Version 9.8
 —  Reference Guide to SIN  —

Samples

This document provides sample configuration files and code listings for the different LoginModules and authentication scenarios provided by SIN.

The samples are organized under the following headings:


JAAS Configuration

Following is a sample JAAS configuration:

/** Login Configuration for user, group, and role information **/
ApplicationContext {
   com.softwareag.security.jaas.login.module.SSXLoginModule required
   	template_section=OS;
   com.softwareag.security.jaas.login.XmlServerLoginModule required
    XMLSERVER_URL="http://localhost:53305/CentraSite/CentraSite";
};

Top of page

log4j Configuration File

Following is a sample log4j configuration file:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">

<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

  <appender name="Console" class="org.apache.log4j.ConsoleAppender"> 
    <param name="Target" value="System.out"/> 
    <layout class="org.apache.log4j.PatternLayout"> 
      <param name="ConversionPattern" value="%d{ABSOLUTE} [%t] %-5p %c %x - %m%n"/> 
    </layout> 
  </appender> 

  <root> 
    <priority value ="INFO" /> 
    <appender-ref ref="Console" /> 
  </root>
  
  <!-- Infos for the security - set level to DEBUG if needed. -->
  <logger name="com.softwareag.security">
    <level value="DEBUG"/> 
  </logger>
  
  
</log4j:configuration>

Top of page

SSXLoginModule Configuration Template

Following is the template configuration file that is distributed with the SSXLoginModule.

You can overwrite all parameters in the JAAS configuration file, leaving out the prefix.

Important:
Do not overwrite the authType.

# OS Section

# The type of the user db or service against which the authentication
# will be attempted.
# Possible values: os, ldap, adsi, iaf
OS.authType=os

# The log file name for the logging of the user DB library. The global 
# 'ssx_userdb_global_errors.log' file (which located in the default temp
# directory) will be used if the log ability is turned on and the logging to
# the specified logfile is not possible.
#OS.nativeLogFile=SIN_SSX.log
OS.logCallback=true

# The valid value range is between 1 and 6.
# If 0 or not defined than there will be no logging.
#OS.nativeLogLevel=2

# The time in seconds till the user will be valid in the cache after
# a successful authentication.
OS.cacheTime=12

# The size of the authenticated user cache.
OS.cacheSize=4

# The time in seconds till the user authentication will be denied
# after the 'denyCount' is reached.
OS.denyTime=4

# The number of the unsuccessful authentication after that user
# gets into the deny cache.
OS.denyCount=3

# Always include local groups.
OS.winCheckLocalGroups=0

# Always include local groups.
OS.useLogonUseron2000=1

# Impersonate the userdb accesses.
OS.noImpersonation=0

# Default group to be automatically included for all requests
# that return any groups
# OS.defaultGroup=DefGroup

# Default domain name. Use this in case the domain parameter
# is not supplied.
# OS.defaultDomain=MyDomain

# Unix only! Explicit path of the privileged daemon process
# Needs to be specified, if the executable "sagssxauthd2" 
# is not in the current working directory.
# OS.authDaemonPath=/tmp/sagssxauthd2

#If NOT the automatic domain name should be used to compose
#the canonical user id (SSXGetCanonicalUserId_A/W),
#specify this part of the ID here.
#OS.canonicalDomainName

#When authenticating on Windows and no domain is
#specified, Windows will try
# - to authenticate a local user 
#and if this fails, Windows will try
# - to authenticate the user in the currently logged in domain.
#If this is automatic lookup is not desired, that is, only the 
#local users shall be auhtenticated, set this variable.
#Valid Values: 0, 1
#Default: 0
#OS.winNoDefaultDomain=

################################################################
# LDAP Section

#This is a sample properties file for the case
#when authType is ldap and the user database is OpenLDAP.

#Specifies the authentication type.

#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value
LDAP.authType=ldap

#Specifies which server type will be used.
#Use only when authType is ldap.

#Is Required: No
#Valid values: {"ActiveDirectory", "SunOneDirectory", "OpenLdap"}
#Default value: "OpenLdap"
LDAP.serverType=OpenLDAP

#Property name that denotes a user entry.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#No default value
LDAP.userIdField=cn

#Enumeration of LDAP objectclasses that the user entries use in
#the target LDAP server.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (Comma separated list of objectclass names,
# according to LDAP conventions)
#Default value: 
#	depending on serverType:
#	OpenLdap:
#	"top,person"
#	SunOneDirectory:
#	"top,person,organizationalperson, inetorgperson"
#	ActiveDirectory:
#	"top,person,organizationalPerson,user"
LDAP.personObjClass=inetOrgPerson

#Enumeration of LDAP objectclasses that the group entries use in
#the target LDAP server.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (Comma separated list of objectclass names,
# according to LDAP conventions)
#Default value:
#   depending on serverType:
#   OpenLdap:
#   "top,groupOfUniqueNames"
#   SunOneDirectory:
#   "top,groupofuniquenames"
#   ActiveDirectory:
#   "top,group"
LDAP.groupObjClass=groupOfUniqueNames

#Property name that denotes a group entry.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value: cn
LDAP.groupIdField=cn

#Property name of a user entry that points to the group that
#the user is member of.
#Use only when authType is ldap.

