Added by Sebastian Gonzalez Oyuela, last edited by Gianluca Brigandi on Jan 20, 2009


Leverages a directory information tree (DIT) as a source for user and entitlement information.

Standard LDAP Directory

Component Properties

Property - Description
securityPrincipal - the DN of the user used to bind to the LDAP server.
securityCredential - the password of securityPrincipal, used for binding to the LDAP server.
securityAuthentication - the security level used for the LDAP server session. Its value is one of the following strings: "none", "simple", "strong". If not set, "simple" is used.
ldapSearchScope - allows control over the LDAP search scope; valid values are ONELEVEL and SUBTREE.
usersCtxDN - the fixed distinguished name of the context to search for user accounts.
principalUidAttributeID - the name of the attribute that contains the user login name. This is used to locate the user.
rolesCtxDN - the fixed distinguished name of the context to search for user roles.
uidAttributeID - the name of the attribute that, in the object containing the user roles, references role members. The attribute value should be the DN of the user associated with the role. This is used to locate the user's roles.
roleAttributeID - the name of the attribute that contains the role name.
credentialQueryString - the query string used to obtain user credentials. It must have the following format: user_attribute_name=credential_attribute_name,... For example: uid=username,userPassword=password
userPropertiesQueryString - the query string used to obtain user properties. It must have the following format: ldap_attribute_name=user_attribute_name,... For example: mail=mail,cn=description
updateableCredentialAttribute - optional; the user attribute that will store a new password. Used when password reset ("forgot your password?") is enabled.

Sample Component Definition

josso-gateway-stores.xml
    <ldap-istore:ldap-bind-store
            id="josso-identity-store"
            initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
            providerUrl="ldap://localhost:10389"
            securityPrincipal="uid=admin,ou=system"
            securityCredential="secret"
            securityAuthentication="simple"
            ldapSearchScope="SUBTREE"
            usersCtxDN="ou=People,dc=my-domain,dc=com"
            principalUidAttributeID="uid"
            uidAttributeID="uniquemember"
            rolesCtxDN="ou=Roles,dc=my-domain,dc=com"
            roleAttributeID="cn"
            updateableCredentialAttribute="userPassword"
            userPropertiesQueryString="mail=mail,cn=description"
            />

Microsoft Active Directory

The main issue with Active Directory is that it does not allow retrieving the user password value, so JOSSO cannot verify the supplied credentials during the authentication process. To overcome this limitation, JOSSO comes with two components that authenticate users by performing a bind against the configured persistence mechanism using the credentials provided by the authenticating user. If the bind succeeds, the user is considered authenticated.

The first component is an extension of the basic authentication scheme provided with JOSSO. This extension, known as BindUsernamePasswordAuthScheme, relies on the configured Credential Store to authenticate users; that store must be of type BindableCredentialStore. If the bind operation provided by the store succeeds, the user is considered authenticated.

The second component is a CredentialStore implementation known as the BindableCredentialStore. This type of store provides a new operation that, given the supplied user name and password, binds to the underlying persistence mechanism and returns true if the bind succeeds.

Even though these additional components are aimed at supporting Active Directory, they can be used with directories from other vendors. JOSSO currently provides an LDAP BindIdentityStore implementation, but future releases could include new bindable stores that support user authentication by binding to other persistence mechanisms, such as an RDBMS.

Sample Component Definition

<?xml version="1.0" encoding="ISO-8859-1" ?>
<s:beans xmlns:s="http://www.springframework.org/schema/beans"
         xmlns:ldap-istore="urn:org:josso:ldap:identitystore"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
         urn:org:josso:ldap:identitystore http://www.josso.org/schema/josso-ldap-identitystore.xsd"
         >

    <ldap-istore:ldap-bind-store
            id="josso-identity-store"
            initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
            providerUrl="ldap://127.0.0.1:389"
            securityPrincipal="cn=Administrator,cn=USERS,dc=my-domain"
            securityCredential="secret"
            securityAuthentication="simple"
            ldapSearchScope="SUBTREE"
            usersCtxDN="CN=Users,dc=my-Domain"
            principalUidAttributeID="sAMAccountName"
            uidAttributeID="member"
            rolesCtxDN="CN=Users,dc=my-domain"
            roleAttributeID="sAMAccountName"
            updateableCredentialAttribute="userPassword"
            userPropertiesQueryString="mail=mail,cn=description"
            />

</s:beans>
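The search-then-bind flow described above, written as an added example against the JNDI factory with the Active Directory sample values; this is not JOSSO's own BindIdentityStore code, the class and method names (LdapBindCheck, bind, escape, authenticate) are assumed, and a directory reachable at ldap://127.0.0.1:389 is required to run it. It also shows the two checks a bind store must not skip: escaping the login name before it goes into the search filter, and refusing an empty password, because an LDAP simple bind with an empty password is an unauthenticated (anonymous) bind rather than a failed one.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/** Hypothetical search-then-bind check using the Active Directory sample values from this page. */
public class LdapBindCheck {
    static final String URL = "ldap://127.0.0.1:389", FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    static final String ADMIN_DN = "cn=Administrator,cn=USERS,dc=my-domain", ADMIN_PW = "secret";
    static final String USERS_CTX_DN = "CN=Users,dc=my-Domain", PRINCIPAL_UID_ATTR = "sAMAccountName";
    static final String ROLES_CTX_DN = "CN=Users,dc=my-domain", UID_ATTR = "member", ROLE_ATTR = "sAMAccountName";
    static DirContext bind(String principal, String credential) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);    // initialContextFactory
        env.put(Context.PROVIDER_URL, URL);                   // providerUrl
        env.put(Context.SECURITY_AUTHENTICATION, "simple");   // securityAuthentication="simple"
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return new InitialDirContext(env);                    // throws AuthenticationException on bad credentials
    }
    /** RFC 4515 escaping so the login name is matched as data, never parsed as filter syntax. */
    static String escape(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29");
    }

    /** Returns the authenticated user's role names, or null when authentication fails. */
    static List<String> authenticate(String username, String password) throws NamingException {
        // A simple bind with an empty password is an anonymous bind (RFC 4513, 5.1.2), so refuse it up front.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) return null;
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);      // ldapSearchScope="SUBTREE"
        DirContext admin = bind(ADMIN_DN, ADMIN_PW);          // securityPrincipal / securityCredential
        try {
            NamingEnumeration<SearchResult> users = admin.search(USERS_CTX_DN,
                    "(" + PRINCIPAL_UID_ATTR + "=" + escape(username) + ")", sc);
            if (!users.hasMore()) return null;                // unknown user
            String userDn = users.next().getNameInNamespace();
            if (users.hasMore()) return null;                 // ambiguous match: refuse rather than guess
            try { bind(userDn, password).close(); }           // the actual credential check
            catch (AuthenticationException e) { return null; }
            List<String> roles = new ArrayList<>();
            NamingEnumeration<SearchResult> groups = admin.search(ROLES_CTX_DN,
                    "(" + UID_ATTR + "=" + escape(userDn) + ")", sc);   // uidAttributeID holds the member DN
            while (groups.hasMore()) {
                Attribute a = groups.next().getAttributes().get(ROLE_ATTR);   // roleAttributeID
                if (a != null) roles.add(a.get().toString());
            }
            return roles;
        } finally { admin.close(); }
    }
}
```

The second bind uses the DN found by the first search rather than the raw login name, so the securityPrincipal account only needs read access under usersCtxDN and rolesCtxDN.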