From b580012f8c172361fec49e57a1aeea5a38f91b4a Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Wed, 1 Feb 2006 13:02:08 +0000 Subject: [PATCH] Added first draft of LDAP docs --- doc/docbook/acegi.xml | 221 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 216 insertions(+), 5 deletions(-) diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml index f1d01bf159..6755b74aab 100644 --- a/doc/docbook/acegi.xml +++ b/doc/docbook/acegi.xml @@ -4090,8 +4090,6 @@ $CATALINA_HOME/bin/startup.sh X509AuthoritiesPopulator. - . - The populator's single method, getUserDetails(X509Certificate @@ -4122,7 +4120,6 @@ $CATALINA_HOME/bin/startup.sh X509ProcessingFilterEntryPoint which returns a 403 error (forbidden) to the user. - @@ -4174,6 +4171,220 @@ $CATALINA_HOME/bin/startup.sh + + LDAP Authentication Provider + + + Overview + LDAP is often used by organizations as a central repository for user information and + as an authentication service. It can also be used to store the role information for + application users. + There are many different scenarios for how an LDAP server may be configured so the + Acegi LDAP provider is fully configurable. It uses separate strategy interfaces for + authentication and role retrieval and provides default implementations which can be + configured to handle a wide range of situations. + You should be familiar with LDAP before trying to use it with Acegi. The following + link provides a good introduction to the concepts involved and a guide to setting up a + directory using the free LDAP server OpenLDAP: . Some familiarity with the JNDI APIs used to + access LDAP from Java may also be useful. We don't use any third-party LDAP libraries + (Mozilla/Netscape, JLDAP etc.) in the LDAP provider. + + + LDAP with Acegi Security + + The main LDAP provider class is + org.acegisecurity.providers.ldap.LdapAuthenticationProvider. This + bean doesn't actually do much itself other than implement the + retrieveUser method required by its base class, + AbstractUserDetailsAuthenticationProvider. It delegates the work + to two other beans, an LdapAuthenticator and an + LdapAuthoritiesPopulator which are responsible for + authenticating the user and retrieving the user's set of + GrantedAuthoritys respectively. + + + + + + + LdapAuthenticator Implementations + The authenticator is also responsible for retrieving any required user attributes. + This is because the permissions on the attributes may depend on the type of + authentication being used. For example, if binding as the user, it may be necessary to + read them with the user's own permissions. + There are currently two authentication strategies supplied with Acegi Security: + + + Authentication directly to the LDAP server ("bind" authentication). + + + Password comparison, where the password supplied by the user is compared with + the one stored in the repository. This can either be done by retrieving the value + of the password attribute and checking it locally or by performing an LDAP + "compare" operation, where the supplied password is passed to the server for + comparison and the real password value is never retrieved. + + + + + Common Functionality + Before it is possible to authenticate a user (by either strategy), the + distinguished name (DN) has to be obtained from the login name supplied to the + application. This can be done either by simple pattern-matching (by setting the + setUserDnPatterns array property) or by setting the + userSearch property. For the DN pattern-matching approach, a + standard Java pattern format is used, and the login name will be substituted for the + parameter {0}. The pattern should be relative to the DN that + the configured InitialDirContextFactory will bind to + (see the section on connecting to the + LDAP server for more information on this). For example, if you are using an + LDAP server specified by the URL + ldap://monkeymachine.co.uk/dc=acegisecurity,dc=org, and have a + pattern uid={0},ou=greatapes, then a login name of "gorilla" will + map to a DN uid=gorilla,ou=greatapes,dc=acegisecurity,dc=org. Each + configured DN pattern will be tried in turn until a match is found. For information on + using a search, see the section on search + objects below. A combination of the two approaches can also be used - the + patterns will be checked first and if no matching DN is found, the search will be + used. + + + BindAuthenticator + The class + org.acegisecurity.providers.ldap.authenticator.BindAuthenticator + implements the bind authentication strategy. It simply attempts to bind as the user. + + + + PasswordComparisonAuthenticator + The class + org.acegisecurity.providers.ldap.authenticator.PasswordComparisonAuthenticator + implements the password comparison authentication strategy. + + + Active Directory Authentication + In addition to standard LDAP authentication (binding with a DN), Active Directory + has its own non-standard syntax for user authentication. + + + + + + + Connecting