| The module prompts for a username and password
and then verifies the password against the password stored in
a directory service configured under JNDI.
This LoginModule interoperates with
any conformant JNDI service provider. To direct this
LoginModule to use a specific JNDI service provider,
two options must be specified in the login Configuration
for this LoginModule .
user.provider.url=name_service_url
group.provider.url=name_service_url
name_service_url specifies
the directory service and path where this LoginModule
can access the relevant user and group information. Because this
LoginModule only performs one-level searches to
find the relevant user information, the URL
must point to a directory one level above where the user and group
information is stored in the directory service.
For example, to instruct this LoginModule
to contact a NIS server, the following URLs must be specified:
user.provider.url="nis://NISServerHostName/NISDomain/user"
group.provider.url="nis://NISServerHostName/NISDomain/system/group"
NISServerHostName specifies the server host name of the
NIS server (for example, nis.sun.com, and NISDomain
specifies the domain for that NIS server (for example, jaas.sun.com.
To contact an LDAP server, the following URLs must be specified:
user.provider.url="ldap://LDAPServerHostName/LDAPName"
group.provider.url="ldap://LDAPServerHostName/LDAPName"
LDAPServerHostName specifies the server host name of the
LDAP server, which may include a port number
(for example, ldap.sun.com:389),
and LDAPName specifies the entry name in the LDAP directory
(for example, ou=People,o=Sun,c=US and ou=Groups,o=Sun,c=US
for user and group information, respectively).
The format in which the user's information must be stored in
the directory service is specified in RFC 2307. Specifically,
this LoginModule will search for the user's entry in the
directory service using the user's uid attribute,
where uid=username. If the search succeeds,
this LoginModule will then
obtain the user's encrypted password from the retrieved entry
using the userPassword attribute.
This LoginModule assumes that the password is stored
as a byte array, which when converted to a String ,
has the following format:
"{crypt}encrypted_password"
The LDAP directory server must be configured
to permit read access to the userPassword attribute.
If the user entered a valid username and password,
this LoginModule associates a
UnixPrincipal , UnixNumericUserPrincipal ,
and the relevant UnixNumericGroupPrincipals with the
Subject .
This LoginModule also recognizes the following Configuration
options:
debug if, true, debug messages are output to System.out.
useFirstPass if, true, this LoginModule retrieves the
username and password from the module's shared state,
using "javax.security.auth.login.name" and
"javax.security.auth.login.password" as the respective
keys. The retrieved values are used for authentication.
If authentication fails, no attempt for a retry is made,
and the failure is reported back to the calling
application.
tryFirstPass if, true, this LoginModule retrieves the
the username and password from the module's shared state,
using "javax.security.auth.login.name" and
"javax.security.auth.login.password" as the respective
keys. The retrieved values are used for authentication.
If authentication fails, the module uses the
CallbackHandler to retrieve a new username and password,
and another attempt to authenticate is made.
If the authentication fails, the failure is reported
back to the calling application.
storePass if, true, this LoginModule stores the username and password
obtained from the CallbackHandler in the module's
shared state, using "javax.security.auth.login.name" and
"javax.security.auth.login.password" as the respective
keys. This is not performed if existing values already
exist for the username and password in the shared state,
or if authentication fails.
clearPass if, true, this LoginModule clears the
username and password stored in the module's shared state
after both phases of authentication (login and commit)
have completed.
version: 1.19, 05/05/07 |