Wiki source code of org.clazzes.login.ldap
Last modified by wolfgang_glas@iteg_at on 2018-08-25 09.26:23
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | = {{id name="org.clazzes.login.ldap-Functionality"/}}Functionality = | ||
| 2 | |||
| 3 | |||
| 4 | |||
| 5 | The LDAP login service authenticates against users in an ADS domain or against users in an LDAP server configured for an individual domain. | ||
| 6 | |||
| 7 | The function {{code language="none"}}tryLogin(){{/code}} needs credentials if run against a legacy LDAP Server. | ||
| 8 | |||
| 9 | For AD DS servers, an additional non-search authentication method {{code language="none"}}bindAds{{/code}} is implemented for {{code language="none"}}tryLogin(){{/code}}, which tries to bind using a principal in the form {{code language="none"}}user@domain{{/code}}. | ||
| 10 | |||
| 11 | The functions {{code language="none"}}searchUser(){{/code}}, {{code language="none"}}getGroups(){{/code}}, {{code language="none"}}getGroupMembers(){{/code}} need bind credentials and will only work in AD DS environments. | ||
| 12 | |||
| 13 | = {{id name="org.clazzes.login.ldap-SampleConfigurationforauthenticationagainstanADS-Domain"/}}Sample Configuration for authentication against an ADS-Domain{{id name="org.clazzes.login.ldap-sampleAdsConfig"/}} = | ||
| 14 | |||
| 15 | The following sample configuration is the most common configuration OSGi configuration in PID {{code language="none"}}org.clazzes.login.ldap{{/code}}, which allows you to authenticate users against an Active Directory Domain. | ||
| 16 | |||
| 17 | All you need to know is the Windows/NetBIOS Name of your domain and the corresponding DNS name used to physically locate the Active Directory server. | ||
| 18 | |||
| 19 | In our example we use {{code language="none"}}EXAMPLE{{/code}} as the Windows/NetBIOS domain name with its DNS counterpart {{code language="none"}}example.com{{/code}}. | ||
| 20 | |||
| 21 | (% class="wrapped" %) | ||
| 22 | |=((( | ||
| 23 | (% class="tablesorter-header-inner" %) | ||
| 24 | ((( | ||
| 25 | Key | ||
| 26 | ))) | ||
| 27 | )))|=((( | ||
| 28 | (% class="tablesorter-header-inner" %) | ||
| 29 | ((( | ||
| 30 | Value | ||
| 31 | ))) | ||
| 32 | ))) | ||
| 33 | |((( | ||
| 34 | {{code language="none"}} | ||
| 35 | defaultDomain | ||
| 36 | {{/code}} | ||
| 37 | )))|((( | ||
| 38 | {{code language="none"}} | ||
| 39 | EXAMPLE | ||
| 40 | {{/code}} | ||
| 41 | ))) | ||
| 42 | |((( | ||
| 43 | {{code language="none"}} | ||
| 44 | domain.EXAMPLE.controllerUri | ||
| 45 | {{/code}} | ||
| 46 | )))|((( | ||
| 47 | {{code language="none"}} | ||
| 48 | ads://example.com | ||
| 49 | {{/code}} | ||
| 50 | ))) | ||
| 51 | |((( | ||
| 52 | {{code language="none"}} | ||
| 53 | domain.EXAMPLE.authMethod | ||
| 54 | {{/code}} | ||
| 55 | )))|((( | ||
| 56 | {{code language="none"}} | ||
| 57 | bindAds | ||
| 58 | {{/code}} | ||
| 59 | ))) | ||
| 60 | |||
| 61 | = {{id name="org.clazzes.login.ldap-DetailedConfiguration"/}}Detailed Configuration = | ||
| 62 | |||
| 63 | The LDAP login service may be configured using the OSGi configuration PID {{code language="none"}}org.clazzes.login.ldap{{/code}} using these configuration values: | ||
| 64 | |||
| 65 | (% class="wrapped" %) | ||
| 66 | |=((( | ||
| 67 | (% class="tablesorter-header-inner" %) | ||
| 68 | ((( | ||
| 69 | Key | ||
