Class LDAPLoginModule

java.lang.Object
com.sun.enterprise.security.BasePasswordLoginModule
com.sun.enterprise.security.auth.login.LDAPLoginModule
All Implemented Interfaces:
LoginModule

public class LDAPLoginModule extends BasePasswordLoginModule
GlassFish JAAS LoginModule for an LDAP Realm.

Refer to the LDAPRealm documentation for necessary and optional configuration parameters for the GlassFish LDAP login support.

There are various ways in which a user can be authenticated using an LDAP directory. Currently this login module only supports one mode, 'find and bind'. Other modes may be added as schedules permit.

Mode: find-bind

  1. An LDAP search is issued on the directory starting at base-dn with the given search-filter (having substituted the user name in place of %s). If no entries match this search, login fails and authentication is over.
  2. The DN of the entry which matched the search is used as the DN of the user in the directory. If the search-filter is properly set there should always be a single match; if there are multiple matches, the first one found is used.
  3. Next an LDAP bind is attempted using the above DN and the provided password. If this fails, login is considered to have failed and authentication is over.
  4. Then an LDAP search is issued on the directory starting at group-base-dn with the given group-search-filter (having substituted the user DN found above in place of %d). From the matched entry (or entries) all the values of group-target are taken as the names of groups in which the user has membership. If no entries are found, the group membership is empty.
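The four find-bind steps above, as an added example written in plain JNDI (not GlassFish's own LDAPLoginModule code); the host, DNs, filters and class name are placeholders. It substitutes the user name and user DN as JNDI filter arguments so they are escaped rather than spliced into the %s/%d filter text, and it rejects an empty password before the bind step.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/** Hypothetical standalone sketch of the find-bind sequence; not the GlassFish implementation. */
public class FindBindExample {
    // Assumed configuration values (placeholders, not taken from any real deployment).
    static final String URL = "ldap://ldap.example.test:389";
    static final String BASE_DN = "ou=people,dc=example,dc=test";
    static final String SEARCH_FILTER = "(uid={0})";          // JNDI form of search-filter "(uid=%s)"
    static final String GROUP_BASE_DN = "ou=groups,dc=example,dc=test";
    static final String GROUP_SEARCH_FILTER = "(member={0})"; // JNDI form of group-search-filter "(member=%d)"
    static final String GROUP_TARGET = "cn";

    /** Returns the user's group names, or null if authentication fails. */
    static List<String> findAndBind(String user, char[] password) throws NamingException {
        // An LDAP simple bind with an empty password is treated as an anonymous bind by most
        // servers (RFC 4513), so it must be refused here rather than counted as a successful login.
        if (user == null || user.isEmpty() || password == null || password.length == 0) return null;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        DirContext search = new InitialDirContext(env); // search connection (anonymous or service account)
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        try {
            // Step 1: the user name is passed as a filter argument, so JNDI escapes it (RFC 4515).
            NamingEnumeration<SearchResult> hits = search.search(BASE_DN, SEARCH_FILTER, new Object[]{user}, sc);
            if (!hits.hasMore()) return null;                 // no match: login fails
            String userDn = hits.next().getNameInNamespace(); // Step 2: first match is the user's DN
            // Step 3: bind as the located DN with the supplied password.
            Hashtable<String, String> bindEnv = new Hashtable<>(env);
            bindEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
            bindEnv.put(Context.SECURITY_PRINCIPAL, userDn);
            bindEnv.put(Context.SECURITY_CREDENTIALS, new String(password));
            new InitialDirContext(bindEnv).close();           // throws AuthenticationException on a bad password
            // Step 4: group lookup, again with the DN as an escaped filter argument.
            List<String> groups = new ArrayList<>();
            NamingEnumeration<SearchResult> gs = search.search(GROUP_BASE_DN, GROUP_SEARCH_FILTER, new Object[]{userDn}, sc);
            while (gs.hasMore()) {
                Attribute a = gs.next().getAttributes().get(GROUP_TARGET);
                if (a != null) for (int i = 0; i < a.size(); i++) groups.add(a.get(i).toString());
            }
            return groups; // empty list when no group entries match
        } finally {
            search.close();
        }
    }
}
```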