
grouper-users - [grouper-users] RE: Web Services Authentication and LDAP

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: "Michael R. Gettes" <>
  • Cc: "" <>
  • Subject: [grouper-users] RE: Web Services Authentication and LDAP
  • Date: Thu, 9 May 2013 22:30:01 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport02.merit.edu; dkim=neutral (message not signed) header.i=none

I did an implementation:

https://bugs.internet2.edu/jira/browse/GRP-905

Try it out with the attached jar; you can remove the jar once 2.1.4 comes out
and you upgrade to it:

Note, this uses the username the WS client passes in and tries to get a
subject by id or identifier...

####################################################################

You can specify the following in the grouper-loader.properties (you might already
have this configured; you don't have to configure it twice). Note you don't have
to have a user/pass since it will use the one from the authenticating WS
user. Also, pooling is not applicable to this.

#################################
## LDAP connections
#################################
# specify the ldap connection with user, pass, url
# the string after "ldap." is the ID of the connection, and it should not have
# spaces or other special chars in it. In this case it is "personLdap"

#note the URL should start with ldap: or ldaps: if it is SSL.
#It should contain the server and port (optional if not default), and baseDn,
#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
#ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu

#optional, if you are using tls, set this to true. Generally you will not be using an SSL URL to use TLS...
#ldap.personLdap.tls = false

#optional, if using sasl
#ldap.personLdap.saslAuthorizationId =
#ldap.personLdap.saslRealm =

#optional (note, time limit is for search operations, timeout is for connection timeouts),
#most of these default to vt-ldap defaults. times are in millis
#validateOnCheckout defaults to true if all other validate methods are false
#ldap.personLdap.timeout =


####################################################################
Then you can specify this in the grouper-ws.properties:

# to provide custom authentication (instead of the default httpServletRequest.getUserPrincipal())
# for non-Rampart authentication. Class must implement the interface:
# edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication
# class must be fully qualified. e.g. edu.school.whatever.MyAuthenticator
# blank means use default: edu.internet2.middleware.grouper.ws.security.WsGrouperDefaultAuthentication
# kerberos: edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication
# ldap: edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication
ws.security.non-rampart.authentication.class = edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication

# if ldap authn should cache results
ws.authn.ldap.cacheResults = true

# if ldap authn should be used, which ldap connection name in the grouper-loader.properties should
# be used for the connection to the ldap
ws.authn.ldap.grouperLoaderLdapConfigId = personLdap

# if ldap authn should be used, this is the prefix of the userId when connecting to ldap, e.g. uid=
ws.authn.ldap.loginDnPrefix =

# if ldap authn should be used, this is the suffix to the userId when connecting to ldap, e.g. ,ou=users,dc=school,dc=edu
ws.authn.ldap.loginDnSuffix =


########################################################################

Note, if you want to debug this, put this in the log4j.properties:

log4j.logger.edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication = DEBUG


-----Original Message-----
From: [mailto:] On Behalf Of Michael R. Gettes
Sent: Wednesday, May 08, 2013 11:53 AM
To: Chris Hyzer
Cc:
Subject: [grouper-users] Re: Web Services Authentication and LDAP

I prefer user/pass over ldapS so the ldap server does authN. Bad practice to
operate on the hashed pw.

next time i am in philly i will buy beer, cheese steak (Mama's Pizza, best in
the world!) or a pretzel or whatever! THANK YOU!

/mrg

On May 8, 2013, at 11:50 AM, Chris Hyzer <> wrote:

> Whoops, this was my first response, but it didn't get sent :)
>
>
> I have not heard of someone doing this, if someone has, let us know.
>
> It is very easy to do though. Do you want the user/pass in the basic auth
> header to be used as a bind to ldap(s)? Or is it comparing a hashed
> password? Give me the exact details and I can help throw something
> together...
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: [mailto:] On Behalf Of Michael R. Gettes
> Sent: Wednesday, May 08, 2013 10:37 AM
> To:
> Subject: [grouper-users] Web Services Authentication and LDAP
>
> Has anyone implemented authentication to Web Services against LDAP(S)???
>
> Would love to have this problem solved today! :-)
>
> Thanks!
>
> /mrg

Attachment: grouperWsLdapAuthPre_v2_4.jar
Description: grouperWsLdapAuthPre_v2_4.jar