#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value:
#	depending on serverType:
#	OpenLdap:
#	"ou"
#	SunOneDirectory:
#	NULL
#	ActiveDirectory:
#	"memberOf"
LDAP.personGrpAttr=ou

#Property name of a group entry that points to users (members)
#Use only when authType is ldap.

#Is Required: No
#Valid values: (attribute name according to LDAP conventions)
#Default value:
#	depending on serverType:
#	OpenLdap:
#	"uniqueMember"
#	SunOneDirectory:
#	"uniqueMember"
#	ActiveDirectory:
#	"member"
LDAP.groupPrsAttr=uniqueMember

#Seconds how long auth. user remains in cache.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 180
LDAP.cacheTime=12

#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 300
LDAP.cacheSize=4

#Time (in seconds) how long to ignore any further authentication
#requests for a particular User-Id.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 100
LDAP.denyTime=4

#Number of invalid logon attempts.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 3
LDAP.denyCount=3

#Specifies an output file for logging.

#Is Required: No
#Valid values: (Valid log file path)
#No default value
LDAP.logCallback=true

#Specifies the log level.

#Is Required: No
#Valid values:
#	0 - No logging
#   Min: 1
#   Max: 6
#No default value
#LDAP.nativeLogLevel=6

#Default group to be automatically included for all requests
#that return any groups
#Is Required: No

# LDAP.defaultGroup=DefGroup

#BaseBindDN where to find the users.
#Is Required: Yes
#and should contain the most detailed DN to find the users

# LDAP.personBindDn=ou=User,o=Org,dc=mycom,dc=com

#BaseBindDN where to find the groups.
#Is Required: Yes
#and should contain the most detailed DN to find the groups

# LDAP.groupBindDn=ou=Groups,o=Org,dc=mycom,dc=com

#Attribute name of the password.
#Required when changeing the password
#Is Required: Not always
#Default value:
#	depending on serverType:
#	OpenLdap:
#	"userPassword"
#	SunOneDirectory:
#	"userPassword"
#	ActiveDirectory:
#	"unicodePwd"

# LDAP.passwdField=userPassword

#Allow to pass a complete BaseBindDN
#via the domain parameter.
#Is Required: No
#Valid values: 0, 1

# LDAP.allowdomainasbasebinddn=0

#Allow to specify which fields to search for as properties
#of a user entry
#Is Required: No
#Valid values: string, for example: "cn,sn,description"

# LDAP.personPropAttr

#Allow to specify which fields to search for as properties
#of a group entry
#Is Required: No
#Valid values: string, for example: "cn,description"

# LDAP.groupPropAttr

#Allow to use the special secure authentication using SASL,
#providing the directory supports this mechanism.
#Is Required: No
#Valid values: 0, 1 (default: 0)

# LDAP.ldapSaslBind

#Allow to switch from a non-secure connection to a TLS connection,
#providing the directory supports this mechanism.
#of a group entry
#Is Required: No
#Valid values: 0, 1 (default: 0)

# LDAP.ldapStartTls

#By default, the first "dc=" occurrence within the distinguished name
#name string denotes the domain name.
#If additional abbreviations want to be defined, one can use
#the following 2 parameter.
#Example:  Short="RnD;Admins;board"
#      with Long="ou=Rnd,ou=user,dc=mycom,dc=com;ou=Administrators,dc=mycom,dc=com;ou=VIP,dc=mycom,dc-com"
#LDAP.ldapDomainShort
#LDAP.ldapDomainLong

#If NOT the automatic domain name should be used to compose
#the canonical user id (SSXGetCanonicalUserId_A/W),
#specify this part of the ID here.
#LDAP.canonicalDomainName

#Three algorithms are supported to find the groups of a user:
#"ru", recurse up: take the group pointer from the user entry
#                  and continue to search up for all groups
#                  found
#"rd", recurse down: search for all groups that have the 
#                    user as member (no recursion)
#"cp", computed property: use a special field in the user
#                         entry to find all groups
#                         --> computedGroupProp retuired
#Default: "ru"
#LDAP.resolveGroups

#If resolveGroup is set to "cp", this parameter must provide
#the field name to look for in the user entry that denotes
#the user groups
#Default: None
#LDAP.computedGroupProp=

#If the LDAP connection is protected by SSL/TLS, this
#parameter must be set.
#Valid Values: 0, 1
#Default: 0
#LDAP.ldapSSLConnection=1

################################################################
# ADSI Section

#Specifies the authentication type.

