Grouper Users - Open Discussion List

[Chris Hyzer <>]

I did an implementation:

https://bugs.internet2.edu/jira/browse/GRP-905

Try it out with the attached jar, you can remove the jar once 2.1.4 comes out 
and you upgrade to it:

Note, this uses the username the WS client passes in and tries to get a 
subject by id or identifier... 

#################################################################### 

You can specify the following in the grouper-loader.properties (might already 
have this configured, you dont have to configure twice), note you dont have 
to have a user/pass since it will use the one from the authenticating WS 
user. Also, pooling is not applicable to this 

################################# 
## LDAP connections 
################################# 
# specify the ldap connection with user, pass, url 
# the string after "ldap." is the ID of the connection, and it should not 
have 
# spaces or other special chars in it. In this case is it "personLdap" 

#note the URL should start with ldap: or ldaps: if it is SSL. 
#It should contain the server and port (optional if not default), and baseDn, 
#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu 
#ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu 

#optional, if you are using tls, set this to true. Generally you will not be 
using an SSL URL to use TLS... 
#ldap.personLdap.tls = false 

#optional, if using sasl 
#ldap.personLdap.saslAuthorizationId = 
#ldap.personLdap.saslRealm = 

#optional (note, time limit is for search operations, timeout is for 
connection timeouts), 
#most of these default to vt-ldap defaults. times are in millis 
#validateOnCheckout defaults to true if all other validate methods are false 
#ldap.personLdap.timeout = 


#################################################################### 
Then you can specify this in the grouper-ws.properties: 

# to provide custom authentication (instead of the default 
httpServletRequest.getUserPrincipal() 
# for non-Rampart authentication. Class must implement the interface: 
# edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication 
# class must be fully qualified. e.g. edu.school.whatever.MyAuthenticator 
# blank means use default: 
edu.internet2.middleware.grouper.ws.security.WsGrouperDefaultAuthentication 
# kerberos: 
edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication 
# ldap: 
edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication 
ws.security.non-rampart.authentication.class = 
edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication 

# if ldap authn should cache results 
ws.authn.ldap.cacheResults = true 

# if ldap authn should be used, which ldap connection name in the 
grouper-loader.properties should 
# be used for the connection to the ldap 
ws.authn.ldap.grouperLoaderLdapConfigId = personLdap 

# if ldap authn should be used, this is the prefix of the userId when 
connecting to ldap, e.g. uid= 
ws.authn.ldap.loginDnPrefix = 

# if ldap authn should be used, this is the suffix to the userId when 
connecting to ldap, e.g. ,ou=users,dc=school,dc=edu 
ws.authn.ldap.loginDnSuffix = 


######################################################################## 

Note, if you want to debug this, put this in the log4j.properties: 

log4j.logger.edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication
 = DEBUG 


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Michael R. Gettes
Sent: Wednesday, May 08, 2013 11:53 AM
To: Chris Hyzer
Cc: 

Subject: [grouper-users] Re: Web Services Authentication and LDAP

I prefer user/pass over ldapS so the ldap server does authN.  Bad practice to 
operate on the hashed pw.

next time i am in philly i will buy beer, cheese steak (Mama's Pizza, best in 
the world!) or a pretzel or whatever!  THANK YOU!

/mrg

On May 8, 2013, at 11:50 AM, Chris Hyzer 
<>
 wrote:

> Whoops, this was my first response, but it didn't get sent :) 
> 
> 
> I have not heard of someone doing this, if someone has, let us know.
> 
> It is very easy to do though.  Do you want the user/pass in the basic auth 
> header to be used as a bind to ldap(s)?  Or is it comparing a hashed 
> password?  Give me the exact details and I can help throw something 
> together...
> 
> Thanks,
> Chris
> 
> -----Original Message-----
> From: 
> 
>  
> [mailto:]
>  On Behalf Of Michael R. Gettes
> Sent: Wednesday, May 08, 2013 10:37 AM
> To: 
> 
> Subject: [grouper-users] Web Services Authentication and LDAP
> 
> Has anyone implemented authentication to Web Services against LDAP(S)???
> 
> Would love to have this problem solved today!  :-)
> 
> Thanks!
> 
> /mrg

Attachment: grouperWsLdapAuthPre_v2_4.jar
Description: grouperWsLdapAuthPre_v2_4.jar