[jboss-jira] [JBoss JIRA] (SECURITY-470) Callbackhandlers to get information from LDAP
Anil Saldhana (Updated) (JIRA)
jira-events at lists.jboss.org
Wed Nov 2 11:34:45 EDT 2011
[ https://issues.jboss.org/browse/SECURITY-470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anil Saldhana updated SECURITY-470:
-----------------------------------
Fix Version/s: PicketBox_v4_0_6.Beta1
Description:
A CallbackHandler that uses LDAP to match the passed password.
There are two callbacks that can be passed to this handler.
PasswordCallback: Passing this callback retrieves the password for the user. The returned password is not in clear text; it is in the hashed form the LDAP server has stored.
VerifyPasswordCallback: Passing this callback with a value makes the handler perform an LDAP bind to verify the user's password.
The main method is #setConfiguration(Map), which takes a map of String key/value pairs. The possible pairs are:
passwordAttributeID : The name of the attribute where the password is stored. Default: userPassword
bindDN : DN used to bind against the LDAP server with read/write permissions for baseCtxDN.
bindCredential : Password for the bindDN. This can be encrypted if the jaasSecurityDomain is specified.
baseCtxDN : The fixed DN of the context to start the user search from.
baseFilter : A search filter used to locate the context of the user to authenticate. The input username/userDN as provided by the NameCallback is substituted into the filter wherever a "{0}" expression is seen. This substitution behavior comes from the standard.
searchTimeLimit : The timeout in milliseconds for the user/role searches. Defaults to 10000 (10 seconds).
jaasSecurityDomain : The JMX ObjectName of the JaasSecurityDomain to use to decrypt the java.naming.security.principal. The encrypted form of the password is that returned by the JaasSecurityDomain#encrypt64(byte[]) method. The org.jboss.security.plugins.PBEUtils can also be used to generate the encrypted form.
distinguishedNameAttribute : Used in LDAP servers such as Active Directory, where the LDAP provider has a property (distinguishedName) to return the relative CN of the user. Default: distinguishedName
Example Usages:
// javax/java.util imports come from the JDK; LdapCallbackHandler and VerifyPasswordCallback are PicketBox classes
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import org.jboss.security.auth.callback.LdapCallbackHandler;
import org.jboss.security.auth.callback.VerifyPasswordCallback;

LdapCallbackHandler cbh = new LdapCallbackHandler();
// Configuration keys as listed above; the java.naming.* keys are passed through to the JNDI environment
Map<String, String> map = new HashMap<String, String>();
map.put("bindDN", "cn=Directory Manager");
map.put("bindCredential", "password");
map.put("baseFilter", "(uid={0})");
map.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
map.put("java.naming.provider.url", "ldap://localhost:10389");
map.put("baseCtxDN", "ou=People,dc=jboss,dc=org");
cbh.setConfiguration(map);
// The NameCallback supplies the username substituted for {0} in baseFilter
NameCallback ncb = new NameCallback("Enter");
ncb.setName("jduke");
// The VerifyPasswordCallback carries the candidate password; the handler binds as the located user to check it
VerifyPasswordCallback vpc = new VerifyPasswordCallback();
vpc.setValue("theduke");
cbh.handle(new Callback[] {ncb, vpc});
assertTrue(vpc.isVerified());
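As an added illustration of the search-then-bind check that the VerifyPasswordCallback path performs (this is not PicketBox's own LdapCallbackHandler code), the class below reads the same configuration keys from a Map; the class name, the empty-password guard and the single-match requirement are assumptions of this example.

```java
import java.util.Hashtable;
import java.util.Map;
import javax.naming.*;
import javax.naming.directory.*;

/** Illustrative search-then-bind verifier; config keys mirror the issue description. */
public class LdapBindVerifier {
    public static boolean verify(Map<String, String> cfg, String username, char[] password)
            throws NamingException {
        // RFC 4513 5.1.2: an empty password is an unauthenticated bind, which many servers
        // accept. Refuse it up front so it can never look like a successful verification.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, cfg.get("java.naming.factory.initial"));
        env.put(Context.PROVIDER_URL, cfg.get("java.naming.provider.url"));
        env.put(Context.SECURITY_PRINCIPAL, cfg.get("bindDN"));          // service account
        env.put(Context.SECURITY_CREDENTIALS, cfg.get("bindCredential"));
        String userDN = null;
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[0]);        // only the entry's DN is needed
            String limit = cfg.get("searchTimeLimit");
            ctls.setTimeLimit(limit == null ? 10000 : Integer.parseInt(limit));
            // The filterArgs form substitutes {0} and escapes LDAP filter metacharacters in
            // the username; building the filter by string concatenation would not.
            NamingEnumeration<SearchResult> results = ctx.search(
                    cfg.get("baseCtxDN"), cfg.get("baseFilter"), new Object[] { username }, ctls);
            if (results.hasMore()) {
                userDN = results.next().getNameInNamespace();
                if (results.hasMore()) return false;           // ambiguous match: refuse
            }
        } finally {
            ctx.close();
        }
        if (userDN == null) return false;                      // unknown user
        // Bind a second time as the located user: a successful bind proves the password.
        env.put(Context.SECURITY_PRINCIPAL, userDN);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```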
> Callbackhandlers to get information from LDAP
> ---------------------------------------------
>
> Key: SECURITY-470
> URL: https://issues.jboss.org/browse/SECURITY-470
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: PicketBox
> Reporter: Anil Saldhana
> Assignee: Anil Saldhana
> Fix For: PicketBox_v4_0_6.Beta1
>
>