| 70 | ))) | ||
| 71 | )))|=((( | ||
| 72 | (% class="tablesorter-header-inner" %) | ||
| 73 | ((( | ||
| 74 | Default Value | ||
| 75 | ))) | ||
| 76 | )))|=((( | ||
| 77 | (% class="tablesorter-header-inner" %) | ||
| 78 | ((( | ||
| 79 | Description | ||
| 80 | ))) | ||
| 81 | ))) | ||
| 82 | |((( | ||
| 83 | {{code language="none"}} | ||
| 84 | defaultDomain | ||
| 85 | {{/code}} | ||
| 86 | )))|((( | ||
| 87 | |||
| 88 | )))|((( | ||
| 89 | The domain to use for principals, which do not contain a domain. | ||
| 90 | ))) | ||
| 91 | |((( | ||
| 92 | {{code language="none"}} | ||
| 93 | domain.<domain>.controllerUri | ||
| 94 | {{/code}} | ||
| 95 | )))|((( | ||
| 96 | |||
| 97 | )))|((( | ||
| 98 | The server to contact. Supported URL schemes: {{code language="none"}}ldap{{/code}}, {{code language="none"}}ldaps{{/code}}, {{code language="none"}}ads{{/code}}. See below | ||
| 99 | ))) | ||
| 100 | |((( | ||
| 101 | {{code language="none"}} | ||
| 102 | domain.<domain>.authMethod | ||
| 103 | {{/code}} | ||
| 104 | )))|((( | ||
| 105 | {{code language="none"}} | ||
| 106 | searchAndBind | ||
| 107 | {{/code}} | ||
| 108 | )))|((( | ||
| 109 | The method for authenticating a user. Supported methods: {{code language="none"}}searchAndBind{{/code}}, {{code language="none"}}bindAds{{/code}}. | ||
| 110 | ))) | ||
| 111 | |((( | ||
| 112 | {{code language="none"}} | ||
| 113 | domain.<domain>.bindUser | ||
| 114 | {{/code}} | ||
| 115 | )))|((( | ||
| 116 | |||
| 117 | )))|((( | ||
| 118 | The DN used for binding before searching something in the domain <domain>. For {{code language="none"}}tryLogin(){{/code}} this applies only to the authMethod {{code language="none"}}searchAndBind{{/code}}. | ||
| 119 | ))) | ||
| 120 | |((( | ||
| 121 | {{code language="none"}} | ||
| 122 | domain.<domain>.bindPassword | ||
| 123 | {{/code}} | ||
| 124 | )))|((( | ||
| 125 | |||
| 126 | )))|((( | ||
| 127 | The password used for binding searching something in the domain <domain>. For {{code language="none"}}tryLogin(){{/code}} this applies only to the authMethod {{code language="none"}}searchAndBind{{/code}}. | ||
| 128 | ))) | ||
| 129 | |((( | ||
| 130 | {{code language="none"}} | ||
| 131 | domain.<domain>.userAttribute | ||
| 132 | {{/code}} | ||
| 133 | )))|((( | ||
| 134 | {{code language="none"}} | ||
| 135 | samAccountName | ||
| 136 | {{/code}} | ||
| 137 | )))|((( | ||
| 138 | The LDAP attribute to use for finding a given user name. | ||
| 139 | ))) | ||
| 140 | |((( | ||
| 141 | {{code language="none"}} | ||
| 142 | domain.<domain>.prettyNameAttribute | ||
| 143 | {{/code}} | ||
| 144 | )))|((( | ||
| 145 | {{code language="none"}} | ||
| 146 | cn | ||
| 147 | {{/code}} | ||
| 148 | )))|((( | ||
| 149 | The LDAP attribute to try to use as pretty name for users and groups. | ||
| 150 | ))) | ||
| 151 | |((( | ||
| 152 | {{code language="none"}} | ||
| 153 | domain.<domain>.eMailAddressAttribute | ||
| 154 | {{/code}} | ||
| 155 | )))|((( | ||
| 156 | {{code language="none"}} | ||
| 157 | |||
| 158 | {{/code}} | ||
| 159 | )))|((( | ||
| 160 | The LDAP attribute to try to use as primary e-mail address for users. | ||
| 161 | ))) | ||
| 162 | |((( | ||
| 163 | {{code language="none"}} | ||
| 164 | domain.<domain>.mobileAttribute | ||
| 165 | {{/code}} | ||
| 166 | )))|((( | ||
| 167 | \\ | ||
| 168 | )))|((( | ||
