REQUIREMENT security.ldap
Type: NEW
Priority: HIGH
Status: CLOSED
Topic: XmlBlaster provides an LDAP based authentication plugin

Description
Authentication in xmlBlaster is based on plugins. The plugin described here uses an external LDAP server for authentication. The LDAP server
To get started with LDAP authentication, set up an LDAP server first; see the example section below.
Start your LDAP server and fill it with the demo data from
Get it running:
Add the configuration of the LDAP plugin to xmlBlaster.properties:
ldap.serverUrl=ldap://localhost:389/o=xmlBlaster,c=ORG
ldap.rootDN=cn=Manager,o=xmlBlaster,c=ORG
ldap.rootPwd=secret
ldap.loginFieldName=cn
Start the xmlBlaster server:
java -jar lib/xmlBlaster.jar
You may set these settings on the command line as well:
java -jar lib/xmlBlaster.jar \
-ldap.serverUrl "ldap://localhost:389/o=xmlBlaster,c=ORG" \
-ldap.rootDN "cn=Manager,o=xmlBlaster,c=ORG" \
-ldap.rootPwd "secret" \
-ldap.loginFieldName "cn"
Start a client (all in one line), e.g.
java HelloWorld3 -session.name tim -passwd tim -Security.Client.DefaultPlugin ldap,1.0
In the log output of xmlBlaster server you should see something like:
SecurityPluginManager] Plugin 'org.xmlBlaster.authentication.plugins.ldap.Manager'
successfully initialized
Congratulations, you were authenticated by LDAP!
Edit xmlBlaster.properties and add this line:
Security.Client.DefaultPlugin=ldap,1.0
Now LDAP is switched on as the default; try again:
java HelloWorld3 -session.name tim -passwd tim
The connect() QoS used here, which you can directly use from Python or Perl clients, looks like this:
<securityService type="ldap" version="1.0">
<user>tim</user>
<passwd>tim</passwd>
</securityService>
Now try an invalid password:
java HelloWorld3 -session.name tim -passwd aaah
You should get an authentication error from LDAP.
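The securityService element above is what a Python or Perl client has to put into its connect() QoS. As an added example (not xmlBlaster client code), the following builds that element and reads it back through an XML library, so that a password containing '<', '&' or quotes is escaped instead of corrupting the QoS document:

```python
import xml.etree.ElementTree as ET

# Added illustration, not xmlBlaster client code: build the <securityService>
# part of the connect() QoS for the ldap plugin and read it back. Going through
# an XML library instead of string formatting means a password containing
# '<', '&' or quotes is escaped rather than breaking (or reshaping) the QoS.


def build_security_service(user: str, passwd: str,
                           plugin_type: str = "ldap", version: str = "1.0") -> str:
    root = ET.Element("securityService", {"type": plugin_type, "version": version})
    ET.SubElement(root, "user").text = user
    ET.SubElement(root, "passwd").text = passwd
    return ET.tostring(root, encoding="unicode")


def parse_security_service(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != "securityService":
        raise ValueError("expected <securityService>, got <%s>" % root.tag)
    user = root.findtext("user")
    passwd = root.findtext("passwd")
    if user is None or passwd is None:
        raise ValueError("securityService lacks <user> or <passwd>")
    return {"type": root.get("type"), "version": root.get("version"),
            "user": user, "passwd": passwd}


if __name__ == "__main__":
    qos = build_security_service("tim", "tim")
    print(qos)  # the element shown on this page, serialized on one line
    print(parse_security_service(qos))
```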
Example Java
Here is an example of how to set up the LDAP server based on OpenLDAP server 2.x, the free LDAP server (slapd), http://www.openldap.org/
Note:
In xmlBlaster/demo/ldap/README you find a description of how to set up OpenLDAP.
After you have the running LDAP server, please follow
xmlBlaster/src/java/org/xmlBlaster/authentication/plugins/ldap/README
on how to use it with xmlBlaster (it is simple - just go for it).
See:
http://nimbus.temple.edu/ldap/
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html
http://www.ldapguru.com/
http://java.sun.com/products/jndi
The Java based LDAP interface
http://developer.netscape.com/docs/manuals/dirsdk/jsdk40/servinfo.htm
Demo code
xmlBlaster/demo/ldap/demoData.ldif
Demo users for our ldap server
GUI based client:
Under UNIX you can use 'gq' (the gentleman's LDAP client) to manage your LDAP data.
Install this demo:
JDK 1.3 and higher has LDAP drivers integrated; for JDK 1.2 please download the LDAP driver and add it to your classpath.
Configure OpenLDAP server:
Edit /etc/openldap/slapd.conf
suffix "o=xmlBlaster, c=ORG"
rootdn "cn=Manager, o=xmlBlaster, c=ORG"
# Demo-only global ACLs: every client, anonymous ones included, may read and
# write all entries (including userPassword). Restrict this outside the demo.
access to * by * read
access to * by * write
# Switch on logging:
loglevel -1
tail -f /var/log/messages
Start/Stop:
rcldap start
rcldap stop
Feed some initial users:
We have provided a file demoData.ldif which contains some
demo data, in the ldap interchange format.
The demo data is based on the core.schema.
Please import it:
ldapadd -x -D "cn=Manager,o=xmlBlaster,c=ORG" -w secret -v -f demoData.ldif
Query the ldap server (cn is the unique user name):
ldapsearch -x -b 'o=xmlBlaster,c=ORG' '(objectclass=*)'
Check password:
ldapsearch -x -b 'o=xmlBlaster,c=ORG' '(&(cn=tim)(userPassword=tim))'
You should get a line like: # numEntries: 1
Recursively remove all data:
echo "o=xmlBlaster, c=ORG" | ldapdelete -x -D "cn=Manager,o=xmlBlaster,c=ORG" -w secret -v -r
Query ldap server with netscape or konqueror (Linux):
ldap://localhost/o=xmlBlaster, c=ORG??base
ldap://localhost/o=xmlBlaster, c=ORG??sub
ldap://localhost/o=xmlBlaster, c=ORG?cn,dbAnrede?sub
ldap://localhost/o=xmlBlaster, c=ORG?cn?sub?(sn=Stallman)
Syntax:
ldap[s]://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>
RFC2255
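The URL syntax above is the one ldap.serverUrl and the browser queries follow. As an added example (not xmlBlaster or OpenLDAP code), here is a parser for that RFC 2255 form that applies the RFC defaults for omitted fields and normalises the "o=xmlBlaster, c=ORG" / "o=xmlBlaster,c=ORG" spelling of the base DN:

```python
from dataclasses import dataclass, field
from urllib.parse import unquote

# Added illustration, not xmlBlaster or OpenLDAP code: a parser for the
# RFC 2255 LDAP URL form used by ldap.serverUrl and by the browser URLs above,
#   ldap[s]://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>
# Missing fields take the RFC defaults: all attributes, scope "base",
# filter "(objectClass=*)", port 389 (ldap) or 636 (ldaps).


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attributes: list = field(default_factory=list)  # [] means "all user attributes"
    scope: str = "base"
    search_filter: str = "(objectClass=*)"


def normalize_dn(dn: str) -> str:
    # "o=xmlBlaster, c=ORG" and "o=xmlBlaster,c=ORG" name the same entry:
    # whitespace around the RDN separator is not significant.
    return ",".join(part.strip() for part in dn.split(",")).strip()


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, _, port_text = hostport.partition(":")
    port = int(port_text) if port_text else (636 if scheme == "ldaps" else 389)
    # Everything after the base DN is '?'-separated; any field may be empty.
    fields = (tail.split("?") + ["", "", ""])[:4]
    base_dn = normalize_dn(unquote(fields[0]))
    attributes = [a.strip() for a in fields[1].split(",") if a.strip()]
    scope = fields[2].strip().lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r in %r" % (scope, url))
    search_filter = unquote(fields[3]).strip() or "(objectClass=*)"
    return LdapUrl(scheme, host, port, base_dn, attributes, scope, search_filter)


if __name__ == "__main__":
    for u in ("ldap://localhost:389/o=xmlBlaster,c=ORG",
              "ldap://localhost/o=xmlBlaster, c=ORG?cn?sub?(sn=Stallman)"):
        print(parse_ldap_url(u))
```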
LDAP and Kerberos:
http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/15.html#RTFToC123
Configure
Server side configuration
Additional client side configuration
NOTE: Configuration parameters are specified on the command line (-someValue 17) or in the
xmlBlaster.properties file (someValue=17). See requirement "util.property" for details.
Todo

See REQ: security.introduction
See REQ: security.development.serverPlugin.howto
See REQ: security.htpasswd
See API: org.xmlBlaster.authentication.plugins.ldap.LdapGateway
See: ../../src/java/org/xmlBlaster/authentication/plugins/ldap/README
See: ../../demo/ldap/README
See TEST: org.xmlBlaster.test.authentication.TestAuthenticationHtPassWd
This page is generated from the requirement XML file xmlBlaster/doc/requirements/security.ldap.xml