Products | Versions |
---|---|
TIBCO Enterprise Message Service | - |
Not Applicable | - |
To connect to an LDAP server without storing the bind password in plain text, the stored password must be one that can be reversed. The mangled password generated by the tibemsadmin tool can be reversed. By creating a customized JAAS login module that uses the EMS Admin API Tibjmsadmin.unManglePassword(), you can set the "bindingPassword" to a mangled value.
In the attachment (Filename: jetty_ldap_loginmodule.jar) you can find an example LDAPLoginModule that is based on the existing org.eclipse.jetty.jaas.spi.LdapLoginModule, as well as a JAAS file containing the compiled class, which you can add to the classpath in tibemsca.bat or tibemsca.sh.
Instructions:
- Put jetty_ldap_loginmodule.jar into the ems/8.x/bin directory.
- Edit tibemsca.bat and add %EMS_BIN%\jetty_ldap_loginmodule.jar to the classpath.
- Use the tibemsadmin -mangle command to mangle the bindingPassword of your LDAP server, then copy and paste the mangled password into your JAAS config file in place of the original bindPassword.
- In your EMSCA JAAS config file, change the LoginModule class to: org.eclipse.jetty.jaas.spi.LdapLoginModuleWithManglePassword required
The source code is also attached (Filename: LdapLoginModuleWithManglePassword.java) for reference. Note that you will need the Jetty 9 source code to compile it. Note that we have already compiled and built the JAR file.
Revision:
EMS 8.4.1 upgraded Jetty to version 9.4.11. Because of a change made to LdapLoginModule in the newer version, the old solution no longer works for 8.4.1. The attached file with the 8.4.1 suffix can be used for EMS 8.4.1.
The same instructions apply, with the exception of the following step:
>> In your EMSCA jaas config file, the LoginModule class should be changed to: org.eclipse.jetty.jaas.spi.LdapLoginModuleWithManglePassword required
The class name is now
org.eclipse.jetty.jaas.spi.LdapLoginModuleMangled
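A quick way to check the result of the steps above is to audit the JAAS config for a bind password that is still in plain text, or a mangled one paired with a module that cannot reverse it. The script below is an added example, not TIBCO's code or part of the attachment. The entry names, host, DN and passwords in the sample are constructed, and the `$man$` prefix is an assumption about what `tibemsadmin -mangle` outputs.

```python
import re

# Class names from the article: original attachment and the EMS 8.4.1 variant.
MANGLE_AWARE = {
    "org.eclipse.jetty.jaas.spi.LdapLoginModuleWithManglePassword",
    "org.eclipse.jetty.jaas.spi.LdapLoginModuleMangled",
}
MANGLED_PREFIX = "$man$"  # assumption: prefix of `tibemsadmin -mangle` output

ENTRY_RE = re.compile(r"(\w[\w.-]*)\s*\{(.*?)\}\s*;", re.S)
MODULE_RE = re.compile(
    r"([\w.$]+)\s+(?:required|requisite|sufficient|optional)\b(.*?);", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def audit_jaas(text):
    """Return (entry, problem) tuples for every LDAP login module in a JAAS config."""
    findings = []
    for entry, body in ENTRY_RE.findall(text):
        for cls, opts in MODULE_RE.findall(body):
            if "Ldap" not in cls:
                continue
            pw = dict(OPTION_RE.findall(opts)).get("bindPassword", "")
            mangled = pw.startswith(MANGLED_PREFIX)
            if cls in MANGLE_AWARE and not mangled:
                findings.append((entry, "bindPassword is not mangled"))
            elif cls not in MANGLE_AWARE and mangled:
                findings.append((entry, "module cannot unmangle bindPassword"))
            elif cls not in MANGLE_AWARE and pw:
                findings.append((entry, "plain-text bindPassword"))
    return findings

# Constructed sample: entry names, host, DN and both passwords are made up.
SAMPLE = """
before {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required
    hostname="ldap.example.test" port="389"
    bindDn="cn=emsca,dc=example,dc=test"
    bindPassword="Constructed-Plain-Pw";
};
after {
  org.eclipse.jetty.jaas.spi.LdapLoginModuleWithManglePassword required
    hostname="ldap.example.test" port="389"
    bindDn="cn=emsca,dc=example,dc=test"
    bindPassword="$man$CONSTRUCTED-NOT-REAL";
};
"""

if __name__ == "__main__":
    for entry, problem in audit_jaas(SAMPLE):
        print(f"{entry}: {problem}")
```

Because the mangled value can be reversed, a clean audit result does not replace restrictive file permissions on the JAAS config file.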