Version 9.5 SP1
 —  Reference Guide to SIN  —

Samples

This document provides sample configuration files and code listings for the different LoginModules and authentication scenarios provided by SIN.

The samples are organized under the following headings:


JAAS Configuration

Following is a sample JAAS configuration:

/** Login Configuration for user, group, and role information **/
ApplicationContext {
   // Native (SSX) login module. template_section selects the "OS" section of
   // the SSXLoginModule configuration template, whose authType is "os" - so
   // authentication presumably runs against the operating system user database.
   com.softwareag.security.jaas.login.module.SSXLoginModule required
   	template_section=OS;
   // XML server login module; presumably supplies the user, group and role
   // information named in the header comment, read from XMLSERVER_URL.
   // The sample URL is plain HTTP on localhost. For any non-local server use an
   // https:// URL so that credentials are not transmitted in clear text.
   com.softwareag.security.jaas.login.XmlServerLoginModule required
    XMLSERVER_URL="http://localhost:53305/CentraSite/CentraSite";
};


log4j Configuration File

Following is a sample log4j configuration file:

<?xml version="1.0" encoding="UTF-8" ?>
<!-- log4j 1.x resolves this system identifier to the DTD bundled with log4j;
     it is not fetched from the network. -->
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">

<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

  <!-- Single console appender writing to System.out. The pattern prints
       time, [thread], level, logger name, NDC and the message, one per line. -->
  <appender name="Console" class="org.apache.log4j.ConsoleAppender"> 
    <param name="Target" value="System.out"/> 
    <layout class="org.apache.log4j.PatternLayout"> 
      <param name="ConversionPattern" value="%d{ABSOLUTE} [%t] %-5p %c %x - %m%n"/> 
    </layout> 
  </appender> 

  <!-- Everything not configured below logs at INFO and above to the console. -->
  <root> 
    <priority value ="INFO" /> 
    <appender-ref ref="Console" /> 
  </root>
  
  <!-- Logging for the security package. This sample runs it at DEBUG for
       troubleshooting; in production use INFO (or remove the level so the
       root level applies) - DEBUG output from the authentication path is
       verbose and may include details you do not want persisted in logs. -->
  <logger name="com.softwareag.security">
    <level value="DEBUG"/> 
  </logger>
  
  
</log4j:configuration>


SSXLoginModule Configuration Template

Following is the template configuration file that is distributed with the SSXLoginModule.

You can override any of these parameters in the JAAS configuration file by specifying them without the section prefix (for example, without `OS.`).

Important:
Do not override authType.

# OS Section

# The type of the user db or service against which the authentication
# will be attempted.
# Possible values: os, ldap, adsi, iaf
OS.authType=os

# The log file name for the logging of the user DB library. The global
# 'ssx_userdb_global_errors.log' file (located in the default temp
# directory) will be used if logging is turned on and logging to
# the specified log file is not possible.
#OS.nativeLogFile=SIN_SSX.log
OS.logCallback=true

# The valid value range is between 1 and 6.
# If 0 or not defined, there will be no logging.
#OS.nativeLogLevel=2

# The time in seconds for which a user remains valid in the cache
# after a successful authentication.
OS.cacheTime=12

# The size of the authenticated user cache.
OS.cacheSize=4

# The time in seconds for which authentication of a user is denied
# after 'denyCount' is reached.
OS.denyTime=4

# The number of unsuccessful authentication attempts after which
# the user is put into the deny cache.
OS.denyCount=3

# Always include local groups.
OS.winCheckLocalGroups=0

# Always include local groups.
OS.useLogonUseron2000=1

# Impersonate the user DB accesses.
OS.noImpersonation=0

# Default group to be automatically included for all requests
# that return any groups
# OS.defaultGroup=DefGroup

# Default domain name. Use this in case the domain parameter
# is not supplied.
# OS.defaultDomain=MyDomain

# Unix only! Explicit path of the privileged daemon process.
# Needs to be specified if the executable "sagssxauthd2"
# is not in the current working directory.
# OS.authDaemonPath=/tmp/sagssxauthd2

#If the automatically determined domain name should NOT be used
#to compose the canonical user ID (SSXGetCanonicalUserId_A/W),
#specify that part of the ID here.
#OS.canonicalDomainName

#When authenticating on Windows and no domain is
#specified, Windows will try
# - to authenticate a local user
#and if this fails, Windows will try
# - to authenticate the user in the currently logged in domain.
#If this automatic lookup is not desired, that is, only
#local users shall be authenticated, set this variable.
#Valid Values: 0, 1
#Default: 0
#OS.winNoDefaultDomain=

################################################################
# LDAP Section

#This is a sample properties file for the case
#when authType is ldap and the user database is OpenLDAP.

#Specifies the authentication type.

#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value
LDAP.authType=ldap

#Specifies which server type will be used.
#Use only when authType is ldap.