| 169 | The LDAP attribute to try to use as mobile phone number for users. This number is used to send ephemerals OTP for two-factor-authentication to the user. If this option is activated, two-factor signons are mandatory for this domain. Usually, this option is configured to the value {{code language="none"}}mobile{{/code}} in order to activate ephemeral OTP two-factor-authentication. | ||
| 170 | ))) | ||
| 171 | |((( | ||
| 172 | {{code language="none"}} | ||
| 173 | domain.<domain>.tokenIdsAttribute | ||
| 174 | {{/code}} | ||
| 175 | )))|((( | ||
| 176 | \\ | ||
| 177 | )))|((( | ||
| 178 | The LDAP attribute to try to use as a space separated list of 12-character YubiKey token IDs (like {{code language="none"}}cccccceiiuch{{/code}}) for users. These token IDs are used to check token OTPs for two-factor-authentication to the user. If this option is activated, two-factor signons are mandatory for this domain. Usually, this option is configured to the value {{code language="none"}}pager{{/code}} in order to activate token-based OTP two-factor-authentication. | ||
| 179 | ))) | ||
| 180 | |||
| 181 | There may be multiple domains in a configuration. | ||
| 182 | |||
| 183 | == {{id name="org.clazzes.login.ldap-ControllerSchemes"/}}Controller Schemes == | ||
| 184 | |||
| 185 | The URL schemes for a domain controller are ldap, ldaps and ads. | ||
| 186 | |||
| 187 | === {{id name="org.clazzes.login.ldap-ADScontrollerscheme"/}}ADS controller scheme === | ||
| 188 | |||
| 189 | The {{code language="none"}}ads{{/code}} URL scheme for the URL {{code language="none"}}ads://mydomain.com{{/code}} undertakes a lookup for the DNS records | ||
| 190 | |||
| 191 | (% class="code" %) | ||
| 192 | ((( | ||
| 193 | SRV _ldap._tcp.mydomain.com | ||
| 194 | TXT _ldap._tcp.mydomain.com | ||
| 195 | ))) | ||
| 196 | |||
| 197 | to auto-detect the apropriate {{code language="none"}}ldap(s){{/code}} URI. | ||
| 198 | |||
| 199 | === {{id name="org.clazzes.login.ldap-LDAPcontrollerscheme"/}}LDAP controller scheme === | ||
| 200 | |||
| 201 | When directly specifying the LDAP-Server using an URL like {{code language="none"}}ldap://ldap-01.mydomain.com{{/code}} it is possible to specify the baseDN for searches using a pseudo-path like in {{code language="none"}}ldap://ldap-01.mydomain.com/dc=mydomain,dc=com{{/code}} | ||
| 202 | |||
| 203 | = {{id name="org.clazzes.login.ldap-ManualinstallationinOSGicontainer"/}}Manual installation in OSGi container = | ||
| 204 | |||
| 205 | I some software product has pointed to this page for configuration details, the bundle is probably already installed in the OSGi container the software product runs in. | ||
| 206 | |||
| 207 | OSGi administrators maintaining an individual OSGi container can install the ldap-login-service bundle using these osgi commands: | ||
| 208 | |||
| 209 | (% class="code" %) | ||
| 210 | ((( | ||
| 211 | obr:addurl http:~/~/maven.clazzes.org/repository.xml | ||
| 212 | obr:deploy ldap-login-service | ||
| 213 | ))) | ||
| 214 | |||
| 215 | = {{id name="org.clazzes.login.ldap-Developerinformation"/}}Developer information = | ||
| 216 | |||
| 217 | The maven artifact is: | ||
| 218 | |||
| 219 | (% class="code" %) | ||
| 220 | ((( | ||
| 221 | <groupId>org.clazzes.login</groupId> | ||
| 222 | <artifactId>ldap-login-service</artifactId> | ||
| 223 | ))) | ||
| 224 | |||
| 225 |