directory-commits mailing list archives

Subject [Apache Directory Project Wiki] Updated: EveGeneral
Date Mon, 14 Mar 2005 19:10:23 GMT
   Date: 2005-03-14T11:10:23
   Editor: EndiDewata
   Wiki: Apache Directory Project Wiki
   Page: EveGeneral

   no comment

Change Log:

@@ -14,6 +14,60 @@
  * By default, anonymous binds are allowed both via JNDI interfaces and via LDAP based network
clients.  So the server will start and work without any initial configuration.  The presence
of the ""eve.disable.anonymous"" property key disables anonymous user access on both interfaces
(JNDI and LDAP).
+= Authenticator SPI =
+There are 3 ways in which a client can authenticate to the ApacheDS: anonymous, simple, and
SASL. Currently only anonymous and simple mechanism (with plain text password) are supported
by default in ApacheDS. See
for more information.
+Using the Authenticator SPI you can implement your own authentication mechanism. You can
create an authenticator to extend the simple authentication mechanism to support encryption
such as Crypt, SHA, etc. You can also create an authenticator to support SASL mechanisms such
as DIGEST-MD5, etc.
+== Writing Authenticator ==
+Your authenticator class has to extend the org.apache.ldap.server.Authenticator. See the
following example:
+public class MyAuthenticator extends Authenticator {
+    public MyAuthenticator( )
+    {
+        // create authenticator that will handle "simple" authentication mechanism
+        super( "simple" );
+    }
+    public void init() throws NamingException
+    {
+        ...
+    }
+    public LdapPrincipal authenticate( ServerContext ctx ) throws NamingException
+    {
+        ...
+        // return the authorization id
+        LdapName principalDn = new LdapName( dn );
+        return new LdapPrincipal( principalDn );
+    }
+This class needs to have a no-argument constructor. The constructor should call the super()
constructor with the authentication mechanism it is going to handle. In the above example,
MyAuthenticator class is going to handle the simple authentication mechanism. To implement
a SASL mechanism you need to call super() with the name of the SASL mechanism, e.g. super(
+You can optionally implement the init() method to initialize your authenticator class. This
will be called when the authenticator is loaded by ApacheDS during start-up.
+When a client performs an authentication, ApacheDS will call the authenticate() method. You
can get the client authentication info from the server context. After you authenticate the
client, you need to return the authorization id. If the authentication fails, you should throw
an LdapNoPermissionException.
+When there are multiple authenticators registered with the same authentication type, ApacheDS
will try to use them in the order it was registered. If one fails it will use the next one,
until it finds one that successfully authenticates the client.
+== JNDI Properties ==
+To tell ApacheDS to load your custom authenticators, you need to specify it in the JNDI Properties.
You can also optionally specify the location of a .properties file containing the initialization
parameters. See the following example: 
+server.authenticators=myauthenticator yourauthenticator
 == Custom Partition ==
 ApacheDS functionalities can be extended using a custom partition. With custom partition
you have a full control of how the data should be stored/retrieved in the backend. To use
a custom partition first you need to write an implementation class, then configure it in the
JNDI Properties, and optionally write a .properties file containing the initialization parameters
for your custom partition.
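
Review bot: The paragraph on multiple authenticators in the "Writing Authenticator" section says a failed authenticator falls through to the next one registered for the same type, so throwing LdapNoPermissionException from a custom authenticator does not reject the bind if a later authenticator accepts it. The page should state that explicitly, because someone registering a stricter "simple" authenticator next to a more permissive one would expect its failure to be final. Smaller points in the same hunk: the MyAuthenticator example never closes the class (no `}` after authenticate()) and uses `dn` without showing where it comes from, the sentence ending "e.g. super(" is cut off, "See for more information" has no link target, and the JNDI Properties example shows only `server.authenticators=myauthenticator yourauthenticator` without the entries that map those names to classes or point to the .properties file the text mentions.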
