doc/java-broker/src/docbkx/security/Java-Broker-Security-Authentication-Providers-LDAP.xml - qpid-broker-j - Git at Google

 <?xml version="1.0"?>
 <!--

  Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.

 -->

 <section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="Java-Broker-Security-LDAP-Provider">
     <title>Simple LDAP</title>

     <para> The Simple LDAP authenticates connections against a Directory (LDAP). </para>
     <para> To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: <itemizedlist>
         <listitem>
             <para><emphasis>LDAP server URL</emphasis> is the URL of the server, for example,
                 <literal>ldaps://example.com:636</literal></para>
         </listitem>
         <listitem>
             <para><emphasis>Search context</emphasis> is the distinguished name of the search base
                 object. It defines the location from which the search for users begins, for example,
                 <literal>dc=users,dc=example,dc=com</literal></para>
         </listitem>
         <listitem>
             <para><emphasis>Search filter</emphasis> is a DN template to find an LDAP user entry by
                 provided user name, for example, <literal>(uid={0})</literal></para>
         </listitem>
     </itemizedlist> Additionally, the following optional fields can be specified: <itemizedlist>
         <listitem>
             <para><emphasis>LDAP context factory</emphasis> is a fully qualified class name for the
                 JNDI LDAP context factory. This class must implement the <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="${oracleJdkDocUrl}javax/naming/spi/InitialContextFactory.html">InitialContextFactory</link> interface and produce instances of <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="${oracleJdkDocUrl}javax/naming/directory/DirContext.html">DirContext</link>. If
                 not specified a default value of <literal>com.sun.jndi.ldap.LdapCtxFactory</literal> is
                 used.</para>
         </listitem>
         <listitem>
             <para><emphasis>LDAP authentication URL</emphasis> is the URL of LDAP server for
                 performing "ldap bind". If not specified, the <emphasis>LDAP server URL</emphasis> will
                 be used for both searches and authentications.</para>
         </listitem>
         <listitem>
             <para><emphasis>Truststore name</emphasis> is a name of <link linkend="Java-Broker-Management-Managing-Truststores-Attributes">configured
                 truststore</link>. Use this if connecting to a Directory over SSL (i.e. ldaps://)
                 which is protected by a certificate signed by a private CA (or utilising a self-signed
                 certificate).</para>
         </listitem>
         <listitem>
             <para><emphasis>Authentication method</emphasis> is a method of authentication to use on binding into LDAP
                 when <literal>bind without search</literal> mode is not selected.
                 Supported methods are NONE, SIMPLE, GSSAPI. The latter requires setting of <emphasis>Login Config Scope</emphasis>
                 which is a name of JAAS login module from JASS login configuration file specified using JVM system
                 property <emphasis>java.security.auth.login.config</emphasis> or Java security properties file. If
                 <emphasis>Login Config Scope</emphasis> is not specified with <literal>GSSAPI</literal>
                 <emphasis>Authentication method</emphasis>, the scope <emphasis>qpid-broker-j</emphasis> will be used.
             </para>
         </listitem>
         <listitem>
             <para>Additional group information can be obtained from LDAP.
                 There are two common ways of representing group membership in LDAP.
                 <itemizedlist>
                     <listitem>
                         User entries can hold membership information as attribute.
                         To use this the <emphasis>attribute name</emphasis> that holds the group information must be specified.
                     </listitem>
                     <listitem>
                         Group entries can hold a list of their members as attribute.
                         This can be used by specifying a <emphasis>search context</emphasis> and <emphasis>search filter</emphasis> to find all groups that the user should be considered a member of.
                         Typically this involves filtering groups by looking for the user's DN on a group attribute.
                         The <emphasis>subtree search scope</emphasis> determines whether the search should include the subtree extending from the <emphasis>search context</emphasis>.
                     </listitem>
                 </itemizedlist>
             </para>
         </listitem>
     </itemizedlist>
     </para>

     <important>
         <para>In order to protect the security of the user's password, when using LDAP authentication,
             you must: </para>
         <itemizedlist>
             <listitem>
                 <para>Use SSL on the broker's AMQP and HTTP ports to protect the password during
                     transmission to the Broker. The Broker enforces this restriction automatically on AMQP
                     and HTTP ports.</para>
             </listitem>
             <listitem>
                 <para>Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password
                     during transmission from the Broker to the Directory.</para>
             </listitem>
         </itemizedlist>
     </important>

     <para> The LDAP Authentication Provider works in the following manner. If not in <literal>bind
         without search</literal> mode, it first connects to the Directory and searches for the ldap
         entity which is identified by the username. The search begins at the distinguished name
         identified by <literal>Search Context</literal> and uses the username as a filter. The search
         scope is sub-tree meaning the search will include the base object and the subtree extending
         beneath it. </para>

     <para> If the search returns a match, or is configured in <literal>bind without search</literal>
         mode, the Authentication Provider then attempts to bind to the LDAP server with the given name
         and the password. Note that <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="${oracleJdkDocUrl}javax/naming/Context.html#SECURITY_AUTHENTICATION">simple security
             authentication</link> is used so the Directory receives the password in the clear.
     </para>
     <para>
         By default, this authentication provider caches the result of an authentication for a short period of time. This
         reduces the load on the Directory service if the same credentials are presented frequently within a short
         period of time.  The length of time a result will be cached is defined by context variable
         <literal>qpid.auth.cache.expiration_time</literal> (default to 600 seconds).  The cache can be disabled by
         setting the context variable <literal>qpid.auth.cache.size</literal> to 0.
     </para>
 </section>
	<?xml version="1.0"?>
	<!--

	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.

