The Java version of the Endeca Access Control System also supports stacked authentication.
With stacked authentication, an Endeca implementation may be configured to use both the LDAPLoginModule and the FileLoginModule plug-ins.
Stacking allows a subject to authenticate to multiple services at the same time, in cases where the integrated use of these services is necessary or desired.
For example, assume that an LDAP directory is used to store user names and passwords, but does not maintain information about a user’s groups. The user group information is provided in a locally configurable password file (analogous to /etc/passwd on a UNIX system). This password file (which is used by the FileLoginModule plug-in) does not replace the LDAP authentication, but rather augments it. As the Presentation API constructs a user’s corresponding Principal based on his LDAP entry, it will fill in any missing fields based on the values stored in the password file. Note that in this example, no passwords are needed in the FileLoginModule file because only group information is stored there.
The ability to use separate sources to gather the information for a user offers important flexibility. For example, it makes it easy to deploy an application to a small group of users supported by a single administrator within a larger organization that maintains a master LDAP directory. The administrator can easily support the application using the local password file to define group membership. Meanwhile, the central LDAP directory continues to be the basis for more fundamental user information.
To enable stacked authentication, you must put both LoginModule entries in the Access Control System configuration file. The order in which you place the entries is the order in which they are used for authentication.
Endeca {
  //First use the LDAP module for user name authentication
  com.endeca.navigation.LDAPLoginModule required
    ldapBindAuthentication="false"
    serviceUsername="cn=Manager,dc=endeca,dc=com"
    servicePassword="nosecret"
    checkPasswords="false"
    groupTemplate="%{cn}"
    useSSL="true"
    serverInfo.0="ldap://web01.qa.endeca.com:1234"
    serverInfo.1="ldap://corona.dev.endeca.com:1234"
    serverInfo.2="ldap://web02.qa.endeca.com:1234"
    userPath="/ou=People,dc=endeca,dc=com??sub?(cn=%{#username:1})"
    groupPath="/ou=Groups,dc=endeca,dc=com?sub?(uniqueMember=%{#dn})";
  //Now get the group info from the password file
  com.endeca.navigation.FileLoginModule required
    passwordFile="c:/Endeca/PlatformServices/workspace/etc/passwd"
    checkPasswords="false";
};
You authenticate users in a stacked configuration in the same way as you would if you were using the LDAPLoginModule plug-in alone. That is, you use only one AuthHttpENEConnection.login() method.
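The following Python script is an added example, not Endeca code and not part of the original documentation. It parses a stacked stanza in the format shown above, returns the modules in the order the file lists them, and collects settings a reviewer would want to confirm before deployment. The sample stanza (host, paths, secret) and the helper names parse_stanza and audit are constructed for this example, and the notes are review prompts that assume nothing about how the Endeca modules interpret these options.

```python
import re

# Constructed sample modelled on the page's stanza; host, paths and secret are placeholders.
SAMPLE = """
Endeca {
  // First use the LDAP module for user name authentication
  com.endeca.navigation.LDAPLoginModule required
    servicePassword="PLACEHOLDER" checkPasswords="false" useSSL="true"
    serverInfo.0="ldap://ldap1.example.com:1234";
  // Now get the group info from the password file
  com.endeca.navigation.FileLoginModule required
    passwordFile="/opt/app/etc/passwd" checkPasswords="false";
};
"""

OPTION = r'([\w.]+)\s*=\s*"([^"]*)"'
ENTRY = r'\s*([\w.$]+)\s+(\w+)((?:\s+[\w.]+\s*=\s*"[^"]*")*)\s*;'

def parse_stanza(text, app="Endeca"):
    """Return [(module_class, control_flag, options)] in the order the file lists them."""
    # Drop // comments but keep quoted values intact (ldap:// URLs contain "//").
    text = re.sub(r'("[^"]*")|//[^\n]*', lambda m: m.group(1) or "", text)
    stanza = re.search(re.escape(app) + r"\s*\{((?:" + ENTRY + r")*)\s*\}\s*;", text)
    if stanza is None:
        raise ValueError(f"no well-formed {app} stanza found")
    return [(m.group(1), m.group(2), dict(re.findall(OPTION, m.group(3))))
            for m in re.finditer(ENTRY, stanza.group(1))]

def audit(entries):
    """Return review notes: observations about the stanza, not claims about module internals."""
    notes = []
    for cls, flag, opts in entries:
        name = cls.rsplit(".", 1)[-1]
        if flag != "required":
            notes.append(f"{name}: control flag is '{flag}', not 'required' as in the page's example")
        if "servicePassword" in opts:
            notes.append(f"{name}: servicePassword is in clear text; restrict read access to this file")
        if opts.get("useSSL") == "true" and any(
                k.startswith("serverInfo.") and v.startswith("ldap://") for k, v in opts.items()):
            notes.append(f"{name}: useSSL is true but a serverInfo URL uses ldap://; confirm the port speaks TLS")
    if entries and all(o.get("checkPasswords") == "false" for _, _, o in entries):
        notes.append('stack: every module sets checkPasswords="false"; confirm where the password is verified')
    return notes

if __name__ == "__main__":
    stack = parse_stanza(SAMPLE)
    print(" -> ".join(c.rsplit(".", 1)[-1] for c, _, _ in stack))
    print("\n".join(audit(stack)))
```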