Configuring LDAP Group User Authentication using EMS 8.1 pre-built JAAS modules.

Article ID: KB0085574

Products: TIBCO Enterprise Message Service
Versions: Not Applicable

Description

Description:
Configuring LDAP Group User Authentication using EMS 8.1 Pre-built JAAS modules.
Symptoms:
N/A
Cause:
N/A

Resolution

The pre-built JAAS Group User LDAP module authenticates a user just as the LDAP Authentication module does, but it also makes additional LDAP requests to retrieve the user's group membership and updates the EMS server with that information for authorization purposes. Permissions are then defined in acls.conf at the LDAP group level.

To use the pre-built JAAS module, amend the security_classpath parameter in the EMS server's main configuration file to include the following JAR files:

— EMS_HOME/bin/tibemsd_jaas.jar
— EMS_HOME/lib/tibjmsadmin.jar
— EMS_HOME/lib/tibjms.jar
— EMS_HOME/lib/jms-2.0.jar

For example:

security_classpath =c:\tibco\ems\8.1\bin\tibemsd_jaas.jar;c:\tibco\ems\8.1\lib\tibjmsadmin.jar;c:\tibco\ems\8.1\lib\tibjms.jar;c:\tibco\ems\8.1\lib\jms-2.0.jar

1). Set the jaas_config_file to reference the JAAS module configuration file:

jaas_config_file = jaas_configuration.txt

2). Set the user_auth parameter to enable JAAS for LDAP authentication. The value must be jaas on its own; do not also include ldap, because the JAAS module performs the LDAP lookups itself.

Example:

user_auth=jaas


The JAAS configuration file jaas_configuration.txt for this module should have an entry similar to:

EMSUserAuthentication {
  com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
        tibems.ldap.url="ldap://ldapserver:389"
        tibems.ldap.user_base_dn="ou=Marketing,dc=company,dc=com"
        tibems.ldap.user_attribute="uid"
        tibems.ldap.scope="subtree"
        tibems.ldap.group_base_dn="ou=Groups,dc=company"
        tibems.ldap.group_member_attribute="uniqueMember"
        tibems.ldap.dynamic_group_base_dn="ou=Groups,dc=company"
        tibems.ldap.dynamic_group_class="groupOfURLs"
        tibems.ldap.dynamic_group_member_attribute="uid"
        tibems.ldap.dynamic_group_filter="(objectClass=GroupOfURLs)"
        tibems.cache.enabled=true
        tibems.cache.user_ttl=600
        tibems.ldap.manager="CN=Manager"
        tibems.ldap.manager_password="password";
};

Example: JAAS configuration file using Windows Active Directory Server:

EMSUserAuthentication {
  com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
        debug="true"
        tibems.ldap.url="ldap://10.108.114.73:389"
        tibems.ldap.manager="CN=Administrator,CN=Users,DC=test,DC=na,DC=tibco,DC=com"
        tibems.ldap.manager_password="Tibco123"
        tibems.ldap.user_base_dn="CN=Users,DC=test,DC=na,DC=tibco,DC=com"
        tibems.ldap.user_attribute="cn"
        tibems.ldap.user_filter="(&(cn={1})(objectClass=person))"
        tibems.ldap.scope="subtree"
        tibems.ldap.retries="10"
        tibems.ldap.retry_delay="1000"
        tibems.ldap.group_base_dn="DC=test,DC=na,DC=tibco,DC=com"
        tibems.ldap.group_member_attribute="member"
        tibems.ldap.group_scope="subtree"
        tibems.ldap.group_filter="(&({0}={1})(objectClass=group))";
};

Note: tibems.ldap.group_member_attribute should be set to "member" for Windows Active Directory Server.

Example: JAAS configuration file using Sun ONE Directory Server:

EMSUserAuthentication {
  com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
        debug="true"
        tibems.ldap.url="ldap://10.108.114.103:64805"
        tibems.ldap.manager="uid=dmanager,ou=People,DC=na,DC=tibco,DC=com"
        tibems.ldap.manager_password="password"
        tibems.ldap.user_base_dn="ou=people,dc=na,dc=tibco,dc=com"
        tibems.ldap.user_attribute="uid"
        tibems.ldap.user_filter="(&(uid={1})(objectClass=person))"
        tibems.ldap.scope="subtree"
        tibems.ldap.retries="10"
        tibems.ldap.retry_delay="1000"
        tibems.ldap.group_base_dn="ou=people,dc=na,dc=tibco,dc=com"
        tibems.ldap.group_member_attribute="uniqueMember"
        tibems.ldap.group_scope="subtree"
        tibems.ldap.group_filter="(&({0}={1})(objectClass=groupOfUniqueNames))";
};
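As an added checker (written for this article, not code from TIBCO or the EMS product), the following Python parses an EMSUserAuthentication entry in the format shown above and reports what a reviewer should catch before deployment: option names outside the tibems.* namespace (such as a tibjms.ldap.retry_delay typo, which the module presumably ignores), a cleartext ldap:// URL, an inline manager password, debug left on, and missing base DNs. The sample entry, the 10.0.0.5 address and the DNs are constructed; expand_group_filter assumes {0} stands for the group member attribute and {1} for the authenticated user's DN, as the group_filter examples suggest.

```python
import re
# Constructed sample in the format this article shows (not a real deployment).
SAMPLE_JAAS = '''
EMSUserAuthentication {
  com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
        debug="true"
        tibems.ldap.url="ldap://10.0.0.5:389"
        tibems.ldap.manager="CN=svc-ems,CN=Users,DC=example,DC=com"
        tibems.ldap.manager_password="ChangeMe"
        tibems.ldap.group_base_dn="DC=example,DC=com"
        tibems.ldap.group_member_attribute=member
        tibjms.ldap.retry_delay="1000"
        tibems.ldap.group_filter="(&({0}={1})(objectClass=group))";
};
'''

# name=value pairs; values may be double-quoted or bare tokens (the article uses both).
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

def parse_jaas_entry(text, entry="EMSUserAuthentication"):
    """Return (module_class, control_flag, options) for one JAAS entry."""
    m = re.search(r'%s\s*\{(.*?)\};' % re.escape(entry), text, re.S)
    if not m:
        raise ValueError("JAAS entry %s not found" % entry)
    module, flag = m.group(1).split()[:2]  # first two tokens: class and control flag
    options = {name: quoted or bare for name, quoted, bare in OPTION_RE.findall(m.group(1))}
    return module, flag, options

def lint_options(options):
    """List configuration points that merit review before the server goes live."""
    findings = []
    for name in options:
        if name != "debug" and not name.startswith("tibems."):
            findings.append("%s is not a tibems.* option and is presumably ignored" % name)
    if options.get("tibems.ldap.url", "").startswith("ldap://"):
        findings.append("ldap:// binds in cleartext; use ldaps:// if the directory offers TLS")
    if options.get("tibems.ldap.manager_password"):
        findings.append("manager password is stored inline; restrict read access to the JAAS file")
    if options.get("debug", "").lower() == "true":
        findings.append("debug=true is set; turn it off in production")
    for needed in ("tibems.ldap.url", "tibems.ldap.user_base_dn", "tibems.ldap.group_base_dn"):
        if needed not in options:
            findings.append("missing %s, which every example in this article sets" % needed)
    return findings

def expand_group_filter(options, user_dn):
    """Filter the server would send for one user, assuming {0} = member attribute, {1} = user DN."""
    template = options.get("tibems.ldap.group_filter", "({0}={1})")
    return template.replace("{0}", options["tibems.ldap.group_member_attribute"]).replace("{1}", user_dn)
```

Run lint_options on the parsed entry before restarting tibemsd; each finding is a line to fix or consciously accept.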

Additional Information

Refer to the EMS User's Guide -> Chapter 10 JAAS Authentication Modules -> Prebuilt JAAS Modules for details.