N1 Grid Service Provisioning System 5.0 System Administration Guide

Setting Up Additional Authentication Methods

The provisioning system has three requirements with regard to adding authentication methods.

Procedure: How to Modify External Authentication Methods

This procedure describes how to modify the authentication methods that are used within the provisioning system. After you have added a new authentication method, see How to Change a User's Authentication Method.

Before You Begin

For more information about how to add authentication methods to the provisioning system, refer to the following documentation.

Steps
  1. Log into the machine as the user who installed the provisioning system.

  2. Stop the Master Server.


    %N1SPS-MasterServer-home/server/bin/cr_server stop
    
  3. Edit the jaas.config file.

    This file is located at N1SPS-MasterServer-home/server/lib/security/jaas.config. This file contains documentation on how to set up authentication using LDAP, Sun Directory Server, and Microsoft Windows 2000 Active Directory Server.

  4. Edit the config.properties file.

    This file is located at N1SPS-MasterServer-home/server/config/config.properties.

    Set the userdb.authModules property. The value of this property is a comma-separated list of the login configurations defined in the jaas.config file. The order in which the login configurations are listed is the order in which they appear in the Authentication Method menu.


    Note –

    Although the internal login configuration cannot be defined in the jaas.config file, you can include the default, internal authentication method in the comma-separated list of the userdb.authModules property.


  5. Restart the Master Server.

    The new or modified login configurations are used by the provisioning system after restart.


    Note –

    If a user's password changes as the result of a change in their login configuration, they will need to re-encrypt or flush their session variables.



Example A–1 jaas.config File Configured for LDAP and Sun Directory Server


// This file shall contain login configuration definitions
// for the system. The login configurations enabled for
// authentication are listed in a comma separated list
// value of the property userdb.authModules in the
// config.properties file.
//
// Please note that login configuration name 'internal'
// is reserved and cannot be specified in this file.
// 'internal' login configuration is always available
// by default and includes only internal login module
// for authentication.
//
// Examples
//
// Using internal login configuration only
//
// internal-auth {
//   com.sun.n1.sps.userdb.UserDBLoginModule Required;
// };
//
//
//
// Using LDAP authentication
//
// ldap-auth {
//   com.sun.n1.sps.userdb.LdapLoginModule Required
//   userProvider="ldap://LDAPServerHostName/userDN"
//   userFilter="ldapFilter"
//   authIdentity="userDN"
//   useSSL="sslFlag"
//   debug="debugFlag";
// };
corporate-ds {
  com.sun.n1.sps.userdb.LdapLoginModule Required
  userProvider="ldap://sol01.cr.n1lab.sfbay.sun.com"
  authIdentity="uid={USERNAME},ou=People,dc=cr,dc=n1lab,dc=sfbay,dc=sun,dc=com";
};
//
// where:
//     userProvider consists of the LDAPServerHostName part,
//         which specifies the server host name of the LDAP
//         server, which may include a port number (for more
//         information check: http://www.ietf.org/rfc/rfc2255.txt)
//         (for example, ldap.sun.com:389) and the position
//         in its directory tree where user entries (userDN)
//         are located. This userDN is optional and if specified
//         is used by the userFilter.
//     userFilter specifies the search filter to use to locate
//         a user's entry in the LDAP directory. The ldapFilter
//         is an LDAP filter string (for more information check:
//         http://www.ietf.org/rfc/rfc2254.txt). If it contains
//         the special token {USERNAME}, then that token will be
//         replaced with the supplied username value before the
//         filter is used to search the directory. The userFilter
//         search is based on the userDN specified in the
//         userProvider.
//     authIdentity specifies the distinguished name to use to
//         authenticate a user. It is an LDAP distinguished
//         name string (for more information check:
//         http://www.ietf.org/rfc/rfc2253.txt).
//         It must contain the special token "{USERNAME}"
//         which will be replaced with the supplied username
//         value before the distinguished name is used for
//         authentication. Note that if this option does not
//         contain a distinguished name then the userFilter
//         option must also be specified.
//     sslFlag specifies if an SSL connection should be used
//         to connect to the LDAP server. Valid values are
//         true or false. The default value is true.
//     debugFlag specifies if debugging information may be
//         generated when attempting LDAP authentication.
//         Valid values are true or false. The default value is
//         false.
//
//
// Here are some example entries for authenticating with a
// Sun Directory Server.
//
//
// sun-ldap1 {
//   com.sun.n1.sps.userdb.LdapLoginModule Required
//   userProvider="ldap://ldaphost.example.com/ou=People,dc=example,dc=com"
//   userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))";
// };
//
// sun-ldap2 {
//   com.sun.n1.sps.userdb.LdapLoginModule Required
//   userProvider="ldap://ldaphost.example.com"
//   authIdentity="uid={USERNAME},ou=People,dc=example,dc=com";
// };
//
sun-ldap2 {
  com.sun.n1.sps.userdb.LdapLoginModule Required
  userProvider="ldap://falkland.cr.n1lab.sfbay.sun.com:389"
  authIdentity="uid={USERNAME},ou=People,dc=example,dc=com";
};
//
// sun-ldap3 {
//   com.sun.n1.sps.userdb.LdapLoginModule Required
//   userProvider="ldap://ldaphost.example.com/ou=People,dc=example,dc=com"
//   userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
//   authIdentity="uid={USERNAME},ou=People,dc=example,dc=com";
// };
//
//
//
// Here are some example entries for authenticating with a
// Microsoft Windows 2000 Active Directory server.
//
// ads-ldap1 {
//   com.sun.n1.sps.userdb.LdapLoginModule Required
//   userProvider="ldap://ldaphost.example.com/CN=user,DC=example,DC=com"
//   userFilter="(&(userPrincipalName={USERNAME}@example.com)(objectClass=user))"
//   authIdentity="{USERNAME}@example.com"
//   useSSL=false
//   debug=true;
// };
//
// ads-ldap2 {
//   com.sun.n1.sps.userdb.LdapLoginModule Required
//   userProvider="ldap://ldaphost.example.com/CN=user,DC=example,DC=com"
//   userFilter="(&(samAccountName={USERNAME})(objectClass=user))"
//   authIdentity="{USERNAME}@example.com"
//   useSSL=false
//   debug=true;
// };


Example A–2 Section of config.properties File Configured for LDAP and Sun Directory Server


...
# A comma separated list of login configurations for authenticating users.
userdb.authModules=internal,corporate-ds,sun-ldap2
...
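The rules stated in the procedure and in the jaas.config comments (internal is reserved and never defined in jaas.config, every other name in userdb.authModules must be a defined login configuration, authIdentity must carry {USERNAME} and needs a userFilter when it is not a DN, useSSL defaults to true) can be checked mechanically before the Master Server is restarted. The following script is an added example, not part of the guide or the product; the two embedded file excerpts are constructed in the shape of Examples A-1 and A-2, with placeholder hosts and DNs.

```python
import re

# Constructed sample files in the shape of the jaas.config and
# config.properties excerpts above; hosts and DNs are placeholders.
JAAS_CONFIG = """
// ldap-auth {
//   com.sun.n1.sps.userdb.LdapLoginModule Required
//   userProvider="ldap://LDAPServerHostName/userDN";
// };
corporate-ds {
  com.sun.n1.sps.userdb.LdapLoginModule Required
  userProvider="ldap://ds.example.com"
  authIdentity="uid={USERNAME},ou=People,dc=example,dc=com";
};
ads-ldap1 {
  com.sun.n1.sps.userdb.LdapLoginModule Required
  userProvider="ldap://ads.example.com/CN=user,DC=example,DC=com"
  authIdentity="{USERNAME}@example.com"
  useSSL=false
  debug=true;
};
"""
CONFIG_PROPERTIES = "userdb.authModules=internal,corporate-ds,sun-ldap2\n"

def parse_jaas(text):
    """Return {login configuration name: {option: value}}; // lines are comments."""
    code = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    configs = {}
    for name, body in re.findall(r"([\w-]+)\s*\{(.*?)\}\s*;", code, re.S):
        # options are key=value, quoted or bare; the module class and flag have no '='
        configs[name] = {k: q or u for k, q, u in
                         re.findall(r'(\w+)=(?:"([^"]*)"|([^\s;]+))', body)}
    return configs

def auth_modules(props_text):
    m = re.search(r"^userdb\.authModules=(.*)$", props_text, re.M)
    return [x.strip() for x in m.group(1).split(",")] if m else []

def check(jaas_text, props_text):
    """Cross-check both files and return a list of findings (empty when clean)."""
    configs, findings = parse_jaas(jaas_text), []
    if "internal" in configs:
        findings.append("jaas.config: 'internal' is reserved and must not be defined")
    for name in auth_modules(props_text):
        if name != "internal" and name not in configs:
            findings.append(f"{name}: listed in userdb.authModules but not defined")
    for name, o in configs.items():
        ai, uf = o.get("authIdentity"), o.get("userFilter")
        if ai is None and uf is None:
            findings.append(f"{name}: needs authIdentity and/or userFilter")
        elif ai is not None and "{USERNAME}" not in ai:
            findings.append(f"{name}: authIdentity lacks the {{USERNAME}} token")
        elif ai is not None and "=" not in ai and uf is None:
            findings.append(f"{name}: authIdentity is not a DN, so userFilter is required")
        if o.get("useSSL", "true").lower() == "false":
            findings.append(f"{name}: useSSL=false, the LDAP bind is not protected by SSL")
        if o.get("debug", "false").lower() == "true":
            findings.append(f"{name}: debug=true, turn off once authentication works")
    return findings
```

Run it against the real N1SPS-MasterServer-home/server/lib/security/jaas.config and config/config.properties before step 5; an empty list means the two files agree with the documented constraints.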