Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 10 JAAS Authentication Modules : Prebuilt JAAS Modules

Prebuilt JAAS Modules
Configuration files for the JAAS modules are provided in the EMS_HOME/samples/config/jaas directory.
For the LDAP modules, properties added in the JAAS configuration file that do not begin with tibems are passed into every LDAP context creation, allowing LDAP-specific parameters to be set in the JAAS configuration file.
Properties that must be set in the JVM environment, such as SSL-related properties, are configured through the jre_option parameter in the EMS server configuration. As a convenience, the location of the trust store (the CA certificates used to validate the LDAP server's certificate when connecting over ldaps) can be set directly with the tibems.ldap.truststore parameter. See the parameter descriptions for each module type for details.
LDAP Simple Authentication
The LDAP Simple Authentication module implements a very basic form of LDAP authentication. The module validates all connections (users, routes, and so on) by authenticating to the LDAP server. The authentication process uses the name and password that the application used when connecting to the EMS server.
The user name must be in the form of a distinguished name, unless a user name pattern is supplied through the tibems.ldap.user_pattern parameter. When a user pattern is supplied, the DN used for the lookup is that pattern string, with %u replaced with the name of the user.
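The %u substitution described above, as an added example that is not TIBCO code. The page says only that %u is replaced with the user name; whether the module escapes that name before binding is not stated here, so the example escapes it itself (RFC 4514 rules) and shows the unescaped form beside it to make clear why that matters when the name comes from the client. The patterns in the comments are the example's own, not taken from the page.

```python
"""Added example, not TIBCO code: deriving the LDAP Simple Authentication
bind DN from the incoming user name and tibems.ldap.user_pattern."""
from typing import Optional

# Characters backslash-escaped inside an RDN attribute value. RFC 4514 requires
# escaping for , + " \ < > ; and permits escaping other characters such as '='.
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:              # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):      # leading/trailing spaces are dropped unless escaped
            out.append("\\ ")
        elif ord(ch) < 0x20:                    # control characters as \XX
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(user_name: str, user_pattern: Optional[str]) -> str:
    """Rule from the page: without a pattern the user name must already be a
    DN and is used as-is; with a pattern, every %u becomes the user name.
    The name is DN-escaped here before substitution (the example's choice)."""
    if user_pattern is None:
        return user_name
    return user_pattern.replace("%u", escape_dn_value(user_name))


def bind_dn_unescaped(user_name: str, user_pattern: Optional[str]) -> str:
    """Literal substitution, for comparison only: a name containing ',' or '='
    appends RDNs to the pattern and redirects the bind to a different entry."""
    if user_pattern is None:
        return user_name
    return user_pattern.replace("%u", user_name)


if __name__ == "__main__":
    pattern = "uid=%u,ou=Marketing,dc=company,dc=com"   # hypothetical pattern
    print(bind_dn("joe", pattern))
    print(bind_dn("joe,ou=admins", "CN=%u,ou=people"))            # escaped: one RDN
    print(bind_dn_unescaped("joe,ou=admins", "CN=%u,ou=people"))  # unescaped: two RDNs
```

With the escaped form, the supplied name always stays inside the single RDN the pattern reserves for it; the unescaped form lets the connecting client choose which entry the bind is attempted against.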
Authentication Process
The simple authentication login module creates a local LDAP context, binding to the LDAP server as a particular user with credentials from the incoming connection. The result of the bind dictates authentication success or failure.
Implementation
The LDAP Simple Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.LDAPSimpleAuthentication
The JAAS configuration file entry for this login module should have a section similar to the following:
EMSUserAuthentication {
    com.tibco.tibems.tibemsd.security.jaas.LDAPSimpleAuthentication required
    tibems.ldap.url="ldap://ldapserver:389"
    tibems.ldap.user_pattern="CN=%u" ;
};
Parameters
Debug flag: When set to true, enables debug output for the module. Enabling this parameter may aid in diagnosing configuration problems.
Warning: Enabling the debug flag may create security vulnerabilities by revealing information in the log file.
tibems.ldap.url: The URL of the LDAP server. The default is ldap://localhost:389.
LDAP Authentication
The LDAP Authentication login module is a more fully featured LDAP authentication module. This module validates all connections (users, routes, and so on) by authenticating to the LDAP server using the supplied credentials.
This EMS JAAS module keeps one lookup context open using a manager context, and then uses copies of that context to search for users. This allows the LDAP implementation to reuse the connection for subsequent searches, improving performance.
Authentication Process
This implementation queries LDAP, and optionally a user cache, to authenticate a user. A context with LDAP manager credentials is first used to look up a user and retrieve the complete distinguished name of the user's entry. If the user exists, a separate LDAP context is then created to authenticate the user. For performance reasons, the manager context, once created, exists for the lifetime of the module.
Should connectivity with the LDAP server break, multiple reconnection attempts may be made based on the parameters.
To increase performance, you can enable user caching. When enabled, a user is added to the user cache after being authenticated through LDAP. This allows for faster authentication on subsequent logins. If the user cache entry is found to be expired, the user is authenticated with LDAP again and the cache is updated.
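The two-step flow above (a search through the long-lived manager context to find the user's DN, then a separate bind with the user's own credentials) together with a TTL user cache, as an added example that is not TIBCO code. It runs against a constructed in-memory directory so it works offline. What the real cache stores is not described on the page; this example keeps a salted password hash per user so that a cache hit still verifies the password, and falls back to LDAP when the hash does not match, which is the example's own design.

```python
"""Added example, not TIBCO code: LDAP Authentication with a user cache,
modelled against a constructed in-memory directory."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed directory standing in for the LDAP server: DN -> (attributes, password).
FAKE_DIRECTORY = {
    "CN=Manager": ({}, "password"),
    "uid=joe,ou=Marketing,dc=company,dc=com": ({"uid": "joe"}, "s3cret"),
    "uid=ann,ou=Marketing,dc=company,dc=com": ({"uid": "ann"}, "hunter2"),
}


class FakeLdap:
    """The two operations the module needs: a search via the manager context
    and a bind with the connecting user's credentials. Counters let the
    caller see when LDAP was actually consulted."""

    def __init__(self, directory, manager_dn: str, manager_password: str):
        # tibems.ldap.manager / tibems.ldap.manager_password: opened once,
        # kept for the lifetime of the module.
        entry = directory.get(manager_dn)
        if entry is None or entry[1] != manager_password:
            raise PermissionError("manager bind failed")
        self._dir = directory
        self.searches = 0
        self.binds = 0

    def search_user(self, base_dn: str, attribute: str, value: str) -> Optional[str]:
        """Return the DN of the entry under base_dn whose attribute equals value."""
        self.searches += 1
        for dn, (attrs, _password) in self._dir.items():
            if dn.endswith("," + base_dn) and attrs.get(attribute) == value:
                return dn
        return None

    def bind(self, dn: str, password: str) -> bool:
        self.binds += 1
        entry = self._dir.get(dn)
        return entry is not None and entry[1] == password


class LdapAuthenticator:
    def __init__(self, ldap: FakeLdap, user_base_dn: str, user_attribute: str,
                 cache_enabled: bool = True, user_ttl: float = 600.0,
                 clock: Callable[[], float] = time.monotonic):
        self.ldap = ldap
        self.user_base_dn = user_base_dn        # tibems.ldap.user_base_dn
        self.user_attribute = user_attribute    # tibems.ldap.user_attribute
        self.cache_enabled = cache_enabled      # tibems.cache.enabled
        self.user_ttl = user_ttl                # tibems.cache.user_ttl (seconds)
        self.clock = clock
        # user name -> (dn, salt, pbkdf2 hash, expiry time); layout is an assumption
        self._cache: Dict[str, Tuple[str, bytes, bytes, float]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, user: str, password: str) -> bool:
        now = self.clock()
        if self.cache_enabled:
            hit = self._cache.get(user)
            if (hit is not None and hit[3] > now
                    and secrets.compare_digest(self._hash(password, hit[1]), hit[2])):
                return True   # unexpired entry and password matches: no LDAP round trip
            # expired, or password differs (maybe changed in LDAP): fall through to LDAP
        dn = self.ldap.search_user(self.user_base_dn, self.user_attribute, user)
        if dn is None:
            return False      # unknown user: no bind is attempted
        if not self.ldap.bind(dn, password):
            return False      # wrong password: cache entry, if any, is left untouched
        if self.cache_enabled:
            salt = secrets.token_bytes(16)
            self._cache[user] = (dn, salt, self._hash(password, salt), now + self.user_ttl)
        return True


if __name__ == "__main__":
    ldap = FakeLdap(FAKE_DIRECTORY, "CN=Manager", "password")
    auth = LdapAuthenticator(ldap, "ou=Marketing,dc=company,dc=com", "uid")
    print(auth.authenticate("joe", "s3cret"), ldap.searches, ldap.binds)  # LDAP consulted
    print(auth.authenticate("joe", "s3cret"), ldap.searches, ldap.binds)  # served from cache
```

The counters make the page's performance claim concrete: the second login of the same user within tibems.cache.user_ttl costs no LDAP search or bind, while an expired entry, an unknown user, or a non-matching password goes back to the directory.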
Implementation
The LDAP Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.LDAPAuthentication
The JAAS configuration file entry for this login module should have a section similar to the following. Note that the manager password is stored in clear text in this file, so restrict read access to it:
EMSUserAuthentication {
    com.tibco.tibems.tibemsd.security.jaas.LDAPAuthentication required
    tibems.ldap.url="ldaps://ldapserver:391"
    tibems.ldap.truststore="/certificates/cacerts"
    tibems.ldap.user_base_dn="ou=Marketing,dc=company,dc=com"
    tibems.ldap.user_attribute="uid"
    tibems.ldap.scope="subtree"
    tibems.cache.enabled=true
    tibems.cache.user_ttl=600
    tibems.ldap.manager="CN=Manager"
    tibems.ldap.manager_password="password" ;
};
Parameters
Debug flag: When set to true, enables debug output for the module. Enabling this parameter may aid in diagnosing configuration problems.
Warning: Enabling the debug flag may create security vulnerabilities by revealing information in the log file.
tibems.ldap.url: The URL of the LDAP server. The default is ldap://localhost:389.
tibems.cache.enabled: When true, enables caching of user information for better performance.
Cache name: The default is a unique cache based on the values of the tibems.ldap.url, tibems.ldap.user_base_dn, and tibems.ldap.user_attribute parameters.
User search filter: If a more complex filter is needed, use this property to override the default. Any occurrence of {0} in the search string is replaced with the user attribute, and {1} with the user name.
tibems.ldap.manager: The DN used for the manager context. The default is CN=Manager.
Backup retries: If one or more backup servers are specified in tibems.ldap.url, this parameter determines the number of times the EMS server iterates through the list of backup LDAP servers.
LDAP Group User Authentication
The LDAP Group User Authentication module extends the full featured LDAP Authentication module and provides additional group information to the EMS server. This module validates all connections (users, routes, and so on) by authenticating to the LDAP server using the supplied credentials, and then updates the EMS server with any related group information found.
If caching is enabled, changes to group membership in the LDAP server are not reflected in EMS until the user's entry in the cache has expired.
Authentication Process
The Group User LDAP module authenticates a user just as the LDAP Authentication module does, but will make additional requests to garner group membership information from LDAP and update the EMS server for authorization purposes.
For example, consider a user "Joe", who belongs to the "Engineering" group in the LDAP server. When an application connects to the EMS server using Joe's credentials, the information that Joe belongs to the Engineering group is passed back up to the server after a successful authentication. If access controls are set up in EMS for the group Engineering, then Joe inherits those permissions.
Implementation
The LDAP Group User Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication
The JAAS configuration file entry for this module should have an entry similar to:
EMSUserAuthentication {
    com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
    tibems.ldap.url="ldap://ldapserver:389"
    tibems.ldap.user_base_dn="ou=Marketing,dc=company,dc=com"
    tibems.ldap.user_attribute="uid"
    tibems.ldap.scope="subtree"
    tibems.ldap.group_base_dn="ou=Groups,dc=company"
    tibems.ldap.group_member_attribute="uniqueMember"
    tibems.ldap.dynamic_group_base_dn="ou=Groups,dc=company"
    tibems.ldap.dynamic_group_class="groupOfURLs"
    tibems.ldap.dynamic_group_member_attribute="uid"
    tibems.ldap.dynamic_group_filter="(objectClass=GroupOfURLs)"
    tibems.cache.enabled=true
    tibems.cache.user_ttl=600
    tibems.ldap.manager="CN=Manager"
    tibems.ldap.manager_password="password" ;
};
Parameters
In addition to all parameters available for the LDAP Authentication module, which are described in Table 52, the following parameters are supported:
 
Static group search filter: The filter used in the static group search. By default, a filter is built from the tibems.ldap.group_member_attribute parameter. If a more complex filter is needed, use this property to override the default. Any occurrence of {0} in the search string is replaced with the group member attribute, {1} with the user DN, and {2} with the user name alone, for directories that record group membership by name rather than by DN. The default is {0}={1}.
tibems.ldap.group_member_attribute: The default is uniqueMember.
tibems.ldap.dynamic_group_class: The default is groupOfURLs.
tibems.ldap.dynamic_group_filter: The filter used in the dynamic group search. By default, a filter is built from the tibems.ldap.dynamic_group_member_attribute parameter. If a more complex filter is needed, use this property to override the default. Any occurrence of {0} is replaced with the group member attribute, {1} with the DN of the user for cases where that may be required, and {2} with the user name.
When using tibems.ldap.dynamic_group_search_direct, use a simple filter that matches all dynamic groups that may contain the user, for example (objectClass=GroupOfURLs). The default is {0}={1}.
Default is uniqueMember.
Default is memberURL.
Default is memberOf.
Default is (distinguishedName={1}).
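Expansion of the {0}/{1}/{2} placeholders used by the user search filter (LDAP Authentication parameters above) and by the static and dynamic group search filters, as an added example that is not TIBCO code. The page does not say whether the module escapes the substituted user name and DN; this example applies RFC 4515 filter escaping to the client-derived values, and substitutes all placeholders in a single pass so that a placeholder text inside a substituted value is never expanded again. The templates in the test calls are illustrations, not defaults taken from the page except where noted.

```python
"""Added example, not TIBCO code: safe expansion of EMS-style {0}/{1}/{2}
LDAP search-filter templates."""
import re
from typing import Dict


def escape_filter_value(value: str) -> str:
    """Escape a value embedded in an LDAP search filter (RFC 4515): the
    characters * ( ) \\ and NUL/control characters become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "*()\\" or ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))      # '*' -> \2a, '(' -> \28, ')' -> \29
        else:
            out.append(ch)
    return "".join(out)


def _expand(template: str, values: Dict[str, str]) -> str:
    """Replace {0}, {1}, {2} in one pass; placeholders with no value are left
    as they are, and text inside a substituted value is never re-expanded."""
    return re.sub(r"\{([012])\}", lambda m: values.get(m.group(1), m.group(0)), template)


def user_filter(template: str, user_attribute: str, user_name: str) -> str:
    """User search (LDAP Authentication): {0} = user attribute, {1} = user name.
    The attribute comes from the configuration and is trusted; the name comes
    from the connecting client and is escaped."""
    return _expand(template, {"0": user_attribute, "1": escape_filter_value(user_name)})


def group_filter(template: str, member_attribute: str, user_dn: str, user_name: str) -> str:
    """Static and dynamic group searches: {0} = group member attribute,
    {1} = user DN, {2} = user name. DN and name are escaped because a DN may
    legitimately contain '(' or '*' inside an attribute value."""
    return _expand(template, {"0": member_attribute,
                              "1": escape_filter_value(user_dn),
                              "2": escape_filter_value(user_name)})


if __name__ == "__main__":
    # Page default for the group searches is {0}={1}; the others are illustrative.
    print(user_filter("({0}={1})", "uid", "joe"))
    print(user_filter("({0}={1})", "uid", "joe)(uid=*"))     # injection attempt neutralised
    print(group_filter("{0}={1}", "uniqueMember", "uid=joe,ou=Marketing,dc=company,dc=com", "joe"))
    print(group_filter("(&(objectClass=posixGroup)(memberUid={2}))",
                       "uniqueMember", "uid=joe,ou=Marketing,dc=company,dc=com", "joe"))
```

The {2} form matters for directories whose groups list members by name (memberUid-style) rather than by DN, which is exactly the case the static-filter description above calls out.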
Host Based Authentication
The Host Based Authentication module authenticates a user based on the IP address or host name that is associated with their client connection during authentication.
When enabled, the IP address of the incoming connection is first evaluated against the configured list of accepted IP addresses and network prefixes (CIDR masks). If any entry matches, IP-based authentication for the connection is considered successful.
If no IP entry matches, the host name of the incoming connection is compared with the configured list of accepted patterns, which may be specific host names, domains, or regular expressions. If the connection's host name matches any pattern in the list, authentication is considered successful.
Either the host name or IP mask must match for authentication success.
Authentication Process
When a client connects to the EMS server, this module compares the IP address with the specified IP net/prefix list, if configured. If that is not successful, then the hostname is compared with the list of hostnames or domain names. Should none of the above succeed, authentication fails.
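The decision order just described (IP address against the accepted address list first, then the connection's host name against the accepted host-name patterns), as an added example that is not TIBCO code. The resolver is injected so the example runs offline against constructed DNS data. Two points are the example's own and not stated on the page: regular-expression patterns are required to match the whole host name, and the optional forward-confirmation step (checking that the name obtained from the reverse lookup resolves back to the client's address) is an added hardening, since the reverse record for an address is controlled by whoever operates that address's reverse zone.

```python
"""Added example, not TIBCO code: Host Based Authentication decision logic
with the address and host-name list formats shown in the configuration above."""
import ipaddress
import re
from typing import Callable, List, Optional

# Constructed DNS data (not real hosts): reverse (PTR) and forward (A) answers.
FAKE_PTR = {
    "10.200.5.5": "production-01.tibco.com",
    "10.200.5.6": "evil.tibco.com",        # PTR claims the domain, forward does not agree
    "203.0.113.9": "build.example.net",
}
FAKE_A = {
    "production-01.tibco.com": ["10.200.5.5"],
    "evil.tibco.com": ["198.51.100.7"],
    "build.example.net": ["203.0.113.9"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def parse_accepted_addresses(spec: str):
    """"10.1.2.23, 10.100.0.0/16, 0:0:0:0:0:0:0:1" -> networks; a bare
    address becomes a /32 or /128."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def parse_accepted_hostnames(spec: str) -> List[str]:
    """"'production.*','.tibco.com'" -> ['production.*', '.tibco.com'];
    each entry is single-quoted and entries are comma separated."""
    return [m.group(1) for m in re.finditer(r"'([^']*)'", spec)]


def ip_matches(client_ip: str, networks) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def hostname_matches(hostname: str, patterns: List[str]) -> bool:
    host = hostname.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("."):
            if host.endswith(pattern.lower()):      # leading dot: any host in that domain
                return True
        elif re.fullmatch(pattern, host, re.IGNORECASE):   # otherwise a regular expression
            return True
    return False


def host_based_authenticate(client_ip: str, networks, patterns: List[str],
                            reverse_lookup: Callable[[str], Optional[str]],
                            forward_lookup: Optional[Callable[[str], List[str]]] = None) -> bool:
    if ip_matches(client_ip, networks):
        return True                     # IP match: no name lookup is needed at all
    if not patterns:
        return False                    # page: host names are not checked when the list is unset
    hostname = reverse_lookup(client_ip)   # the NIS/DNS lookup the warning refers to
    if not hostname:
        return False
    if forward_lookup is not None and client_ip not in forward_lookup(hostname):
        return False                    # added hardening: reverse name must resolve back to the client
    return hostname_matches(hostname, patterns)


if __name__ == "__main__":
    nets = parse_accepted_addresses("10.1.2.23, 10.100.0.0/16, 0:0:0:0:0:0:0:1")
    pats = parse_accepted_hostnames("'production.*','.tibco.com'")
    for ip in ("10.100.7.7", "::1", "10.200.5.5", "10.200.5.6", "203.0.113.9"):
        print(ip, host_based_authenticate(ip, nets, pats, fake_reverse),
              host_based_authenticate(ip, nets, pats, fake_reverse, fake_forward))
```

The 10.200.5.6 case shows the caveat: with only the reverse lookup, a PTR record naming a host under .tibco.com is enough to pass, whereas forward confirmation rejects it because the name does not resolve to the connecting address.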
Implementation
The Host Based Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.HostBasedAuthentication
The JAAS configuration file entry for this login module should have a section similar to the following:
EMSUserAuthentication {
    com.tibco.tibems.tibemsd.security.jaas.HostBasedAuthentication required
    tibems.hostbased.accepted_hostnames="'production.*','.tibco.com'"
    tibems.hostbased.accepted_addresses="10.1.2.23, 10.100.0.0/16, 0:0:0:0:0:0:0:1" ;
};
Parameters
Debug flag: When set to true, enables debug output for the module. Enabling this parameter may aid in diagnosing configuration problems.
Warning: Enabling the debug flag may create security vulnerabilities by revealing information in the log file.
tibems.hostbased.accepted_hostnames: Host names or domains can be specified explicitly, or any regular expression accepted by the Java Pattern class may be used. A domain is specified by beginning the string with a dot (.). Each host name or pattern must be enclosed in single quotes, and entries are separated by commas. These entries are compared with the host name associated with the IP address of the connecting EMS client.
WARNING: This can have a performance impact, because a NIS or DNS lookup may be performed to obtain that host name. Since the name comes from a reverse lookup of the client's address, it is only as trustworthy as the name service answering for that address, so do not rely on host-name patterns alone for connections from networks you do not control. If this property is not set, host names are not checked during authentication.
 
