HomeJspresso Wiki

LDAP and custom properties

Thu, 08/27/2009 - 11:02 — atao

Jspresso provides all the necessary plumbing to seamlessly integrate any JAAS login module and as of this writing, there are 2 login modules that come with the framework :

• The development login module which does not require any backend and is perfectly suited for development.

• The ldap login module which authenticates the user against an LDAP directory [1].

You may find many other, freely available, JAAS login modules to meet your needs (JDBC, ascii encrypted file, ...).

Here, we will discuss the LDAP login module and its extension to deal with custom properties.

The Jspresso LdapLoginModule extends the JBoss 4.2.2 LdapExtLoginModule so its documentation [2] apply for the basic configuration. It's an enhanced module with support for custom properties to be extracted from he LDAP directory and stored in the Jspresso org.jspresso.framework.security.UserPrincipal (put/getCustomProperty).

The syntax for custom properties configuration is the following :

custom.propertyName="expression"

where expression is in the form :

recordDN[sliceStart, sliceEnd].attribute

some examples :

  • custom.location="l" will store the l attribute of the user LDAP record in the location custom property.
  • custom.userDn="dn" will store the DN of the user LDAP record in the userDn custom property.

with slicing :

  • custom.companyDN="dn[0,-2]" will slice the user LDAP record DN and store the result in the companyDN custom attribute. The negative bound notation is used in place of "length - 2". Slicing operates on JNDI normalized names parts (LDAP uses a reverse notation). For instance, with the previous expression, if the logged-in LDAP user DN is :
      uid=demo,ou=users,dc=example,dc=com
    the normalized JNDI name is :
      dc=com,dc=example,ou=users,uid=demo
    the [0,-2] slice (i.e. [0,length-2]) will be :
      dc=com,dc=example
    that is then re-transformed in LDAP reverse notation before being stored in the companyDN custom property:
      dc=example,dc=com

The same as above, but extracting an attribute instead of the DN :

  • custom.companyLocation="dn[0,-2].l" will store the l attribute of the dc=example,dc=com LDAP record in the companyLocation custom property.

Notes:

[1] As LDAP tools, see Apache Directory Studio. It works under Eclipse and contains anything you need. You can start with the embedded server and the browser. Even for a newbie like me, with it, LDAP is a breeze.

[2] See also http://www.jboss.org/community/wiki/LdapExtLoginModule