From: Loren C. <lor...@gm...> - 2010-06-17 22:59:50
Hello folks,

I am working on getting the LDAP security configuration to be easier to set up for eXist. I am planning on adding a parameter tag within the security tag. It would be something like the following:

    <security class="org.exist.security.ldap.SecurityManagerImpl">
        <param name="AuthLDAPUrl">ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org?uid?sub?(objectclass=posixAccount)</param>
        <param name="AuthLDAPBindDN">cn=admin,dc=exist-db,dc=org</param>
        <param name="AuthLDAPBindPassword">1234</param>
        <param name="AuthLDAPGroupAttributeIsDN">off</param>
        <param name="AuthLDAPGroupAttribute">memberUid</param>
        <param name="Require">valid-user</param>
    </security>

This will centralize the properties for connecting to the LDAP server into conf.xml and no longer require the Java properties. It also implements the BIND that will have the passwords verified against LDAP. This would allow the Require to be valid-user, ldap-user, ldap-group, ldap-attribute or ldap-dn. This would allow limiting access to eXist to a subset of the users within an LDAP server. A corporate-wide LDAP server can contain users that should not have access to eXist.

I am looking at this configuration and also the one that I am recommending for the Jetty LoginModule configuration. Those entries would be something like:

    <security class="org.exist.security.ldap.SecurityManagerImpl">
        <param name="debug">true</param>
        <param name="useLdaps">false</param>
        <param name="contextFactory">com.sun.jndi.ldap.LdapCtxFactory</param>
        <param name="hostname">127.0.0.1</param>
        <param name="port">389</param>
        <param name="bindDn">cn=admin,dc=exist-db,dc=org</param>
        <param name="bindPassword">1234</param>
        <param name="authenticationMethod">simple</param>
        <param name="forceBindingLogin">true</param>
        <param name="userBaseDn">ou=Users,dc=exist-db,dc=org</param>
        <param name="userRdnAttribute">uid</param>
        <param name="userIdAttribute">uid</param>
        <param name="userPasswordAttribute">userPassword</param>
        <param name="userObjectClass">posixAccount</param>
        <param name="roleBaseDn">ou=Groups,dc=exist-db,dc=org</param>
        <param name="roleNameAttribute">cn</param>
        <param name="roleMemberAttribute">memberUid</param>
        <param name="roleObjectClass">posixGroup</param>
    </security>

I am using the following configuration in tools/jetty/etc/login.conf:

    eXistDB {
        org.eclipse.jetty.plus.jaas.spi.LdapLoginModule REQUIRED
            debug="true"
            useLdaps="false"
            contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
            hostname="127.0.0.1"
            port="389"
            bindDn="cn=admin,dc=exist-db,dc=org"
            bindPassword="1234"
            authenticationMethod="simple"
            forceBindingLogin="true"
            userBaseDn="ou=Users,dc=exist-db,dc=org"
            userRdnAttribute="uid"
            userIdAttribute="uid"
            userPasswordAttribute="userPassword"
            userObjectClass="posixAccount"
            roleBaseDn="ou=Groups,dc=exist-db,dc=org"
            roleNameAttribute="cn"
            roleMemberAttribute="memberUid"
            roleObjectClass="posixGroup";
    };

I need to implement a Credential subclass that will be something similar to the Password class, but implemented for LDAP.

Loren
From: Dmitriy S. <sha...@gm...> - 2010-06-18 03:45:24
Attachments:
smime.p7s
On Thu, 2010-06-17 at 17:59 -0500, Loren Cahlander wrote:
> org.exist.security.ldap.SecurityManagerImpl

Can it be org.exist.security.ldap.RealmImpl.java? The design is quite simple: one SecurityManager - several Realms attached to it.

http://exist.svn.sourceforge.net/viewvc/exist/branches/shabanovd/animo/src/org/exist/security/

On an authentication request this method in SecurityManager will be called:

    public Account authenticate(String username, Object credentials) throws ExceptionAuthentication {
        Account account = null;
        for (Realm realm : realms.values()) {
            account = realm.authenticate(username, credentials);
            if (account != null)
                return account;
        }
        throw new ExceptionAuthentication("User [" + username + "] not found");
    }

As you can see it will go through all attached realms & try to get the authenticated user account.

-- 
Cheers,

Dmitriy Shabanov
From: Loren C. <lor...@gm...> - 2010-06-18 15:43:33
Hello Dmitriy,

The problem that I have been encountering is org.exist.security.UserImpl.authenticate(). I think that we need to move the current UserImpl into internal and create a new UserImpl under ldap that authenticates against the LDAP server.

Loren

On Jun 17, 2010, at 10:45 PM, Dmitriy Shabanov wrote:

> On Thu, 2010-06-17 at 17:59 -0500, Loren Cahlander wrote:
>> org.exist.security.ldap.SecurityManagerImpl
>
> Can it be org.exist.security.ldap.RealmImpl.java? The design is quite simple: one SecurityManager - several Realms attached to it.
>
> http://exist.svn.sourceforge.net/viewvc/exist/branches/shabanovd/animo/src/org/exist/security/
>
> On an authentication request this method in SecurityManager will be called:
>
>     public Account authenticate(String username, Object credentials) throws ExceptionAuthentication {
>         Account account = null;
>         for (Realm realm : realms.values()) {
>             account = realm.authenticate(username, credentials);
>             if (account != null)
>                 return account;
>         }
>         throw new ExceptionAuthentication("User [" + username + "] not found");
>     }
>
> As you can see it will go through all attached realms & try to get the authenticated user account.
>
> -- 
> Cheers,
>
> Dmitriy Shabanov
From: Dmitriy S. <sha...@gm...> - 2010-06-18 15:56:22
Attachments:
smime.p7s
On Fri, 2010-06-18 at 10:43 -0500, Loren Cahlander wrote:
> The problem that I have been encountering is
> org.exist.security.UserImpl.authenticate(). I think that we need to
> move the current UserImpl into internal and create a new UserImpl
> under ldap that authenticates against the LDAP server.

Yes, it should be: SecurityManager has several Realms that create a User on authentication; look at the openid implementation.

-- 
Cheers,

Dmitriy Shabanov
From: Dmitriy S. <sha...@gm...> - 2010-06-18 16:06:10
Attachments:
smime.p7s
Plus, the current implementation doesn't use ldap authentication at all. Here is an example of the way I like:

http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html

That gives an option to control access per user (group) on the ldap server.

-- 
Cheers,

Dmitriy Shabanov
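As an added example (not eXist code and not from either poster), this hypothetical realm combines Loren's bind-verified "Require" idea with Dmitriy's realm contract (return the account or null so the SecurityManager moves on) using the JNDI API from the linked Sun tutorial. Parameter names follow Loren's second conf.xml sketch; it assumes a reachable LDAP server with posixAccount/posixGroup entries.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
/** Hypothetical realm: verifies the password with a BIND as the user, then enforces Require. */
public class LdapBindRealm {
    private final String url, bindDn, bindPassword, userBaseDn, roleBaseDn;
    public LdapBindRealm(String hostname, int port, String bindDn, String bindPassword,
                         String userBaseDn, String roleBaseDn) {
        this.url = "ldap://" + hostname + ":" + port;          // useLdaps=false, as in the sketch
        this.bindDn = bindDn; this.bindPassword = bindPassword;
        this.userBaseDn = userBaseDn; this.roleBaseDn = roleBaseDn;
    }
    /** Opens a context with a simple BIND; throws AuthenticationException on a bad password. */
    private DirContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");    // authenticationMethod=simple
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }
    /** Returns the user's DN on success, or null so the SecurityManager can try the next realm.
     *  requiredGroup == null means Require valid-user; a group name means Require ldap-group. */
    public String authenticate(String username, String password, String requiredGroup)
            throws NamingException {
        // Empty password = unauthenticated bind (RFC 4513 5.1.2), which servers may accept as anonymous
        if (password == null || password.isEmpty()) return null;
        SearchControls sc = new SearchControls(); sc.setSearchScope(SearchControls.SUBTREE_SCOPE); // "sub"
        DirContext admin = connect(bindDn, bindPassword);       // service account looks the user up
        String dn;
        try {
            // {0}/{1} arguments are escaped by JNDI, so the username cannot alter the filter
            NamingEnumeration<SearchResult> users = admin.search(userBaseDn,
                "(&(objectClass=posixAccount)(uid={0}))", new Object[]{username}, sc);
            if (!users.hasMore()) return null;
            dn = users.next().getNameInNamespace();
            if (requiredGroup != null && !admin.search(roleBaseDn,
                    "(&(objectClass=posixGroup)(cn={0})(memberUid={1}))",
                    new Object[]{requiredGroup, username}, sc).hasMore()) return null;
        } finally {
            admin.close();
        }
        try { connect(dn, password).close(); return dn; }      // forceBindingLogin: bind as the user
        catch (AuthenticationException e) { return null; }      // wrong password: not this realm's user
    }
}
```

A SecurityManager in Dmitriy's shape would wrap the returned DN in an Account and fall through to the next realm on null; the empty-password and filter-escaping checks are what keep the "valid-user" test from being satisfied by an anonymous bind or a crafted uid.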