LDAPLoginModule
The LDAPLoginModule uses an LDAP directory to load users and roles, and binds to the LDAP server as the user to check the password. The LDAPLoginModule supports the following parameters:
| Name | Description |
|---|---|
| connection.url | The LDAP connection URL, e.g. ldap://hostname |
| connection.username | Admin username used to connect to the LDAP server. This parameter is optional; if it is not provided, the LDAP connection is anonymous. |
| connection.password | Admin password used to connect to the LDAP server. Only used if connection.username is specified. |
| user.base.dn | The LDAP base DN under which users are looked up, e.g. ou=user,dc=apache,dc=org |
| user.filter | The LDAP filter used to look up the user, e.g. (uid=%u), where %u is replaced by the username. |
| user.search.subtree | If "true", the user lookup is recursive (SUBTREE). If "false", the user lookup is performed only at the first level (ONELEVEL). |
| role.base.dn | The LDAP base DN under which roles are looked up, e.g. ou=role,dc=apache,dc=org |
| role.filter | The LDAP filter used to look up the user's roles, e.g. (member:=uid=%u) |
| role.name.attribute | The LDAP role attribute containing the role name used by Karaf, e.g. cn |
| role.search.subtree | If "true", the role lookup is recursive (SUBTREE). If "false", the role lookup is performed only at the first level (ONELEVEL). |
| authentication | The authentication method used when binding to the LDAP server. The default is simple. |
| initial.context.factory | The JNDI initial context factory used to connect to the LDAP server. The default is com.sun.jndi.ldap.LdapCtxFactory |
| ssl | If "true", or if the protocol in connection.url is ldaps, an SSL connection is used |
| ssl.provider | The provider name to use for SSL |
| ssl.protocol | The protocol name to use for SSL (for example SSL) |
| ssl.algorithm | The algorithm to use for the KeyManagerFactory and TrustManagerFactory (for example PKIX) |
| ssl.keystore | The key store name to use for SSL. The key store must be deployed using a jaas:keystore configuration. |
| ssl.keyalias | The key alias to use for SSL |
| ssl.truststore | The trust store name to use for SSL. The trust store must be deployed using a jaas:keystore configuration. |
An example of LDAPLoginModule usage follows:
```xml
<jaas:config name="karaf">
    <jaas:module
        className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
        flags="required">
        connection.url = ldap://localhost:389
        user.base.dn = ou=user,dc=apache,dc=org
        user.filter = (cn=%u)
        user.search.subtree = true
        role.base.dn = ou=group,dc=apache,dc=org
        role.filter = (member:=uid=%u)
        role.name.attribute = cn
        role.search.subtree = true
        authentication = simple
    </jaas:module>
</jaas:config>
```
If you want to use an SSL connection, the following configuration can be used as an example:
```xml
<ext:property-placeholder />
<jaas:config name="karaf" rank="1">
    <jaas:module
        className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
        flags="required">
        connection.url = ldaps://localhost:10636
        user.base.dn = ou=users,ou=system
        user.filter = (uid=%u)
        user.search.subtree = true
        role.base.dn = ou=groups,ou=system
        role.filter = (uniqueMember=uid=%u)
        role.name.attribute = cn
        role.search.subtree = true
        authentication = simple
        ssl.protocol=SSL
        ssl.truststore=ks
        ssl.algorithm=PKIX
    </jaas:module>
</jaas:config>
<jaas:keystore name="ks"
    path="file:///${karaf.home}/etc/trusted.ks"
    keystorePassword="secret" />
```
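The following is an added example, not Karaf's own code: a small Python helper that models the %u substitution in user.filter / role.filter with RFC 4515 escaping of the login name, applies the ssl / ldaps rule from the parameter table, and reviews a module configuration (given as a plain dict of the parameters above) for settings under which the bind password would travel in cleartext. The escaping routine and the review findings are this example's own, not a description of what Karaf does internally.

```python
"""Model of LDAPLoginModule parameter handling (added example, not Karaf code)."""
from urllib.parse import urlsplit

# RFC 4515 escaping for a value placed inside an LDAP search filter, so that
# a login name containing filter metacharacters stays a literal value.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Replace %u in a user.filter / role.filter template with the escaped name.

    Example: build_filter("(uid=%u)", "alice") -> "(uid=alice)"
    """
    return template.replace("%u", escape_filter_value(username))


def uses_tls(config: dict) -> bool:
    """Mirror the table rule: ssl=true or an ldaps:// connection.url enables SSL."""
    scheme = urlsplit(config.get("connection.url", "")).scheme.lower()
    return scheme == "ldaps" or config.get("ssl", "false").strip().lower() == "true"


def review_config(config: dict) -> list:
    """Return a list of findings for a module configuration; empty means clean."""
    findings = []
    if not uses_tls(config):
        findings.append(
            "bind password is sent in cleartext: connection.url is not ldaps:// "
            "and ssl is not true")
    if "connection.username" in config and "connection.password" not in config:
        findings.append("connection.username is set without connection.password, "
                        "so the admin bind cannot succeed")
    for key in ("user.filter", "role.filter"):
        if "%u" not in config.get(key, ""):
            findings.append(f"{key} does not contain %u, so the lookup does not "
                            "depend on the login name")
    return findings


# Constructed sample mirroring the ldaps configuration above.
SAMPLE_CONFIG = {
    "connection.url": "ldaps://localhost:10636",
    "user.filter": "(uid=%u)",
    "role.filter": "(uniqueMember=uid=%u)",
}
```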