File: LDAPLoginModule.java
Doc: API Doc
Category: Glassfish v2 API
Size: 5286
Date: Fri May 04 22:35:26 BST 2007
Package: com.sun.enterprise.security.auth.login

LDAPLoginModule

public class LDAPLoginModule extends PasswordLoginModule
iAS JAAS LoginModule for an LDAP Realm.

Refer to the LDAPRealm documentation for necessary and optional configuration parameters for the iAS LDAP login support.

There are various ways in which a user can be authenticated using an LDAP directory. Currently this login module only supports one mode, 'find and bind'. Other modes may be added as schedules permit.

Mode: find-bind

  1. An LDAP search is issued on the directory starting at base-dn with the given search-filter (having substituted the user name in place of %s). If no entries match this search, login fails and authentication is over.
  2. The DN of the entry which matched the search is taken as the DN of the user in the directory. If the search-filter is properly set there should always be a single match; if there are multiple matches, the first one found is used.
  3. Next an LDAP bind is attempted using the above DN and the provided password. If this fails, login is considered to have failed and authentication is over.
  4. Then an LDAP search is issued on the directory starting at group-base-dn with the given group-search-filter (having substituted the user DN found in step 2 in place of %d). From the matched entry (or entries) all the values of group-target are taken as the names of the groups in which the user has membership. If no entries are found, the group membership is empty.
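The four steps above, written out as an added example that is not code from GlassFish or from this page. It is in Python rather than the module's Java so that it runs without a directory server: DIRECTORY is a constructed in-memory stand-in for the directory, ldap_search and ldap_bind are stand-ins for a real server's subtree search and simple bind, and the property names and filter strings in CONFIG are example values (the real names and defaults are in the LDAPRealm documentation). Two things the prose leaves implicit are made explicit here: the user name and the user DN are RFC 4515-escaped before being substituted into a filter, and an empty password is rejected before the bind, because a simple bind with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that a server may accept.

```python
import re


class LoginError(Exception):
    """Raised when any step of find-and-bind fails."""


# Constructed sample directory (not a real server): DN -> {attribute: [values]}.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "userpassword": ["s3cret"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "userpassword": ["hunter2"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "cn": ["admins"], "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "cn": ["staff"], "member": ["uid=alice,ou=people,dc=example,dc=com",
                                    "uid=bob,ou=people,dc=example,dc=com"]},
}

# Example realm properties (assumed names/values; see the LDAPRealm docs for the real ones).
CONFIG = {
    "base-dn": "ou=people,dc=example,dc=com",
    "search-filter": "uid=%s",
    "group-base-dn": "ou=groups,dc=example,dc=com",
    "group-search-filter": "member=%d",
    "group-target": "cn",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


# Only a single attr=value (or attr=*) filter is modelled; a real server
# evaluates the full RFC 4515 grammar.
SIMPLE_FILTER = re.compile(r"^\(?([A-Za-z][\w-]*)=(.*?)\)?$")


def ldap_search(base_dn, filt):
    """Stand-in for a subtree search: returns [(dn, attrs)] under base_dn matching filt."""
    m = SIMPLE_FILTER.match(filt.strip())
    if not m:
        raise LoginError("unsupported filter: %r" % filt)
    attr, raw = m.group(1).lower(), m.group(2)
    # Unescape \XX sequences; an escaped '*' is a literal, only a bare '*' is a wildcard.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base_dn.lower()):
            continue
        present = attrs.get(attr, [])
        if (raw == "*" and present) or value in present:
            hits.append((dn, attrs))
    return hits


def ldap_bind(dn, password):
    """Stand-in for a simple bind. An empty password is an unauthenticated bind
    (RFC 4513 s5.1.2), modelled here as succeeding, which is why the login
    flow below refuses to reach this point with an empty password."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userpassword", [])


def find_and_bind(username, password, cfg=CONFIG):
    """The find-and-bind flow. Returns (user_dn, [group names]) or raises LoginError."""
    if not password:  # guard the unauthenticated bind before anything else
        raise LoginError("empty password for %r" % username)
    # Step 1: search base-dn with search-filter, %s replaced by the escaped user name.
    user_filter = cfg["search-filter"].replace("%s", escape_filter_value(username))
    hits = ldap_search(cfg["base-dn"], user_filter)
    if not hits:
        raise LoginError("no entry for %r" % username)
    # Step 2: the first match is the user's DN (a well-chosen filter yields exactly one).
    user_dn = hits[0][0]
    # Step 3: bind as that DN with the supplied password.
    if not ldap_bind(user_dn, password):
        raise LoginError("bind failed for %s" % user_dn)
    # Step 4: group search with %d replaced by the escaped user DN; collect group-target values.
    group_filter = cfg["group-search-filter"].replace("%d", escape_filter_value(user_dn))
    groups = []
    for _dn, attrs in ldap_search(cfg["group-base-dn"], group_filter):
        groups.extend(attrs.get(cfg["group-target"], []))
    return user_dn, groups


def try_login(username, password):
    """Convenience wrapper: (user_dn, groups) on success, None when login fails."""
    try:
        return find_and_bind(username, password)
    except LoginError:
        return None


if __name__ == "__main__":
    print(try_login("alice", "s3cret"))   # alice's DN and her groups
    print(try_login("alice", ""))         # None: empty password never reaches the bind
    print(try_login("*", "s3cret"))       # None: the wildcard is escaped, no entry matches
```

With escaping in place a user name of `*` finds nothing; with the raw value substituted, the wildcard would match every entry under base-dn and step 2 would silently bind against whichever entry the server returned first, so escaping is what keeps step 2's "first match wins" rule safe.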

Fields Summary

private com.sun.enterprise.security.auth.realm.ldap.LDAPRealm _ldapRealm

Constructors Summary

Methods Summary
protected void authenticate()

Performs authentication for the current user.

    protected void authenticate() throws LoginException {
        // The realm this module was configured with must be an LDAPRealm.
        if (!(_currentRealm instanceof LDAPRealm)) {
            String msg = sm.getString("ldaplm.badrealm");
            throw new LoginException(msg);
        }
        _ldapRealm = (LDAPRealm)_currentRealm;

        // Enforce that the password cannot be empty. A simple bind with an
        // empty password is an unauthenticated bind (RFC 4513, section 5.1.2),
        // which a directory may accept without checking any credential, so an
        // empty password must never reach the bind step.
        if (_password == null || _password.length() == 0) {
            String msg = sm.getString("ldaplm.emptypassword", _username);
            throw new LoginException(msg);
        }

        String mode = _currentRealm.getProperty(LDAPRealm.PARAM_MODE);

        if (LDAPRealm.MODE_FIND_BIND.equals(mode)) {
            // The realm performs the find-bind steps (search, bind, group
            // search); a failed search or bind ends authentication here.
            String[] grpList = _ldapRealm.findAndBind(_username, _password);
            // Hand a copy of the group list to the common commit path.
            String[] groupListToForward = new String[grpList.length];
            for (int i = 0; i < grpList.length; i++) {
                groupListToForward[i] = grpList[i];
            }

            commitAuthentication(_username, _password,
                    _currentRealm, groupListToForward);
        } else {
            // Only find-bind is implemented; any other mode value is rejected.
            String msg = sm.getString("ldaplm.badmode", mode);
            throw new LoginException(msg);
        }
    }