#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value

ADSI.authType=adsi

#Specifies the name of the AD Forest.

#Is Required: No, but should be specified
#Example: "dc=mycom,dc=com" (with a possible domain called "dc=eur,dc=mycom,dc=com")
#No default value

#ADSI.adsiForestDn

#Seconds how long auth. user remains in cache.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 180
ADSI.cacheTime=12

#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 300
ADSI.cacheSize=4

#Time (in seconds) how long to ignore any further authentication
#requests for a particular User-Id.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 100
ADSI.denyTime=4

#Number of invalid logon attempts.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 3
ADSI.denyCount=3

#Specifies an output file for logging.

#Is Required: No
#Valid values: (Valid log file path)
#No default value
#ADSI.nativeLogFile=SIN_SSX.log
ADSI.logCallback=true

#Specifies the log level.

#Is Required: No
#Valid values:
#	0 - No logging
#   Min: 1
#   Max: 6
#No default value
#ADSI.nativeLogLevel=6

#In case the scope for the node to access users needs to be limited,
#one can specify a particular subtree:
#Example: "ou=user,ou=Rnd,dc=mycom,dc=com"
#ADSI.adsiPersonBindDn

#In case the scope for the node to access groups needs to be limited,
#one can specify a particular subtree:
#Example: "ou=groups,ou=Rnd,dc=mycom,dc=com"
#ADSI.adsiGroupBindDn

#By default, the first "dc=" occurrence within the distinguished name
#name string denotes the domain name.
#If additional abbreviations want to be defined, one can use
#the following 2 parameter.
#Example:  Short="RnD;Admins;board"
#      with   Dn="ou=Rnd,ou=user,dc=mycom,dc=com;ou=Administrators,dc=mycom,dc=com;ou=VIP,dc=mycom,dc-com"
#ADSI.adsiDomainShort
#ADSI.adsiDomainDn

#If NOT the automatic domain name should be used to compose
#the canonical user id (SSXGetCanonicalUserId_A/W),
#specify this part of the ID here.
#ADSI.canonicalDomainName

#Three algorithms are supported to find the groups of a user:
#"ru", recurse up: take the group pointer from the user entry
#                  and continue to search up for all groups
#                  found
#"rd", recurse down: search for all groups that have the 
#                    user as member (no recursion)
#"cp", computed property: use a special field in the user
#                         entry to find all groups
#                         --> computedGroupProp retuired
#Default: "ru"
#ADSI.resolveGroups

#If resolveGroup is set to "cp", this parameter must provide
#the field name to look for in the user entry that denotes
#the user groups
#Default: None
#ADSI.computedGroupProp=

################################################################
# IAF Section

#Specifies the authentication type.

#Is Required: Yes
#Valid values: {"os", "ldap", "adsi", "iaf", "saf"}
#No default value
IAF.authType=iaf

#Seconds how long auth. user remains in cache.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 180
IAF.cacheTime=12

#Specify the max. number of cached users that have been successfully
#authenticated. When the cache overflows, the oldest entry is removed.

#Is Required: No
#Valid values: 
#	0 - No cache
#	Min: 1, Max: No limit
#Default value: 300
IAF.cacheSize=4

#Time (in seconds) how long to ignore any further authentication
#requests for a particular User-Id.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 100
IAF.denyTime=4

#Number of invalid logon attempts.

#Is Required: No
#Valid values:
#	Min: 1, Max: No limit
#Default value: 3
IAF.denyCount=3

#Specifies an output file for logging.

#Is Required: No
#Valid values: (Valid log file path)
#No default value
#IAF.nativeLogFile=SIN_SSX.log
IAF.logCallback=true

#Specifies the log level.

#Is Required: No
#Valid values:
#	0 - No logging
#   Min: 1
#   Max: 6
#No default value
IAF.nativeLogLevel=6

#Specify the local code page to be used
#for converting strings from the
#IAF wire protocol (UTF8) to a local string
#Default: Unix, Win: ISO-8859-1, mainframe: IBM-037
#IAF.localCodePage=

#Specify the local code page to be used
#for converting strings from the
#IAF wire protocol (UTF8) to a local string
#Default: Unix, Win: sagssxtomcrypt, mainframe: SSXCTC
#IAF.cryptLib=

#Directory where to load dynamically the libraries:
# - broker[32][.dll|.so|.sl]
# - sagssxtomcrypt | SSXCTC (s. IAF.cryptLib)
#IAF.homeDir=

Top of page