
grouper-users - [grouper-users] Re: Web Services Authentication and LDAP

  • From: "Michael R. Gettes" <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: [grouper-users] Re: Web Services Authentication and LDAP
  • Date: Fri, 10 May 2013 13:45:30 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none

THANK YOU SO MUCH!

/mrg

On May 9, 2013, at 6:30 PM, Chris Hyzer
<>
wrote:

> I did an implementation:
>
> https://bugs.internet2.edu/jira/browse/GRP-905
>
> Try it out with the attached jar, you can remove the jar once 2.1.4 comes
> out and you upgrade to it:
>
> Note, this uses the username the WS client passes in and tries to get a
> subject by id or identifier...
>
> ####################################################################
>
> You can specify the following in the grouper-loader.properties (might
> already have this configured, you don't have to configure twice). Note you
> don't have to have a user/pass since it will use the one from the
> authenticating WS user. Also, pooling is not applicable to this.
>
> #################################
> ## LDAP connections
> #################################
> # specify the ldap connection with user, pass, url
> # the string after "ldap." is the ID of the connection, and it should not have
> # spaces or other special chars in it. In this case it is "personLdap"
>
> #note the URL should start with ldap: or ldaps: if it is SSL.
> #It should contain the server and port (optional if not default), and baseDn,
> #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
> #ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu
>
> #optional, if you are using tls, set this to true. Generally you will not be
> #using an SSL URL to use TLS...
> #ldap.personLdap.tls = false
>
> #optional, if using sasl
> #ldap.personLdap.saslAuthorizationId =
> #ldap.personLdap.saslRealm =
>
> #optional (note, time limit is for search operations, timeout is for connection timeouts),
> #most of these default to vt-ldap defaults. times are in millis
> #validateOnCheckout defaults to true if all other validate methods are false
> #ldap.personLdap.timeout =
>
>
> ####################################################################
> Then you can specify this in the grouper-ws.properties:
>
> # to provide custom authentication (instead of the default httpServletRequest.getUserPrincipal()
> # for non-Rampart authentication. Class must implement the interface:
> # edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication
> # class must be fully qualified. e.g. edu.school.whatever.MyAuthenticator
> # blank means use default: edu.internet2.middleware.grouper.ws.security.WsGrouperDefaultAuthentication
> # kerberos: edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication
> # ldap: edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication
> ws.security.non-rampart.authentication.class = edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication
>
> # if ldap authn should cache results
> ws.authn.ldap.cacheResults = true
>
> # if ldap authn should be used, which ldap connection name in the grouper-loader.properties should
> # be used for the connection to the ldap
> ws.authn.ldap.grouperLoaderLdapConfigId = personLdap
>
> # if ldap authn should be used, this is the prefix of the userId when connecting to ldap, e.g. uid=
> ws.authn.ldap.loginDnPrefix =
>
> # if ldap authn should be used, this is the suffix to the userId when connecting to ldap, e.g. ,ou=users,dc=school,dc=edu
> ws.authn.ldap.loginDnSuffix =
>
>
> ########################################################################
>
> Note, if you want to debug this, put this in the log4j.properties:
>
> log4j.logger.edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication = DEBUG
>
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Michael R. Gettes
> Sent: Wednesday, May 08, 2013 11:53 AM
> To: Chris Hyzer
> Cc:
>
> Subject: [grouper-users] Re: Web Services Authentication and LDAP
>
> I prefer user/pass over ldapS so the ldap server does authN. Bad practice
> to operate on the hashed pw.
>
> next time i am in philly i will buy beer, cheese steak (Mama's Pizza, best
> in the world!) or a pretzel or whatever! THANK YOU!
>
> /mrg
>
> On May 8, 2013, at 11:50 AM, Chris Hyzer
> <>
> wrote:
>
>> Whoops, this was my first response, but it didn't get sent :)
>>
>>
>> I have not heard of someone doing this, if someone has, let us know.
>>
>> It is very easy to do though. Do you want the user/pass in the basic auth
>> header to be used as a bind to ldap(s)? Or is it comparing a hashed
>> password? Give me the exact details and I can help throw something
>> together...
>>
>> Thanks,
>> Chris
>>
>> -----Original Message-----
>> From:
>>
>>
>> [mailto:]
>> On Behalf Of Michael R. Gettes
>> Sent: Wednesday, May 08, 2013 10:37 AM
>> To:
>>
>> Subject: [grouper-users] Web Services Authentication and LDAP
>>
>> Has anyone implemented authentication to Web Services against LDAP(S)???
>>
>> Would love to have this problem solved today! :-)
>>
>> Thanks!
>>
>> /mrg
>
> <grouperWsLdapAuthPre_v2_4.jar>
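An added example (my own illustration, not code from Grouper or from the jar attached above) of the bind-based check Chris describes: the WS client's basic-auth user id is wrapped in loginDnPrefix / loginDnSuffix to form a bind DN, a simple bind with the user's own password is attempted, and a success is cached. The sample directory, the fake_simple_bind stand-in, the salted-hash cache entries and the five-minute TTL are all constructed assumptions; the page does not say how Grouper escapes the user id or what its cache holds. The example escapes the user id per RFC 4514 so an id such as jdoe,ou=admins cannot rewrite the DN, and it refuses an empty password, which an LDAP server would otherwise treat as an unauthenticated bind (RFC 4513 section 5.1.2) that succeeds without proving anything.

```python
"""Bind-based LDAP authentication for a WS basic-auth user (added example).

Bind DN = loginDnPrefix + userId + loginDnSuffix, authenticate with the
client's own password, optionally cache the result. Directory contents,
bind stand-in and cache format are constructed here, not Grouper's code.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Characters RFC 4514 section 2.4 requires to be escaped inside a DN value.
_DN_SPECIALS = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                   # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class LdapAuthnConfig:
    """The ws.authn.ldap.* settings from the page plus an assumed cache TTL."""
    login_dn_prefix: str = "uid="
    login_dn_suffix: str = ",ou=users,dc=school,dc=edu"
    cache_results: bool = True
    cache_ttl_seconds: int = 300  # assumption: the page states no TTL


# Constructed sample directory (bind DN -> password), standing in for ldaps://.
FAKE_DIRECTORY: Dict[str, str] = {
    "uid=jdoe,ou=users,dc=school,dc=edu": "correct horse battery staple",
}


def fake_simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind; a deployment binds over ldaps:// instead."""
    stored = FAKE_DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


class CountingBind:
    """Wraps a bind function and counts calls so cache behaviour is observable."""
    def __init__(self, bind: Callable[[str, str], bool]) -> None:
        self._bind, self.calls = bind, 0

    def __call__(self, dn: str, password: str) -> bool:
        self.calls += 1
        return self._bind(dn, password)


class LdapBindAuthenticator:
    """Authenticate (userId, password) by binding as that user; cache successes.

    The cache stores a salted PBKDF2 hash of the password, never the password,
    so a leaked cache entry is not a replayable credential.
    """
    def __init__(self, cfg: LdapAuthnConfig, bind: Callable[[str, str], bool],
                 now: Callable[[], float] = time.time) -> None:
        self._cfg, self._bind, self._now = cfg, bind, now
        self._cache: Dict[str, Tuple[bytes, bytes, float]] = {}  # userId -> (salt, hash, expiry)

    def login_dn(self, user_id: str) -> str:
        """prefix + escaped userId + suffix, e.g. uid=jdoe,ou=users,dc=school,dc=edu."""
        return self._cfg.login_dn_prefix + escape_dn_value(user_id) + self._cfg.login_dn_suffix

    def authenticate(self, user_id: str, password: str) -> Optional[str]:
        """Return the userId the WS then looks up as a subject, or None on failure."""
        # An empty password makes the server perform an unauthenticated bind
        # (RFC 4513 section 5.1.2), which succeeds: never send it.
        if not user_id or not password:
            return None
        if self._cfg.cache_results and self._cache_hit(user_id, password):
            return user_id
        if not self._bind(self.login_dn(user_id), password):
            return None
        if self._cfg.cache_results:
            self._cache_put(user_id, password)
        return user_id

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _cache_put(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._cache[user_id] = (salt, self._digest(password, salt),
                                self._now() + self._cfg.cache_ttl_seconds)

    def _cache_hit(self, user_id: str, password: str) -> bool:
        entry = self._cache.get(user_id)
        if entry is None:
            return False
        salt, digest, expiry = entry
        if self._now() >= expiry:
            del self._cache[user_id]
            return False
        return hmac.compare_digest(digest, self._digest(password, salt))


def demo() -> List[Tuple[Optional[str], int]]:
    """Run the cases described above against a fake clock; returns (result, bind calls)."""
    clock, good = [1000.0], "correct horse battery staple"
    bind = CountingBind(fake_simple_bind)
    auth = LdapBindAuthenticator(LdapAuthnConfig(), bind, now=lambda: clock[0])
    steps = []
    for user, pw, advance in [("jdoe", good, 0), ("jdoe", good, 0), ("jdoe", "wrong", 0),
                              ("jdoe", "", 0), ("jdoe,ou=admins", good, 0), ("jdoe", good, 301)]:
        clock[0] += advance
        steps.append((auth.authenticate(user, pw), bind.calls))
    return steps
```

The second correct login is answered from the cache without a bind; a wrong password, an empty password and a user id carrying DN metacharacters all fail, and once the TTL has passed the next login binds again. Before switching ws.security.non-rampart.authentication.class over, the usual smoke test for the prefix/suffix values is a manual bind against the same URL, e.g. ldapwhoami -H ldaps://ldapserver.school.edu:636 -D "uid=jdoe,ou=users,dc=school,dc=edu" -W, which confirms the constructed DN is one the directory will actually authenticate.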



