External directory password method
The external directory password authentication method allows you to authenticate with username and password when the credentials are stored in an external directory.
The new authentication method needs to be added to Ubisecure SSO, so start by creating an LDIF file named password.external.1.ldif with the content of Listing 1. Edit the dn attribute according to your directory root. Note that the value of the directory parameter stored in the ubiloginConfString attribute must be the same as the value of the java.naming.provider.url parameter in the JNDI configuration; that is how the JNDI configuration is linked to the authentication method configuration. If you are defining multiple external directory sources, increment the sequence number for each new source.
Listing 1. password.external.1.ldif

dn: cn=password.external.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
objectClass: top
objectClass: ubiloginAuthMethod
cn: password.external.1
ubiloginAuthMethodType: SPI Password
ubiloginClassname: ubilogin.method.provider.spi.DirectoryPasswordMethod
ubiloginConfString: directory ldaps://pdc.example.com/dc=example,dc=com
ubiloginConfString: directory.factory com.ubisecure.ubilogin.directory.spi.ldap.LDAPDirectoryFactory
ubiloginConfString: directory.account.login uid
ubiloginConfString: directory.schema UbiloginAccount
ubiloginConfString: policy.password.encoding SSHA
ubiloginConfString: policy.lockout.threshold 5
ubiloginConfString: policy.lockout.duration 20
ubiloginConfString: policy.password.expiring 36000
ubiloginConfString: policy.password.max-age 43200
ubiloginConfString: policy.password.min-age 30
ubiloginConfString: policy.password.history 5
ubiloginConfString: policy.password.length 8
ubiloginConfString: policy.password.complexity true
ubiloginConfString: policy.password.charset utf-8
ubiloginEnabled: TRUE
ubiloginTitle: password.external.1
- dn
→ The distinguished name of the authentication method object in Ubisecure Directory. MANDATORY.
- changetype
→ Defines the operation to be performed in Ubisecure Directory on the data in the LDIF file. MANDATORY.
- objectClass
→ Defines the type of the authentication method object in Ubisecure Directory. MANDATORY.
- cn
→ The common name of the authentication method object in Ubisecure Directory. MANDATORY.
- ubiloginAuthMethodType
→ The authentication method type for Ubisecure Management. MANDATORY.
- ubiloginClassname
→ The implementation class of the authentication method. MANDATORY.
- ubiloginConfString
→ Configuration parameters of the authentication method. Each value consists of a parameter name followed by a space and the parameter value; the parameters are listed below.
  - directory
  → The URL of the external directory. MANDATORY.
  - directory.factory
  → The implementation class of the suitable directory factory. MANDATORY.
  - directory.account.login
  → The name of the user attribute used for the username lookup. Any user attribute that uniquely identifies the user may be used; if more than one user has the same value in the attribute, login fails with an error. By default, uid is used. Other typical values include:
    - uid
    - samAccountName
    - mobile
  For example, to allow an AD user to log in using their email address as the username, set this value to mail; to allow them to log in using their mobile phone number, set it to mobile. OPTIONAL.
  - directory.schema
  → Defines the schema used in the external directory. For Ubisecure Schema Enhanced LDAP Integration the correct value is "UbiloginAccount". MANDATORY (in this case).
  - policy.password.encoding
  → The password encoding algorithm. The default value is SSHA. Supported values: BCRYPT, SSHA512, SHA512, SSHA384, SHA384, SSHA256, SHA256, SSHA, SHA, PKCS5S2, PBKDF2-SHA256, PBKDF2, MD4, PLAIN. OPTIONAL.

  Settings controlling password threat management:
  - policy.lockout.threshold
  → The number of times the user may enter a wrong password before the account is locked. The default value is 5 tries. OPTIONAL.
  - policy.lockout.duration
  → The duration of the account lock, in minutes, after too many bad tries. The default value is 20 minutes. Usually, a longer lockout duration is not recommended. OPTIONAL.

  Settings controlling password renewal:
  - policy.password.expiring
  → Controls the pre-expiration password change option: if the user's password is older than this, the user is given a chance to change it. Setting value is in minutes. OPTIONAL.
  - policy.password.max-age
  → The maximum age of the external directory password. The user is forced to change the password if it is older than this. Setting value is in minutes. OPTIONAL.
  - policy.password.min-age
  → The external directory password cannot be changed again before the minimum age has passed. Setting value is in minutes. OPTIONAL.
  - policy.password.history
  → How many previous passwords the system remembers. The user cannot change the password back to one of these. OPTIONAL.

  Settings controlling password strength:
  - policy.password.length
  → The minimum length of a new password. Setting value is a non-negative number of characters. OPTIONAL.
  - policy.password.complexity
  → If set to true, the password must contain at least three of the possible character types: letters, capital letters, numbers, and other characters. OPTIONAL.
  - policy.password.charset
  → Allowed password characters and the character set used with password encoding. Use either ASCII or UTF-8; the default is UTF-8. OPTIONAL.
- ubiloginEnabled
→ Defines whether the authentication method is enabled or not. MANDATORY.
- ubiloginTitle
→ The name of the authentication method shown by Ubisecure Management. MANDATORY.
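The following script is an added example and is not Ubisecure's own tooling. It renders a password.external.N entry in the shape of Listing 1 for a given sequence number and directory URL, then parses it back and checks the consistency rules stated above: the dn and cn carry the sequence number, the directory value equals the JNDI java.naming.provider.url, the encoding and charset are from the documented sets, and the numeric policy values are non-negative integers with min-age below max-age and expiring not beyond max-age. The JNDI configuration is not shown on this page; the script assumes it is a plain key=value properties text, and the sample URL and properties line are constructed.

```python
import re

# Values taken from the parameter descriptions on this page.
SUPPORTED_ENCODINGS = {
    "BCRYPT", "SSHA512", "SHA512", "SSHA384", "SHA384", "SSHA256", "SHA256",
    "SSHA", "SHA", "PKCS5S2", "PBKDF2-SHA256", "PBKDF2", "MD4", "PLAIN",
}
SUPPORTED_CHARSETS = {"ascii", "utf-8"}
METHOD_CLASS = "ubilogin.method.provider.spi.DirectoryPasswordMethod"
FACTORY_CLASS = "com.ubisecure.ubilogin.directory.spi.ldap.LDAPDirectoryFactory"

# Policy values of Listing 1; individual keys can be overridden via build_ldif(policy=...).
LISTING_POLICY = {
    "policy.password.encoding": "SSHA", "policy.lockout.threshold": "5",
    "policy.lockout.duration": "20", "policy.password.expiring": "36000",
    "policy.password.max-age": "43200", "policy.password.min-age": "30",
    "policy.password.history": "5", "policy.password.length": "8",
    "policy.password.complexity": "true", "policy.password.charset": "utf-8",
}
NUMERIC_KEYS = ("policy.lockout.threshold", "policy.lockout.duration", "policy.password.expiring",
                "policy.password.max-age", "policy.password.min-age", "policy.password.history",
                "policy.password.length")


def build_ldif(seq, directory_url, root_dn="dc=localhost", login_attr="uid", policy=None):
    """Render the password.external.<seq> entry in the shape of Listing 1."""
    name = f"password.external.{seq}"
    conf = {"directory": directory_url, "directory.factory": FACTORY_CLASS,
            "directory.account.login": login_attr, "directory.schema": "UbiloginAccount",
            **LISTING_POLICY, **(policy or {})}
    lines = [f"dn: cn={name},cn=Server,ou=System,cn=Ubilogin,{root_dn}", "changetype: add",
             "objectClass: top", "objectClass: ubiloginAuthMethod", f"cn: {name}",
             "ubiloginAuthMethodType: SPI Password", f"ubiloginClassname: {METHOD_CLASS}"]
    lines += [f"ubiloginConfString: {key} {value}" for key, value in conf.items()]
    lines += ["ubiloginEnabled: TRUE", f"ubiloginTitle: {name}"]
    return "\n".join(lines) + "\n"


def parse_ldif(text):
    """Split a single-entry LDIF into plain attributes and ubiloginConfString parameters."""
    attrs, conf = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        if key == "ubiloginConfString":
            param, _, pvalue = value.partition(" ")   # "<name> <value>" inside one attribute value
            conf[param] = pvalue
        else:
            attrs.setdefault(key, []).append(value)
    return attrs, conf


def jndi_provider_url(properties_text):
    """Read java.naming.provider.url from key=value text (the JNDI file format is an assumption)."""
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "java.naming.provider.url":
            return value.strip()
    return None


def check_method(ldif_text, jndi_text):
    """Return a list of problems; an empty list means the entry is consistent."""
    attrs, conf = parse_ldif(ldif_text)
    problems = []
    cn = attrs.get("cn", [""])[0]
    if not re.fullmatch(r"password\.external\.\d+", cn):
        problems.append(f"cn {cn!r} is not of the form password.external.<n>")
    if not attrs.get("dn", [""])[0].startswith(f"cn={cn},"):
        problems.append("dn does not begin with the cn of the entry")
    if attrs.get("ubiloginClassname") != [METHOD_CLASS]:
        problems.append("ubiloginClassname is not the DirectoryPasswordMethod class")
    url = jndi_provider_url(jndi_text)
    if conf.get("directory") != url:
        problems.append(f"directory {conf.get('directory')!r} differs from JNDI java.naming.provider.url {url!r}")
    if conf.get("policy.password.encoding", "SSHA") not in SUPPORTED_ENCODINGS:
        problems.append(f"unsupported policy.password.encoding {conf.get('policy.password.encoding')!r}")
    if conf.get("policy.password.charset", "utf-8").lower() not in SUPPORTED_CHARSETS:
        problems.append("policy.password.charset must be ASCII or UTF-8")
    numbers = {}
    for key in NUMERIC_KEYS:
        raw = conf.get(key)
        if raw is not None and not raw.isdigit():
            problems.append(f"{key} must be a non-negative integer, got {raw!r}")
        elif raw is not None:
            numbers[key] = int(raw)
    # Sanity checks implied by the policy semantics: a user who is forced to change the
    # password (max-age) must be allowed to change it (min-age), and the pre-expiration
    # change window (expiring) only makes sense inside the maximum age.
    max_age = numbers.get("policy.password.max-age", 1 << 31)
    if numbers.get("policy.password.min-age", 0) >= max_age:
        problems.append("policy.password.min-age must be smaller than policy.password.max-age")
    if numbers.get("policy.password.expiring", 0) > max_age:
        problems.append("policy.password.expiring must not exceed policy.password.max-age")
    return problems


if __name__ == "__main__":
    # Constructed sample: the directory URL of Listing 1 and a matching JNDI properties line.
    ldif = build_ldif(1, "ldaps://pdc.example.com/dc=example,dc=com")
    jndi = "java.naming.provider.url=ldaps://pdc.example.com/dc=example,dc=com\n"
    print(ldif)
    print("problems:", check_method(ldif, jndi))
```

Run it before importing the file: an empty problem list means the entry will refer to the same directory the JNDI configuration points at, which is the link the text above relies on; a mismatch is reported as a single line naming both values.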
Import the LDIF file to Ubisecure Directory by issuing the following command:
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap> adam\import.cmd password.external.1.ldif
/usr/local/ubisecure/ubilogin-sso/ubilogin/ldap# ./openldap/import.sh password.external.1.ldif
You can verify that the import was successful by logging on to Ubisecure Management with administrative privileges and navigating to Home → Global Method Settings. The new authentication method should be listed there.
Finishing the installation of authentication methods
To complete the authentication method installations you need to update the Ubisecure Server in Tomcat.
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start
After you have updated the Ubisecure Server, check from the diagnostics log that the added authentication methods have started properly. The uas3_diag.yyyy-mm-dd.log file is found in the ubilogin-sso/ubilogin/logs directory.
2010-07-01 10:29:29,010 tech LDAPDirectory: root=dc=ad,dc=example,dc=com
2010-07-01 10:29:29,011 init password.external.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
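Checking the diagnostics log by eye works for one method but not for several, so here is an added example (not Ubisecure's own tooling) that reads a uas3_diag log, records which password.external.N methods reported "started" and with which class, and lists any expected method that did not. The line format is assumed from the two lines above: a timestamp, a level word, and the message; the sample log embedded below is constructed from those lines plus a second method and an unrelated line.

```python
import re
import sys

METHOD_CLASS = "ubilogin.method.provider.spi.DirectoryPasswordMethod"

# Line shapes taken from the two diagnostics lines shown above; the assumption is that
# every line starts with "<timestamp> <level> <message>".
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\S+) (?P<msg>.*)$")
STARTED_RE = re.compile(r"^(?P<method>password\.external\.\d+): (?P<cls>\S+): started$")
ROOT_RE = re.compile(r"^LDAPDirectory: root=(?P<root>\S+)$")

# Constructed sample log: the two lines from the page, a second directory and method,
# and an unrelated line that the parser must ignore.
SAMPLE_LOG = """\
2010-07-01 10:29:29,010 tech LDAPDirectory: root=dc=ad,dc=example,dc=com
2010-07-01 10:29:29,011 init password.external.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
2010-07-01 10:29:29,020 tech LDAPDirectory: root=dc=corp,dc=example,dc=net
2010-07-01 10:29:29,021 init password.external.2: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
2010-07-01 10:29:30,000 info unrelated message that should be ignored
"""


def parse_diag(lines):
    """Return ({method: implementation class}, [directory roots]) found in the log lines."""
    started, roots = {}, []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        msg = m.group("msg")
        s = STARTED_RE.match(msg)
        if s:
            started[s.group("method")] = s.group("cls")
            continue
        r = ROOT_RE.match(msg)
        if r:
            roots.append(r.group("root"))
    return started, roots


def verify_methods(lines, expected_methods):
    """Compare the log against the methods that were imported; returns a report dict."""
    started, roots = parse_diag(lines)
    return {
        "started": sorted(started),
        "missing": [m for m in expected_methods if m not in started],
        "wrong_class": {m: c for m, c in started.items()
                        if m in expected_methods and c != METHOD_CLASS},
        "roots": roots,
    }


if __name__ == "__main__":
    # Pass the path of uas3_diag.yyyy-mm-dd.log as the first argument; without one the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    report = verify_methods(lines, ["password.external.1", "password.external.2", "password.external.3"])
    print(report)
    sys.exit(1 if report["missing"] or report["wrong_class"] else 0)
```

Pass the list of methods you imported; a non-empty "missing" entry means the server restarted without starting that method, which is the case to investigate before enabling it in a Web Application.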
Then you can use the Ubisecure Server Management application to enable the external directory specific authentication methods in a Web Application and test the authentication using credentials found in the external directory.