
JAAS LDAP Login Module

Overview

The JAAS LDAP login module enables you to store user data in an LDAP database. To manage the stored user data, use a standard LDAP client tool. The jaas:* console commands are not supported.

For more details about using LDAP with Fuse ESB Enterprise, see LDAP Authentication Tutorial.

Supported credentials

The JAAS LDAP Login Module authenticates username/password credentials, returning the list of roles associated with the authenticated user.

Implementation classes

The following classes implement the JAAS LDAP Login Module:

org.apache.karaf.jaas.modules.ldap.LDAPLoginModule

Implements the JAAS login module.

Note

There is no backing engine factory for the LDAP Login Module, which means that this module cannot be managed using the jaas:* console commands.

Options

The JAAS LDAP login module supports the following options:

connection.url

The LDAP connection URL—for example, ldap://hostname.

connection.username

Admin username to connect to the LDAP server. This parameter is optional: if it is not provided, the LDAP connection will be anonymous.

connection.password

Admin password to connect to the LDAP server. Used only if the connection.username is also specified.

user.base.dn

The LDAP base DN used to look up users—for example, ou=user,dc=apache,dc=org.

user.filter

The LDAP filter used to look up a user—for example, (uid=%u), where %u is replaced by the username being authenticated.

user.search.subtree

If true, the user lookup is recursive (SUBTREE). If false, the user lookup is performed only at the first level (ONELEVEL).

role.base.dn

The LDAP base DN used to look up roles—for example, ou=role,dc=apache,dc=org.

role.filter

The LDAP filter used to look up a user's role—for example, (member:=uid=%u).

role.name.attribute

The LDAP role attribute containing the role value used by Apache Karaf—for example, cn.

role.search.subtree

If true, the role lookup is recursive (SUBTREE). If false, the role lookup is performed only at the first level (ONELEVEL).

authentication

Defines the authentication mechanism used when binding to the LDAP server. The default is simple.

initial.context.factory

Defines the JNDI initial context factory used to connect to the LDAP server. The default is com.sun.jndi.ldap.LdapCtxFactory.

ssl

If true or if the protocol on the connection.url is ldaps, an SSL connection will be used.

ssl.provider

Specifies the SSL provider.

ssl.protocol

The protocol version to use—for example, SSL or TLS.

ssl.algorithm

The algorithm to use for the KeyManagerFactory and the TrustManagerFactory—for example, PKIX.

ssl.keystore

The ID of the keystore that stores the LDAP client's own X.509 certificate (required only if SSL client authentication is enabled on the LDAP server). The keystore must be deployed using a jaas:keystore element (see Sample Blueprint configuration).

ssl.keyalias

The keystore alias of the LDAP client's own X.509 certificate (required only if there is more than one certificate stored in the keystore specified by ssl.keystore).

ssl.truststore

The ID of the keystore that stores trusted CA certificates, which are used to verify the LDAP server's certificate (the LDAP server's certificate chain must be signed by one of the certificates in the truststore). The keystore must be deployed using a jaas:keystore element.

Sample Blueprint configuration

The following Blueprint configuration shows how to define a new karaf realm using the LDAP login module, where the default karaf realm is overridden by setting the rank attribute to 2:

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">

    <!-- Allow usage of System properties, for example the karaf.home property -->
    <ext:property-placeholder placeholder-prefix="${" placeholder-suffix="}"/>

    <jaas:config name="karaf" rank="2">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                     flags="required">
            connection.url = ldaps://localhost:10636
            user.base.dn = ou=users,ou=system
            user.filter = (uid=%u)
            user.search.subtree = true
            role.base.dn = ou=groups,ou=system
            role.filter = (uniqueMember=uid=%u)
            role.name.attribute = cn
            role.search.subtree = true
            authentication = simple
            ssl.protocol=SSL
            ssl.truststore=ks
            ssl.algorithm=PKIX
        </jaas:module>
    </jaas:config>

    <jaas:keystore name="ks"
               path="file:///${karaf.home}/etc/trusted.ks"
               keystorePassword="secret" />

</blueprint>
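The following Python script is an added illustration of how the options above fit together; it is not code from Karaf or from this documentation. It models the module's two lookups (find the user under user.base.dn with user.filter, then collect roles under role.base.dn with role.filter and read role.name.attribute) against a constructed in-memory directory that stands in for the LDAP server. The option values are copied from the sample Blueprint configuration above; the directory entries, the password check that stands in for the LDAP bind, and the equality-only filter matcher are assumptions made for the example. It also shows RFC 4515 escaping of the value substituted for %u, so that a username cannot alter the shape of the configured filter; whether the real module applies such escaping is not stated on this page.

```python
"""Toy model of the JAAS LDAP login module's user and role lookups.

Constructed example: an in-memory directory stands in for the LDAP server,
and a tiny matcher understands only equality filters such as (uid=%u).
"""
import re

# Option values copied from the sample Blueprint configuration on this page.
OPTIONS = {
    "user.base.dn": "ou=users,ou=system",
    "user.filter": "(uid=%u)",
    "user.search.subtree": "true",
    "role.base.dn": "ou=groups,ou=system",
    "role.filter": "(uniqueMember=uid=%u)",
    "role.name.attribute": "cn",
    "role.search.subtree": "true",
}

# Constructed directory content (DN -> attributes). Not real data.
DIRECTORY = {
    "uid=alice,ou=users,ou=system": {"uid": ["alice"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=contractors,ou=users,ou=system": {"uid": ["bob"], "userPassword": ["bob-pw"]},
    "cn=admin,ou=groups,ou=system": {"cn": ["admin"], "uniqueMember": ["uid=alice", "uid=bob"]},
    "cn=manager,ou=groups,ou=system": {"cn": ["manager"], "uniqueMember": ["uid=alice"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping of a value substituted into a search filter, so the
    characters * ( ) \\ and NUL cannot change the structure of the filter."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template, username):
    """Replace %u in a configured filter template with the escaped username."""
    return template.replace("%u", escape_filter_value(username))


def in_scope(dn, base_dn, subtree):
    """SUBTREE: any entry below base_dn; ONELEVEL: immediate children only."""
    suffix = "," + base_dn.lower()
    if not dn.lower().endswith(suffix):
        return False
    rdns = dn[: -len(suffix)]
    return subtree or "," not in rdns


FILTER_RE = re.compile(r"^\((\w+)=(.*)\)$")


def search(base_dn, ldap_filter, subtree):
    """Return DNs under base_dn whose attribute equals the filter value.
    Toy matcher: equality filters only, plain string comparison."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.group(1), m.group(2)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, subtree) and value in attrs.get(attr, [])]


def login(username, password, options=OPTIONS):
    """Step 1: resolve the user's DN with user.base.dn/user.filter.
    Step 2: check the password (stands in for binding as that DN).
    Step 3: collect roles with role.base.dn/role.filter and read
    role.name.attribute. Returns the sorted role list, or None on failure."""
    user_filter = render_filter(options["user.filter"], username)
    users = search(options["user.base.dn"], user_filter,
                   options["user.search.subtree"] == "true")
    if len(users) != 1:          # no user, or an ambiguous match, is a failure
        return None
    user_dn = users[0]
    if DIRECTORY[user_dn].get("userPassword") != [password]:
        return None
    role_filter = render_filter(options["role.filter"], username)
    roles = search(options["role.base.dn"], role_filter,
                   options["role.search.subtree"] == "true")
    name_attr = options["role.name.attribute"]
    return sorted(v for dn in roles for v in DIRECTORY[dn].get(name_attr, []))


if __name__ == "__main__":
    print(login("alice", "alice-pw"))   # ['admin', 'manager']
    onelevel = dict(OPTIONS, **{"user.search.subtree": "false"})
    print(login("bob", "bob-pw", onelevel))   # None: bob is two levels below the base
```

Switching user.search.subtree to false is what makes the second call fail: bob's entry sits under ou=contractors, one level deeper than user.base.dn, so a ONELEVEL search never sees it.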