Example

This section walks through converting an existing set of LDAP parameters in the EMS server configuration for use with the LDAP Group User Authentication login module.

  1. Set the jre_library parameter to enable the JVM.

    For more information, see The JVM in the EMS Server.

  2. Set the security_classpath.

    For example:

    security_classpath = c:\tibco\ems\8.6\bin\tibemsd_jaas.jar;c:\tibco\ems\8.6\lib\tibjmsadmin.jar;c:\tibco\ems\8.6\lib\tibjms.jar;c:\tibco\ems\8.6\lib\jms-2.0.jar

  3. Enable JAAS for LDAP authentication by modifying the user_auth parameter. Remove ldap from the list of authentication sources, and verify that jaas is present.

    For example:

    user_auth=jaas

  4. Edit the provided com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication module for your LDAP server configuration:
    1. Locate the sample configuration file ems_ldap_with_groups.txt in EMS_HOME\samples\config\jaas.
    2. Copy the file to a secure location, ideally alongside the other EMS server configuration files.

  5. Set the jaas_config_file to reference the JAAS module configuration file created in Step 4 above.

    For example:

    jaas_config_file = ems_ldap_with_groups.txt

LDAP Parameters in the tibemsd.conf

Consider the following LDAP server configuration parameters in the EMS server configuration file, tibemsd.conf:

ldap_url                        = ldap://ldaphost:389
ldap_principal                  = cn=Manager
ldap_credential                 = $man$fPSdYgyVTQloUv36Km36AEOrARW
ldap_user_class                 = person
ldap_user_attribute             = uid
ldap_user_base_dn               = "ou=People,dc=TIBCO"
ldap_user_scope                 = subtree
ldap_user_filter                = "(&(uid=%s)(objectclass=person))"
ldap_group_base_dn              = "ou=Groups,dc=TIBCO"
ldap_group_scope                = subtree
ldap_group_filter               = "(&(cn=%s)(objectclass=groupOfUniqueNames))"
ldap_static_group_class         = groupOfUniqueNames
ldap_static_group_attribute     = cn
ldap_static_member_attribute    = uniqueMember
ldap_cache_enabled              = FALSE

Mapped to LDAP Group User Authentication Module

The LDAP configuration parameters shown above map to the following JAAS configuration file:

EMSUserAuthentication {
        com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
        tibems.ldap.url="ldap://ldaphost:389"
        tibems.ldap.manager="cn=Manager"
        tibems.ldap.manager_password="$man$fPSdYgyVTQloUv36Km36AEOrARW"
        tibems.ldap.user_attribute="uid"
        tibems.ldap.user_base_dn="ou=People,dc=TIBCO"
        tibems.ldap.scope="subtree"
        tibems.ldap.user_filter="(&(uid={1})(objectclass=person))"
        tibems.ldap.group_base_dn="ou=Groups,dc=TIBCO"
        tibems.ldap.group_scope="subtree"
        tibems.ldap.group_filter="(&({0}={1})(objectclass=groupOfUniqueNames))"
        tibems.ldap.group_attribute="cn"
        tibems.ldap.group_member_attribute="uniqueMember"
        tibems.ldap.cache.enabled="false";
};
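As an added example (not code from the product documentation), the following script performs the mapping shown above: it parses ldap_* lines from tibemsd.conf, rewrites the %s filter placeholders into the {0}/{1} form the JAAS module expects, drops the two class parameters that have no JAAS option, and emits the EMSUserAuthentication block. The key map follows the two listings on this page; the parser is an assumption that simplifies tibemsd.conf to one key = value per line, and the sample input is constructed from the page's values.

```python
# tibemsd.conf key -> JAAS option (ldap_user_class and ldap_static_group_class have none: the class is in the filters)
KEY_MAP = {
    "ldap_url": "tibems.ldap.url", "ldap_principal": "tibems.ldap.manager",
    "ldap_credential": "tibems.ldap.manager_password", "ldap_user_attribute": "tibems.ldap.user_attribute",
    "ldap_user_base_dn": "tibems.ldap.user_base_dn", "ldap_user_scope": "tibems.ldap.scope",
    "ldap_user_filter": "tibems.ldap.user_filter", "ldap_group_base_dn": "tibems.ldap.group_base_dn",
    "ldap_group_scope": "tibems.ldap.group_scope", "ldap_group_filter": "tibems.ldap.group_filter",
    "ldap_static_group_attribute": "tibems.ldap.group_attribute",
    "ldap_static_member_attribute": "tibems.ldap.group_member_attribute",
    "ldap_cache_enabled": "tibems.ldap.cache.enabled",
}

def parse_tibemsd(text):
    """Parse 'key = value' lines of tibemsd.conf; '#' comment lines and surrounding quotes are dropped."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip('"') for k, v in pairs}

def convert(key, value, group_attr):
    """Rewrite a tibemsd.conf value into JAAS form for the keys whose syntax differs."""
    if key == "ldap_user_filter":
        return value.replace("%s", "{1}")                        # %s -> {1}, the user-name placeholder
    if key == "ldap_group_filter":
        return value.replace(f"({group_attr}=%s)", "({0}={1})")  # {0} = group attribute, {1} = group name
    if key == "ldap_cache_enabled":
        return value.lower()                                     # TRUE/FALSE -> "true"/"false"
    return value  # everything else, the manager credential included, is copied verbatim: protect the output file

def to_jaas(params):
    """Map parsed ldap_* parameters onto the JAAS module options, in the order KEY_MAP lists them."""
    group_attr = params.get("ldap_static_group_attribute", "cn")
    return {jkey: convert(k, params[k], group_attr) for k, jkey in KEY_MAP.items() if k in params}

def render_jaas(opts):
    """Emit the EMSUserAuthentication block; the last option carries the ';' that ends the option list."""
    head = "        com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required"
    body = [f'        {k}="{v}"' for k, v in opts.items()]
    body[-1] += " ;"
    return "\n".join(["EMSUserAuthentication {", head, *body, "};"])
# Constructed sample: a subset of the tibemsd.conf parameters shown on this page.
SAMPLE_CONF = """\
ldap_url                        = ldap://ldaphost:389
ldap_credential                 = $man$fPSdYgyVTQloUv36Km36AEOrARW
ldap_user_class                 = person
ldap_user_filter                = "(&(uid=%s)(objectclass=person))"
ldap_group_filter               = "(&(cn=%s)(objectclass=groupOfUniqueNames))"
ldap_static_group_attribute     = cn
ldap_cache_enabled              = FALSE
"""
if __name__ == "__main__":
    print(render_jaas(to_jaas(parse_tibemsd(SAMPLE_CONF))))  # redirect into the file named by jaas_config_file
```

Because the manager credential is carried over unchanged, the generated file needs the same access restrictions as tibemsd.conf itself.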