...
The external directory password authentication method allows you to authenticate with username and password when the credentials are stored in an external directory.
The new authentication method needs to be added to Ubisecure SSO, so start by creating an LDIF file password.external.1.ldif from Listing 1. Edit the dn attribute according to your directory root. Note that the value of the directory parameter stored in the ubiloginConfString attribute should be the same as the value for the java.naming.provider.url parameter in the JNDI configuration. That is how the JNDI configuration is linked to the authentication method configuration. If you are defining multiple external directory sources then the sequence number can be incremented for each new source.
Listing 1. External Password ldif

```text
dn: cn=password.external.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
objectClass: top
objectClass: ubiloginAuthMethod
cn: password.external.1
ubiloginAuthMethodType: SPI Password
ubiloginClassname: ubilogin.method.provider.spi.DirectoryPasswordMethod
ubiloginConfString: directory ldaps://pdc.example.com/dc=example,dc=com
ubiloginConfString: directory.factory com.ubisecure.ubilogin.directory.spi.ldap.LDAPDirectoryFactory
ubiloginConfString: directory.account.login uid
ubiloginConfString: directory.schema UbiloginAccount
ubiloginConfString: policy.password.encoding SSHA
ubiloginConfString: policy.lockout.threshold 5
ubiloginConfString: policy.lockout.duration 20
ubiloginConfString: policy.password.expiring 36000
ubiloginConfString: policy.password.max-age 43200
ubiloginConfString: policy.password.min-age 30
ubiloginConfString: policy.password.history 5
ubiloginConfString: policy.password.length 8
ubiloginConfString: policy.password.complexity true
ubiloginConfString: policy.password.charset utf-8
ubiloginEnabled: TRUE
ubiloginTitle: password.external.1
```
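The link between the directory parameter and java.naming.provider.url described above can be checked before the LDIF is imported. The following is an added example, not Ubisecure code: it assumes the JNDI configuration is available as properties-style text (the page does not show that file), and the function names are hypothetical.

```python
import re

# Constructed samples (after Listing 1); the properties-style JNDI format is an assumption.
SAMPLE_LDIF = """\
dn: cn=password.external.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
ubiloginConfString: directory ldaps://pdc.example.com/dc=example,dc=com
"""
SAMPLE_JNDI = "java.naming.provider.url=ldaps://pdc.example.com/dc=example,dc=com\n"


def conf_strings(ldif_text):
    """Return the ubiloginConfString name/value pairs of an LDIF record."""
    conf = {}
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")  # LDIF line folding
    for line in unfolded.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "ubiloginconfstring":
            key, _, val = value.strip().partition(" ")
            conf[key] = val.strip()
    return conf


def provider_url(jndi_text):
    """Return java.naming.provider.url from properties-style text, or None."""
    for line in jndi_text.splitlines():
        m = re.match(r"\s*java\.naming\.provider\.url\s*[=:]\s*(\S+)", line)
        if m:  # undo the escaping that Java properties files apply to ':' and '='
            return m.group(1).replace("\\:", ":").replace("\\=", "=")
    return None


def check(ldif_text, jndi_text):
    """Return a list of findings; an empty list means the two settings agree."""
    findings = []
    directory = conf_strings(ldif_text).get("directory")
    url = provider_url(jndi_text)
    if directory is None:
        findings.append("LDIF has no 'directory' ubiloginConfString")
    if url is None:
        findings.append("JNDI configuration has no java.naming.provider.url")
    if directory and url and directory != url:
        findings.append(f"mismatch: LDIF {directory!r} != JNDI {url!r}")
    if directory and not directory.lower().startswith("ldaps://"):
        findings.append("directory URL does not use ldaps:// as Listing 1 does")
    return findings


if __name__ == "__main__":
    print(check(SAMPLE_LDIF, SAMPLE_JNDI) or "directory and provider URL match")
```

The comparison is an exact string match, so a difference in host name case or a trailing slash is reported as a mismatch.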
...
Import the LDIF file to Ubisecure Directory by issuing the following command:
Listing 2. Import LDIF file in Windows

```text
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap> adam\import.cmd password.external.1.ldif
```

Listing 3. Import LDIF file in Linux

```text
/usr/local/ubisecure/ubilogin-sso/ubilogin/ldap# ./openldap/import.sh password.external.1.ldif
```
You can verify that the import was successful by logging on to Ubisecure Management with administrative privileges and navigating to Home → Methods → Global Method Settings. The new authentication method should be listed there.
...
To complete the authentication method installation, you need to update the Ubisecure Server in Tomcat.
Listing 4. Update Ubisecure Server in Windows

```text
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd
```

Listing 5. Update Ubisecure Server in Linux

```text
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start
```
...
After you have updated the Ubisecure Server, check from the diagnostics log that the added authentication methods have started properly. The uas3_diag.yyyy-mm-dd.log file is found in the ubilogin-sso/ubilogin/logs directory.
Listing 6. Example lines from uas3_diag.log

```text
2010-07-01 10:29:29,010 tech LDAPDirectory: root=dc=ad,dc=example,dc=com
2010-07-01 10:29:29,011 init password.external.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
```
Then you can use the Ubisecure Server Management application to enable the external directory specific authentication methods in a Web Agent Application and test the authentication using credentials found in the external directory.