#Is Required: No
#Valid values: {"ActiveDirectory", "SunOneDirectory", "OpenLdap"}
#Default value: "OpenLdap"
LDAP.serverType=OpenLDAP

#Property name that denotes a user entry.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#No default value
LDAP.userIdField=cn

#Enumeration of LDAP objectclasses that the user entries use in
#the target LDAP server.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (Comma separated list of objectclass names,
# according to LDAP conventions)
#Default value: 
#	depending on serverType:
#	OpenLdap:
#	"top,person"
#	SunOneDirectory:
#	"top,person,organizationalperson, inetorgperson"
#	ActiveDirectory:
#	"top,person,organizationalPerson,user"
LDAP.personObjClass=inetOrgPerson

#Enumeration of LDAP objectclasses that the group entries use in
#the target LDAP server.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (Comma separated list of objectclass names,
# according to LDAP conventions)
#Default value:
#   depending on serverType:
#   OpenLdap:
#   "top,groupOfUniqueNames"
#   SunOneDirectory:
#   "top,groupofuniquenames"
#   ActiveDirectory:
#   "top,group"
LDAP.groupObjClass=groupOfUniqueNames

#Property name that denotes a group entry.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value: cn
LDAP.groupIdField=cn

#Property name of a user entry that points to the group that
#the user is member of.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value:
#	depending on serverType:
#	OpenLdap:
#	"ou"
#	SunOneDirectory:
#	NULL
#	ActiveDirectory:
#	"memberOf"
LDAP.personGrpAttr=ou

#Property name of a group entry that points to users (members)
#Use only when authType is ldap.

#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value:
#	depending on serverType:
#	OpenLdap:
#	"uniqueMember"
#	SunOneDirectory:
#	"uniqueMember"
#	ActiveDirectory:
#	"member"
LDAP.groupPrsAttr=uniqueMember

#Number of seconds an authenticated user remains in the cache.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 180
LDAP.cacheTime=12

#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 300
LDAP.cacheSize=4

#Time (in seconds) for which any further authentication
#requests for a particular user ID are ignored.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 100
LDAP.denyTime=4

#Number of invalid logon attempts after which further requests are denied (see denyTime).

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 3
LDAP.denyCount=3

#Specifies an output file for logging. Note that the setting below is
#logCallback; the file itself is set with nativeLogFile, which the
#OS and ADSI sections show commented out.

#Is Required: No
#Valid values: (Valid log file path)
#No default value
LDAP.logCallback=true

#Specifies the log level.

#Is Required: No
#Valid values:
#	0 - No logging
#   Min: 1
#   Max: 6
#No default value
#LDAP.nativeLogLevel=6

#Default group to be automatically included for all requests
#that return any groups
#Is Required: No

# LDAP.defaultGroup=DefGroup

#Base bind DN under which the users are searched.
#Is Required: Yes
#Should contain the most specific DN that still covers all users.

# LDAP.personBindDn=ou=User,o=Org,dc=mycom,dc=com

#Base bind DN under which the groups are searched.
#Is Required: Yes
#Should contain the most specific DN that still covers all groups.

# LDAP.groupBindDn=ou=Groups,o=Org,dc=mycom,dc=com

#Attribute name of the password.
#Required when changing the password.
#Is Required: Not always
#Default value:
#	depending on serverType:
#	OpenLdap:
#	"userPassword"
#	SunOneDirectory:
#	"userPassword"
#	ActiveDirectory:
#	"unicodePwd"

# LDAP.passwdField=userPassword

#Allows passing a complete base bind DN
#via the domain parameter.
#Is Required: No
#Valid values: 0, 1

# LDAP.allowdomainasbasebinddn=0

#Allows specifying which attributes are retrieved as properties
#of a user entry.
#Is Required: No
#Valid values: string, for example: "cn,sn,description"

# LDAP.personPropAttr

#Allows specifying which attributes are retrieved as properties
#of a group entry.
#Is Required: No
#Valid values: string, for example: "cn,description"

# LDAP.groupPropAttr

#Allows using SASL for the bind (secure authentication),
#provided the directory supports this mechanism.
#Is Required: No
#Valid values: 0, 1 (default: 0)

# LDAP.ldapSaslBind

#Allows switching from a non-secure connection to a TLS connection
#(StartTLS), provided the directory supports this mechanism. Without
#this or ldapSSLConnection, a simple bind sends the password in clear text.
#Is Required: No
#Valid values: 0, 1 (default: 0)

# LDAP.ldapStartTls

#By default, the first "dc=" occurrence within the distinguished
#name string denotes the domain name.
#To define additional abbreviations, use the following
#two parameters.
#Example:  Short="RnD;Admins;board"
#      with Long="ou=Rnd,ou=user,dc=mycom,dc=com;ou=Administrators,dc=mycom,dc=com;ou=VIP,dc=mycom,dc=com"
#LDAP.ldapDomainShort
#LDAP.ldapDomainLong

#If the automatically determined domain name should NOT be used
#to compose the canonical user ID (SSXGetCanonicalUserId_A/W),
#specify that part of the ID here.
#LDAP.canonicalDomainName

