This document provides sample configuration files and code listings for the different LoginModules and authentication scenarios provided by SIN.
The samples are organized under the following headings:
Following is a sample JAAS configuration:
/** Login Configuration for user, group, and role information **/
/** Both modules are "required": the login succeeds only if the OS
    authentication AND the XML server login succeed. **/
ApplicationContext {
    /** template_section selects the section prefix (here "OS.") of the
        SSXLoginModule template properties; any template parameter can be
        overridden here without the prefix, except authType. **/
    com.softwareag.security.jaas.login.module.SSXLoginModule required
        template_section=OS;
    /** XMLSERVER_URL is a plain http URL, which is acceptable for a
        loopback endpoint as in this sample; for a remote CentraSite host
        use https so that whatever the module sends to the server
        (presumably the login data) is not transmitted in cleartext. **/
    com.softwareag.security.jaas.login.XmlServerLoginModule required
        XMLSERVER_URL="http://localhost:53305/CentraSite/CentraSite";
};
Following is a sample log4j configuration file:
<?xml version="1.0" encoding="UTF-8" ?>
<!-- The SYSTEM identifier "log4j.dtd" is resolved by log4j's own
     DOMConfigurator from the DTD shipped inside the log4j jar; a generic
     XML tool reading this file would instead try to fetch it externally,
     so do not feed this file to parsers that resolve external DTDs. -->
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <!-- Single console appender writing to stdout. -->
  <appender name="Console" class="org.apache.log4j.ConsoleAppender">
    <param name="Target" value="System.out"/>
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d{ABSOLUTE} [%t] %-5p %c %x - %m%n"/>
    </layout>
  </appender>
  <!-- Everything not configured below logs at INFO. -->
  <root>
    <priority value ="INFO" />
    <appender-ref ref="Console" />
  </root>
  <!-- Security package logging. The sample ships with DEBUG already
       enabled; DEBUG output from the authentication code is verbose and
       may include principal and directory details, so lower this to INFO
       outside of troubleshooting sessions. -->
  <logger name="com.softwareag.security">
    <level value="DEBUG"/>
  </logger>
</log4j:configuration>
Following is the template configuration file that is distributed with the SSXLoginModule.
You can override any of these parameters in the JAAS configuration file by specifying them without the section prefix (for example, `cacheTime` instead of `OS.cacheTime`).
Important:
Do not override the authType.
# OS Section
# The type of the user db or service against which the authentication
# will be attempted.
# Possible values: os, ldap, adsi, iaf
# (The LDAP/ADSI/IAF sections below additionally list "saf".)
OS.authType=os
# The log file name for the logging of the user DB library. The global
# 'ssx_userdb_global_errors.log' file (which is located in the default temp
# directory) will be used if the log ability is turned on and the logging to
# the specified logfile is not possible.
#OS.nativeLogFile=SIN_SSX.log
OS.logCallback=true
# The valid value range is between 1 and 6.
# If 0 or not defined then there will be no logging.
#OS.nativeLogLevel=2
# The time in seconds till the user will be valid in the cache after
# a successful authentication.
# NOTE(review): while a user is cached, a password change or account
# lockout in the user db is presumably not seen until the entry expires;
# keep this short for production.
OS.cacheTime=12
# The size of the authenticated user cache.
OS.cacheSize=4
# The time in seconds till the user authentication will be denied
# after the 'denyCount' is reached.
# Trade-off: a small denyCount with a long denyTime slows down password
# guessing, but also means that repeated failed attempts for a known
# user id temporarily lock that user out.
OS.denyTime=4
# The number of the unsuccessful authentications after which the user
# gets into the deny cache.
OS.denyCount=3
# Always include local groups.
# NOTE(review): the value 0 here seems to contradict the comment; confirm
# whether 1 or 0 means "include".
OS.winCheckLocalGroups=0
# NOTE(review): the original comment here was a copy of the one for
# winCheckLocalGroups; from the name this presumably selects the
# Windows 2000 logon-user API - confirm.
OS.useLogonUseron2000=1
# Impersonate the userdb accesses.
OS.noImpersonation=0
# Default group to be automatically included for all requests
# that return any groups
# OS.defaultGroup=DefGroup
# Default domain name. Use this in case the domain parameter
# is not supplied.
# OS.defaultDomain=MyDomain
# Unix only! Explicit path of the privileged daemon process
# Needs to be specified, if the executable "sagssxauthd2"
# is not in the current working directory.
# The example path below is only an illustration: a privileged executable
# should live in a directory that only root can write to, not in the
# world-writable /tmp.
# OS.authDaemonPath=/tmp/sagssxauthd2
#If the automatic domain name should NOT be used to compose
#the canonical user id (SSXGetCanonicalUserId_A/W),
#specify this part of the ID here.
