Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 10 JAAS Authentication Modules : Migrating to the EMS JAAS Modules

Migrating to the EMS JAAS Modules
Migrating from LDAP authentication within the EMS server to authentication using the JAAS modules is relatively straightforward. Many of the parameters directly map to each other. Nevertheless, there are some differences and so care must still be taken.
The LDAP Group User Authentication module provides similar functionality to that of the EMS server. However, if group membership is not required for authentication, then the LDAP Authentication module is a better choice.
This table is a reference for mapping parameters. When parameters have an exact equivalent, as indicated in the notes column, the same values from the EMS Server LDAP parameters can be used in the JAAS modules, except that the JAAS modules expect parameter values to be enclosed in quotes.
 
Parameters Requiring Conversion
ldap_conn_type
The connection type is indirectly supported by the JAAS modules through the protocol portion of the LDAP URL:
ldap:// creates a TCP connection.
ldaps:// creates an SSL connection.
If the startTLS LDAP extension is required, additional JNDI parameters may be specified through the JAAS configuration. Alternatively, you can customize the JAAS module. See Custom JAAS Modules for more information.
ldap_tls Parameters
The JAAS modules have the ability to pass any parameters to JNDI. It is up to the user to determine which Java SSL parameters to pass to JNDI through the JAAS configuration.
In most cases, only a certificate key store is required. For convenience, the tibems.ldap.truststore parameter can be used to specify the store. Please refer to Java documentation for additional information regarding the use of SSL.
Filters
Filters perform the same function in the JAAS modules as they do when LDAP authentication is configured within the EMS server, but the specification of the filter parameters is slightly different.
Be sure to substitute the EMS server's %s filters for the appropriate {n} JAAS module filter.
ldap_user_class and ldap_static_group_class
The ldap_user_class and ldap_static_group_class parameters are not necessary in the JAAS modules. LDAP class names are specified in the filters, as in the following examples:
tibems.ldap.user_filter="(&({0}={1})(objectClass=uniqueMember))"
and
tibems.ldap.group_filter="(&({0}={1})(objectClass=groupofUniqueNames))"
Please refer to the filter documentation to map the various identifiers. For example, when converting the user filter, the EMS server LDAP parameter %s maps to {1} in the JAAS filter. Many group searches should work with a filter similar to:
(&({0}={1})(objectClass=<group class>))
However, dynamic groups do allow you to specify the class in order to mirror the search algorithm used by the EMS server native LDAP functionality.
Dynamic Groups
Dynamic groups in LDAP should normally behave similarly to static groups in LDAP. However, some LDAP implementations require a modified search algorithm.
In order to perform this type of search with the JAAS modules, set the parameter:
tibems.ldap.dynamic_group_search_direct="true"
It is recommended that this parameter be enabled after you have determined that there is a problem, or when using an OpenLDAP server. In some cases, this is required in order to mirror the EMS Server native LDAP functionality.
Example
This section provides a walkthrough of converting an existing set of LDAP parameters in the EMS server to the LDAP Group User Authentication login module.
1. Set the jre_library parameter to enable the JVM. For more information, see The JVM in the EMS Server.
2. Set the security_classpath parameter. For example:
security_classpath = c:\tibco\ems\8.1\bin\tibemsd_jaas.jar;c:\tibco\ems\8.1\lib\tibjmsadmin.jar;c:\tibco\ems\8.1\lib\tibjms.jar;c:\tibco\ems\8.1\lib\jms-2.0.jar
3. Enable JAAS for LDAP authentication by modifying the user_auth parameter. Remove ldap from the list of authentication sources, and verify that jaas is present. For example:
user_auth=jaas
4. Edit the provided com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication module for your LDAP server configuration:
a. Locate the sample configuration file ems_ldap_with_groups.txt in EMS_HOME\samples\config\jaas.
b.
5. Set the jaas_config_file to reference the JAAS module configuration file created in step 4 above. For example:
jaas_config_file = ems_ldap_with_groups.txt
LDAP Parameters in the tibemsd.conf
Consider the following LDAP server configuration parameters in the EMS server configuration file, tibemsd.conf:

 
ldap_url                        = ldap://ldaphost:389
ldap_principal                  = cn=Manager
ldap_credential                 = $man$fPSdYgyVTQloUv36Km36AEOrARW
ldap_user_class                 = person
ldap_user_attribute             = uid
ldap_user_base_dn               = "ou=People,dc=TIBCO"
ldap_user_scope                 = subtree
ldap_user_filter                = "(&(uid=%s)(objectclass=person))"
ldap_group_base_dn              = "ou=Groups,dc=TIBCO"
ldap_group_scope                = subtree
ldap_group_filter               = "(&(cn=%s)(objectclass=groupOfUniqueNames))"
ldap_static_group_class         = groupOfUniqueNames
ldap_static_group_attribute     = cn
ldap_static_member_attribute    = uniqueMember
ldap_cache_enabled              = FALSE

 
Mapped to LDAP Group User Authentication Module
The LDAP configuration parameters shown above map to the following JAAS configuration file:

 
EMSUserAuthentication {
        com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
        tibems.ldap.url="ldap://ldaphost:389"
        tibems.ldap.manager="cn=Manager"
        tibems.ldap.manager_password="$man$fPSdYgyVTQloUv36Km36AEOrARW"
        tibems.ldap.user_attribute="uid"
        tibems.ldap.user_base_dn="ou=People,dc=TIBCO"
        tibems.ldap.scope="subtree"
        tibems.ldap.user_filter="(&(uid={1})(objectclass=person))"
        tibems.ldap.group_base_dn="ou=Groups,dc=TIBCO"
        tibems.ldap.group_scope="subtree"
        tibems.ldap.group_filter="(&({0}={1})(objectclass=groupOfUniqueNames))"
        tibems.ldap.group_attribute="cn"
        tibems.ldap.group_member_attribute="uniqueMember"
        tibems.ldap.cache.enabled="false";
};

 
