Software AG Infrasructure 10.7 | Setting Up Security | Predefined Login Modules | LDAPLoginModule
 
LDAPLoginModule
Use the LDAPLoginModule to authenticate users against an external directory. You can define your JAAS configuration to access information from an external directory if your site uses one of these external directories for user and group information:
*Lightweight Directory Access Protocol (LDAP)
*Active Directory acting as an LDAP server
*JAAS Configuration Properties
The following table outlines the JAAS configuration parameters for all LDAP connections.
Parameter
Description
enabled
Optional. Whether to load the JAAS configuration. Valid values are true (default) or false.
This parameter relates to dynamic configuration and should be set in the dynamic configuration property file. It should not be set in the JAAS configuration, and will have no effect if it is set there.
alias
Optional. Alias of the LDAP configuration entry. If not specified, it is set to match the url parameter. A valid value is any string of characters. The default is empty.
url
Required. URL to the LDAP server. If you want to use an SSL connection to the LDAP server, the URL should start with ldaps, and you should provide truststore and/or keystore parameters. The expected format is: ldap://host:port" or ldaps://host:port. If the URL points to IPv6 IP (not domain name), it must be enclosed in square brackets (for example, alias=ldap://[::1]:389).
domain
Optional. String. Domain name to use for authentication. Applicable if the domain concept is activated for the LDAPLoginModule.
This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
applyDomain
Optional. Whether to apply domain when returning group information for the user. Valid values are true or false (default).
This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
prin
Required if noPrinIsAnonymous is set to false; otherwise, do not specify this parameter. Distinguished name (DN) of the technical user that connects to the LDAP server if anonymous access to the LDAP server is not allowed.
noPrinIs Anonymous
Optional. When prin is not defined, specifies what credentials are used for LDAP server authentication. Valid values are:
*true (default). The connection to the LDAP server is done anonymously.
*false. The real user credentials of the user that connects to the LDAP server are also used for LDAP authentication. The LDAPLoginModule will need the complete DN for the user or activation of the useaf, dnprefix, dnsuffix parameters to be able to construct a proper user DN.
cred
Required if noPrinIsAnonymous is set to false; otherwise, do not specify this parameter. Password of the technical user that connects to the LDAP server. You use it with the prin parameter. A valid value is any string of characters.
credHandle
Can use instead of cred. Handles passman storage for technical user passwords. When a login is successful, cred is placed in passman.
timeout
Maximum time in milliseconds to spend for an LDAP operation. Default is 5000.
useaf
Optional. Boolean. Whether to use affixes (dnprefix and dnsuffix). Use the affixes for an easier construction of user DNs with less errors. Valid values are true or false (default).
dnprefix
Optional. String. Prefix to attach to the user name when performing operations on the LDAP server. To use this parameter, set useaf to true. A valid value is any string of characters.
dnsuffix
Optional. String. Suffix to attach to the user name when performing operations on the LDAP server. To use this parameter, set useaf to true. A valid value is any string of characters.
usecaching
Optional. Boolean. Whether the LDAP framework caches users and/or groups. Valid values are true (default) or false.
poolmin
Minimum number of objects to keep in the cache.
poolmax
Maximum number of objects to keep in the cache.
mattr
Optional. The LDAPLoginModule uses this parameter when performing member-search operations. The meaning of this parameter depends on the value of memberinfoingroups. If memberinfoingroups is set to true, the mattr parameter points from a group to the users that are members of this group. If memberinfoingroups is set to false, the mattr parameter points from a user entry to the groups that the user is a member of. A valid value is any string of characters. Default is memberOf.
memberinfoin groups
Optional. Boolean. Whether the login module searches users in a group or groups in a user. You can use it only if the mattr parameter is applied to users or groups. Valid values are true or false (default).
createGroups
Optional. Boolean. Whether to extract the groups of the logged-in user from the LDAP server. Valid values are true (default) or false.
This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
createGroup Properties
Whether group properties should be populated to SagGroupPrincipal. Valid values are true or false (default).
This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
createUser Properties
Whether user properties should be populated to SagUserPrincipal. Valid values are true or false (default).
This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
uidprop
Optional. LDAP user name attribute. Default is CN.
gidprop
Optional. LDAP group attribute. A valid value is any string of characters. Default is CN.
grourootdn
Optional. Location from which to start searches for groups. A valid value is any string of characters.
groupobjclass
Optional. Specifies that the found object is a group. The login module uses this parameter when searching for groups. Default is group.
userrootdn
Optional. Location to search for users. A valid value is any string of characters.
personobjclass
Optional. Specifies that the found object is a person. The login module uses this parameter when searching for users. Default is person.
truststoreUrl
URL of the truststore to use if an SSL connection is required.
truststore Password
Password for the truststore if an SSL connection is required.
truststoreType
Type of truststore to use if an SSL connection is required.
keystoreUrl
URL of the keystore to use if an SSL connection is required.
keystore Password
Password for the keystore if an SSL connection is required.
keystoreType
Type of keystore to use if an SSL connection is required.
recursive SearchDepth
Amount of time to try when resolving nested groups (that is, a group that is a member of another group). The default is 0, which means no nested groups are resolved.
useFQDNFor Auth
Optional. Whether to try to log in with the complete name. This is supported only by Microsoft AD. Usually LDAP login module uses the user name or the complete DN of the user to log in. Valid values are true or false (default). If set to true, the LDAPLoginModule tries to login with DOMAIN\user_name and password.
This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
The following sample outlines the corresponding configuration included in a login context of a JAAS configuration file.
ExampleRealm {
com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient alias="name1";
com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient
alias="name2";
com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient;
com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule required
alias="name3"
url="ldap://localhost:389"
prin="CN=sectest,OU=user,dc=example,dc=org"
cred="******"
useaf="true"
dnprefix="CN="
dnsuffix=",OU=user,dc=example,dc=org"
usecaching="false"
mattr="roleoccupant"
memberinfoingroups=false
creategroups=true
gidprop="CN"
grouprootdn="OU=Groups,dc=example,dc=org"
groupobjclass="organizationalRole"
personobjclass="organizationalPerson";
};