
Configuring JAAS with OpenLDAP


This tutorial explains how to configure the portal to use OpenLDAP and to authenticate users over JAAS.

OpenLDAP #

OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). This article does not cover the installation of the OpenLDAP binaries; we assume an OpenLDAP server is already up and running.

Besides the LDAP server, we need a tool for browsing the directory and managing users. Many tools are available; a good one is Apache Directory Studio. We will create several users and a simple organization structure, as shown in the image below. For the sake of simplicity, passwords are stored as plain text, both in the portal and on the LDAP server. This is acceptable only for a throwaway lab: with these settings every login sends the password in the clear over the wire and stores it in the clear on both sides, so on a real deployment keep password hashing enabled in the portal and the directory and connect over LDAPS.

Enable LDAP in Portal #

There are a few base settings in portal-ext.properties (the two NONE values disable password hashing for this lab, matching the plain-text passwords on the LDAP side):

passwords.encryption.algorithm=NONE
ldap.auth.password.encryption.algorithm=NONE

# ldap
ldap.base.provider.url=ldap://localhost:389
ldap.base.dn=dc=example,dc=com
ldap.security.principal=cn=root,dc=example,dc=com
ldap.security.credentials=secret
ldap.auth.enabled=true
ldap.auth.required=true

Although these settings can be defined in portal-ext.properties, we will use the Control Panel to add the OpenLDAP server, since the portal offers a handy feature for checking that the entered parameters are correct. Note that web-based settings override the settings from the properties file. LDAP servers are added in the "Control Panel > Portal > Settings" section:

Here are the settings for the OpenLDAP server used in this example:

Connection
Base Provider URL: ldap://localhost:389
Base DN: dc=example,dc=com
Principal: cn=root,dc=example,dc=com
Credentials: secret

If everything is OK, the 'Test LDAP connection' action should succeed.

Users
Authentication Search Filter: (mail=@email_address@)
Import Search Filter: (objectClass=inetOrgPerson)
Screen name: cn
Password: password
Email Address: mail
Group: ou
...

'Test LDAP Users' tests the parameters by reading users from the LDAP server. If everything is OK, the result may look like this:

Groups
Import Search Filter: (objectClass=groupOfNames)
Group name: cn
User: member
...

Similarly, 'Test LDAP Groups' tests the parameters by importing user groups. If everything is OK, the result may look like this:

Enable JAAS in Tomcat #

web.xml #

Let's change the role and realm name in the portal's web.xml. This is not a necessary step, but let's do it for fun :)

...
		<auth-constraint>
			<role-name>liferay_users</role-name>
		</auth-constraint>
...
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>myrealm</realm-name>
...
	<security-role>
		<role-name>liferay_users</role-name>
	</security-role>
...

ROOT.xml #

We also need to enable the realm in the portal context, i.e. ROOT.xml:

<Context path="" crossContext="true">

	<Realm
			className="org.apache.catalina.realm.JAASRealm"
			appName="myrealm"
			userClassNames="com.liferay.portal.kernel.security.jaas.PortalPrincipal"
			roleClassNames="com.liferay.portal.kernel.security.jaas.PortalRole"
			debug="99"
			useContextClassLoader="false"
	/>

</Context>

jaas.config #

Create a file named jaas.config in Tomcat's conf folder, with the following content:

myrealm {
	com.sun.security.auth.module.LdapLoginModule SUFFICIENT
	userProvider="ldap://localhost:389/ou=people,dc=example,dc=com"
	userFilter="(&(employeeNumber={USERNAME})(objectClass=inetOrgPerson))"
	authzIdentity="{EMPLOYEENUMBER}"
	useSSL=false
	debug=true;
};

This file specifies how the realm authenticates users. For our LDAP connection we need to specify how user entries are located (userFilter) and which attribute identifies the user (employeeNumber). More on this later.

Note that one realm can have several login modules active at the same time, such as LdapLoginModule and PortalLoginModule. Each login module requires a control flag: REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL. Combining flags and several login modules lets you build a custom authentication chain, but the order matters: a SUFFICIENT module that succeeds stops the chain right there unless an earlier REQUIRED or REQUISITE module has already failed.
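The control-flag rules are easy to get wrong when you start stacking modules, so here is a small evaluator that applies the JAAS LoginContext semantics to a stack described in jaas.config order. This is an added example, not code from the tutorial, Liferay or Tomcat; the module names are the two mentioned above and the per-module outcomes are constructed inputs standing in for what each module's login() would return.

```python
"""Evaluate a JAAS login-module stack the way LoginContext does.

Added example, not part of the original tutorial: it models the control
flags REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL from the JAAS
specification so you can reason about a jaas.config before deploying it.
Module names and their outcomes are constructed for illustration.
"""
from enum import Enum


class Flag(Enum):
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


def evaluate_stack(stack, outcomes):
    """Return (overall_success, modules_actually_run).

    stack:    list of (module_name, Flag) in jaas.config order
    outcomes: dict module_name -> bool, the result each module's login()
              would produce for the credentials being tested
    """
    ran = []
    required_present = False   # any REQUIRED/REQUISITE in the stack?
    required_failed = False    # did one of them fail?
    other_succeeded = False    # did a SUFFICIENT/OPTIONAL succeed?
    for name, flag in stack:
        ok = outcomes[name]
        ran.append(name)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_present = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break          # REQUISITE failure: stop immediately
        else:
            if ok:
                other_succeeded = True
                # SUFFICIENT success short-circuits the rest of the stack,
                # but only if no earlier REQUIRED/REQUISITE module failed.
                if flag is Flag.SUFFICIENT and not required_failed:
                    break
    if required_present:
        return (not required_failed, ran)
    # No REQUIRED/REQUISITE modules: at least one of the others must succeed.
    return (other_succeeded, ran)


if __name__ == "__main__":
    # The tutorial's realm: a single SUFFICIENT LdapLoginModule.
    print(evaluate_stack([("LdapLoginModule", Flag.SUFFICIENT)],
                         {"LdapLoginModule": True}))
    # LDAP first as SUFFICIENT, portal second as REQUIRED: when LDAP
    # succeeds the PortalLoginModule is never consulted.
    stack = [("LdapLoginModule", Flag.SUFFICIENT),
             ("PortalLoginModule", Flag.REQUIRED)]
    print(evaluate_stack(stack, {"LdapLoginModule": True,
                                 "PortalLoginModule": False}))
```

Run it to see that with LdapLoginModule SUFFICIENT listed first, a successful LDAP bind never reaches PortalLoginModule, whereas putting PortalLoginModule REQUIRED first makes its failure fatal even when LDAP succeeds.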

We also need to make Tomcat aware of the jaas.config file by passing its location on Tomcat's command line. For example, we can add the following to 'setenv.bat':

set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.auth.login.config=%CATALINA_HOME%/conf/jaas.config"

Restart Tomcat.

employeeNumber #

At this point everything is prepared: the OpenLDAP server is up, the portal is connected to the LDAP server, and Tomcat is ready to use the same LDAP server for authentication. However, we are still missing one key point. As defined in jaas.config, we use employeeNumber to identify a user in the LDAP server. This number is actually the userId the portal sends to Tomcat. The problem is that at this moment the LDAP users do not exist in the portal's database, so no userId is defined yet.

To solve this, we need either to import the LDAP users or to make our LDAP user log in to the portal at least once. Importing users can be configured either in portal-ext.properties or in the Control Panel; it can be scheduled to run on portal startup, and so on. Here we will log in as our user of choice (admin@example.com). On login, the portal checks whether such a user exists in the LDAP repository and creates a new portal user if one does not already exist.

Once the LDAP user has logged in and has therefore been created in the portal database, we can look up the userId value in the User_ table. This value then has to be copied into the user's LDAP record, as the employeeNumber attribute.
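The tutorial leaves the "copy it to the LDAP record" step as a manual edit in the directory browser. The script below, an added example that is not part of the tutorial or of Liferay, generates the equivalent ldapmodify input instead, so the change is repeatable and reviewable; the DN and the userId 10401 (the value that appears in the log output further down) are sample values, and the real userId comes from the User_ table.

```python
"""Produce the ldapmodify input that copies a portal userId into an LDAP
entry's employeeNumber attribute (the manual step described above).

Added example, not part of the tutorial. The DN and the userId are
constructed sample values; look up the real userId in the User_ table.
"""
import base64


def _ldif_attr(name: str, value: str) -> str:
    """Render one 'name: value' LDIF line, switching to the base64 form
    ('name:: ...') when RFC 2849 requires it: a leading space, colon or '<',
    or any non-ASCII, NUL, CR or LF character in the value."""
    needs_b64 = (
        value[:1] in (" ", ":", "<")
        or any(ord(c) > 0x7F or c in "\x00\r\n" for c in value)
    )
    if needs_b64:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def employee_number_ldif(dn: str, user_id: int) -> str:
    """Build a modify operation that sets employeeNumber to the portal userId.

    'replace' (rather than 'add') makes the operation idempotent: re-running
    it after a re-import of the user just overwrites the old value.
    """
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id <= 0:
        raise ValueError("userId must be a positive integer from the User_ table")
    lines = [
        _ldif_attr("dn", dn),
        "changetype: modify",
        "replace: employeeNumber",
        _ldif_attr("employeeNumber", str(user_id)),
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Sample DN from the directory layout used in this tutorial.
    print(employee_number_ldif("uid=admin,ou=people,dc=example,dc=com", 10401), end="")
```

Save the output to a file and apply it with `ldapmodify -x -H ldap://localhost:389 -D cn=root,dc=example,dc=com -W -f admin.ldif`. employeeNumber is part of the inetOrgPerson schema that the example users already carry, so no schema change is needed.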

JAAS auth type #

Using the userId for JAAS authentication may not be practical and may even be forbidden in a client's environment. We have recently (in v6.1) added a new portal property, portal.jaas.auth.type, that defines how JAAS authenticates users: by their email address, screen name, user ID, or by the login type determined by the property company.security.auth.type.

For example, if we want to send the user's email address to JAAS instead of the user ID, we just need to set the property:

portal.jaas.auth.type=emailAddress

Of course, we now also need to modify jaas.config to use email addresses:

myrealm {
	com.sun.security.auth.module.LdapLoginModule SUFFICIENT
	userProvider="ldap://localhost:389/ou=people,dc=example,dc=com"
	userFilter="(&(mail={USERNAME})(objectClass=inetOrgPerson))"
	authzIdentity="{MAIL}"
	useSSL=false
	debug=true;
};
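Whichever identifier you pick, the value typed at login ends up substituted into a search filter: the portal's (mail=@email_address@) and the {USERNAME} token in the jaas.config filters above. Whatever performs that substitution must escape the RFC 4515 filter metacharacters, otherwise a login name containing `*` or `)(` changes the query instead of being matched literally. The block below is an added example, not code from the tutorial, Liferay or the JDK LdapLoginModule; it builds the page's filter template both naively and with escaping so you can see the difference, using constructed login names. Use a login such as `*@example.com` against your own stack to confirm that the versions you run escape correctly.

```python
"""Build LDAP search filters with RFC 4515 escaping.

Added example (not code from the tutorial or from Liferay/Tomcat/JDK): it
shows the difference between naively substituting a login name into the
filters used above and escaping it first. The template mirrors the page's
jaas.config setting; the login names are constructed test inputs.
"""

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value. NUL is included because it cannot appear raw either.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: each UTF-8 byte as \XX, which RFC 4515 permits.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(template: str, username: str, escape: bool = True) -> str:
    """Fill a jaas.config-style template such as
    '(&(mail={USERNAME})(objectClass=inetOrgPerson))'.

    escape=False reproduces naive substitution and exists only so the
    two results can be compared; never use it for real queries.
    """
    value = escape_filter_value(username) if escape else username
    return template.replace("{USERNAME}", value)


def is_wildcard_free(filter_str: str) -> bool:
    """True if no unescaped '*' remains, i.e. the filter cannot match broadly."""
    i = 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3          # skip an escape sequence \XX
            continue
        if filter_str[i] == "*":
            return False
        i += 1
    return True


if __name__ == "__main__":
    # Same template as the email-address variant of jaas.config above.
    template = "(&(mail={USERNAME})(objectClass=inetOrgPerson))"
    for login in ("admin@example.com", "*@example.com", "x)(mail=*"):
        print("naive:  ", user_filter(template, login, escape=False))
        print("escaped:", user_filter(template, login))
```

With the naive substitution, `*@example.com` becomes a wildcard over every mail attribute and `x)(mail=*` injects an extra assertion; after escaping, both are matched as literal strings and no user entry is found.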

Enable JAAS in Portal #

Finally, everything is set ;) The only thing left is to enable JAAS in the portal, in portal-ext.properties:

portal.jaas.enable=true

Restart Tomcat and log in as admin@example.com. You will notice that the login process is handed over to Tomcat. Moreover, the LdapLoginModule configured in jaas.config writes some log output to the console (because of debug=true; turn that off once things work, as it logs identifiers and DNs for every login), such as:

[LdapLoginModule] search-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://localhost:389/ou=people,dc=example,dc=com
[LdapLoginModule] searching for entry belonging to user: 10401
[LdapLoginModule] found entry: uid=admin,ou=people,dc=example,dc=com
[LdapLoginModule] attempting to authenticate user: 10401
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "uid=admin,ou=people,dc=example,dc=com" to Subject
[LdapLoginModule] added UserPrincipal "10401" to Subject

Voilà :)

Note that some Tomcat versions still present the 403 (access denied) page after a successful login, although the user is signed in correctly.
