Friday, May 15, 2009

JAAS -> AD Configuration

JAAS (Java Authentication and Authorization Service) is a framework that can be used to plug authentication modules into a variety of products. You then write a JAAS configuration entry to load the module and tell it how to contact an authentication server (or whatever the module implements).

AD (MS Active Directory) is its usual challenging self. Most LDAP authentication modules assume there is anonymous browsing access. They browse to the user info, and then authenticate the user with a bind attempt. I don't understand why they work that way. If those two activities were reversed, with the bind occurring first and then the search, you would never need anonymous browse access.

In any case, by default AD does not allow anonymous browse access, so unless you want to encode a special user name/password in your config files, the module cannot log in to AD, browse to the user info, and then bind again with the credentials of the user who is trying to authenticate.

It seems incredibly redundant to store a user name and password in config files so we can authenticate everyone, so let's try for a better solution.

Bind authentication:

EMSUserAuthentication {
// Setting both authIdentity and userFilter puts LdapLoginModule in
// authentication-first mode: it binds as the user, then searches with
// that authenticated connection, so no stored service account is needed.
com.sun.security.auth.module.LdapLoginModule required
userProvider="ldap://192.168.1.10:389/ou=people,dc=jokers,dc=com"
userFilter="sAMAccountName={USERNAME}"
authIdentity="{USERNAME}@jokers.com"
useSSL=false
debug=true;
};
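To show the configuration entry actually being used, here is a small Java client that drives it through a LoginContext. This is an added example, not code from the original post; it assumes the block above is saved in a file named jaas.conf (an assumed name) and is passed in with -Djava.security.auth.login.config. The CallbackHandler supplies the user's name (substituted into {USERNAME}) and password, and the password is only ever used for the bind, so nothing needs to be stored in the config file.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Minimal client for the EMSUserAuthentication JAAS entry.
 * Run with:
 *   java -Djava.security.auth.login.config=jaas.conf LdapLoginDemo <user> <password>
 * (jaas.conf is an assumed file name holding the configuration block from the post.)
 */
public class LdapLoginDemo {

    /** Hands the user's name and password to LdapLoginModule when it asks for them. */
    static final class CredentialHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        CredentialHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    // Substituted into {USERNAME} in userFilter and authIdentity
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    // Used only for the bind; PasswordCallback clones the array,
                    // so our copy can be wiped afterwards
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "Unexpected callback");
                }
            }
        }
    }

    /** Returns the authenticated Subject, or throws LoginException if AD rejects the bind. */
    public static Subject authenticate(String username, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("EMSUserAuthentication",
                new CredentialHandler(username, password));
        try {
            lc.login();   // bind as {USERNAME}@jokers.com, then search with userFilter
            return lc.getSubject();
        } finally {
            Arrays.fill(password, '\0');   // don't leave the password sitting in the heap
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: LdapLoginDemo <user> <password>");
            System.exit(2);
        }
        try {
            Subject subject = authenticate(args[0], args[1].toCharArray());
            // LdapLoginModule populates the Subject with the user's LDAP and user principals
            for (Principal p : subject.getPrincipals()) {
                System.out.println(p.getClass().getSimpleName() + ": " + p.getName());
            }
        } catch (LoginException e) {
            // A failed bind (bad password, locked account, unreachable DC) ends up here
            System.err.println("login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

With debug=true in the entry, the module logs the bind and the subsequent search to standard output, which is the quickest way to confirm that the bind happens first and that no anonymous search is attempted; turn it off once the entry works, since those lines include the user name and the DN.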
