<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia
| Rendered using Apache Maven Fluido Skin 1.3.1
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Creation-yyyymmdd" content="20121123" />
<meta name="Date-Revision-yyyymmdd" content="20170517" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache Redback &#x2013; Ldap Integration</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.3.1.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.3.1.min.js"></script>
</head>
<body class="topBarEnabled">
<div class="container">
<div id="banner">
<div class="pull-left">
<a href="../../redback" id="bannerLeft">
<img src="../images/redback.jpg" alt="Redback"/>
</a>
</div>
<div class="pull-right"> <a href="http://www.apache.org/" id="bannerRight">
<img src="https://www.apache.org/images/asf_logo_wide_2016.png" alt="Apache Software Foundation"/>
</a>
</div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li id="publishDate">Last Published: 2017-05-17
<span class="divider">|</span>
</li>
<li class="">
<a href="http://www.apache.org/" class="externalLink" title="Apache">
Apache</a>
<span class="divider">/</span>
</li>
<li class="">
<a href="../" title="Apache Redback">
Apache Redback</a>
<span class="divider">/</span>
</li>
<li class="active ">Ldap Integration</li>
</ul>
</div>
<div id="bodyColumn" >
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.
 See the NOTICE file distributed with this work for additional information regarding copyright ownership.
 The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use
 this file except in compliance with the License. You may obtain a copy of the License at
 http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software distributed under the License is
 distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and limitations under the License.
-->
<div class="section">
<h2><a name="Redback_Ldap_Integration"></a>Redback Ldap Integration</h2>
<p>Redback has limited support for LDAP as an authentication source. Limited support means:</p>
<ul>
<li>Read-Only User Management</li>
<li>xml and properties based configuration</li>
<li>tested against OpenLDAP on Linux, <a class="externalLink" href="http://directory.apache.org">apacheds</a> 1.5.0/2.0.0 and <a class="externalLink" href="http://opendj.forgerock.org">OpenDJ</a></li></ul>
<div class="section">
<h3><a name="Setting_up_Ldap"></a>Setting up Ldap</h3>
<p>Configuring LDAP is a relatively simple procedure: a few component definitions need to be declared in the appropriate applicationContext.xml, and then some configuration options must be set in the security.properties file.</p>
<div class="section">
<h4><a name="The_applicationContext.xml_Additions"></a>The applicationContext.xml Additions</h4>
<p>These components should be defined in the applicable Spring configuration files.</p>
<div class="section">
<h5><a name="ldap_connection_factory"></a>ldap connection factory </h5>
<div class="source">
<pre>
&lt;bean name=&quot;ldapConnectionFactory&quot; class=&quot;org.apache.archiva.redback.common.ldap.connection.ConfigurableLdapConnectionFactory&quot;&gt;
&lt;property name=&quot;userConf&quot; ref=&quot;userConfiguration&quot;/&gt;
&lt;/bean&gt;
</pre></div>
<p>In security.properties files</p>
<ul>
<li>ldap.config.hostname - The hostname of the ldap server</li>
<li>ldap.config.port - The port of the ldap server</li>
<li>ldap.config.base.dn - The baseDn of the ldap system</li>
<li>ldap.config.context.factory - The JNDI context factory used for ldap connections (normally com.sun.jndi.ldap.LdapCtxFactory)</li>
<li>ldap.config.password - The password for the bindDn used for the root ldap connection</li>
<li>ldap.config.bind.dn - The DN of the service account that Redback binds as when talking to the ldap server; it must be allowed to perform the necessary searches, etc.</li></ul></div>
<div class="section">
<h5><a name="user_mapper"></a>user mapper</h5>
<div class="source">
<pre>
&lt;bean name=&quot;ldapUserMapper&quot; class=&quot;org.apache.archiva.redback.common.ldap.user.LdapUserMapper&quot;&gt;
&lt;property name=&quot;emailAttribute&quot; value=&quot;email&quot;/&gt;
&lt;property name=&quot;fullNameAttribute&quot; value=&quot;givenName&quot;/&gt;
&lt;property name=&quot;passwordAttribute&quot; value=&quot;userPassword&quot;/&gt;
&lt;property name=&quot;userIdAttribute&quot; value=&quot;cn&quot;/&gt;
&lt;property name=&quot;userBaseDn&quot; value=&quot;o=com&quot;/&gt;
&lt;property name=&quot;userObjectClass&quot; value=&quot;inetOrgPerson&quot;/&gt;
&lt;property name=&quot;userConf&quot; ref=&quot;userConfiguration&quot;/&gt;
&lt;/bean&gt;
</pre></div>
<p>In security.properties</p>
<ul>
<li>ldap.config.mapper.attribute.email - The name of the attribute on a user that contains the email address</li>
<li>ldap.config.mapper.attribute.fullname - The name of the attribute on a user that contains the user's full name</li>
<li>ldap.config.mapper.attribute.password - The name of the attribute containing the user's password; used for authentication through the user manager, not by the ldap bind authenticator</li>
<li>ldap.config.mapper.attribute.user.id - The name of the attribute containing the user's userId, most commonly cn or sn.</li>
<li>ldap.config.mapper.attribute.user.base.dn - The base dn that will be subtree searched for users.</li>
<li>ldap.config.mapper.attribute.user.object.class - The objectClass used in the ldap server for identifying users, most commonly inetOrgPerson.</li>
<li>ldap.config.mapper.attribute.user.filter - An optional user filter used to reduce the number of results returned by an LDAP search.</li></ul></div>
<div class="section">
<h5><a name="security_policy_for_the_password_encoder"></a>security policy (for the password encoder) </h5>
<div class="source">
<pre>
&lt;bean name=&quot;userSecurityPolicy&quot; class=&quot;org.apache.archiva.redback.policy.DefaultUserSecurityPolicy&quot;&gt;
&lt;property name=&quot;config&quot; ref=&quot;userConfiguration&quot;/&gt;
&lt;property name=&quot;passwordEncoder&quot; ref=&quot;passwordEncoder#sha1&quot;/&gt;
&lt;property name=&quot;userValidationSettings&quot; ref=&quot;userValidationSettings&quot;/&gt;
&lt;property name=&quot;rememberMeCookieSettings&quot; ref=&quot;cookieSettings#rememberMe&quot;/&gt;
&lt;property name=&quot;signonCookieSettings&quot; ref=&quot;cookieSettings#signon&quot;/&gt;
&lt;property name=&quot;rules&quot;&gt;
&lt;!-- add the rules you want to apply --&gt;
&lt;list&gt;
&lt;ref bean=&quot;passwordRule#alpha-count&quot;/&gt;
&lt;ref bean=&quot;passwordRule#alpha-numeric&quot;/&gt;
&lt;ref bean=&quot;passwordRule#character-length&quot;/&gt;
&lt;ref bean=&quot;passwordRule#must-have&quot;/&gt;
&lt;ref bean=&quot;passwordRule#no-whitespaces&quot;/&gt;
&lt;ref bean=&quot;passwordRule#numerical-count&quot;/&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt;
</pre></div></div></div></div>
<div class="section">
<h3><a name="security.properties"></a>security.properties</h3>
<p>These properties should be set as shown:</p>
<div class="source">
<pre>
user.manager.impl=ldap
ldap.bind.authenticator.enabled=true
redback.default.admin=admin
redback.default.guest=guest
security.policy.password.expiration.enabled=false
</pre></div>
<p>The user.manager.impl is the role hint that is used to determine which user manager to use at runtime. The default is 'cached'; if you want to use the cached manager with ldap, you must include the component declaration below in the caching section for the cached UserManager that sets the underlying userImpl to ldap.</p>
<p>The ldap.bind.authenticator.enabled boolean value toggles the use of the authenticator that authenticates using the LDAP bind operation. There are two different mechanisms used to authenticate with ldap: the bind authenticator, which is the standard way to authenticate, and the user manager password validation approach. If the latter is desired then you must ensure that the security policy is configured to use the correct password encoding. Normally the bind authenticator is simply enabled, since this bypasses concerns of password encoding.</p>
<p>It is also now possible to redefine the basic admin user and guest user names. Since it is unlikely that ldap oriented authentication systems will have a specific admin or guest user, these can be redefined simply in security.properties. Care must be taken that they exist in the ldap system, since they are looked up. Guest users can be simple utility or application users.</p>
<p>The final setting, security.policy.password.expiration.enabled, is a boolean that should be set to false for ldap based authentication. Otherwise redback will attempt to manage and enforce password expiration, which is no longer under the direction of redback but is an artifact of the ldap system in place. Setting this to false prevents issues from cropping up related to redback trying to obtain this type of information.</p></div>
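<p>The two mechanisms differ in who compares the password. With the bind authenticator the directory server verifies the credential and Redback never needs to know how userPassword is stored; with the user manager validation approach Redback reads the password attribute itself and can only compare it with the one encoder its security policy is configured for. The following Python is an added example, not Redback code: it implements the RFC 2307 <code>{SHA}</code> and <code>{SSHA}</code> userPassword schemes that OpenLDAP and ApacheDS commonly store, simulates both authentication paths to show why a mismatched encoder fails, and escapes the user id before it is placed in the lookup filter (RFC 4515), which any code building a filter from a user-supplied id should do. The function names, the simulated directory and the sample values are assumptions of this example.</p>

```python
import base64
import hashlib
import hmac
import os

# --- lookup: escape the user id before it goes into a search filter (RFC 4515) ---

_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(user_id_attribute: str, user_id: str) -> str:
    """Build the single-attribute filter used to find a user, e.g. (cn=bob)."""
    return "(%s=%s)" % (user_id_attribute, escape_filter_value(user_id))


# --- RFC 2307 userPassword encodings as stored by OpenLDAP / ApacheDS ---

def encode_sha(password: str) -> str:
    """{SHA}: base64(SHA-1(password)), unsalted."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: bytes = None) -> str:
    """{SSHA}: base64(SHA-1(password + salt) + salt); salt is random unless given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """What the directory does on bind: it understands every scheme it stores."""
    pw = candidate.encode("utf-8")
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[5:])
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if not stored.startswith("{"):
        # no scheme prefix: the attribute holds the clear-text password
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    return False  # unknown scheme (e.g. {CRYPT}): cannot verify here


def bind_authenticate(directory: dict, dn: str, candidate: str) -> bool:
    """Simulated bind: the server compares, the client only learns success or failure.
    `directory` is a constructed stand-in mapping a DN to its stored userPassword."""
    stored = directory.get(dn)
    return stored is not None and verify_userpassword(stored, candidate)


def password_validation_authenticate(configured_scheme: str, stored: str, candidate: str) -> bool:
    """User-manager path: Redback reads the password attribute and can only
    compare it with the single encoder its security policy is configured for."""
    if not stored.startswith("{" + configured_scheme + "}"):
        return False  # encoder mismatch: fails even for the correct password
    return verify_userpassword(stored, candidate)


if __name__ == "__main__":
    # constructed sample directory entry
    bob = "cn=bob,ou=people,dc=example,dc=org"
    directory = {bob: encode_ssha("correct horse")}
    print(user_filter("cn", "bob)(cn=*"))  # the id is escaped, not interpreted
    print(bind_authenticate(directory, bob, "correct horse"))  # True
    print(password_validation_authenticate("SHA", directory[bob], "correct horse"))  # False: SSHA stored
```

The last call fails although the password is correct, which is exactly the configuration mismatch the text warns about: a <code>passwordEncoder#sha1</code> policy cannot validate an entry stored as <code>{SSHA}</code>. Enabling the bind authenticator sidesteps the problem because the directory does the comparison.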
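<p>The settings in this section and the ldap.config.* keys above interact: a deployment that switches user.manager.impl to ldap without a bind DN, with a non-numeric port, with the bind authenticator disabled but no password attribute mapped, or with password expiration left enabled will fail in ways that only show up at login time. The following Python is an added example, not part of Redback: it parses a security.properties file (java.util.Properties text format, enough of it for these keys) and reports such inconsistencies before deployment. The two embedded property sets are constructed samples, and the bind password value is a placeholder.</p>

```python
REQUIRED_CONNECTION_KEYS = (
    "ldap.config.hostname",
    "ldap.config.port",
    "ldap.config.base.dn",
    "ldap.config.bind.dn",
    "ldap.config.password",
)


def parse_properties(text: str) -> dict:
    """Minimal parser for the java.util.Properties text format used by
    security.properties: '#'/'!' comment lines, '=' or ':' separators and
    backslash line continuations. Unicode escapes are not interpreted."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                # split on the first separator only: DN values contain '='
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""
    return props


def check_ldap_config(props: dict) -> list:
    """Return the findings (an empty list when the LDAP settings are consistent)."""
    findings = []
    impl = props.get("user.manager.impl", "cached")  # 'cached' is the documented default
    if impl == "cached":
        findings.append("user.manager.impl=cached: the cached UserManager must be declared "
                        "with its underlying userImpl set to ldap (not verifiable here)")
    elif impl != "ldap":
        return ["user.manager.impl=%s: not an LDAP deployment, nothing to check" % impl]
    for key in REQUIRED_CONNECTION_KEYS:
        if not props.get(key):
            findings.append("missing required key " + key)
    port = props.get("ldap.config.port", "")
    if port and (not port.isdigit() or int(port) not in range(1, 65536)):
        findings.append("ldap.config.port is not a valid TCP port: " + port)
    bind_enabled = props.get("ldap.bind.authenticator.enabled", "false").lower() == "true"
    if not bind_enabled and not props.get("ldap.config.mapper.attribute.password"):
        findings.append("ldap.bind.authenticator.enabled is false and no "
                        "ldap.config.mapper.attribute.password is mapped: no way to authenticate")
    if props.get("security.policy.password.expiration.enabled", "false").lower() == "true":
        findings.append("security.policy.password.expiration.enabled must be false: "
                        "expiration is managed by the directory, not by Redback")
    return findings


# constructed sample: a consistent LDAP configuration
SAMPLE_OK = """
# constructed sample security.properties for an LDAP deployment
user.manager.impl=ldap
ldap.bind.authenticator.enabled=true
redback.default.admin=admin
redback.default.guest=guest
security.policy.password.expiration.enabled=false
ldap.config.hostname=ldap.example.org
ldap.config.port=389
ldap.config.base.dn=dc=example,dc=org
ldap.config.context.factory=com.sun.jndi.ldap.LdapCtxFactory
ldap.config.bind.dn=cn=redback,ou=services,dc=example,dc=org
ldap.config.password=REPLACE_WITH_BIND_PASSWORD
ldap.config.mapper.attribute.user.id=cn
ldap.config.mapper.attribute.user.base.dn=ou=people,dc=example,dc=org
ldap.config.mapper.attribute.user.object.class=inetOrgPerson
"""

# constructed sample: four distinct mistakes
SAMPLE_BAD = """
user.manager.impl=ldap
ldap.bind.authenticator.enabled=false
security.policy.password.expiration.enabled=true
ldap.config.hostname=ldap.example.org
ldap.config.port=ldap
ldap.config.base.dn=dc=example,dc=org
ldap.config.password=REPLACE_WITH_BIND_PASSWORD
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_ldap_config(parse_properties(text)) or "no findings")
```

Run it against a real file with <code>check_ldap_config(parse_properties(open("security.properties").read()))</code>. The checker reads only security.properties, so it cannot confirm that the admin and guest user names exist in the directory or that the cached UserManager bean is wired to ldap; those remain manual checks.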
<div class="section">
<h3><a name="Caching"></a>Caching</h3>
<p>A cache named 'ldapUser' is used to reduce access to the LDAP server.</p>
<p>Pooled connections are enabled by default using the JNDI <a class="externalLink" href="http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/pool.html">ldap pooling</a> properties:</p>
<ul>
<li>com.sun.jndi.ldap.connect.pool = true</li>
<li>com.sun.jndi.ldap.connect.pool.timeout = 3600</li></ul>
<p>For advanced options see <a class="externalLink" href="http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html">advanced configuration</a>.</p></div></div>
</div>
</div>
<hr/>
<footer>
<div class="container">
<div class="row">
<p >Copyright &copy; 2006&#x2013;2017
<a href="http://www.apache.org/">The Apache Software Foundation</a>.
All rights reserved.
</p>
</div>
<div class="row span12">Apache Redback, Redback, Apache, the Apache feather logo, and the Apache Archiva project logos are trademarks of The Apache Software Foundation.</div>
<div class="row span12">
<a href="http://archiva.apache.org/redback-site/privacy-policy.html">Privacy Policy</a>
</div>
<p id="poweredBy" class="pull-right">
<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
<img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
</a>
</p>
</div>
</footer>
</body>
</html>