Re: EPICS CSS JAAS Authentication with LDAP

["Kasemir, Kay" <kasemirk@ornl.gov>]

Hi:

>I was able to get things working using preference page configuration.
>But for easy deployment configuration, I would like to configure using
>the FIle option.
You got it to function OK by entering the desired LDAP configuration via
the preference page, i.e. by using the preference GUI.
Obviously you don't want to require from every user with every new
workspace to first manually configure LDAP via the preference GUI.

You can accomplish that via the plugin_customization mechanism (see
Hierarchical Preferences,
http://cs-studio.sourceforge.net/docbook/ch06.html).

You would put something like this into your settings file:

org.csstudio.platform.jaasAuthentication/jaas_config_source=PreferencePage
#The format should be:
#	ModuleClass|Flag|option1=value1|option2=value2|...;
ModuleClass|Flag|ModuleOptions; ...
#In which the ModuleClass, Flag and value of option are in the same format
as in auth.conf.
#The value string must be quoted if it includes one of these characters:
'|', '=', ";".
org.csstudio.platform.jaasAuthentication/jaas_prefs_config=org.csstudio.pla
tform.internal.jaasauthentication.LDAPBindLoginModule|required|debug=true|u
ser.dn.format="CN={0},DC=csiro,DC=au";


The nomenclature may be misleading. It still says "PreferencePage", but
you're no longer entering that manually via the preference page GUI. You
can see/review/change it there, but the settings come from the settings
file when you start CSS as


  css -pluginCustomization /path/to/your/settings.ini


When you use the File option, i.e.
org.csstudio.platform.jaasAuthentication/jaas_config_source=File
org.csstudio.platform.jaasAuthentication/jaas_config_file_entry=LDAPLoginMo
dule

then you would have to define "LDAPLoginModule" as per your example within
the file org.csstudio.platform.jaasAuthentication/conf/auth.conf.
Meaning: You need to update the source code (at least the auth.conf) of
the plugin org.csstudio.platform.jaasAuthentication, and you might have to
do that every time you get a new snapshot of the CSS sources from the GIT
repository.
That's probably not what you want.

It's better to use 
org.csstudio.platform.jaasAuthentication/jaas_config_source=PreferencePage
and then define the settings that you need via the usual Eclipse
Hierarchical Preference mechanism.


Thanks,
Kay






From:  "Xinyu.Wu@csiro.au" <Xinyu.Wu@csiro.au>
Date:  Friday, March 15, 2013 07:20
To:  "tech-talk@aps.anl.gov" <tech-talk@aps.anl.gov>
Subject:  EPICS CSS JAAS Authentication with LDAP


Hi,

I am trying to configure CSS JAAS authentication with our LDAP server. I
was able to get things working using preference page configuration. See
attached screen shot for my configuration.


But for easy deployment configuration, I would like to configure using the
FIle option. But I kept on getting the following exception:

2013-03-15 23:18:28.736 WARNING [Thread 10]
org.csstudio.platform.internal.jaasauthentication.JaasLoginModule (login)
- Login error: cannot create a JAAS LoginContext. Using anonymously.
javax.security.auth.login.LoginException: No LoginModules configured for
/Users/wu049/ASKAPsoft/Code/Components/CSS/current/files/css-config/LDAP_Au
thentication.config




Here is content of my config file:

LDAPLoginModule {
        
org.csstudio.platform.internal.jaasauthentication.LDAPBindLoginModule
required
                debug=true
                user.provider.url="ldap://xxxu:999/";
                user.dn.format="CN={0},DC=csiro,DC=au";
};



So I think my config file is incorrect, but I have no idea what the
correct file should look like. Can someone send me a sample JAAS
authentication file please.


Thanks,

Xinyu WU
ASKAP Computing    
Australia Telescope National Facility
CSIRO Astronomy and Space Science
phone: +61 2 9372 4727
postal: PO Box 76 Epping, NSW. 1710