It is possible to configure multiple LDAP directories and servers to authenticate against. For this, multiple LDAPLoginModule sections have to be configured.
Starting with CRX2.0, multiple such LDAPLoginModule configurations are not effective anymore, only one configuration is taken. This means that LDAP authentication against multiple directories is not possible.
There is a workaround available to support authentication against multiple LDAP servers. The main issue is that with CRX2.0, the principal_provider.name attribute whcih basically provided the unique ID of an LDAP directory has been deprecated. Instead, the principal_provider.class attribute is used as unique identifier.
As a workaround, unique class names have to be configured for the principal_provider.class attribute for each configured LDAPLoginModule. Attached to this article is a jar-file containing 6 unique classes which merely extend the default com.day.crx.security.principals.LDAPPrincipalProvider class:
- com.day.daycare.ldap.LDAP1
- com.day.daycare.ldap.LDAP2
- com.day.daycare.ldap.LDAP3
- com.day.daycare.ldap.LDAP4
- com.day.daycare.ldap.LDAP5
- com.day.daycare.ldap.LDAP6
Please deploy the multi-ldap-patch.jar file to the CRX webapps' WEB-INF/lib folder, e.g. crx-quickstart/server/runtime/0/_crx/WEB-INF/lib and configure the LoginModules accordingly.
Example:
com.day.crx {
com.day.crx.security.authentication.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule sufficient
principal_provider.class="com.day.crx.security.principals.LDAPPrincipalProvider"
host="MyHost1"
...;
com.day.crx.security.ldap.LDAPLoginModule sufficient
principal_provider.class="com.day.daycare.ldap.LDAP1"
host="MyHost2"
...;
com.day.crx.security.ldap.LDAPLoginModule sufficient
principal_provider.class="com.day.daycare.ldap.LDAP2"
host="MyHost3"
...;
}
Note: For the current CRX 2.2 release, this issue has been fixed. The principal_provider.name attribute has been added again, thus it is not necessary anymore to have unique class-names configured for the principal_provider.class attribute.
Following is an example that works with CRX 2.2 and multiple LDAP servers:
com.day.crx {
com.day.crx.security.authentication.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule sufficient
principal_provider.class="com.day.crx.security.principals.LDAPPrincipalProvider"
principal_provider.name="ldap1"
host="MyHost1"
...;
com.day.crx.security.ldap.LDAPLoginModule sufficient
principal_provider.class="com.day.crx.security.principals.LDAPPrincipalProvider"
principal_provider.name="ldap2"
host="MyHost2"
...;
com.day.crx.security.ldap.LDAPLoginModule sufficient
principal_provider.class="com.day.crx.security.principals.LDAPPrincipalProvider"
principal_provider.name="ldap3"
host="MyHost3"
...;
}
Scarica
I post su Twitter™ e Facebook non sono coperti dai termini di Creative Commons.