Question / Problem

It is possible to configure multiple LDAP directories and servers to authenticate against. For this, multiple LDAPLoginModule sections have to be configured.

Starting with CRX 2.0, multiple such LDAPLoginModule configurations are no longer effective; only one of them is used. This means that LDAP authentication against multiple directories is not possible.

Answer / Resolution

There is a workaround available to support authentication against multiple LDAP servers. The main issue is that with CRX 2.0, the principal_provider.name attribute, which provided the unique ID of an LDAP directory, has been deprecated. Instead, the principal_provider.class attribute is used as the unique identifier.

As a workaround, a unique class name has to be configured for the principal_provider.class attribute of each configured LDAPLoginModule. Attached to this article is a JAR file containing six classes which merely extend the default com.day.crx.security.principals.LDAPPrincipalProvider class:

  • com.day.daycare.ldap.LDAP1
  • com.day.daycare.ldap.LDAP2
  • com.day.daycare.ldap.LDAP3
  • com.day.daycare.ldap.LDAP4
  • com.day.daycare.ldap.LDAP5
  • com.day.daycare.ldap.LDAP6

Please deploy the multi-ldap-patch.jar file to the CRX webapp's WEB-INF/lib folder, e.g. crx-quickstart/server/runtime/0/_crx/WEB-INF/lib, and configure the LoginModules accordingly.

Example:

com.day.crx {
   com.day.crx.security.authentication.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule sufficient
       principal_provider.class="com.day.crx.security.principals.LDAPPrincipalProvider"
       host="MyHost1"
       ...;

   com.day.crx.security.ldap.LDAPLoginModule sufficient
       principal_provider.class="com.day.daycare.ldap.LDAP1"
       host="MyHost2"
       ...;

   com.day.crx.security.ldap.LDAPLoginModule sufficient
       principal_provider.class="com.day.daycare.ldap.LDAP2"
       host="MyHost3"
       ...;
}

CRX 2.2 / 2.3

Note: For the current CRX 2.2 release, this issue has been fixed. The principal_provider.name attribute has been added again, so it is no longer necessary to configure unique class names for the principal_provider.class attribute.

The following example works with CRX 2.2 and multiple LDAP servers:

com.day.crx {
   com.day.crx.security.authentication.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule sufficient
       principal_provider.class="com.day.crx.security.principals.LDAPPrincipalProvider"
       principal_provider.name="ldap1"
       host="MyHost1"
       ...;

   com.day.crx.security.ldap.LDAPLoginModule sufficient
       principal_provider.class="com.day.crx.security.principals.LDAPPrincipalProvider"
       principal_provider.name="ldap2"
       host="MyHost2"
       ...;

   com.day.crx.security.ldap.LDAPLoginModule sufficient
       principal_provider.class="com.day.crx.security.principals.LDAPPrincipalProvider"
       principal_provider.name="ldap3"
       host="MyHost3"
       ...;
}
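A configuration check covering both the CRX 2.0/2.1 workaround and the CRX 2.2 form above, as an added example that is not part of this article or of CRX: a small Python linter that parses a com.day.crx JAAS block and reports LDAPLoginModule entries which share the identifier the given CRX version uses to tell directories apart (principal_provider.class before 2.2, principal_provider.name from 2.2 on). Two entries with the same identifier are exactly the situation the article describes, where only one directory takes effect. The minimal JAAS parser, the crx_config helper and the sample configurations are constructed here from the article's examples (hosts kept, the "..." placeholders dropped); how CRX treats an omitted attribute is not stated in the article and is not assumed.

```python
"""Lint a CRX JAAS login configuration for LDAPLoginModule entries that collapse
into one effective directory. Added example, not code from the article or CRX.
"""
import re
from collections import Counter

LDAP_MODULE = "com.day.crx.security.ldap.LDAPLoginModule"
DEFAULT_PROVIDER = "com.day.crx.security.principals.LDAPPrincipalProvider"
UNSET = "<unset>"

# One login-module entry: class name, JAAS control flag, then key=value options.
MODULE_RE = re.compile(r"^(\S+)\s+(required|requisite|sufficient|optional)\b(.*)$",
                       re.S | re.I)
# key="quoted value" or key=bareword
OPTION_RE = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S+))')


def parse_jaas(text):
    """Return [(module_class, flag, {option: value})] for one application block.

    Entries are separated by ';'. Quoted values containing ';' or '}' are not
    handled; the article's configurations have none.
    """
    body = text[text.index("{") + 1:text.rindex("}")]
    entries = []
    for raw in body.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = MODULE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable login module entry: {raw!r}")
        cls, flag, rest = m.group(1), m.group(2).lower(), m.group(3)
        opts = {k: (q if q else u) for k, q, u in OPTION_RE.findall(rest)}
        entries.append((cls, flag, opts))
    return entries


def directory_ids(entries, crx_version):
    """The attribute the given CRX (major, minor) uses to distinguish LDAP
    directories, one value per LDAPLoginModule, in configuration order.

    An omitted attribute is reported as UNSET, so two modules that both omit it
    collide with each other. Whether an omitted value also collides with an
    explicitly configured default is not covered by the article (assumption
    avoided here).
    """
    key = ("principal_provider.class" if crx_version < (2, 2)
           else "principal_provider.name")
    return [opts.get(key, UNSET) for cls, _flag, opts in entries if cls == LDAP_MODULE]


def collisions(text, crx_version):
    """Identifiers shared by more than one LDAPLoginModule. An empty list means
    every configured directory is effective on that CRX version."""
    counts = Counter(directory_ids(parse_jaas(text), crx_version))
    return sorted(ident for ident, n in counts.items() if n > 1)


def crx_config(*ldap_modules):
    """Build a com.day.crx block in the article's layout, one LDAPLoginModule per
    (provider_class, provider_name, host) triple; None leaves that option out."""
    lines = ["com.day.crx {",
             "   com.day.crx.security.authentication.CRXLoginModule sufficient;"]
    for provider_class, provider_name, host in ldap_modules:
        lines.append(f"   {LDAP_MODULE} sufficient")
        if provider_class:
            lines.append(f'       principal_provider.class="{provider_class}"')
        if provider_name:
            lines.append(f'       principal_provider.name="{provider_name}"')
        lines.append(f'       host="{host}";')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample configurations, modelled on the article's examples.
# Two directories left on the default provider class: on CRX 2.0/2.1 only one
# of them takes effect.
BROKEN_CRX20 = crx_config((DEFAULT_PROVIDER, None, "MyHost1"),
                          (DEFAULT_PROVIDER, None, "MyHost2"))
# The article's workaround: one multi-ldap-patch.jar class per extra directory.
WORKAROUND_CRX20 = crx_config((DEFAULT_PROVIDER, None, "MyHost1"),
                              ("com.day.daycare.ldap.LDAP1", None, "MyHost2"),
                              ("com.day.daycare.ldap.LDAP2", None, "MyHost3"))
# The article's CRX 2.2 form: same class everywhere, unique principal_provider.name.
FIXED_CRX22 = crx_config((DEFAULT_PROVIDER, "ldap1", "MyHost1"),
                         (DEFAULT_PROVIDER, "ldap2", "MyHost2"),
                         (DEFAULT_PROVIDER, "ldap3", "MyHost3"))

if __name__ == "__main__":
    for label, cfg, version in (("broken on 2.0", BROKEN_CRX20, (2, 0)),
                                ("workaround on 2.0", WORKAROUND_CRX20, (2, 0)),
                                ("2.2 config on 2.2", FIXED_CRX22, (2, 2)),
                                ("2.2 config on 2.0", FIXED_CRX22, (2, 0))):
        print(f"{label}: collisions = {collisions(cfg, version)}")
```

Running the CRX 2.2 configuration through the CRX 2.0 rule is the instructive case: every module carries the same principal_provider.class, so the checker reports one collision on the default provider class, which is why the two examples in this article differ.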

Applies

CRX 2.0 / 2.1 / 2.2 / 2.3
