org.jboss.security.auth.spi
Class LdapLoginModule

java.lang.Object
  extended by org.jboss.security.auth.spi.AbstractServerLoginModule (src)
      extended by org.jboss.security.auth.spi.UsernamePasswordLoginModule (src)
          extended by org.jboss.security.auth.spi.LdapLoginModule
All Implemented Interfaces:
javax.security.auth.spi.LoginModule

public class LdapLoginModule
extends UsernamePasswordLoginModule (src)

An implementation of LoginModule that authenticates against an LDAP server using JNDI, based on the configuration properties.

The LoginModule options include whatever options your LDAP JNDI provider supports. Examples of standard property names, as used in the sample login configurations below, are java.naming.factory.initial (Context.INITIAL_CONTEXT_FACTORY), java.naming.provider.url (Context.PROVIDER_URL) and java.naming.security.authentication (Context.SECURITY_AUTHENTICATION).

The Context.SECURITY_PRINCIPAL property is set to the distinguished name of the user as obtained by the callback handler, and the Context.SECURITY_CREDENTIALS property is set either to the String password or to the Object credential, depending on the useObjectCredential option.

Additional module properties include useObjectCredential (above) and those shown in the sample login configurations below: principalDNPrefix and principalDNSuffix (prepended and appended to the user name to form the bind DN), uidAttributeID, roleAttributeID, rolesCtxDN, userRolesCtxDNAttributeName, roleAttributeIsDN and roleNameAttributeID.

A sample login config:

 testLdap {
 org.jboss.security.auth.spi.LdapLoginModule required
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
 java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
 java.naming.security.authentication=simple
 principalDNPrefix=uid=
 uidAttributeID=userid
 roleAttributeID=roleName
 principalDNSuffix=,ou=People,o=jboss.org
 rolesCtxDN=cn=JBossSX Tests,ou=Roles,o=jboss.org
 };

 testLdap2 {
 org.jboss.security.auth.spi.LdapLoginModule required
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
 java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
 java.naming.security.authentication=simple
 principalDNPrefix=uid=
 uidAttributeID=userid
 roleAttributeID=roleName
 principalDNSuffix=,ou=People,o=jboss.org
 userRolesCtxDNAttributeName=ou=Roles,dc=user1,dc=com
 };

 testLdapToActiveDirectory {
 org.jboss.security.auth.spi.LdapLoginModule required
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
 java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
 java.naming.security.authentication=simple
 rolesCtxDN=cn=Users,dc=ldaphost,dc=jboss,dc=org
 uidAttributeID=userPrincipalName
 roleAttributeID=memberOf
 roleAttributeIsDN=true
 roleNameAttributeID=name
 };
 


Field Summary
 
Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule (src)
callbackHandler, log, loginOk, options, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass
 
Constructor Summary
LdapLoginModule()
           
 
Method Summary
protected  java.security.acl.Group[] getRoleSets()
          Overridden by subclasses to return the Groups that correspond to the role sets assigned to the user.
protected  java.lang.String getUsersPassword()
          Overridden to return an empty password string, as typically one cannot obtain a user's password.
protected  boolean validatePassword(java.lang.String inputPassword, java.lang.String expectedPassword)
          Validate the inputPassword by creating an LDAP InitialContext with SECURITY_CREDENTIALS set to the password.
 
Methods inherited from class org.jboss.security.auth.spi.UsernamePasswordLoginModule (src)
createPasswordHash, getCredentials, getIdentity, getUnauthenticatedIdentity, getUsername, getUsernameAndPassword, initialize, login
 
Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule (src)
abort, commit, createGroup, createIdentity, getUseFirstPass, logout
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

LdapLoginModule

public LdapLoginModule()
Method Detail

getUsersPassword

protected java.lang.String getUsersPassword()
                                     throws javax.security.auth.login.LoginException
Overridden to return an empty password string, as typically one cannot obtain a user's password from the directory. validatePassword is also overridden, so this is ok.

Specified by:
getUsersPassword in class UsernamePasswordLoginModule (src)
Returns:
an empty password String
Throws:
javax.security.auth.login.LoginException

getRoleSets

protected java.security.acl.Group[] getRoleSets()
                                         throws javax.security.auth.login.LoginException
Overridden by subclasses to return the Groups that correspond to the role sets assigned to the user. Subclasses should create at least a Group named "Roles" that contains the roles assigned to the user. A second common group is "CallerPrincipal", which provides the application identity of the user rather than the security domain identity.

Specified by:
getRoleSets in class AbstractServerLoginModule (src)
Returns:
Group[] containing the sets of roles
Throws:
javax.security.auth.login.LoginException

validatePassword

protected boolean validatePassword(java.lang.String inputPassword,
                                   java.lang.String expectedPassword)
Validate the inputPassword by creating an LDAP InitialContext with SECURITY_CREDENTIALS set to the password. The bind succeeds only if the directory accepts the user's DN and password; no password is ever read from the directory.

Overrides:
validatePassword in class UsernamePasswordLoginModule (src)
Parameters:
inputPassword - the password to validate.
expectedPassword - ignored (getUsersPassword returns an empty String)
Returns:
true if the inputPassword is valid, false otherwise.
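The two steps the Method Detail entries above describe, a simple bind as the user's DN (validatePassword) and a role search under rolesCtxDN (getRoleSets), written as an added example against plain JNDI. This is not JBossSX code; it uses the option values from the testLdap sample config, and the host, the user name "jduke" and the directory layout are assumptions. The DN construction and the empty-password guard run offline; the bind and the search need a reachable directory at the assumed URL.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.Rdn;

/** Added example, not JBossSX code: bind-as-user check plus role lookup over plain JNDI. */
public class LdapBindCheck {

    // Option values from the testLdap sample config; the host is hypothetical.
    static final String PROVIDER_URL = "ldap://ldaphost.jboss.org:1389/";
    static final String PRINCIPAL_DN_PREFIX = "uid=";
    static final String PRINCIPAL_DN_SUFFIX = ",ou=People,o=jboss.org";
    static final String ROLES_CTX_DN = "cn=JBossSX Tests,ou=Roles,o=jboss.org";
    static final String UID_ATTRIBUTE_ID = "userid";
    static final String ROLE_ATTRIBUTE_ID = "roleName";
    // true with ROLE_NAME_ATTRIBUTE_ID = "name" models the testLdapToActiveDirectory
    // layout, where the role attribute (memberOf) holds group DNs.
    static final boolean ROLE_ATTRIBUTE_IS_DN = false;
    static final String ROLE_NAME_ATTRIBUTE_ID = "name";

    /** principalDNPrefix + username + principalDNSuffix, with the user-supplied part
     *  escaped per RFC 4514 so it cannot add or alter RDNs of the bind DN. */
    static String principalDn(String username) {
        return PRINCIPAL_DN_PREFIX + Rdn.escapeValue(username) + PRINCIPAL_DN_SUFFIX;
    }

    /** Counterpart of validatePassword(): true only if a simple bind as the user's DN
     *  with inputPassword is accepted by the server. */
    static boolean validatePassword(String username, String inputPassword) {
        // RFC 4513 5.1.2: a simple bind with an empty password is an unauthenticated
        // bind that many servers accept. Never send one; fail before binding.
        if (username == null || username.isEmpty()
                || inputPassword == null || inputPassword.isEmpty()) {
            return false;
        }
        LdapContext ctx = null;
        try {
            ctx = bindAsUser(username, inputPassword);
            return true;
        } catch (AuthenticationException e) {
            return false;            // bad password or unknown DN
        } catch (NamingException e) {
            return false;            // directory unreachable: fail closed
        } finally {
            closeQuietly(ctx);
        }
    }

    static LdapContext bindAsUser(String username, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principalDn(username));
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);   // the bind happens here
    }

    /** Counterpart of getRoleSets(): search rolesCtxDN for the user's entry and collect
     *  roleAttributeID, resolving DN-valued roles through roleNameAttributeID. */
    static List<String> roleNames(LdapContext ctx, String username) throws NamingException {
        List<String> roles = new ArrayList<>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { ROLE_ATTRIBUTE_ID });
        // {0} substitution lets the JNDI provider escape the value as a filter
        // assertion; do not splice the user name into the filter string.
        NamingEnumeration<SearchResult> results = ctx.search(ROLES_CTX_DN,
                "(" + UID_ATTRIBUTE_ID + "={0})", new Object[] { username }, sc);
        while (results.hasMore()) {
            Attribute attr = results.next().getAttributes().get(ROLE_ATTRIBUTE_ID);
            if (attr == null) continue;
            for (int i = 0; i < attr.size(); i++) {
                String value = attr.get(i).toString();
                if (!ROLE_ATTRIBUTE_IS_DN) { roles.add(value); continue; }
                Attributes named = ctx.getAttributes(value, new String[] { ROLE_NAME_ATTRIBUTE_ID });
                Attribute name = named.get(ROLE_NAME_ATTRIBUTE_ID);
                if (name != null) roles.add(name.get().toString());
            }
        }
        return roles;
    }

    static void closeQuietly(LdapContext ctx) {
        if (ctx == null) return;
        try { ctx.close(); } catch (NamingException ignored) { }
    }

    public static void main(String[] args) {
        String user = args.length > 0 ? args[0] : "jduke";   // hypothetical user
        String pass = args.length > 1 ? args[1] : "";
        System.out.println("bind DN: " + principalDn(user));
        if (!validatePassword(user, pass)) { System.out.println("login failed"); return; }
        LdapContext ctx = null;                                  // rebind for the role search
        try { ctx = bindAsUser(user, pass); System.out.println("roles: " + roleNames(ctx, user)); }
        catch (NamingException e) { System.out.println("role lookup failed: " + e); }
        finally { closeQuietly(ctx); }
    }
}
```

Two points a practitioner will want to check in any module configured this way: the user name is escaped with Rdn.escapeValue before it is concatenated with principalDNPrefix/principalDNSuffix, so a value such as `jduke,ou=Admins` cannot change which entry the bind targets, and an empty password is rejected before the bind because a simple bind with a DN and no password is, per RFC 4513, an unauthenticated bind that a server may accept without proving anything. The role search runs under the user's own bound context, so the directory's ACLs on rolesCtxDN decide which role values are visible.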