This is an implementation of a Security Service which uses an LDAP server to authenticate users.
This service provides authentication only by default. Group, role and permission information should be managed elsewhere, for example in a database. The following configuration example uses the default database classes for this and authenticates against an Active Directory server.
You need to configure Turbine to use the LDAP Security Service and the LDAP User Manager:

services.SecurityService.classname=org.apache.turbine.services.security.ldap.LDAPSecurityService
services.SecurityService.user.manager=org.apache.turbine.services.security.ldap.LDAPUserManager
As mentioned before, LDAP does not yet provide custom Group, Role and Permission objects, so you must use it with the default TurbineGroup, TurbineRole and TurbinePermission objects. There is a generic LDAP user and a specialized Active Directory user; we use the latter in this example.

# Class for User.
#services.SecurityService.user.class=org.apache.turbine.services.security.ldap.LDAPUser
services.SecurityService.user.class=org.apache.turbine.services.security.ldap.ActiveDirectoryUser

# Class for Group.
services.SecurityService.group.class=org.apache.turbine.services.security.torque.TorqueGroup

# Class for Role.
services.SecurityService.role.class=org.apache.turbine.services.security.torque.TorqueRole

# Class for Permission.
services.SecurityService.permission.class=org.apache.turbine.services.security.torque.TorquePermission
Now the security service needs to know your LDAP configuration. Note that using sAMAccountName as the user name allows you to log in with the same name as in Windows. You can, however, use any other attribute, for example userPrincipalName (the e-mail address).

services.SecurityService.ldap.security.authentication=simple
services.SecurityService.ldap.port=389
services.SecurityService.ldap.host=ad.acme.com

#
# The user name of the admin user. The admin user should be able to
# read from the LDAP repository.
# Characters '/' are replaced by '=' and '%' are replaced by ','.
#
# Default: none
#
services.SecurityService.ldap.admin.username=CN/JoeAdmin%CN/Users%DC/acme%DC/com
services.SecurityService.ldap.admin.password=password

#
# The directory base to search.
# '/' are replaced by '=' and '%' are replaced by ','.
#
# Default: none
#
services.SecurityService.ldap.basesearch=CN/Users%DC/acme%DC/com
services.SecurityService.ldap.dn.attribute=distinguishedName
services.SecurityService.ldap.provider=com.sun.jndi.ldap.LdapCtxFactory

# Active Directory settings
#
services.SecurityService.ldap.user.userid=userAccountControl
services.SecurityService.ldap.user.username=sAMAccountName
#services.SecurityService.ldap.user.username=cn
services.SecurityService.ldap.user.firstname=givenName
services.SecurityService.ldap.user.lastname=sn
services.SecurityService.ldap.user.email=userPrincipalName
services.SecurityService.ldap.user.password=userPassword
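The following is an added example, not Turbine's own LDAPUserManager code, that shows what the properties above mean in practice: it decodes the '/' and '%' notation used for the admin DN and the search base, binds as the admin user, searches the base for the user's sAMAccountName, reads the distinguishedName attribute, and then binds as that DN with the supplied password. The host, admin DN and base are the placeholder values from the configuration above; the class name LdapAuthExample and the search-then-bind flow are this example's own assumptions about how such a service works, not a description of Turbine's implementation.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example (not Turbine's own code): a plain-JNDI "search, then bind"
 * authentication against Active Directory using the property values shown
 * in the configuration above.
 */
public class LdapAuthExample {

    // Values copied from the configuration above (ad.acme.com is the page's placeholder host).
    static final String PROVIDER_URL = "ldap://ad.acme.com:389";
    static final String ADMIN_DN_ENCODED = "CN/JoeAdmin%CN/Users%DC/acme%DC/com";
    static final String BASE_ENCODED = "CN/Users%DC/acme%DC/com";
    static final String USERNAME_ATTR = "sAMAccountName";     // ldap.user.username
    static final String DN_ATTR = "distinguishedName";        // ldap.dn.attribute

    /** Turbine's DN notation: '/' stands for '=' and '%' stands for ','. */
    static String decodeTurbineDn(String encoded) {
        return encoded.replace('/', '=').replace('%', ',');
    }

    /** RFC 4515 escaping so a user-supplied login name cannot alter the filter's structure. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Simple bind as the given DN (ldap.security.authentication=simple, ldap.provider as configured). */
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Returns true only if the user is found under the base and the password binds as that DN. */
    static boolean authenticate(String username, String password, String adminPassword)
            throws NamingException {
        if (password == null || password.isEmpty()) {
            // An empty password turns a simple bind into an unauthenticated bind,
            // which the server reports as success; it must never count as a login.
            return false;
        }
        String userDn = null;
        DirContext admin = bind(decodeTurbineDn(ADMIN_DN_ENCODED), adminPassword);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { DN_ATTR });
            String filter = "(" + USERNAME_ATTR + "=" + escapeFilterValue(username) + ")";
            NamingEnumeration<SearchResult> results =
                    admin.search(decodeTurbineDn(BASE_ENCODED), filter, sc);
            if (results.hasMore()) {
                userDn = (String) results.next().getAttributes().get(DN_ATTR).get();
            }
        } finally {
            admin.close();
        }
        if (userDn == null) {
            return false; // unknown user: same answer as a bad password, so nothing is leaked
        }
        try {
            bind(userDn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        // usage: java LdapAuthExample <username> <password> <admin-password>
        System.out.println("admin DN: " + decodeTurbineDn(ADMIN_DN_ENCODED));
        System.out.println("authenticated: " + authenticate(args[0], args[1], args[2]));
    }
}
```

Two details are worth noting when reading the configuration in this light. First, with authentication=simple on port 389 the bind sends the admin and user passwords to the server unencrypted, so in a real deployment the provider URL would point at an LDAPS port or the connection would be upgraded with StartTLS. Second, the admin account only needs read access to the search base; it is the user's own bind, not a comparison of the userPassword attribute, that proves the password.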
See the Security Service page for details of these and other properties that may also need to be configured.