Authentication methods for basic LDAP integration - SSO

External directory password method

The external directory password authentication method allows you to authenticate with username and password when the credentials are stored in an external directory.

The new authentication method needs to be added to Ubisecure SSO, so start by creating an LDIF file named password.external.1.ldif from Listing 1. Edit the dn attribute according to your directory root. Note that the value of the directory parameter stored in the ubiloginConfString attribute must be the same as the value of the java.naming.provider.url parameter in the JNDI configuration; that is how the JNDI configuration is linked to the authentication method configuration. If you are defining multiple external directory sources, increment the sequence number (the 1 in password.external.1) for each new source.

Listing 1. External Password ldif
dn: cn=password.external.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
objectClass: top
objectClass: ubiloginAuthMethod
cn: password.external.1
ubiloginAuthMethodType: SPI Password
ubiloginClassname: ubilogin.method.provider.spi.DirectoryPasswordMethod
ubiloginConfString: directory ldaps://pdc.example.com/dc=example,dc=com
ubiloginConfString: directory.factory com.ubisecure.ubilogin.directory.spi.ldap.LDAPDirectoryFactory
ubiloginConfString: directory.account.login uid
ubiloginConfString: directory.schema UbiloginAccount
ubiloginConfString: policy.password.encoding SSHA
ubiloginConfString: policy.lockout.threshold 5
ubiloginConfString: policy.lockout.duration 20
ubiloginConfString: policy.password.expiring 36000
ubiloginConfString: policy.password.max-age 43200
ubiloginConfString: policy.password.min-age 30
ubiloginConfString: policy.password.history 5
ubiloginConfString: policy.password.length 8
ubiloginConfString: policy.password.complexity true
ubiloginConfString: policy.password.charset utf-8
ubiloginEnabled: TRUE
ubiloginTitle: password.external.1

  • dn 
    → The distinguished name of the authentication method object in Ubisecure Directory. MANDATORY.

  • changetype 
    → Defines the operation to be performed in Ubisecure Directory pertaining to the data in the LDIF file. MANDATORY.

  • objectClass 
    → Defines the type of the authentication object in Ubisecure Directory. MANDATORY.

  • cn 
    → The common name of the authentication method object in Ubisecure Directory. MANDATORY.

  • ubiloginAuthMethodType 
    → The authentication method type for Ubisecure Management. MANDATORY.

  • ubiloginClassName 
    → The implementation class of the authentication method. MANDATORY.

  • ubiloginConfString

    • directory 
      → The URL of the external directory. MANDATORY.

    • directory.factory 
      → The implementation class of the suitable directory factory. MANDATORY.

    • directory.account.login 
      → Specifies the name of the user attribute used for the username lookup. OPTIONAL.

      Any user attribute that uniquely identifies the user may be used. If more than one user has the same value in the attribute, login will fail with an error.

      For example, to allow an AD user to log in using their email address as the username, set this value to mail.
      To allow an AD user to log in using their mobile phone number as the username, set this value to mobile.

      By default, uid is used. Other typical values include:

      • uid

      • samAccountName

      • mobile

      • mail

Settings controlling password threat management:

Settings controlling password renewal:

Settings controlling password strength:
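The link between the method configuration and the JNDI configuration described above is easy to get wrong by hand. The following script is an added example, not part of the Ubisecure product or this page: it parses the ubiloginConfString values out of an LDIF file like Listing 1 and checks that directory matches the JNDI java.naming.provider.url, that the URL uses ldaps, and that a lockout threshold is set. SAMPLE_LDIF is a constructed, trimmed copy of Listing 1; the min-age/max-age comparison assumes both values share one unit.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the attributes of Listing 1, trimmed to what the checks below need.
SAMPLE_LDIF = """dn: cn=password.external.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
cn: password.external.1
ubiloginConfString: directory ldaps://pdc.example.com/dc=example,dc=com
ubiloginConfString: directory.factory com.ubisecure.ubilogin.directory.spi.ldap.LDAPDirectoryFactory
ubiloginConfString: directory.account.login uid
ubiloginConfString: policy.lockout.threshold 5
ubiloginConfString: policy.password.max-age 43200
ubiloginConfString: policy.password.min-age 30
"""

def parse_conf_strings(ldif_text):
    """Collect 'ubiloginConfString: <key> <value>' attribute values into a dict."""
    conf = {}
    for line in ldif_text.splitlines():
        m = re.match(r"ubiloginConfString:\s+(\S+)\s+(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def check_method_config(ldif_text, jndi_provider_url):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf_strings(ldif_text)
    findings = []
    for key in ("directory", "directory.factory"):
        if key not in conf:
            findings.append(f"missing mandatory parameter: {key}")
    directory = conf.get("directory")
    if directory is not None:
        # The page requires this value to equal java.naming.provider.url in the JNDI config.
        if directory != jndi_provider_url:
            findings.append("directory does not match java.naming.provider.url")
        # User passwords are forwarded to this directory, so require TLS.
        if urlsplit(directory).scheme != "ldaps":
            findings.append("directory URL is not ldaps://")
    # A zero or missing threshold leaves no lockout against password guessing.
    if int(conf.get("policy.lockout.threshold", "0")) <= 0:
        findings.append("policy.lockout.threshold is missing or disabled")
    min_age = int(conf.get("policy.password.min-age", "0"))
    max_age = int(conf.get("policy.password.max-age", "0"))
    if max_age and min_age >= max_age:
        findings.append("policy.password.min-age is not below max-age")
    return findings

if __name__ == "__main__":
    for finding in check_method_config(SAMPLE_LDIF, "ldaps://pdc.example.com/dc=example,dc=com"):
        print("FINDING:", finding)
```

Run it against your real password.external.N.ldif and the provider URL from your JNDI configuration before importing; an empty result means the two configurations agree.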

Import the LDIF file to Ubisecure Directory by issuing the following command:

Listing 2. Import LDIF file in Windows
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap> adam\import.cmd password.external.1.ldif

Listing 3. Import LDIF file in Linux
/usr/local/ubisecure/ubilogin-sso/ubilogin/ldap# ./openldap/import.sh password.external.1.ldif

You can verify that the import was successful by logging on to Ubisecure Management with administrative privileges and navigating to Home → Global Method Settings. The new authentication method should be listed there.

Finishing the installation of authentication methods

To complete the authentication method installations you need to update the Ubisecure Server in Tomcat.

Listing 4. Update Ubisecure Server in Windows
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd

Listing 5. Update Ubisecure Server in Linux
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start

After you have updated the Ubisecure Server, check in the diagnostics log that the added authentication methods have started properly. The uas3_diag.yyyy-mm-dd.log file is found in the ubilogin-sso/ubilogin/logs directory.

Listing 6. Example lines from uas3_diag.log
2010-07-01 10:29:29,010 tech LDAPDirectory: root=dc=ad,dc=example,dc=com
2010-07-01 10:29:29,011 init password.external.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started

Then you can use the Ubisecure Server Management application to enable the external-directory-specific authentication methods in a Web Application and test the authentication using credentials found in the external directory.