#OS.canonicalDomainName
#When authenticating on Windows and no domain is
#specified, Windows will try
# - to authenticate a local user
#and if this fails, Windows will try
# - to authenticate the user in the currently logged in domain.
#If this automatic lookup is not desired, that is, only the
#local users shall be authenticated, set this variable.
#Valid Values: 0, 1
#Default: 0
#OS.winNoDefaultDomain=
################################################################
# LDAP Section
#This is a sample properties file for the case
#when authType is ldap and the user database is OpenLDAP.
#Specifies the authentication type.
#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value
LDAP.authType=ldap
#Specifies which server type will be used.
#Use only when authType is ldap.
#Is Required: No
#Valid values: {"ActiveDirectory", "SunOneDirectory", "OpenLdap"}
#Default value: "OpenLdap"
#NOTE(review): the value below is spelled "OpenLDAP" while the valid-values
#list says "OpenLdap"; confirm whether the comparison is case-sensitive.
LDAP.serverType=OpenLDAP
#Property name that denotes a user entry.
#Use only when authType is ldap.
#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#No default value
LDAP.userIdField=cn
#Enumeration of LDAP objectclasses that the user entries use in
#the target LDAP server.
#Use only when authType is ldap.
#Is Required: No
#Valid values: (Comma separated list of objectclass names,
# according to LDAP conventions)
#Default value:
# depending on serverType:
# OpenLdap:
# "top,person"
# SunOneDirectory:
# "top,person,organizationalperson, inetorgperson"
# ActiveDirectory:
# "top,person,organizationalPerson,user"
LDAP.personObjClass=inetOrgPerson
#Enumeration of LDAP objectclasses that the group entries use in
#the target LDAP server.
#Use only when authType is ldap.
#Is Required: No
#Valid values: (Comma separated list of objectclass names,
# according to LDAP conventions)
#Default value:
# depending on serverType:
# OpenLdap:
# "top,groupOfUniqueNames"
# SunOneDirectory:
# "top,groupofuniquenames"
# ActiveDirectory:
# "top,group"
LDAP.groupObjClass=groupOfUniqueNames
#Property name that denotes a group entry.
#Use only when authType is ldap.
#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value: cn
LDAP.groupIdField=cn
#Property name of a user entry that points to the group that
#the user is a member of.
#Use only when authType is ldap.
#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value:
# depending on serverType:
# OpenLdap:
# "ou"
# SunOneDirectory:
# NULL
# ActiveDirectory:
# "memberOf"
LDAP.personGrpAttr=ou
#Property name of a group entry that points to users (members)
#Use only when authType is ldap.
#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value:
# depending on serverType:
# OpenLdap:
# "uniqueMember"
# SunOneDirectory:
# "uniqueMember"
# ActiveDirectory:
# "member"
LDAP.groupPrsAttr=uniqueMember
#Seconds how long an authenticated user remains in the cache.
#Is Required: No
#Valid values:
# 0 - No cache
# Min: 1, Max: No limit
#Default value: 180
LDAP.cacheTime=12
#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.
#Is Required: No
#Valid values:
# 0 - No cache
# Min: 1, Max: No limit
#Default value: 300
LDAP.cacheSize=4
#Time (in seconds) how long to ignore any further authentication
#requests for a particular User-Id.
#Is Required: No
#Valid values:
# Min: 1, Max: No limit
#Default value: 100
LDAP.denyTime=4
#Number of invalid logon attempts.
#Is Required: No
#Valid values:
# Min: 1, Max: No limit
#Default value: 3
LDAP.denyCount=3
#Specifies an output file for logging.
#Is Required: No
#Valid values: (Valid log file path)
#No default value
#NOTE(review): unlike the ADSI and IAF sections, no LDAP.nativeLogFile
#line follows this comment; the comment applies to that (absent) key,
#not to logCallback.
LDAP.logCallback=true
#Specifies the log level.
