
Module configuration

The LdapLoginModule is used to delegate credentials validation to an LDAP server.

NB:

To prevent LDAP injection attacks, the LdapLoginModule rejects usernames containing characters that have a special meaning in an LDAP search filter: (, ), *, &, |, !, =, >, < and ~. The login is substituted for {0} in the userSearch filter (see below), so these characters would otherwise be interpreted as filter syntax instead of as the value to match.

If this creates a problem, you can explicitly authorize all or some of these characters with the -Dadelia.relaxedLdapCharacters Java system property. To authorize all the excluded characters, add the "-Dadelia.relaxedLdapCharacters=()*&|!=><~" option to the Java command line. Only authorize the characters your logins actually need.
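To make the note concrete, here is an added Python example (it is not part of the Adelia product or of this page) that substitutes a login into the AD user filter used in the examples below, written as a complete RFC 4515 filter, `(|(sAMAccountName={0})(mail={0}))`. It shows why the reject list exists: a login of `*)(objectClass=*` turns a two-assertion lookup into a filter that matches every entry. `is_login_accepted` mirrors the reject list from the note, with the relaxed-characters option modelled as a plain string argument; `escape_filter_value` is the RFC 4515 alternative (escaping instead of rejecting) and is shown for comparison only, since the module as documented rejects. Note that RFC 4515 also escapes the backslash and NUL, which the note's list does not mention.

```python
"""LDAP filter injection through {0} substitution, and two defences.
Added example; not LdapLoginModule code."""
import re

# The AD userSearch filter from the configuration examples, written as a
# complete RFC 4515 filter.  {0} is replaced by the login entered by the user.
USER_SEARCH = "(|(sAMAccountName={0})(mail={0}))"

# Characters the note above says LdapLoginModule rejects in a login.
REJECTED_CHARS = set("()*&|!=><~")

# Assertion pattern: "(" attribute [~ < >] "="  -- one match per filter item.
_ASSERTION = re.compile(r"\([A-Za-z][\w;.-]*[~<>]?=")


def build_filter_naive(template: str, login: str) -> str:
    """Raw substitution of the login for {0}: the vulnerable behaviour."""
    return template.replace("{0}", login)


def is_login_accepted(login: str, relaxed: str = "") -> bool:
    """Reject-list check as described in the note.  `relaxed` plays the role of
    -Dadelia.relaxedLdapCharacters: characters listed there are allowed again."""
    blocked = REJECTED_CHARS - set(relaxed)
    return not any(ch in blocked for ch in login)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: '*', '(', ')', '\\' and NUL
    become \\XX hex escapes.  Shown as the alternative to rejecting; the
    standard's list includes '\\' and NUL, which the module's reject list does not."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter_escaped(template: str, login: str) -> str:
    """Substitution with the login escaped first: the hardened form."""
    return template.replace("{0}", escape_filter_value(login))


def count_assertions(ldap_filter: str) -> int:
    """Number of attribute assertions in a filter; an injected login adds some."""
    return len(_ASSERTION.findall(ldap_filter))


if __name__ == "__main__":
    for login in ("jdoe", "*", "*)(objectClass=*"):
        print(f"login={login!r:22} accepted={is_login_accepted(login)!s:5} "
              f"naive={build_filter_naive(USER_SEARCH, login)}")
        print(f"{'':29} escaped={build_filter_escaped(USER_SEARCH, login)}")
```

Running the block shows that `jdoe` passes the reject list and yields two assertions, whereas `*)(objectClass=*` is rejected; if it were substituted raw it would produce four assertions and match every entry, while the escaped form keeps two assertions and matches nothing.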


Extract from wagon.xml file:

<realm name="adelia" loginModuleName="LdapLoginModule" className="com.hardis.adelia.cloud.security.realms.BasicRealm"/>
<loginModules>
  <loginModule name="LdapLoginModule" className="com.hardis.adelia.cloud.security.loginmodules.ldap.LdapLoginModule">
    <parameters>
        <!-- connection information -->
        <!-- type: AD, Domino or ldap -->
        <item key="type" value="AD" /> 
        <item key="connectionsURL" value="adserver.domain.com:636" /> 
        <item key="connectionName" value="domain\user" />
        <item key="connectionPassword" value="password" />
        <item key="connectionTimeout" value="5000" />
        <item key="connectionPoolSize" value="10" />
        <item key="useSSL" value="true" />

        <!-- user query informations -->
        <item key="userBase" value="DC=domain,DC=com" />
        <item key="userSearch" value="(|(sAMAccountName={0})(mail={0}))" /> 
        <item key="userSearchScope" value="SUB" /> 
        <item key="userName" value="sAMAccountName" />
        <item key="userAttributes" value="mail,name,sn" /> 
        <item key="userAttributesSearchAsUser" value="true"/>   

        <!-- user groups query informations -->
        <item key="groupBase" value="DC=domain,DC=com" />
        <item key="groupSearch" value="(member={0})" />
        <item key="groupSearchScope" value="SUB" /> 
        <item key="groupSearchAsUser" value="true"/>
        <item key="groupName" value="cn" />
        <item key="roles-mapping" value="role1=group1|group2|group3;role2=group4" />
        <item key="maxLoginAttempts" value="5" />
    </parameters>
</loginModule>


Details of parameters:


connectionsURL is the LDAP server address in host:port form (636 is the LDAPS port and goes with useSSL="true"); connectionName (login) and connectionPassword (password) are the credentials of the service account used to connect to the directory. type selects the directory flavour: AD, Domino or ldap. Avoid leaving connectionPassword in clear text in wagon.xml; see the substituteValues option below.


userBase indicates the location (base DN) under which users are stored, userSearch is the LDAP search filter used to find a user, in which {0} is replaced by the login entered, and userName is the attribute whose value becomes the user's name (*USER).


userAttributes lists, if needed, the attributes to retrieve for the authenticated user in addition to the name. These attributes are added to the information linked to the user and can be read with the VaToolBxCloudGetUserAttribute() function.


userSearchScope indicates the search scope (BASE, ONE, SUB, SUBORDINATE_SUBTREE). The default value is SUB (recursive search).


userAttributesSearchAsUser indicates whether the user attribute search must be executed under the identity of the user to authenticate (true by default) or by using the LDAP connection profile (connectionName).


groupBase, groupSearch and groupName are used to find the groups the user is in.


groupSearchScope indicates the search scope (BASE, ONE, SUB, SUBORDINATE_SUBTREE). If the parameter is not specified, the userSearchScope value is used.


groupSearchAsUser indicates whether the group search must be executed under the identity of the user to authenticate (true by default) or by using the LDAP connection profile (connectionName).


roles-mapping maps the roles defined by the application to group names (values of the groupName attribute, cn here). The syntax is role=group[|group...], with several mappings separated by ";" (e.g. role1=group1|group2|group3;role2=group4). The VaToolBxCloudIsUserInRole() API checks whether the user has a role.



The search scope (userSearchScope, groupSearchScope) indicates how far the search descends into the LDAP tree from the base entry (userBase or groupBase). The possible values are:

BASE

Only the base entry itself is considered.

ONE

Only the immediate subordinates of the base entry are considered; the base entry itself is not.

SUB

The base entry and all its descendants are considered.

SUBORDINATE_SUBTREE

All the descendants of the base entry are considered, but the base entry itself is excluded.


To read the user attributes, you can use the "VaToolBxCloudGetUserAttribute" VaToolBx function:

ALPHA(250) value

CALL_DLL VaToolBox 'VaToolBxCloudGetUserAttribute' 'attr' value 250



To test the user roles, you can use the "VaToolBxCloudIsUserInRole" VaToolBx function:

BOOL allowed

CALL_DLL VaToolBox 'VaToolBxCloudIsUserInRole' 'internal' allowed

N.B. : an optional "substituteValues" attribute (boolean type, default value: false) can be indicated in the "parameters" element.


If this attribute is present and equal to "true", the ${VARIABLE} syntax will be replaced in the parameters value ("value" attribute of "item" elements) by the value of the "VARIABLE" Java system property if it is defined (e.g. via -DVARIABLE=value on the Java command line).

The value remains the same if the system property does not exist.


In the following example:

<parameters substituteValues="true">
    ...
    <item key="connectionName" value="${LDAP_USER}" />
    <item key="connectionPassword" value="${LDAP_PASSWORD}" />
    ...
</parameters>


At runtime, "connectionName" and "connectionPassword" then take the values of the LDAP_USER and LDAP_PASSWORD system properties given on the Java command line (-DLDAP_USER=username -DLDAP_PASSWORD=password), so the service account password no longer has to be stored in wagon.xml.
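The two parameter formats described above, ${VARIABLE} substitution and roles-mapping, as an added Python example (not Adelia code). It parses a constructed <parameters> extract in the wagon.xml format shown on this page, applies substitution only when substituteValues="true" and leaves undefined variables as written, then parses roles-mapping and evaluates role membership the way the text describes VaToolBxCloudIsUserInRole. The SYSTEM_PROPERTIES dictionary stands in for the Java system properties, and the exact, case-sensitive group comparison is an assumption, since the page does not say how names are compared.

```python
"""Parsing of ${VARIABLE} substitution and roles-mapping as described above.
Added example; not LdapLoginModule code."""
import re
import xml.etree.ElementTree as ET

# Constructed <parameters> extract in the wagon.xml format shown on this page.
PARAMETERS_XML = """
<parameters substituteValues="true">
    <item key="connectionName" value="${LDAP_USER}" />
    <item key="connectionPassword" value="${LDAP_PASSWORD}" />
    <item key="userBase" value="${UNSET_VARIABLE}" />
    <item key="groupName" value="cn" />
    <item key="roles-mapping" value="role1=group1|group2|group3;role2=group4" />
</parameters>
"""

# Stand-in for the Java system properties set with -DLDAP_USER=... -DLDAP_PASSWORD=...
SYSTEM_PROPERTIES = {"LDAP_USER": "svc-adelia", "LDAP_PASSWORD": "constructed-secret"}

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def substitute(value: str, props: dict) -> str:
    """Replace each ${NAME} with props[NAME]; an undefined NAME is left as written."""
    return _VARIABLE.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def load_parameters(xml_text: str, props: dict) -> dict:
    """Read <item key= value=/> pairs, applying substitution only when
    substituteValues="true" (the default is false, as the N.B. above states)."""
    root = ET.fromstring(xml_text.strip())
    enabled = root.get("substituteValues", "false").lower() == "true"
    params = {}
    for item in root.findall("item"):
        value = item.get("value", "")
        params[item.get("key")] = substitute(value, props) if enabled else value
    return params


def parse_roles_mapping(spec: str) -> dict:
    """'role1=group1|group2;role2=group4' -> {'role1': {...}, 'role2': {...}}.
    ';' separates mappings, '|' separates the groups of one role."""
    mapping = {}
    for entry in (e.strip() for e in spec.split(";")):
        if not entry:
            continue
        role, sep, groups = entry.partition("=")
        if not sep:
            raise ValueError(f"roles-mapping entry without '=': {entry!r}")
        mapping[role.strip()] = {g.strip() for g in groups.split("|") if g.strip()}
    return mapping


def is_user_in_role(role: str, user_groups, mapping: dict) -> bool:
    """VaToolBxCloudIsUserInRole as described: true if any of the user's group
    names (the groupName attribute, cn here) is mapped to the role.  Assumes an
    exact, case-sensitive comparison (assumption, not stated by the page)."""
    return bool(mapping.get(role, set()) & set(user_groups))


if __name__ == "__main__":
    params = load_parameters(PARAMETERS_XML, SYSTEM_PROPERTIES)
    roles = parse_roles_mapping(params["roles-mapping"])
    print(params["connectionName"], params["userBase"])
    print(is_user_in_role("role1", ["group2", "Domain Users"], roles))
```

A group name containing spaces, as in the Active Directory example below (internal=Domain users), is handled because only ";" and "|" are separators.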



Example: ActiveDirectory


Extract from wagon.xml:

<realm name="adelia" loginModuleName="LdapLoginModule" className="com.hardis.adelia.cloud.security.realms.BasicRealm"/>
<loginModules>
  <loginModule name="LdapLoginModule" className="com.hardis.adelia.cloud.security.loginmodules.ldap.LdapLoginModule">
    <parameters>
        <!-- connection information -->
        <item key="type" value="AD" /> 
        <item key="connectionsURL" value="adserver.domain.com:636" /> 
        <item key="connectionName" value="domain\user" />
        <item key="connectionPassword" value="password" />
        <item key="connectionTimeout" value="5000" />
        <item key="connectionPoolSize" value="10" />
        <item key="useSSL" value="true" />

        <!-- user query informations -->
        <item key="userBase" value="DC=domain,DC=com" />
        <item key="userSearch" value="(|(sAMAccountName={0})(mail={0}))" /> 
        <item key="userSearchScope" value="SUB" /> 
        <item key="userName" value="sAMAccountName" />
        <item key="userAttributes" value="mail,name,sn" /> 
        <item key="userAttributesSearchAsUser" value="true"/>   

        <!-- user groups query informations -->
        <item key="groupBase" value="DC=domain,DC=com" />
        <item key="groupSearch" value="(member={0})" />
        <item key="groupSearchScope" value="SUB" /> 
        <item key="groupSearchAsUser" value="true"/>
        <item key="groupName" value="cn" />
        <item key="roles-mapping" value="internal=Domain users" />
        <item key="maxLoginAttempts" value="5" />
    </parameters>
</loginModule>


In this example, the search is carried out in an Active Directory (AD) server, on the "sAMAccountName" or "mail" attribute of the objects in the "DC=domain,DC=com" subtree.


*USER takes the value of the user's "sAMAccountName" attribute; the "mail", "name" and "sn" attributes are retrieved as user attributes.


The "internal" Adelia role is associated with the "Domain users" group (<item key="roles-mapping" value="internal=Domain users" />).



Example: IBM Domino


Extract from wagon.xml:

<realm name="adelia" loginModuleName="LdapLoginModule" className="com.hardis.adelia.cloud.security.realms.BasicRealm"/>
<loginModules>
  <loginModule name="LdapLoginModule" className="com.hardis.adelia.cloud.security.loginmodules.ldap.LdapLoginModule">
    <parameters>
        <!-- connection information -->
        <item key="type" value="Domino" /> 
        <item key="connectionsURL" value="adserver.domain.com:636" /> 
        <item key="connectionName" value="user" />
        <item key="connectionPassword" value="password" />
        <item key="connectionTimeout" value="5000" />
        <item key="connectionPoolSize" value="10" />
        <!-- 636 is the LDAPS port: useSSL must be true -->
        <item key="useSSL" value="true" />

        <!-- user query informations -->
        <item key="userBase" value="o=domain" />
        <!-- search objectclass dominoPerson and uid   -->
        <item key="userSearch" value="(&amp;(uid={0})(objectclass=dominoPerson))" /> 
        <item key="userSearchScope" value="SUB" /> 
        <item key="userName" value="sn" />
        <item key="userAttributes" value="mail,name,sn" /> 
        <item key="userAttributesSearchAsUser" value="true"/>   

        <!-- user groups query informations -->
        <item key="groupBase" value="o=domain" />
        <item key="groupSearch" value="(member={0})" />
        <item key="groupSearchScope" value="SUB" /> 
        <item key="groupSearchAsUser" value="true"/>
        <item key="groupName" value="cn" />
        <item key="roles-mapping" value="role1=group1|group2|group3;role2=group4" />
        <item key="maxLoginAttempts" value="5" />
    </parameters>
</loginModule>


In this example, the search is carried out in an IBM Domino server (type Domino), on the "uid" attribute of the "dominoPerson" objects in the "o=domain" subtree.


*USER takes the value of the user's "sn" attribute; the "mail", "name" and "sn" attributes are retrieved as user attributes.



Example: OpenLdap


Extract from wagon.xml:

<realm name="adelia" loginModuleName="LdapLoginModule" className="com.hardis.adelia.cloud.security.realms.BasicRealm"/>
<loginModules>
  <loginModule name="LdapLoginModule" className="com.hardis.adelia.cloud.security.loginmodules.ldap.LdapLoginModule">
    <parameters>
        <!-- connection information -->
        <item key="type" value="ldap" /> 
        <item key="connectionsURL" value="adserver.domain.com:636" /> 
        <item key="connectionName" value="user" />
        <item key="connectionPassword" value="password" />
        <item key="connectionTimeout" value="5000" />
        <item key="connectionPoolSize" value="10" />
        <!-- 636 is the LDAPS port: useSSL must be true -->
        <item key="useSSL" value="true" />

        <!-- user query informations -->
        <item key="userBase" value="dc=domain,dc=com" />
        <!-- search cn, sn or mail -->
        <item key="userSearch" value="(|(cn={0})(sn={0})(mail={0}))" /> 
        <item key="userSearchScope" value="SUB" /> 
        <item key="userName" value="uid" />
        <item key="userAttributes" value="mail" /> 
        <item key="userAttributesSearchAsUser" value="false"/>   

        <!-- user groups query informations -->
        <item key="groupBase" value="dc=domain,dc=com" />
        <item key="groupSearch" value="(member={0})" />
        <item key="groupSearchScope" value="SUB" /> 
        <item key="groupSearchAsUser" value="true"/>
        <item key="groupName" value="cn" />
        <item key="roles-mapping" value="role1=group1|group2|group3;role2=group4" />
        <item key="maxLoginAttempts" value="5" />
    </parameters>
</loginModule>


In this example, the search is carried out in an OpenLDAP server (type ldap), on the "cn", "sn" or "mail" attribute of the objects in the "dc=domain,dc=com" subtree.


*USER takes the user's "uid" attribute value, the "mail" attribute is retrieved from user attributes.
