LDAPLoginModule

The LDAPLoginModule uses an LDAP directory to load users and roles, and binds as the user against the LDAP server to check the password. The LDAPLoginModule supports the following parameters:

| Name | Description |
|---|---|
| connection.url | The LDAP connection URL, e.g. ldap://hostname |
| connection.username | Admin username used to connect to the LDAP server. This parameter is optional; if it is not provided, the LDAP connection is anonymous. |
| connection.password | Admin password used to connect to the LDAP server. Only used if connection.username is specified. |
| user.base.dn | The LDAP base DN used to look up the user, e.g. ou=user,dc=apache,dc=org |
| user.filter | The LDAP filter used to look up the user, e.g. (uid=%u), where %u is replaced by the username. |
| user.search.subtree | If "true", the user lookup is recursive (SUBTREE). If "false", the user lookup is performed only at the first level (ONELEVEL). |
| role.base.dn | The LDAP base DN used to look up roles, e.g. ou=role,dc=apache,dc=org |
| role.filter | The LDAP filter used to look up the user's roles, e.g. (member:=uid=%u) |
| role.name.attribute | The LDAP attribute of the role entry containing the role name used by Karaf, e.g. cn |
| role.search.subtree | If "true", the role lookup is recursive (SUBTREE). If "false", the role lookup is performed only at the first level (ONELEVEL). |
| authentication | Defines the authentication mechanism used against the LDAP server. The default is simple. |
| initial.context.factory | Defines the JNDI initial context factory used to connect to the LDAP server. The default is com.sun.jndi.ldap.LdapCtxFactory |
| ssl | If "true", or if the protocol in connection.url is ldaps, an SSL connection is used |
| ssl.provider | The provider name to use for SSL |
| ssl.protocol | The protocol name to use for SSL (SSL, for example) |
| ssl.algorithm | The algorithm to use for the KeyManagerFactory and TrustManagerFactory (PKIX, for example) |
| ssl.keystore | The key store name to use for SSL. The key store must be deployed using a jaas:keystore configuration. |
| ssl.keyalias | The key alias to use for SSL |
| ssl.truststore | The trust store name to use for SSL. The trust store must be deployed using a jaas:keystore configuration. |

An example of LDAPLoginModule usage follows:

<jaas:config name="karaf">
   <jaas:module 
      className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" 
      flags="required">
      connection.url = ldap://localhost:389
      user.base.dn = ou=user,dc=apache,dc=org
      user.filter = (cn=%u)
      user.search.subtree = true
      role.base.dn = ou=group,dc=apache,dc=org
      role.filter = (member:=uid=%u)
      role.name.attribute = cn
      role.search.subtree = true
      authentication = simple
   </jaas:module>
</jaas:config>

If you want to use an SSL connection, the following configuration can be used as an example:

<ext:property-placeholder />

<jaas:config name="karaf" rank="1">
   <jaas:module
      className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
      flags="required">
      connection.url = ldaps://localhost:10636
      user.base.dn = ou=users,ou=system
      user.filter = (uid=%u)
      user.search.subtree = true
      role.base.dn = ou=groups,ou=system
      role.filter = (uniqueMember=uid=%u)
      role.name.attribute = cn
      role.search.subtree = true
      authentication = simple
      ssl.protocol = SSL
      ssl.truststore = ks
      ssl.algorithm = PKIX
   </jaas:module>
</jaas:config>

<jaas:keystore name="ks"
   path="file:///${karaf.home}/etc/trusted.ks"
   keystorePassword="secret" />
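The following Python is an added example, not code from the Karaf page or the Karaf code base. It models how the parameter table above is interpreted (anonymous bind when connection.username is absent, SUBTREE versus ONELEVEL scopes, SSL implied by an ldaps URL, the stated defaults for authentication and initial.context.factory) and shows the RFC 4515 escaping a username needs before it replaces %u in user.filter and role.filter, using the property body of the two jaas:module examples as constructed input. The page does not state how the module itself escapes the username or what user.search.subtree defaults to, so the escaping rule, the "false" default for the subtree flags, and all function names here are assumptions.

```python
"""Added example (not Karaf's own code): interpret LDAPLoginModule
parameters and build user/role filters with the username escaped."""
from urllib.parse import urlsplit

# Constructed sample: the property body of the first jaas:module example.
SAMPLE_MODULE_BODY = """
connection.url = ldap://localhost:389
user.base.dn = ou=user,dc=apache,dc=org
user.filter = (cn=%u)
user.search.subtree = true
role.base.dn = ou=group,dc=apache,dc=org
role.filter = (member:=uid=%u)
role.name.attribute = cn
role.search.subtree = true
authentication = simple
"""

# RFC 4515 filter-value escapes; the backslash must be handled like any
# other character here because each character is mapped exactly once.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_module_body(text):
    """Parse 'key = value' lines (as in the jaas:module body) into a dict.

    Only the first '=' separates key from value, so values such as
    '(member:=uid=%u)' survive intact. Blank lines are ignored.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {line!r}")
        params[key.strip()] = value.strip()
    return params


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Replace %u in user.filter / role.filter with the escaped username."""
    return template.replace("%u", escape_filter_value(username))


def _flag(params, key):
    # Assumption: an absent subtree/ssl flag behaves like "false".
    return params.get(key, "false").strip().lower() == "true"


def effective_settings(params):
    """Derive the effective connection settings from the table's rules."""
    scheme = urlsplit(params["connection.url"]).scheme.lower()
    return {
        # connection.username is optional; without it the bind is anonymous.
        "anonymous_bind": "connection.username" not in params,
        # ssl is on if the flag is "true" or the URL scheme is ldaps.
        "ssl": _flag(params, "ssl") or scheme == "ldaps",
        "user_scope": "SUBTREE" if _flag(params, "user.search.subtree") else "ONELEVEL",
        "role_scope": "SUBTREE" if _flag(params, "role.search.subtree") else "ONELEVEL",
        # Defaults as stated in the parameter table.
        "authentication": params.get("authentication", "simple"),
        "initial_context_factory": params.get(
            "initial.context.factory", "com.sun.jndi.ldap.LdapCtxFactory"),
    }


if __name__ == "__main__":
    cfg = parse_module_body(SAMPLE_MODULE_BODY)
    print(effective_settings(cfg))
    print(build_filter(cfg["user.filter"], "karaf"))
    print(build_filter(cfg["user.filter"], "*)(uid=*"))
```

Running the module prints the derived settings for the first example (anonymous bind, no SSL, SUBTREE scopes) and the two filters; the second filter shows that a username containing filter metacharacters is searched for literally, as the escaped string `(cn=\2a\29\28uid=\2a)`, rather than being interpreted as filter syntax.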