From 24d10be23d2368868c56e0053030972e6b15e275 Mon Sep 17 00:00:00 2001 From: Keith Wall Date: Thu, 30 Oct 2014 23:37:03 +0000 Subject: QPID-6108: [Java Documentation] Refactor security/auth providers section into separate files to allow for convenient re-purposing of the document git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1635639 13f79535-47bb-0310-9956-ffa450edef68 --- ...oker-Security-Authentication-Providers-LDAP.xml | 99 ++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml (limited to 'qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml') diff --git a/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml b/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml new file mode 100644 index 0000000000..81b36f4692 --- /dev/null +++ b/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml @@ -0,0 +1,99 @@ + + +%entities; +]> + +
+ Simple LDAP + + The Simple LDAP authenticates connections against a Directory (LDAP). + To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: + + LDAP server URL is the URL of the server, for example, + ldaps://example.com:636 + + + Search context is the distinguished name of the search base + object. It defines the location from which the search for users begins, for example, + dc=users,dc=example,dc=com + + + Search filter is a DN template to find an LDAP user entry by + provided user name, for example, (uid={0}) + + Additionally, the following optional fields can be specified: + + LDAP context factory is a fully qualified class name for the + JNDI LDAP context factory. This class must implement the InitialContextFactory interface and produce instances of DirContext. If + not specified a default value of com.sun.jndi.ldap.LdapCtxFactory is + used. + + + LDAP authentication URL is the URL of LDAP server for + performing "ldap bind". If not specified, the LDAP server URL will + be used for both searches and authentications. + + + Truststore name is a name of configured + truststore. Use this if connecting to a Directory over SSL (i.e. ldaps://) + which is protected by a certificate signed by a private CA (or utilising a self-signed + certificate). + + + + + + In order to protect the security of the user's password, when using LDAP authentication, + you must: + + + Use SSL on the broker's AMQP, HTTP and JMX ports to protect the password during + transmission to the Broker. The Broker enforces this restriction automatically on AMQP + and HTTP ports. + + + Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password + during transmission from the Broker to the Directory. + + + + + The LDAP Authentication Provider works in the following manner. If not in bind + without search mode, it first connects to the Directory and searches for the ldap + entity which is identified by the username. 
The search begins at the distinguished name + identified by Search Context and uses the username as a filter. The search + scope is sub-tree meaning the search will include the base object and the subtree extending + beneath it. + + If the search returns a match, or is configured in bind without search + mode, the Authentication Provider then attempts to bind to the LDAP server with the given name + and the password. Note that simple security + authentication is used so the Directory receives the password in the clear. +