Example
This section provides a walkthrough of converting an existing set of pre-EMS 10.0 LDAP parameters using the LDAP Group User Authentication login module.
1. Set the jre_library parameter to enable the JVM. For more information, see The JVM in the EMS Server.
2. Set the security_classpath. For example:
   security_classpath =
   c:\tibco\ems\10.3\bin\tibemsd_jaas.jar;
   c:\tibco\ems\10.3\lib\tibjmsadmin.jar;
   c:\tibco\ems\10.3\lib\tibjms.jar;c:\tibco\ems\10.3\lib\jakarta.jms-api-2.0.3.jar
3. Enable JAAS for LDAP authentication by modifying the user_auth parameter. Remove ldap from the list of authentication sources, and verify that jaas is present. For example:
   user_auth=jaas
4. Edit the provided com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication module for your LDAP server configuration:
   - Locate the sample configuration file ems_ldap_with_groups.txt in EMS_HOME\samples\config\jaas.
   - Copy the file to a secure location, ideally alongside the other EMS server configuration files.
5. Set the jaas_config_file to reference the JAAS module configuration file created in Step 4 above. For example:
   jaas_config_file = ems_ldap_with_groups.txt
LDAP Parameters in the tibemsd.conf
Consider the following LDAP server configuration parameters in the EMS server configuration file, tibemsd.conf:
ldap_url = ldap://ldaphost:389
ldap_principal = cn=Manager
ldap_credential = $man$fPSdYgyVTQloUv36Km36AEOrARW
ldap_user_class = person
ldap_user_attribute = uid
ldap_user_base_dn = "ou=People,dc=TIBCO"
ldap_user_scope = subtree
ldap_user_filter = "(&(uid=%s)(objectclass=person))"
ldap_group_base_dn = "ou=Groups,dc=TIBCO"
ldap_group_scope = subtree
ldap_group_filter = "(&(cn=%s)(objectclass=groupOfUniqueNames))"
ldap_static_group_class = groupOfUniqueNames
ldap_static_group_attribute = cn
ldap_static_member_attribute = uniqueMember
ldap_cache_enabled = FALSE
Mapped to LDAP Group User Authentication Module
The LDAP configuration parameters shown above map to the following JAAS configuration file:
EMSUserAuthentication {
    com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
    tibems.ldap.url="ldap://ldaphost:389"
    tibems.ldap.manager="cn=Manager"
    tibems.ldap.manager_password="$man$fPSdYgyVTQloUv36Km36AEOrARW"
    tibems.ldap.user_attribute="uid"
    tibems.ldap.user_base_dn="ou=People,dc=TIBCO"
    tibems.ldap.scope="subtree"
    tibems.ldap.user_filter="(&(uid={1})(objectclass=person))"
    tibems.ldap.group_base_dn="ou=Groups,dc=TIBCO"
    tibems.ldap.group_scope="subtree"
    tibems.ldap.group_filter="(&({0}={1})(objectclass=groupOfUniqueNames))"
    tibems.ldap.group_attribute="cn"
    tibems.ldap.group_member_attribute="uniqueMember"
    tibems.ldap.cache.enabled="false";
};
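The following Python script is an added example, not part of the TIBCO documentation or product. It checks a converted configuration pair for the points this walkthrough covers: user_auth lists jaas and no longer lists ldap, jaas_config_file is set, and the JAAS filter options have balanced parentheses with no leftover %s placeholder. The function names, the comma/space separator assumed for user_auth, and the sample input are assumptions made for the example.

```python
import re

def parse_conf(text):
    """Parse 'key = value' lines of tibemsd.conf-style text, skipping # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params

def balanced(ldap_filter):
    """Return True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def check_migration(conf_text, jaas_text):
    """Return a list of findings for a tibemsd.conf / JAAS config pair."""
    findings = []
    conf = parse_conf(conf_text)
    # Assumption: user_auth sources are separated by commas and/or spaces.
    sources = [s for s in re.split(r"[,\s]+", conf.get("user_auth", "")) if s]
    if "ldap" in sources:
        findings.append("user_auth still lists ldap")
    if "jaas" not in sources:
        findings.append("user_auth does not list jaas")
    if not conf.get("jaas_config_file"):
        findings.append("jaas_config_file is not set")
    # JAAS options are written as name="value"; inspect the two filter options.
    for name, value in re.findall(r'(tibems\.ldap\.\w*filter)\s*=\s*"([^"]*)"', jaas_text):
        if not balanced(value):
            findings.append(name + " has unbalanced parentheses")
        if "%s" in value:  # pre-10.0 placeholder; the mapping above uses {1}
            findings.append(name + " still uses the %s placeholder")
    return findings

# Constructed sample input with deliberate mistakes, not from a real server.
SAMPLE_CONF = "user_auth = local,ldap\nldap_url = ldap://ldaphost:389\n"
SAMPLE_JAAS = '''EMSUserAuthentication {
  com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
  tibems.ldap.user_filter="(&(uid=%s)(objectclass=person))"
  tibems.ldap.group_filter="(&({0}={1})(objectclass=groupOfUniqueNames)";
};'''

if __name__ == "__main__":
    print("\n".join(check_migration(SAMPLE_CONF, SAMPLE_JAAS)))
```

An empty result means none of these checks fired; it does not confirm that the server can bind to or search the directory.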