Authentication methods for basic LDAP integration - SSO

External directory password method

The external directory password authentication method allows you to authenticate with username and password when the credentials are stored in an external directory.

The new authentication method needs to be added to Ubisecure SSO, so start by creating an LDIF file password.external.1.ldif from Listing 1. Edit the dn attribute according to your directory root. Note that the value of the directory parameter stored in the ubiloginConfString attribute must be identical to the value of the java.naming.provider.url parameter in the JNDI configuration: that equality is what links the JNDI configuration to the authentication method configuration. If you define multiple external directory sources, increment the sequence number (the 1 in password.external.1) for each new source.

Listing 1. External Password ldif
dn: cn=password.external.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
objectClass: top
objectClass: ubiloginAuthMethod
cn: password.external.1
ubiloginAuthMethodType: SPI Password
ubiloginClassname: ubilogin.method.provider.spi.DirectoryPasswordMethod
ubiloginConfString: directory ldaps://pdc.example.com/dc=example,dc=com
ubiloginConfString: directory.factory com.ubisecure.ubilogin.directory.spi.ldap.LDAPDirectoryFactory
ubiloginConfString: directory.account.login uid
ubiloginConfString: directory.schema UbiloginAccount
ubiloginConfString: policy.password.encoding SSHA
ubiloginConfString: policy.lockout.threshold 5
ubiloginConfString: policy.lockout.duration 20
ubiloginConfString: policy.password.expiring 36000
ubiloginConfString: policy.password.max-age 43200
ubiloginConfString: policy.password.min-age 30
ubiloginConfString: policy.password.history 5
ubiloginConfString: policy.password.length 8
ubiloginConfString: policy.password.complexity true
ubiloginConfString: policy.password.charset utf-8
ubiloginEnabled: TRUE
ubiloginTitle: password.external.1
  • dn 
    → The distinguished name of the authentication method object in Ubisecure Directory. MANDATORY.
  • changetype 
    → Defines the operation to be performed in Ubisecure Directory pertaining to the data in the LDIF file. MANDATORY.
  • objectClass 
    → Defines the type of the authentication object in Ubisecure Directory. MANDATORY.
  • cn 
    → The common name of the authentication method object in Ubisecure Directory. MANDATORY.
  • ubiloginAuthMethodType 
    → The authentication method type for Ubisecure Management. MANDATORY.
  • ubiloginClassname 
    → The implementation class of the authentication method. MANDATORY.
  • ubiloginConfString
    • directory 
      → The URL of the external directory. MANDATORY.
    • directory.factory 
      → The implementation class of the suitable directory factory. MANDATORY.
    • directory.account.login 
      → Specifies the name of the user attribute used for the username lookup. OPTIONAL.

      Any user attribute which uniquely identifies the user may be used. If more than one user has the same value in the attribute, login fails with an error.

      For example, to allow an AD user to log in using their email address as the username, set this value to mail; to allow an AD user to log in using their mobile phone number as the username, set this value to mobile.

      By default, uid is used. Other typical values include:
      • uid
      • samAccountName
      • mobile
      • mail
    • directory.schema 
      → Defines the schema used in the external directory. For Ubisecure Schema Enhanced LDAP Integration the correct value is "UbiloginAccount". MANDATORY (in this case).
    • policy.password.encoding 
      → The password encoding algorithm. Default value is SSHA. OPTIONAL.
      • Supported values: SSHA512, SHA512, SSHA384, SHA384, SSHA256, SHA256, SSHA, SHA, PKCS5S2, PBKDF2, MD4, BCRYPT, PLAIN

Settings controlling password threat management:

    • policy.lockout.threshold 
      → The number of consecutive wrong password attempts allowed before the account is locked. The default value is 5 attempts. OPTIONAL.
    • policy.lockout.duration 
      → How long, in minutes, the account stays locked after too many bad attempts. The default value is 20 minutes. Usually, a longer lockout duration is not recommended. OPTIONAL.

Settings controlling password renewal:

    • policy.password.expiring 
      → Controls the pre-expiration password change option. If the user's password is older than this value, the user is offered the chance to change it at login. The value is in minutes. OPTIONAL.
    • policy.password.max-age 
      → The maximum age of an external directory password. The user is forced to change the password if it is older than this value. The value is in minutes. OPTIONAL.
    • policy.password.min-age 
      → The external directory password cannot be changed again before the password minimum age has passed. The value is in minutes. OPTIONAL.
    • policy.password.history 
      → How many previous passwords the system remembers. The user cannot change the password back to any of these. OPTIONAL.

Settings controlling password strength:

    • policy.password.length 
      → The minimum length of a new password. The value is a non-negative number of characters. OPTIONAL.
    • policy.password.complexity 
      → If set to true, the user password must contain at least three of the four possible character types: lower-case letters, capital letters, numbers, and other characters. OPTIONAL.
    • policy.password.charset 
      → Allowed password characters and the character set used for password encoding. Use either ASCII or UTF-8; the default is UTF-8. OPTIONAL.
  • ubiloginEnabled 
    → Defines whether the authentication method is enabled or not. MANDATORY.
  • ubiloginTitle 
    → The name of the authentication method shown by Ubisecure Management. MANDATORY.
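The mandatory attributes, the link to the JNDI configuration and the policy values described above can be checked before the LDIF file is imported. The following script is an added example, not part of the Ubisecure documentation or product; it parses an entry constructed in the shape of Listing 1 (pdc.example.com and the policy values are sample data) and reports deviations from the rules in this section.

```python
# Constructed LDIF entry in the shape of Listing 1 (sample host name and sample policy values).
SAMPLE_LDIF = """dn: cn=password.external.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
objectClass: ubiloginAuthMethod
cn: password.external.1
ubiloginAuthMethodType: SPI Password
ubiloginClassname: ubilogin.method.provider.spi.DirectoryPasswordMethod
ubiloginConfString: directory ldaps://pdc.example.com/dc=example,dc=com
ubiloginConfString: directory.factory com.ubisecure.ubilogin.directory.spi.ldap.LDAPDirectoryFactory
ubiloginConfString: directory.schema UbiloginAccount
ubiloginConfString: policy.password.expiring 36000
ubiloginConfString: policy.password.max-age 43200
ubiloginEnabled: TRUE
ubiloginTitle: password.external.1
"""
MANDATORY = ("dn", "changetype", "objectClass", "cn", "ubiloginAuthMethodType",
             "ubiloginClassname", "ubiloginEnabled", "ubiloginTitle")
MANDATORY_CONF = ("directory", "directory.factory", "directory.schema")
ENCODINGS = set("SSHA512 SHA512 SSHA384 SHA384 SSHA256 SHA256 SSHA SHA PKCS5S2 PBKDF2 MD4 BCRYPT PLAIN".split())

def parse_ldif(text):
    attrs, conf = set(), {}  # attribute names seen; ubiloginConfString key -> value
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()  # LDAP attribute names are case-insensitive
        if name == "ubiloginconfstring":
            key, _, val = value.partition(" ")
            conf[key] = val.strip()
        attrs.add(name)
    return attrs, conf

def check_method(text, jndi_provider_url):
    # Returns a list of findings; an empty list means the entry follows the rules documented above.
    attrs, conf = parse_ldif(text)
    findings = [f"missing mandatory attribute {a}" for a in MANDATORY if a.lower() not in attrs]
    findings += [f"missing mandatory ubiloginConfString {k}" for k in MANDATORY_CONF if k not in conf]
    directory = conf.get("directory", "")
    if directory != jndi_provider_url:  # this equality is what links the JNDI configuration to the method
        findings.append("directory differs from java.naming.provider.url in the JNDI configuration")
    if not directory.startswith("ldaps://"):
        findings.append("directory is not ldaps://; user passwords would be bound over an unprotected connection")
    enc = conf.get("policy.password.encoding", "SSHA")  # SSHA is the documented default
    if enc not in ENCODINGS:
        findings.append(f"unsupported policy.password.encoding {enc}")
    expiring, max_age = (int(conf.get(k, 0)) for k in ("policy.password.expiring", "policy.password.max-age"))
    if max_age and expiring > max_age:  # the pre-expiration prompt would only come after the forced change
        findings.append("policy.password.expiring exceeds policy.password.max-age")
    return findings
```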

Import the LDIF file to Ubisecure Directory by issuing the following command:

Listing 2. Import LDIF file in Windows
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap> adam\import.cmd password.external.1.ldif


Listing 3. Import LDIF file in Linux
/usr/local/ubisecure/ubilogin-sso/ubilogin/ldap# ./openldap/import.sh password.external.1.ldif

You can verify that the import was successful by logging on to Ubisecure Management with administrative privileges and navigating to Home → Global Method Settings. The new authentication method should be listed there.

Finishing the installation of authentication methods

To complete the authentication method installations you need to update the Ubisecure Server in Tomcat.

Listing 4. Update Ubisecure Server in Windows
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd


Listing 5. Update Ubisecure Server in Linux
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start


After you have updated the Ubisecure Server, check in the diagnostics log that the added authentication methods have started properly. The uas3_diag.yyyy-mm-dd.log file is found in the ubilogin-sso/ubilogin/logs directory.

Listing 6. Example lines from uas3_diag.log
2010-07-01 10:29:29,010 tech LDAPDirectory: root=dc=ad,dc=example,dc=com
2010-07-01 10:29:29,011 init password.external.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started

Then you can use the Ubisecure Server Management application to enable the external directory authentication methods in a Web Application and test the authentication using credentials stored in the external directory.