Date: 2005-03-14T11:10:23 Editor: EndiDewata Wiki: Apache Directory Project Wiki Page: EveGeneral URL: http://wiki.apache.org/directory/EveGeneral
no comment Change Log: ------------------------------------------------------------------------------ 
@@ -14,6 +14,60 @@ * By default, anonymous binds are allowed both via JNDI interfaces and via LDAP based network clients. So the server will start and work without any initial configuration. The presence of the ""eve.disable.anonymous"" property key disables anonymous user access on both interfaces (JNDI and LDAP). += Authenticator SPI = +There are 3 ways in which a client can authenticate to the ApacheDS: anonymous, simple, and SASL. Currently only anonymous and simple mechanism (with plain text password) are supported by default in ApacheDS. See http://java.sun.com/products/jndi/tutorial/ldap/security/index.html for more information. + +Using the Authenticator SPI you can implement your own authentication mechanism. You can create an authenticator to extend the simple authentication mechanism to support encryption such as Crypt, SHA, etc. You can also create an authenticator to support SASL mechanisms such as DIGEST-MD5, etc. + +== Writing Authenticator == +Your authenticator class has to extend the org.apache.ldap.server.Authenticator. See the following example: + +{{{ +public class MyAuthenticator extends Authenticator { + + public MyAuthenticator( ) + { + // create authenticator that will handle "simple" authentication mechanism + super( "simple" ); + } + + public void init() throws NamingException + { + ... + } + + public LdapPrincipal authenticate( ServerContext ctx ) throws NamingException + { + ... + + // return the authorization id + LdapName principalDn = new LdapName( dn ); + return new LdapPrincipal( principalDn ); + } + +}}} + +This class needs to have a no-argument constructor. The constructor should call the super() constructor with the authentication mechanism it is going to handle. In the above example, MyAuthenticator class is going to handle the simple authentication mechanism. To implement a SASL mechanism you need to call super() with the name of the SASL mechanism, e.g. super( "DIGEST-MD5" ). 
+ +You can optionally implement the init() method to initialize your authenticator class. This will be called when the authenticator is loaded by ApacheDS during start-up. + +When a client performs an authentication, ApacheDS will call the authenticate() method. You can get the client authentication info from the server context. After you authenticate the client, you need to return the authorization id. If the authentication fails, you should throw an LdapNoPermissionException. + +When there are multiple authenticators registered with the same authentication type, ApacheDS will try to use them in the order it was registered. If one fails it will use the next one, until it finds one that successfully authenticates the client. + +== JNDI Properties == +To tell ApacheDS to load your custom authenticators, you need to specify it in the JNDI Properties. You can also optionally specify the location of a .properties file containing the initialization parameters. See the following example: + +{{{ +server.authenticators=myauthenticator yourauthenticator + +server.authenticator.class.myauthenticator=com.mycompany.MyAuthenticator +server.authenticator.properties.myauthenticator=myauthenticator.properties + +server.authenticator.class.yourauthenticator=com.yourcompany.YourAuthenticator +server.authenticator.properties.yourauthenticator=yourauthenticator.properties +}}} + == Custom Partition == ApacheDS functionalities can be extended using a custom partition. With custom partition you have a full control of how the data should be stored/retrieved in the backend. To use a custom partition first you need to write an implementation class, then configure it in the JNDI Properties, and optionally write a .properties file containing the initialization parameters for your custom partition.
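Review bot: the MyAuthenticator example in this hunk is syntactically incomplete: the authenticate() method's closing brace is followed directly by the closing `}}}` wiki fence, so the class itself is never closed, and `dn` is used in `new LdapName( dn )` without ever being obtained from the ServerContext, even though the prose two paragraphs later says "You can get the client authentication info from the server context". Add the missing `}` and show where `dn` comes from (or at least a comment such as `// dn obtained from ctx` in place of the `...`), since readers will copy this skeleton as-is. Two smaller points in the same hunk: "encryption such as Crypt, SHA" describes password hashing rather than encryption, and the sentence on multiple authenticators ("If one fails it will use the next one, until it finds one that successfully authenticates") would benefit from a note that every registered authenticator for a mechanism is therefore a full path to a successful bind, so an administrator must trust each one in the `server.authenticators` list, not only the first. Also "in the order it was registered" should read "in the order they were registered".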