	-->

	<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="Java-Broker-Security-LDAP-Provider">
	<title>Simple LDAP</title>

	<para> The Simple LDAP authenticates connections against a Directory (LDAP). </para>
	<para> To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: <itemizedlist>
	<listitem>
	<para><emphasis>LDAP server URL</emphasis> is the URL of the server, for example,
	<literal>ldaps://example.com:636</literal></para>
	</listitem>
	<listitem>
	<para><emphasis>Search context</emphasis> is the distinguished name of the search base
	object. It defines the location from which the search for users begins, for example,
	<literal>dc=users,dc=example,dc=com</literal></para>
	</listitem>
	<listitem>
	<para><emphasis>Search filter</emphasis> is a DN template to find an LDAP user entry by
	provided user name, for example, <literal>(uid={0})</literal></para>
	</listitem>
	</itemizedlist> Additionally, the following optional fields can be specified: <itemizedlist>
	<listitem>
	<para><emphasis>LDAP context factory</emphasis> is a fully qualified class name for the
	JNDI LDAP context factory. This class must implement the <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="${oracleJdkDocUrl}javax/naming/spi/InitialContextFactory.html">InitialContextFactory</link> interface and produce instances of <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="${oracleJdkDocUrl}javax/naming/directory/DirContext.html">DirContext</link>. If
	not specified a default value of <literal>com.sun.jndi.ldap.LdapCtxFactory</literal> is
	used.</para>
	</listitem>
	<listitem>
	<para><emphasis>LDAP authentication URL</emphasis> is the URL of LDAP server for
	performing "ldap bind". If not specified, the <emphasis>LDAP server URL</emphasis> will
	be used for both searches and authentications.</para>
	</listitem>
	<listitem>
	<para><emphasis>Truststore name</emphasis> is a name of <link linkend="Java-Broker-Management-Managing-Truststores-Attributes">configured
	truststore</link>. Use this if connecting to a Directory over SSL (i.e. ldaps://)
	which is protected by a certificate signed by a private CA (or utilising a self-signed
	certificate).</para>
	</listitem>
	<listitem>
	<para><emphasis>Authentication method</emphasis> is a method of authentication to use on binding into LDAP
	when <literal>bind without search</literal> mode is not selected.
	Supported methods are NONE, SIMPLE, GSSAPI. The latter requires setting of <emphasis>Login Config Scope</emphasis>
	which is a name of JAAS login module from JASS login configuration file specified using JVM system
	property <emphasis>java.security.auth.login.config</emphasis> or Java security properties file. If
	<emphasis>Login Config Scope</emphasis> is not specified with <literal>GSSAPI</literal>
	<emphasis>Authentication method</emphasis>, the scope <emphasis>qpid-broker-j</emphasis> will be used.
	</para>
	</listitem>
	<listitem>
	<para>Additional group information can be obtained from LDAP.
	There are two common ways of representing group membership in LDAP.
	<itemizedlist>
	<listitem>
	User entries can hold membership information as attribute.
	To use this the <emphasis>attribute name</emphasis> that holds the group information must be specified.
	</listitem>
	<listitem>
	Group entries can hold a list of their members as attribute.
	This can be used by specifying a <emphasis>search context</emphasis> and <emphasis>search filter</emphasis> to find all groups that the user should be considered a member of.
	Typically this involves filtering groups by looking for the user's DN on a group attribute.
	The <emphasis>subtree search scope</emphasis> determines whether the search should include the subtree extending from the <emphasis>search context</emphasis>.
	</listitem>
	</itemizedlist>
	</para>
	</listitem>
	</itemizedlist>
	</para>

	<important>
	<para>In order to protect the security of the user's password, when using LDAP authentication,
	you must: </para>
	<itemizedlist>
	<listitem>
	<para>Use SSL on the broker's AMQP and HTTP ports to protect the password during
	transmission to the Broker. The Broker enforces this restriction automatically on AMQP
	and HTTP ports.</para>
	</listitem>
	<listitem>
	<para>Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password
	during transmission from the Broker to the Directory.</para>
	</listitem>
	</itemizedlist>
	</important>

	<para> The LDAP Authentication Provider works in the following manner. If not in <literal>bind
	without search</literal> mode, it first connects to the Directory and searches for the ldap
	entity which is identified by the username. The search begins at the distinguished name
	identified by <literal>Search Context</literal> and uses the username as a filter. The search
	scope is sub-tree meaning the search will include the base object and the subtree extending
	beneath it. </para>

	<para> If the search returns a match, or is configured in <literal>bind without search</literal>
	mode, the Authentication Provider then attempts to bind to the LDAP server with the given name
	and the password. Note that <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="${oracleJdkDocUrl}javax/naming/Context.html#SECURITY_AUTHENTICATION">simple security
	authentication</link> is used so the Directory receives the password in the clear.
	</para>
	<para>
	By default, this authentication provider caches the result of an authentication for a short period of time. This
	reduces the load on the Directory service if the same credentials are presented frequently within a short
	period of time. The length of time a result will be cached is defined by context variable
	<literal>qpid.auth.cache.expiration_time</literal> (default to 600 seconds). The cache can be disabled by
	setting the context variable <literal>qpid.auth.cache.size</literal> to 0.
	</para>
	</section>