#Three algorithms are supported to find the groups of a user:
#"ru", recurse up: take the group pointer from the user entry
#                  and continue to search up for all groups
#                  found
#"rd", recurse down: search for all groups that have the 
#                    user as member (no recursion)
#"cp", computed property: use a special field in the user
#                         entry to find all groups
#                         --> computedGroupProp required
#Default: "ru"
#LDAP.resolveGroups

#If resolveGroups is set to "cp", this parameter must provide
#the field name to look for in the user entry that denotes
#the user groups.
#Default: None
#LDAP.computedGroupProp=

#If the LDAP connection is protected by SSL/TLS, this
#parameter must be set.
#Valid Values: 0, 1
#Default: 0
#LDAP.ldapSSLConnection=1

################################################################
# ADSI Section

#Specifies the authentication type.

#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value

ADSI.authType=adsi

#Specifies the distinguished name of the AD forest (root domain).

#Is Required: No, but should be specified
#Example: "dc=mycom,dc=com" (with a possible domain called "dc=eur,dc=mycom,dc=com")
#No default value

#ADSI.adsiForestDn

#Number of seconds an authenticated user remains in the cache.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 180
ADSI.cacheTime=12

#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 300
ADSI.cacheSize=4

#Time (in seconds) for which any further authentication
#requests for a particular user ID are ignored.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 100
ADSI.denyTime=4

#Number of invalid logon attempts after which further requests are denied (see denyTime).

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 3
ADSI.denyCount=3

#Specifies an output file for logging.

#Is Required: No
#Valid values: (Valid log file path)
#No default value
#ADSI.nativeLogFile=SIN_SSX.log
ADSI.logCallback=true

#Specifies the log level.

#Is Required: No
#Valid values:
#	0 - No logging
#   Min: 1
#   Max: 6
#No default value
#ADSI.nativeLogLevel=6

#To limit the scope of the user search,
#specify a particular subtree:
#Example: "ou=user,ou=Rnd,dc=mycom,dc=com"
#ADSI.adsiPersonBindDn

#To limit the scope of the group search,
#specify a particular subtree:
#Example: "ou=groups,ou=Rnd,dc=mycom,dc=com"
#ADSI.adsiGroupBindDn

#By default, the first "dc=" occurrence within the distinguished
#name string denotes the domain name.
#To define additional abbreviations, use the following
#two parameters.
#Example:  Short="RnD;Admins;board"
#      with   Dn="ou=Rnd,ou=user,dc=mycom,dc=com;ou=Administrators,dc=mycom,dc=com;ou=VIP,dc=mycom,dc=com"
#ADSI.adsiDomainShort
#ADSI.adsiDomainDn

#If the automatically determined domain name should NOT be used
#to compose the canonical user ID (SSXGetCanonicalUserId_A/W),
#specify that part of the ID here.
#ADSI.canonicalDomainName

#Three algorithms are supported to find the groups of a user:
#"ru", recurse up: take the group pointer from the user entry
#                  and continue to search up for all groups
#                  found
#"rd", recurse down: search for all groups that have the 
#                    user as member (no recursion)
#"cp", computed property: use a special field in the user
#                         entry to find all groups
#                         --> computedGroupProp required
#Default: "ru"
#ADSI.resolveGroups

#If resolveGroups is set to "cp", this parameter must provide
#the field name to look for in the user entry that denotes
#the user groups.
#Default: None
#ADSI.computedGroupProp=

################################################################
# IAF Section

#Specifies the authentication type.

#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value
IAF.authType=iaf

#Number of seconds an authenticated user remains in the cache.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 180
IAF.cacheTime=12

#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 300
IAF.cacheSize=4

#Time (in seconds) for which any further authentication
#requests for a particular user ID are ignored.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 100
IAF.denyTime=4

#Number of invalid logon attempts after which further requests are denied (see denyTime).

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 3
IAF.denyCount=3

#Specifies an output file for logging.

#Is Required: No
#Valid values: (Valid log file path)
#No default value
#IAF.nativeLogFile=SIN_SSX.log
IAF.logCallback=true

#Specifies the log level.

#Is Required: No
#Valid values:
#	0 - No logging
#   Min: 1
#   Max: 6
#No default value
IAF.nativeLogLevel=6

#Specify the local code page to be used
#for converting strings from the
#IAF wire protocol (UTF8) to a local string
#Default: Unix, Win: ISO-8859-1, mainframe: IBM-037
#IAF.localCodePage=

#Specify the name of the crypto library to be loaded
#dynamically (see IAF.homeDir).
#Default: Unix, Win: sagssxtomcrypt, mainframe: SSXCTC
#IAF.cryptLib=

#Directory from which the following libraries are loaded dynamically
#(keep it writable by administrators only, since whatever is found
#here is loaded into the process):
# - broker[32][.dll|.so|.sl]
# - sagssxtomcrypt | SSXCTC (see IAF.cryptLib)
#IAF.homeDir=
