geronimo-dev mailing list archives

From Jeff Genender <jgenen...@apache.org>
Subject Re: Who understands the LDAP login module?
Date Sun, 20 Nov 2005 20:06:16 GMT
I can answer some of these questions...hopefully correctly.

Aaron Mulder wrote:
> Well, that's a start, but it doesn't actually explain what any of the
> LDAP login module options are -- it only tells you what to set them to
> if you want to connect to the sample.  I'd like to come up with a
> meaningful text description of each option:
> 
> initialContextFactory

The InitialContext factory to use.  Usually it is 
com.sun.jndi.ldap.LdapCtxFactory.

> connectionURL

URL of the LDAP server to connect to.  For a production LDAP this will be:

ldap://[your server's LDAP host address]:389

if you use it with Geronimo in its developer configuration, it would be

ldap://localhost:1389

Because we had the Apache Directory Server listening on 1389 due to 
security issues with running on ports less than 1024.

> connectionUsername

User name to bind.  Should be an administrator or Directory manager that 
has access to examine passwords.

> connectionPassword

Password of the user to bind.

> connectionProtocol

I think it can contain "ssl" for secure communication with certificates.

> authentication

Usually one of several protocols.  I think it follows the Context, so I 
*believe* the possibilities are "none", "simple", and "strong".  I could 
be wrong depending on the implementation.

> userBase

Base of the LDAP search string to the users.

> userSearchMatching

The LDAP attribute search string to find the user.  Usually will be uid={0}.

> userSearchSubtree

I don't know about this one.

> roleBase

LDAP string specifying the base objects from which to search for group/role.

> roleName

Attribute that acts as the role's name.  This typically is the "cn".

> roleSearchMatching

The LDAP search string to find the user.  The value here depends on how 
your group schema is configured.  Generally the role will have many 
attributes that are the same, but with different values.  An example 
would be "memberUID" for LDAP authentication for UNIX systems.  In this 
scenario the value of the roleSearchMatching would be (memberUID={0}).

> roleSearchSubtree

I don't know about this one.

> userRoleName

I don't know about this one.

> 
> I have a vague idea of some of them from hacking around with this kind
> of stuff before -- but for the most part, I probably couldn't explain it
> well.  But even for nominally straightforward ones like connect
> username and password -- does the provided account need to be an LDAP
> administrator?  

Yes.

> Do I understand right that the realm will attempt to
> bind to LDAP as the user to verify their password?  

No.  It typically binds as an administrator user who has access to 
verify the password.

> If so, why do you
> need the admin account and search params, why not just connect as the
> user and if it works look up their groups?

Same reason as JDBC...you have a user that has access to user/groups to 
lookup and respond with the appropriate subject/principals (user/roles).

> 
> Thanks,
>    Aaron
> 
> On 11/20/05, Jeff Genender <jgenender@apache.org> wrote:
>> Looks like Hernan put together a really nice tutorial on Geronimo with
>> the LDAP login module and Apache Directory.
>>
>> http://opensource2.atlassian.com/confluence/oss/display/GERONIMO/Configuring+LDAP
>>
>> Aaron Mulder wrote:
>>> It has like 14 parameters -- if I could get some help figuring out
>>> what all of those mean, and maybe some samples for hooking it up to
>>> OpenLDAP, Sun LDAP, and Active Directory LDAP, that would be
>>> outstanding.
>>>
>>> Thanks,
>>>     Aaron
>>>
>>> http://svn.apache.org/viewcvs.cgi/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/LDAPLoginModule.java?rev=345629&view=markup
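The search flow Jeff describes above (bind as an administrator, find the user with userBase/userSearchMatching, check the password, then collect roles with roleBase/roleSearchMatching/roleName), as an added example that is not part of this thread and not code from Geronimo's LDAPLoginModule. It runs against an in-memory stand-in for the directory with constructed entries; reading userSearchSubtree/roleSearchSubtree as one-level versus whole-subtree scope, and escaping the login name before substituting it for {0}, are my assumptions, not something the thread states.

```python
import re

# Constructed stand-in for an LDAP server (DN -> attributes); not real data.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "userPassword": ["s3cret"]},
    "uid=bob,ou=contractors,ou=people,dc=example,dc=com": {"uid": ["bob"], "userPassword": ["hunter2"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"cn": ["admins"], "memberUID": ["alice"]},
    "cn=staff,ou=groups,dc=example,dc=com": {"cn": ["staff"], "memberUID": ["alice", "bob"]},
}
# Realm options from the thread with constructed values; treating the *Subtree
# flags as one-level (False) versus whole-subtree (True) search is my assumption.
REALM = {"userBase": "ou=people,dc=example,dc=com", "userSearchMatching": "uid={0}",
         "userSearchSubtree": False, "roleBase": "ou=groups,dc=example,dc=com",
         "roleName": "cn", "roleSearchMatching": "(memberUID={0})", "roleSearchSubtree": False}

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def in_scope(dn, base, subtree):
    """One-level: the entry sits directly under base; subtree: anywhere below it."""
    if not dn.endswith("," + base):
        return False
    return subtree or "," not in dn[: -len(base) - 1]

def search(base, subtree, filter_str):
    """Evaluate one equality filter ('(attr=value)' or 'attr=value') against DIRECTORY."""
    m = re.fullmatch(r"\(?([A-Za-z]+)=(.*?)\)?", filter_str)
    if not m:
        raise ValueError("only equality filters are modelled: %r" % filter_str)
    attr, raw = m.groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [(dn, a) for dn, a in DIRECTORY.items()
            if in_scope(dn, base, subtree) and value in a.get(attr, [])]

def login(realm, username, password):
    """The admin-bind flow from the thread: find the user, check the password, collect roles.
    Returns the sorted role names, or None when login fails."""
    user_filter = realm["userSearchMatching"].replace("{0}", escape_filter_value(username))
    users = search(realm["userBase"], realm["userSearchSubtree"], user_filter)
    if len(users) != 1:
        return None  # unknown or ambiguous user
    attrs = users[0][1]
    # Stand-in for the password check; a real directory stores a hash and compares server-side.
    if password not in attrs.get("userPassword", []):
        return None
    role_filter = realm["roleSearchMatching"].replace("{0}", escape_filter_value(username))
    roles = search(realm["roleBase"], realm["roleSearchSubtree"], role_filter)
    return sorted(a[realm["roleName"]][0] for _dn, a in roles)
```

The escaping of the value substituted for {0} is the part worth carrying into a real deployment, since the login name otherwise becomes part of the filter syntax.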
