digestAlgorithm>MD5</digestAlgorithm> ->
<!- <salt>qsd846sdq6ds4</salt> ->
<authenticationManager>net.sf.jguard.authentication.JNDIAuthenticationManager</authenticationManager>
<authenticationManagerOptions>
<option>
<name>authenticationXmlFileLocation</name>
<value>/WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml
</value>
</option>
</authenticationManagerOptions>
<loginModules>
<!- specify which loginModules are used for authentication. ->
<loginModule>
<name>net.sf.jguard.ext.authentication.loginmodules.JNDILoginModule</name>
<flag>REQUIRED</flag>
<loginModuleOptions>
<option>
<name>preauth.java.naming.factory.initial</name>
<value>com.sun.jndi.ldap.LdapCtxFactory</value>
</option>
<option>
<name>preauth.java.naming.provider.url</name>
<value>ldap://192.168.200.57:389</value>
</option>
<option>
<name>java.naming.security.authentication</name>
<value>none</value>
</option>
<option>
<name>preauth.searchcontrols.searchscope</name>
<value>2</value>
</option>
<option>
<name>preauth.search.base.dn</name>
<value>DC=ad,DC=company,DC=com</value>
</option>
<option>
<name>preauth.search.filter</name>
<value>(&(samAccountName={0})(!(proxyAddresses=*)))</value>
</option>
<option>
<name>auth.java.naming.factory.initial</name>
<value>com.sun.jndi.ldap.LdapCtxFactory</value>
</option>
<option>
<name>auth.java.naming.provider.url</name>
<value>ldap://192.168.200.57:389</value>
</option>
<option>
<name>auth.java.naming.security.authentication</name>
<value>simple</value>
</option>
<option>
<name>contextforcommit</name>
<value>true</value>
</option>
</loginModuleOptions>
</loginModule>
</loginModules>
</authentication>
</configuration>
Though there is no runtime error, it is not actually authenticating using LDAP.
Regards,
Shai
Hi,
thanks for your support.
one diffculty about implementing AuthenticationManager and its related LoginModule, is to bind them.
to not reinvent the wheel, LDAPloginModule must use an LDAPAuthenticationManager to authenticate the user.
i think the UserLoginmodule abstract class, which must be inherited by new loginModule providing identity to users, must be refined to express this relationship.
in the current implementation (JNDILoginModule), there is no authenticationManager linked to manager an LDAP backend.
so, a JNDIAuthenticationmanager, or LDAPAuthenticationManager (depending on the API chosen to interact with the datastore), should be called by the related loginModule to avoid duplicated code.
hope it helps,
Charles.
oups,
sorry, my first answer is not very accurate (i remind badly that you would create an authenticationManager implementation for LDPA, but not).
about your configuration:
all seems ok.
maybe can you check that your LDAP directory receive a connection ?
have you put net.sf.jguard logger to debug?
hope it helps,
Charles.
thanks Charles! I really appreciate your help. Actually, I am primarily concerned about the following part of the configuration:
<authenticationManager>net.sf.jguard.authentication.JNDIAuthenticationManager</authenticationManager>
<authenticationManagerOptions>
<option>
<name>authenticationXmlFileLocation</name>
<value>/WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml
</value>
</option>
</authenticationManagerOptions >
When I run the code in eclipse, I get the following error:
ClassNotFoundException DAOImpl problemnet.sf.jguard.authentication.JNDIAuthenticationManager
I feel that the part of the configuration I have highlighted above has some problem with it. It would be great if you could let me know what the problem is and how should I fill the tags. Basically, can you pls pls pls fill the tags below:
<authenticationManager></authenticationManager>
<authenticationManagerOptions>
<option>
<name></name>
<value></value>
</option>
</authenticationManagerOptions >
Thanks once again for your help!
HI,
you've pointed the issue:
there is no JNDIAuthenticationManager implementation.
but you can create a basic one, by extracting the code from JNDILoginModule to this new class.
the JNDILoginModule will call JNDIauthenticaitonMAnager to authenticate the user.
you only have to implement read methods at a minimum to make it works.
hope it helps,
Charles.