Difference between revisions of "D4Science Portal LDAP Authorization"
(→Authentication Modules) |
(→Authentication Modules) |
||
| Line 4: | Line 4: | ||
This WIKI Has been tested with Gridsphere 3.1, deployed on Apache Tomcat 5.5.26, you also need to download a JBoss Application Server 4.0.3 distribution (see http://www.jboss.com/products/jbossas/downloads). | This WIKI Has been tested with Gridsphere 3.1, deployed on Apache Tomcat 5.5.26, you also need to download a JBoss Application Server 4.0.3 distribution (see http://www.jboss.com/products/jbossas/downloads). | ||
| − | ==Authentication Modules== | + | |
| + | ==Authentication Modules - Java Authentication and Authorization Framework== | ||
| + | |||
An authentication module is described by an XML descriptor file called authmodules.xml located in WEB-INF directory of web application. | An authentication module is described by an XML descriptor file called authmodules.xml located in WEB-INF directory of web application. | ||
| Line 35: | Line 37: | ||
<error key="key3" lang="es">Error Inesperado</error> | <error key="key3" lang="es">Error Inesperado</error> | ||
</auth-module> | </auth-module> | ||
| + | </pre> | ||
| + | |||
| + | This Authentication Module will be Active and with highest priority respect to the first one (The default One) | ||
| + | |||
| + | * Authentication modules that are ACTIVE will be executed upon attempted login. | ||
| + | * A module has a priority number associated with it. Starting with the module with the lowest priority number, all active modules are executed until authentication is successful. | ||
| + | |||
| + | ==Configure Portal to authenticate with some external source== | ||
| + | We are going to use the '''JBoss JAAS LdapExtLoginModule''' to authenticate with an LDAP server. The necessary classes are contained in the jboss-common.jar and jbosssx.jar included with a standard JBoss Application Server. | ||
| + | |||
| + | |||
| + | '''Step 2nd: Copy jboss-common.jar and jbosssx.jar in folder $tomcat/shared/lib''' | ||
| + | |||
| + | With these libraries in our class path, we then need to create a standard JAAS configuration file. | ||
| + | This file can be arbitrary named and can be placed anywhere. For our example, we will call it jaas.config and place it into the configuration directory of our Application Server. Here is what the file should contain: | ||
| + | |||
| + | <pre> | ||
| + | Gridsphere { | ||
| + | org.jboss.security.auth.spi.LdapExtLoginModule required | ||
| + | java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory | ||
| + | java.naming.provider.url="ldap://ldap.research-infrastructures.eu/" | ||
| + | java.naming.security.authentication=simple | ||
| + | bindDN="cn=anonymous,ou=System,dc=research-infrastructures,dc=eu" | ||
| + | bindCredential=freeToSearch | ||
| + | baseCtxDN="ou=Organizations,dc=research-infrastructures,dc=eu" | ||
| + | baseFilter="(uid={0})" | ||
| + | rolesCtxDN="ou=Groups,ou=DevelopmentPortal,ou=D4Science,ou=Applications,dc=research-infrastructures,dc=eu" | ||
| + | roleFilter="(uniqueMember={1})" | ||
| + | roleAttributeID="cn" | ||
| + | roleRecursion="-1" | ||
| + | ; | ||
| + | }; | ||
</pre> | </pre> | ||
Revision as of 12:37, 12 June 2008
In order to communicate with the LDAP, to have a centralized authorization point, the D4Science portal requires the following steps to be performed once you have installed Gridsphere Portal on your machine.
Applications Needed
This WIKI Has been tested with Gridsphere 3.1, deployed on Apache Tomcat 5.5.26, you also need to download a JBoss Application Server 4.0.3 distribution (see http://www.jboss.com/products/jbossas/downloads).
Authentication Modules - Java Authentication and Authorization Framework
An authentication module is described by an XML descriptor file called authmodules.xml located in WEB-INF directory of web application.
GridSphere provides a pluggable way to specify "authetication modules" used for authenticating users to the portal. The model is very similar to the PAM (Pluggable Authentication Modules) approach used in Unix in that modules may be "stackable" such that each module that is selected as active also has a priority associated with it. This makes it possible for instance to default to the GridSphere password based authentication module if some other module with a higher priority fails at first.
Step 1st: Edit the authmodules.xml located in $TOMCAT/webapps/$PortalInstallation_DIR/WEB-INF
Replace the second <auth-module> with this one:
<auth-module>
<name>GridSphere JAAS for LDAP</name>
<description lang="en">Use the Java Authentication and Authorization Framework</description>
<description lang="ja">Java認証&授権フレームワーク(Java Authentication and Authorization Framework)を使用</description>
<implementation>org.gridsphere.services.core.security.auth.modules.impl.JaasAuthModule</implementation>
<active>true</active>
<priority>10</priority>
<auth-config>
<param-name>contextName</param-name>
<param-value>LdapExtLoginModule</param-value>
</auth-config>
<error key="key1" lang="en">Account Expired</error>
<error key="key2" lang="en">Credentials Expired</error>
<error key="key3" lang="en">Unexpected Error</error>
<error key="key1" lang="it">Il tuo Account é scaduto</error>
<error key="key2" lang="it">Credenziali Scadute</error>
<error key="key3" lang="it">Errore non previsto, contatta il system administrator</error>
<error key="key1" lang="es">La cuenta ha expiradi</error>
<error key="key2" lang="es">Credenciales expiradas</error>
<error key="key3" lang="es">Error Inesperado</error>
</auth-module>
This Authentication Module will be Active and with highest priority respect to the first one (The default One)
- Authentication modules that are ACTIVE will be executed upon attempted login.
- A module has a priority number associated with it. Starting with the module with the lowest priority number, all active modules are executed until authentication is successful.
Configure Portal to authenticate with some external source
We are going to use the JBoss JAAS LdapExtLoginModule to authenticate with an LDAP server. The necessary classes are contained in the jboss-common.jar and jbosssx.jar included with a standard JBoss Application Server.
Step 2nd: Copy jboss-common.jar and jbosssx.jar in folder $tomcat/shared/lib
With these libraries in our class path, we then need to create a standard JAAS configuration file. This file can be arbitrary named and can be placed anywhere. For our example, we will call it jaas.config and place it into the configuration directory of our Application Server. Here is what the file should contain:
Gridsphere {
org.jboss.security.auth.spi.LdapExtLoginModule required
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url="ldap://ldap.research-infrastructures.eu/"
java.naming.security.authentication=simple
bindDN="cn=anonymous,ou=System,dc=research-infrastructures,dc=eu"
bindCredential=freeToSearch
baseCtxDN="ou=Organizations,dc=research-infrastructures,dc=eu"
baseFilter="(uid={0})"
rolesCtxDN="ou=Groups,ou=DevelopmentPortal,ou=D4Science,ou=Applications,dc=research-infrastructures,dc=eu"
roleFilter="(uniqueMember={1})"
roleAttributeID="cn"
roleRecursion="-1"
;
};
