From: Loren C. <lor...@gm...> - 2010-06-17 22:59:50
Hello folks,

I am working on getting the LDAP security configuration to be easier to set up for eXist. I am planning on adding a parameter tag within the security tag. It would be something like the following:

  <security class="org.exist.security.ldap.SecurityManagerImpl">
    <param name="AuthLDAPUrl">ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org?uid?sub?(objectclass=posixAccount)</param>
    <param name="AuthLDAPBindDN">cn=admin,dc=exist-db,dc=org</param>
    <param name="AuthLDAPBindPassword">1234</param>
    <param name="AuthLDAPGroupAttributeIsDN">off</param>
    <param name="AuthLDAPGroupAttribute">memberUid</param>
    <param name="Require">valid-user</param>
  </security>

This will centralize the properties for connecting to the LDAP server into conf.xml and no longer require the Java properties. It also implements the BIND that will have the passwords verified against LDAP. This would allow the Require to be valid-user, ldap-user, ldap-group, ldap-attribute or ldap-dn. This would allow the limitation of the access to eXist to a subset of the users within an LDAP server. A corporate-wide LDAP server can contain users that should not have access to eXist. I am looking at this configuration and also the one that I am recommending for the Jetty LoginModule configuration.
Those entries would be something like:

  <security class="org.exist.security.ldap.SecurityManagerImpl">
    <param name="debug">true</param>
    <param name="useLdaps">false</param>
    <param name="contextFactory">com.sun.jndi.ldap.LdapCtxFactory</param>
    <param name="hostname">127.0.0.1</param>
    <param name="port">389</param>
    <param name="bindDn">cn=admin,dc=exist-db,dc=org</param>
    <param name="bindPassword">1234</param>
    <param name="authenticationMethod">simple</param>
    <param name="forceBindingLogin">true</param>
    <param name="userBaseDn">ou=Users,dc=exist-db,dc=org</param>
    <param name="userRdnAttribute">uid</param>
    <param name="userIdAttribute">uid</param>
    <param name="userPasswordAttribute">userPassword</param>
    <param name="userObjectClass">posixAccount</param>
    <param name="roleBaseDn">ou=Groups,dc=exist-db,dc=org</param>
    <param name="roleNameAttribute">cn</param>
    <param name="roleMemberAttribute">memberUid</param>
    <param name="roleObjectClass">posixGroup</param>
  </security>

I am using the following configuration in tools/jetty/etc/login.conf:

  eXistDB {
    org.eclipse.jetty.plus.jaas.spi.LdapLoginModule REQUIRED
      debug="true"
      useLdaps="false"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      hostname="127.0.0.1"
      port="389"
      bindDn="cn=admin,dc=exist-db,dc=org"
      bindPassword="1234"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="ou=Users,dc=exist-db,dc=org"
      userRdnAttribute="uid"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="posixAccount"
      roleBaseDn="ou=Groups,dc=exist-db,dc=org"
      roleNameAttribute="cn"
      roleMemberAttribute="memberUid"
      roleObjectClass="posixGroup";
  };

I need to implement a Credential subclass that will be something similar to the Password class, but be implemented for LDAP.

Loren
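As an added illustration (not Loren's code and not part of eXist or Jetty), this is what the search-then-bind check the message describes looks like with JNDI: an admin bind to locate the posixAccount by uid under ou=Users with subtree scope (the uid/sub/posixAccount parts of AuthLDAPUrl), then a bind as that entry's own DN to verify the password, as forceBindingLogin="true" does. The bare host:port URL and the class name are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapBindLogin {
    // Values from the proposed conf.xml parameters; the bare host:port URL is an assumption.
    static final String URL = "ldap://127.0.0.1:389";
    static final String BIND_DN = "cn=admin,dc=exist-db,dc=org";
    static final String BIND_PW = "1234";
    static final String USER_BASE = "ou=Users,dc=exist-db,dc=org";

    // Escape a login name before it goes into a search filter (RFC 4515); backslash first.
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    static InitialDirContext bind(String dn, String pw) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        return new InitialDirContext(env);   // a wrong password throws AuthenticationException
    }

    // True only if exactly one posixAccount has this uid and a bind as that entry succeeds.
    static boolean authenticate(String uid, String password) {
        // Refuse empty credentials: a simple bind with no password is an anonymous bind.
        if (password == null || password.isEmpty()) return false;
        try {
            InitialDirContext admin = bind(BIND_DN, BIND_PW);
            String filter = "(&(objectClass=posixAccount)(uid=" + escapeFilter(uid) + "))";
            NamingEnumeration<SearchResult> rs = admin.search(USER_BASE, filter,  // "sub" scope
                new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0, null, false, false));
            String userDn = rs.hasMore() ? rs.next().getNameInNamespace() : null;
            boolean unique = userDn != null && !rs.hasMore();   // ambiguous uid: refuse
            admin.close();
            if (!unique) return false;
            bind(userDn, password).close();                      // the actual credential check
            return true;
        } catch (NamingException e) {
            return false;
        }
    }
}
```

The empty-password and duplicate-uid checks are the two places where a naive bind-based login accepts credentials it should not; the same two checks apply whether the values come from conf.xml or from login.conf.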