Ldap authentication

Added by Grégory Joseph, last edited by Boris Kraft on Jun 23, 2008

What is it?

The developers of Magnolia chose to use Sun's JAAS for security. This separates the way the client is prompted for a username and password from the way those credentials are authenticated and authorized.

This will work with community version 3.5 of Magnolia.

Setup

There are three main things required to make this happen:

  1. The required files from Java 6
  2. The LdapAuthorizationModule (attached)
  3. A jaas.config file

Each of these is covered in order.

The required files from Java 6

I tried initially to get Magnolia 3.5 to run on Tomcat 5.5.23 with Java 6, but it never worked. Likely the problem had to do with the older version of Derby that is embedded into Java 6. So if, like me, you aren't able to get it running with Java 6, or are using Java 5, you'll need to grab the following files from Java 6:

  1. com.sun.security.auth.module.LdapLoginModule
  2. com.sun.security.auth.LdapPrincipal
  3. com.sun.security.auth.UserPrincipal

Copy the .java files from the Java 6 source download and include them in your project in Eclipse, or, if you are in another IDE, just make sure the compiled .class files are on the classpath of Magnolia.

The LdapAuthorizationModule

This file just needs to be included as part of Magnolia, and ties Sun's LdapLoginModule into the Magnolia authentication and authorization process. It has been released under the same license as Magnolia so it can be included safely along with Magnolia.

jaas.config file

This file is used by the JVM to determine which classes to use for authentication and authorization. It is a slightly altered version of the default jaas.config from the Magnolia project, and looks like this:

magnolia
{
    com.bc.magnolia.jaas.sp.ldap.LdapAuthenticationModule requisite
        userProvider="ldap://servername:389"
        authIdentity="uid={USERNAME},ou=Users,dc=company,dc=com"
        useSSL=false
        useJCRsuperuser=true
        debug=true;
    info.magnolia.jaas.sp.jcr.JCRAuthorizationModule requisite;
};

Jackrabbit
{
    org.apache.jackrabbit.core.security.SimpleLoginModule required;
};

The configuration options themselves come from the javadoc of Sun's LdapLoginModule (the LdapAuthenticationModule simply passes them on to that class), and the javadoc covers further options beyond those used in this jaas.config.

userProvider is the host name and port of your LDAP server.

authIdentity is the distinguished name of the user being authenticated; USERNAME is replaced programmatically with what the user entered at login.

useSSL only needs to be set if your LDAP server does NOT use SSL.

debug is helpful at first to confirm that LDAP authentication is happening properly. Once everything works it can be removed.

useJCRsuperuser is a custom option of the LdapAuthenticationModule: it makes the module first try to authenticate superuser against the superuser password stored in Magnolia and, if that fails, against LDAP. This is handy when you are setting up users and need to activate a new superuser, or when you have broken something in security and need to get back in to fix it.
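To make the structure of that file concrete, here is an added example (my own code, not part of the original page and not Magnolia's): a small Python parser for the JAAS login configuration format. It reads the page's config, embedded below as a constructed sample with a placeholder server name and DN, into application entries with their control flag and options, then flags the settings the text says to revisit: useSSL=false and debug=true, plus an authIdentity template that lacks the {USERNAME} placeholder.

```python
"""Parse a JAAS login configuration and flag options worth revisiting.

Added example, not code from the original page or from Magnolia. The sample
below is constructed from the page's jaas.config; "servername" and the DN are
placeholders, not a real server.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the page's jaas.config with placeholder server and DN.
SAMPLE_JAAS_CONFIG = '''
magnolia
{
    com.bc.magnolia.jaas.sp.ldap.LdapAuthenticationModule requisite
        userProvider="ldap://servername:389"
        authIdentity="uid={USERNAME},ou=Users,dc=company,dc=com"
        useSSL=false
        useJCRsuperuser=true
        debug=true;
    info.magnolia.jaas.sp.jcr.JCRAuthorizationModule requisite;
};

Jackrabbit
{   org.apache.jackrabbit.core.security.SimpleLoginModule required; };
'''

# The four JAAS control flags a module entry may carry.
VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}

_TOKEN = re.compile(
    r'"[^"]*"'             # double-quoted option value
    r"|'[^']*'"            # single-quoted option value
    r"|/\*.*?\*/"          # block comment
    r"|//[^\n]*"           # line comment (a quoted ldap:// URL is consumed by the rule above first)
    r"|[{};=]"             # structural characters
    r"""|[^\s{};="']+""",  # bare word: class name, flag, option key or unquoted value
    re.S,
)


@dataclass
class ModuleEntry:
    class_name: str
    flag: str
    options: dict = field(default_factory=dict)


def tokenize(text):
    """Split config text into tokens, dropping comments."""
    return [t for t in _TOKEN.findall(text) if not t.startswith(("//", "/*"))]


def _unquote(token):
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def parse_jaas_config(text):
    """Return {application name: [ModuleEntry, ...]} in declaration order."""
    tokens = tokenize(text)
    apps = {}
    i = 0
    try:
        while i < len(tokens):
            name = tokens[i]
            if tokens[i + 1] != "{":
                raise ValueError(f"expected '{{' after application name {name!r}")
            i += 2
            entries = []
            while tokens[i] != "}":
                class_name, flag = tokens[i], tokens[i + 1].lower()
                if flag not in VALID_FLAGS:
                    raise ValueError(f"{class_name}: unknown control flag {flag!r}")
                i += 2
                options = {}
                while tokens[i] != ";":
                    key, eq, value = tokens[i], tokens[i + 1], tokens[i + 2]
                    if eq != "=":
                        raise ValueError(f"{class_name}: malformed option near {key!r}")
                    options[key] = _unquote(value)
                    i += 3
                i += 1  # consume the ';' that ends the module entry
                entries.append(ModuleEntry(class_name, flag, options))
            i += 1  # consume '}'
            if i < len(tokens) and tokens[i] == ";":
                i += 1  # consume the optional ';' after the block
            apps[name] = entries
    except IndexError:
        raise ValueError("unexpected end of configuration") from None
    return apps


def review(apps):
    """Return findings for settings the page says to revisit before production."""
    findings = []
    for app, entries in apps.items():
        for entry in entries:
            opts = {k.lower(): v for k, v in entry.options.items()}
            if opts.get("usessl", "").lower() == "false":
                findings.append(f"{app}/{entry.class_name}: useSSL=false, the user's password "
                                "is sent to the LDAP server in the clear")
            if opts.get("debug", "").lower() == "true":
                findings.append(f"{app}/{entry.class_name}: debug=true, remove once LDAP "
                                "login is confirmed working")
            if "authidentity" in opts and "{USERNAME}" not in opts["authidentity"]:
                findings.append(f"{app}/{entry.class_name}: authIdentity lacks the "
                                "{USERNAME} placeholder, every user would bind as the same DN")
    return findings


if __name__ == "__main__":
    parsed = parse_jaas_config(SAMPLE_JAAS_CONFIG)
    for app, entries in parsed.items():
        print(app)
        for entry in entries:
            print(f"  {entry.flag:10} {entry.class_name} {entry.options}")
    for finding in review(parsed):
        print("WARNING:", finding)
```

With useSSL=false, as in the sample, the password the user types is sent to the LDAP server unencrypted during the bind, which is why the check flags it; the debug finding is the page's own advice, and the {USERNAME} check catches a DN template that would bind every user as the same entry.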

Once you've got this set up, you need to add a command-line option to java so it uses this file:

-Djava.security.auth.login.config={path to file}jaas.config

You can check the startup logs to make sure this is recognized; Magnolia prints something like this:

... JAAS config file set by parent container or some other application
... Config in use {path to file}jaas.config
... Please make sure JAAS config has all necessary modules (refer config/jaas.config) configured

Once you see that, you know it is configured properly and everything should work.

Final Thought

The only remaining issue to consider is making sure the public server also has access to the LDAP server. This can be a problem if your public server(s) sit outside a firewall: they need a connection to the LDAP server to authenticate users whenever anything is published.

In its previous incarnation on JspWiki, this page was last edited on Dec 3, 2007 11:45:46 PM by Tomjnsn