to the LDAP Server + The beans discussed above have to be able to connect to the server. They both have + to be supplied with an InitialDirContextFactory instance. + Unless you have special requirements, this will usually be a + DefaultInitialDirContextFactory bean, which can be configured + with the URL of your LDAP server and optionally with the username and password of a + "manager" user which will be used by default when binding to the server (instead of + binding anonymously). It currently supports "simple" LDAP authentication. + DefaultInitialDirContextFactory uses Sun's JNDI LDAP + implementation by default (the one that comes with the JDK). It also supports the + built in connection pooling offered by Sun's provider. Connections which are obtained + either anonymously or with the "manager" user's identity will be pooled automatically. + Connections obtained with a specific user's identity will not be pooled. Connection + pooling can be disabled completely by setting the useConnectionPool + property to false. + + See the class Javadoc and source for more information on this bean and its properties. + + + + + LDAP Search Objects + Often more a more complicated strategy than simple DN-matching is required to locate + a user entry in the directory. This can be encapsulated in an + LdapUserSearch instance which can be supplied to the + authenticator implementations, for example, to allow them to locate a user. The supplied + implementation is FilterBasedLdapUserSearch. + + + + <classname>FilterBasedLdapUserSearch</classname> + This bean uses an LDAP filter to match the user object in the directory. The + process is explained in the Javadoc for the corresponding search method on the + JDK + DirContext class. + As explained there, the search filter can be supplied with parameters. For this class, + the only valid parameter is {0} which will be replaced with + the user's login name. + + + + + + Configuring the LDAP Provider + + There is a version of the + Contacts Sample Application which + uses LDAP. You can copy the beans and filter setup from this as a starting + point for configuring your own application. + + + A typical configuration, using some of the beans we've discussed above, might look like this: + + <bean id="initialDirContextFactory" class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory"> + <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/> + <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property> + <property name="managerPassword"><value>password</value></property> + </bean> + + <bean + id="userSearch" + class="org.acegisecurity.providers.ldap.search.FilterBasedLdapUserSearch"> + <property name="searchSubtree"> + <value>true</value> + </property> + <property name="initialDirContextFactory"> + <ref local="initialDirContextFactory" /> + </property> + <property name="searchFilter"> + <value>(uid={0})</value> + </property> + </bean> + + <bean + id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider"> + <constructor-arg> + <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"> + <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> + <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property> + </bean> + </constructor-arg> + <constructor-arg> + <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator"> + <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> + <constructor-arg><value>ou=groups</value></constructor-arg> + <property name="groupRoleAttribute"><value>ou</value></property> + </bean> + </constructor-arg> + </bean> + + + + This would set up the provider to access an LDAP server with URL + ldap://monkeymachine:389/dc=acegisecurity,dc=org. Authentication will be performed by + attempting to bind with the DN uid=<user-login-name>,ou=people,dc=acegisecurity,dc=org. + After successful authentication, roles will be assigned to the user by searching under the DN + ou=groups,dc=acegisecurity,dc=org with the default filter (member=<user's-DN>). + The role name will be taken from the ou attribute of each match. + + + We've also included the configuration for a user search object, which uses the filter + (uid=<user-login-name>). This could be used + instead of the DN-pattern (or in addition to it), by setting the authenticator's + userSearch property. The autheticator would then call the search + object to obtain the correct user's DN before attempting to bind as this user. + + + + + Channel Security @@ -5181,11 +5392,11 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); Questions and comments on the Acegi Security System for Spring are welcome. Please use the Spring Community Forum web site at - http://forum.springframework.org. You're also welcome + . You're also welcome to join the acegisecurity-developer mailing list. Our project home page (where you can obtain the latest release of the project and access to CVS, mailing lists, forums etc) is at - http://acegisecurity.sourceforge.net. + . \ No newline at end of file