#Is Required: No
#Valid values:
# 0 - No logging
# Min: 1
# Max: 6
#No default value
#LDAP.nativeLogLevel=6
#Default group to be automatically included for all requests
#that return any groups
#Is Required: No
# LDAP.defaultGroup=DefGroup
#BaseBindDN where to find the users.
#Is Required: Yes
#and should contain the most detailed DN to find the users
#(required, but left commented out in this template - set it for ldap)
# LDAP.personBindDn=ou=User,o=Org,dc=mycom,dc=com
#BaseBindDN where to find the groups.
#Is Required: Yes
#and should contain the most detailed DN to find the groups
#(required, but left commented out in this template - set it for ldap)
# LDAP.groupBindDn=ou=Groups,o=Org,dc=mycom,dc=com
#Attribute name of the password.
#Required when changing the password
#Is Required: Not always
#Default value:
# depending on serverType:
# OpenLdap:
# "userPassword"
# SunOneDirectory:
# "userPassword"
# ActiveDirectory:
# "unicodePwd"
# LDAP.passwdField=userPassword
#Allow to pass a complete BaseBindDN
#via the domain parameter.
#Is Required: No
#Valid values: 0, 1
#Leave at 0 unless needed: with 1 the caller-supplied domain parameter
#decides where in the directory the user and group search runs.
# LDAP.allowdomainasbasebinddn=0
#Allow to specify which fields to search for as properties
#of a user entry
#Is Required: No
#Valid values: string, for example: "cn,sn,description"
# LDAP.personPropAttr
#Allow to specify which fields to search for as properties
#of a group entry
#Is Required: No
#Valid values: string, for example: "cn,description"
# LDAP.groupPropAttr
#Allow to use the special secure authentication using SASL,
#providing the directory supports this mechanism.
#Is Required: No
#Valid values: 0, 1 (default: 0)
# LDAP.ldapSaslBind
#Allow to switch from a non-secure connection to a TLS connection,
#providing the directory supports this mechanism.
#Is Required: No
#Valid values: 0, 1 (default: 0)
#NOTE(review): with ldapSaslBind, ldapStartTls and ldapSSLConnection all
#at their default 0, the connection is plain LDAP and a simple bind sends
#the user's password unencrypted on the wire; enable one of them for any
#directory that is not on the same host.
# LDAP.ldapStartTls
#By default, the first "dc=" occurrence within the distinguished
#name string denotes the domain name.
#If additional abbreviations are to be defined, use
#the following 2 parameters.
#Example: Short="RnD;Admins;board"
# with Long="ou=Rnd,ou=user,dc=mycom,dc=com;ou=Administrators,dc=mycom,dc=com;ou=VIP,dc=mycom,dc=com"
#LDAP.ldapDomainShort
#LDAP.ldapDomainLong
#If the automatic domain name should NOT be used to compose
#the canonical user id (SSXGetCanonicalUserId_A/W),
#specify this part of the ID here.
#LDAP.canonicalDomainName
#Three algorithms are supported to find the groups of a user:
#"ru", recurse up: take the group pointer from the user entry
# and continue to search up for all groups
# found
#"rd", recurse down: search for all groups that have the
# user as member (no recursion)
#"cp", computed property: use a special field in the user
# entry to find all groups
# --> computedGroupProp required
#Default: "ru"
#LDAP.resolveGroups
#If resolveGroups is set to "cp", this parameter must provide
#the field name to look for in the user entry that denotes
#the user groups
#Default: None
#LDAP.computedGroupProp=
#If the LDAP connection is protected by SSL/TLS, this
#parameter must be set.
#Valid Values: 0, 1
#Default: 0
#LDAP.ldapSSLConnection=1
################################################################
# ADSI Section
#Specifies the authentication type.
#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value
ADSI.authType=adsi
#Specifies the name of the AD Forest.
#Is Required: No, but should be specified
#Example: "dc=mycom,dc=com" (with a possible domain called "dc=eur,dc=mycom,dc=com")
#No default value
#ADSI.adsiForestDn
#Seconds how long an authenticated user remains in the cache.
#Is Required: No
#Valid values:
# 0 - No cache
# Min: 1, Max: No limit
#Default value: 180
ADSI.cacheTime=12
#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.
#Is Required: No
#Valid values:
# 0 - No cache
# Min: 1, Max: No limit
#Default value: 300
ADSI.cacheSize=4
#Time (in seconds) how long to ignore any further authentication
#requests for a particular User-Id.
