Repository: karaf Updated Branches: refs/heads/karaf-2.x f210c80f6 -> 92578b03c
[KARAF-3105] Introduce the fqdn pattern in the LDAPLoginModule and update the documentation with the available patterns Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/2b6a1814 Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/2b6a1814 Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/2b6a1814 Branch: refs/heads/karaf-2.x Commit: 2b6a18141cf3d5dfafce60a3206e09246400a370 Parents: f210c80 Author: Jean-Baptiste Onofré <[email protected]> Authored: Sat Jul 12 14:13:48 2014 +0200 Committer: Jean-Baptiste Onofré <[email protected]> Committed: Sat Jul 12 14:32:29 2014 +0200 ---------------------------------------------------------------------- .../jaas/modules/ldap/LDAPLoginModule.java | 4 +- .../developers-guide/security-framework.conf | 6 ++ .../src/main/webapp/users-guide/security.conf | 83 -------------------- 3 files changed, 9 insertions(+), 84 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/karaf/blob/2b6a1814/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java ---------------------------------------------------------------------- diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java index 0ddc83f..2c587a8 100644 --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java @@ -191,6 +191,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { } logger.debug("Get the user DN."); String userDN; + String userDNNamespace; DirContext context = null; try { logger.debug("Initialize the JNDI LDAP Dir Context."); 
@@ -224,7 +225,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { // // the second escapes the slashes correctly. userDN = result.getNameInNamespace().replace("," + userBaseDN, ""); - + userDNNamespace = (String) result.getNameInNamespace(); namingEnumeration.close(); } catch (Exception e) { throw new LoginException("Can't connect to the LDAP server: " + e.getMessage()); @@ -288,6 +289,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { roleFilter = roleFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user)); roleFilter = roleFilter.replaceAll(Pattern.quote("%dn"), Matcher.quoteReplacement(userDN)); roleFilter = roleFilter.replaceAll(Pattern.quote("%fqdn"), Matcher.quoteReplacement(userDN + "," + userBaseDN)); + roleFilter = roleFilter.replaceAll(Pattern.quote("%nsdn"), Matcher.quoteReplacement(userDNNamespace)); roleFilter = roleFilter.replace("\\", "\\\\"); logger.debug(" filter: " + roleFilter); NamingEnumeration namingEnumeration = context.search(roleBaseDN, roleFilter, controls); http://git-wip-us.apache.org/repos/asf/karaf/blob/2b6a1814/manual/src/main/webapp/developers-guide/security-framework.conf ---------------------------------------------------------------------- diff --git a/manual/src/main/webapp/developers-guide/security-framework.conf b/manual/src/main/webapp/developers-guide/security-framework.conf index 17105bd..09b1f5c 100644 --- a/manual/src/main/webapp/developers-guide/security-framework.conf +++ b/manual/src/main/webapp/developers-guide/security-framework.conf 
@@ -263,6 +263,12 @@ If you wish to use an SSL connection, the following configuration can be used as keystorePassword="secret" /> {pygmentize} +The LDAPLoginModule supports the following patterns that you can use in the filter (user and role filters): + +* {{%u}} is replaced by the user +* {{%dn}} is replaced by the user DN +* {{%fqdn}} is replaced by the user full qualified DN ({{userDN,userBaseDN}}). +* {{%nsdn}} is replaced by the userDNNamespace (interesting especially for ActiveDirectory). h2. Encryption service http://git-wip-us.apache.org/repos/asf/karaf/blob/2b6a1814/manual/src/main/webapp/users-guide/security.conf ---------------------------------------------------------------------- diff --git a/manual/src/main/webapp/users-guide/security.conf b/manual/src/main/webapp/users-guide/security.conf deleted file mode 100644 index 482f633..0000000 --- a/manual/src/main/webapp/users-guide/security.conf +++ /dev/null 
@@ -1,83 +0,0 @@ -h1. Security - -h2. Managing users and passwords - -The default security configuration uses a property file located at {{etc/users.properties}} to store authorized users and their passwords. - -The default user name is {{karaf}} and the associated password is {{karaf}} too. We strongly encourage you to change the default password by editing the above file before moving Karaf into production. - -The users are currently used in three different places in Karaf: -* access to the SSH console -* access to the JMX management layer -* access to the Web console -Those three ways all delegate to the same JAAS based security authentication. - -The {{users.properties}} file contains one or more lines, each line defining a user, its password and the associated roles. - -{code} -user=password[,role][,role]... -{code} - -h2. Managing roles - -JAAS roles can be used by various components. The three management layers (SSH, JMX and WebConsole) all use a global role based authorization system. The default role name is configured in the {{etc/system.properties}} using the {{karaf.admin.role}} system property and the default value is {{admin}}. All users authenticating for the management layer must have this role defined. - -The syntax for this value is the following: -{code} -[classname:]principal -{code} -where classname is the class name of the principal object (defaults to org.apache.karaf.jaas.modules.RolePrincipal) and principal is the name of the principal of that class (defaults to admin). - -Note that roles can be changed for a given layer using ConfigAdmin in the following configurations: -|| Layer || PID || Value || -| SSH | org.apache.karaf.shell | sshRole | -| JMX | org.apache.karaf.management | jmxRole | -| Web | org.apache.karaf.webconsole | role | - -h2. Enabling password encryption - -In order to not keep the passwords in plain text, the passwords can be stored encrypted in the configuration file. 
-This can be easily enabled using the following commands: - -{code} -# edit config -config:edit org.apache.karaf.jaas -config:propset encryption.enabled true -config:update -# force a restart -dev:restart -{code} - -The passwords will be encrypted automatically in the {{etc/users.properties}} configuration file the first time the user logs in. -Encrypted passwords are prepended with {{\{CRYPT\}}} so that are easy to recognize. - -h2. Managing realms - -More information about modifying the default realm or deploying new realms is provided in the [developers guide|/developers-guide/security-framework]. - -h2. Deploying security providers - -Some applications require specific security providers to be available, such as [BouncyCastle|http://www.bouncycastle.org]. The JVM impose some restrictions about the use of such jars: they have to be signed and be available on the boot classpath. One way to deploy those providers is to put them in the JRE folder at {{$JAVA_HOME/jre/lib/ext}} and modify the security policy configuration ({{$JAVA_HOME/jre/lib/security/java.security}}) in order to register such providers. - -While this approach works fine, it has a global effect and requires you to configure all your servers accordingly. - -Karaf offers a simple way to configure additional security providers: -* put your provider jar in {{lib/ext}} -* modify the {{etc/config.properties}} configuration file to add the following property - -{code} -org.apache.karaf.security.providers = xxx,yyy -{code} - -The value of this property is a comma separated list of the provider class names to register. -For example: -{code} -org.apache.karaf.security.providers = org.bouncycastle.jce.provider.BouncyCastleProvider -{code} - -In addition, you may want to provide access to the classes from those providers from the system bundle so that all bundles can access those. 
It can be done by modifying the {{org.osgi.framework.bootdelegation}} property in the same configuration file: -{code} -org.osgi.framework.bootdelegation = ...,org.bouncycastle* -{code} - -
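Review bot: the cast in `userDNNamespace = (String) result.getNameInNamespace();` (hunk at `@@ -224,7 +225,7 @@`) is redundant, since `SearchResult.getNameInNamespace()` already returns `String`; drop it. While here, `userDN` on the line above is derived from the very same call by stripping `"," + userBaseDN`, so assign `userDNNamespace` first and compute `userDN` from it rather than calling `getNameInNamespace()` twice; that keeps the two values from drifting and makes the relationship between `%dn`, `%fqdn` and `%nsdn` obvious to the next reader.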
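Review bot: in the hunk at `@@ -288,6 +289,7 @@` the value substituted for `%nsdn` (and, already, for `%dn` and `%fqdn`) is placed into the LDAP search filter with no escaping other than the blanket `roleFilter.replace("\\", "\\\\")` on the following line, so a DN containing `(`, `)` or `*` breaks or changes the filter passed to `context.search(roleBaseDN, roleFilter, controls)`. Active Directory, which the commit names as the target for `%nsdn`, routinely produces CNs such as `Smith (HR)`. Escape the substituted value per RFC 4515 (`\28`, `\29`, `\2a`, `\5c`, `\00`) before building the filter instead of relying on the backslash doubling. Separately, the commit message says "Introduce the fqdn pattern", but `%fqdn` is already present in the context lines of this hunk; the pattern this change introduces is `%nsdn`.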
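Review bot: the paragraph added to `security-framework.conf` says the patterns can be used in "the filter (user and role filters)", but `%dn`, `%fqdn` and `%nsdn` are all computed from the result of the user search (the `userDN` and `userDNNamespace` assignments in the Java hunks), so only `%u` can be meaningful in the user filter; state that explicitly. Two wording points: "full qualified DN" should read "fully qualified DN", and "`%nsdn` is replaced by the userDNNamespace" leaks a Java variable name into the manual. Describe it as the DN exactly as the server returned it for the search result (`getNameInNamespace()`), and note that `%fqdn` is `%dn` re-joined with `userBaseDN`, so the two differ only when the returned name does not end in `,userBaseDN` exactly (the `replace` is case-sensitive), which is precisely the Active Directory case the note alludes to.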
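Review bot: the last hunk deletes the entire users-guide `security.conf` page (the `users.properties` format, the `karaf.admin.role` property and the per-layer role PIDs, `encryption.enabled`, and registering security providers via `lib/ext` and `org.apache.karaf.security.providers`), which the commit message does not mention at all. If that content moved elsewhere, say where and link to it from `security-framework.conf`; otherwise keep the page, since the paragraph added to the developers guide documents only the filter patterns and none of the removed material.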