#Is Required: No
#Valid values:
# Min: 1, Max: No limit
#Default value: 100
ADSI.denyTime=4
#Number of invalid logon attempts.
#Is Required: No
#Valid values:
# Min: 1, Max: No limit
#Default value: 3
ADSI.denyCount=3
#Specifies an output file for logging.
#Is Required: No
#Valid values: (Valid log file path)
#No default value
#ADSI.nativeLogFile=SIN_SSX.log
ADSI.logCallback=true
#Specifies the log level.
#Is Required: No
#Valid values:
# 0 - No logging
# Min: 1
# Max: 6
#No default value
#ADSI.nativeLogLevel=6
#In case the scope for the node to access users needs to be limited,
#one can specify a particular subtree:
#Example: "ou=user,ou=Rnd,dc=mycom,dc=com"
#ADSI.adsiPersonBindDn
#In case the scope for the node to access groups needs to be limited,
#one can specify a particular subtree:
#Example: "ou=groups,ou=Rnd,dc=mycom,dc=com"
#ADSI.adsiGroupBindDn
#By default, the first "dc=" occurrence within the distinguished
#name string denotes the domain name.
#If additional abbreviations are to be defined, use
#the following 2 parameters.
#Example: Short="RnD;Admins;board"
# with Dn="ou=Rnd,ou=user,dc=mycom,dc=com;ou=Administrators,dc=mycom,dc=com;ou=VIP,dc=mycom,dc=com"
#ADSI.adsiDomainShort
#ADSI.adsiDomainDn
#If the automatic domain name should NOT be used to compose
#the canonical user id (SSXGetCanonicalUserId_A/W),
#specify this part of the ID here.
#ADSI.canonicalDomainName
#Three algorithms are supported to find the groups of a user:
#"ru", recurse up: take the group pointer from the user entry
# and continue to search up for all groups
# found
#"rd", recurse down: search for all groups that have the
# user as member (no recursion)
#"cp", computed property: use a special field in the user
# entry to find all groups
# --> computedGroupProp required
#Default: "ru"
#ADSI.resolveGroups
#If resolveGroups is set to "cp", this parameter must provide
#the field name to look for in the user entry that denotes
#the user groups
#Default: None
#ADSI.computedGroupProp=
################################################################
# IAF Section
#Specifies the authentication type.
#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value
IAF.authType=iaf
#Seconds how long an authenticated user remains in the cache.
#Is Required: No
#Valid values:
# 0 - No cache
# Min: 1, Max: No limit
#Default value: 180
IAF.cacheTime=12
#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.
#Is Required: No
#Valid values:
# 0 - No cache
# Min: 1, Max: No limit
#Default value: 300
IAF.cacheSize=4
#Time (in seconds) how long to ignore any further authentication
#requests for a particular User-Id.
#Is Required: No
#Valid values:
# Min: 1, Max: No limit
#Default value: 100
IAF.denyTime=4
#Number of invalid logon attempts.
#Is Required: No
#Valid values:
# Min: 1, Max: No limit
#Default value: 3
IAF.denyCount=3
#Specifies an output file for logging.
#Is Required: No
#Valid values: (Valid log file path)
#No default value
#IAF.nativeLogFile=SIN_SSX.log
IAF.logCallback=true
#Specifies the log level.
#Is Required: No
#Valid values:
# 0 - No logging
# Min: 1
# Max: 6
#No default value
#NOTE(review): unlike the other sections, this template ships with the
#IAF log level active at its maximum (6); reduce it for production.
IAF.nativeLogLevel=6
#Specify the local code page to be used
#for converting strings from the
#IAF wire protocol (UTF8) to a local string
#Default: Unix, Win: ISO-8859-1, mainframe: IBM-037
#IAF.localCodePage=
#Name of the crypt library loaded for IAF (see IAF.homeDir for where
#the libraries are loaded from).
#NOTE(review): the original comment here was a copy of the localCodePage
#comment; confirm the description against the module documentation.
#Default: Unix, Win: sagssxtomcrypt, mainframe: SSXCTC
#IAF.cryptLib=
#Directory where to load dynamically the libraries:
# - broker[32][.dll|.so|.sl]
# - sagssxtomcrypt | SSXCTC (s. IAF.cryptLib)
#Code from this directory is loaded into the authenticating process, so
#it must be writable only by administrators.
#IAF.homeDir=