FAQs

Frequently Asked Questions - ldap

FAQs - ldap
Q: How can I use JNDISecurityRealm to authenticate users against a directory service (LDAP)?

QuartzDesk Web application comes with a ready-to-use and highly configurable JNDISecurityRealm implementation that allows you to authenticate users against a configured directory service.

For an explanation of what  QuartzDesk Web Application security realms are, please see here.

To use JNDISecurityRealm, please add the following configuration properties to your quartzdesk-web.properties:

PropertyValue
Description
security.realm.implementationcom.quartzdesk.core.security.realm.jndi.JNDISecurityRealm

The security realm implementation class suitable for all directory services accessed through JNDI.

security.realm.param.connectionUrlThe directory service connection URL, e.g. ldap://localhost:389.
security.realm.param.connectionUsernameThe username to use to connect to the directory service.
security.realm.param.connectionPasswordThe password to use to connect to the directory service.
security.realm.param.connectTimeoutThe connection timeout in milliseconds. If not specified, the timeout value is set to 10000 (10 seconds).
security.realm.param.readTimeoutThe read timeout in milliseconds. If not specified, the timeout value is set to 10000 (10 seconds).
security.realm.param.userBase

The distinguished name (DN) of the directory branch underneath which users are stored.

Example: ou=Departments,dc=MyCompany,dc=com

security.realm.param.userSearchQuery

The search query used to locate a user entry by the username. {0} in the query is automatically replaced with the username before the search is executed.

Example: (uid={0})

security.realm.param.userSearchSubtree

The user entry search scope. If set to true, the entire subtree rooted at userBase is searched. Otherwise, only the first level under userBase is searched.

security.realm.param.authCheckMethod

The user authentication method to use. The following two methods are supported:

BIND
The security realm attempts to bind with the DN of the user directory entry found by the configured userSearchQuery query and the user-provided password.

COMPARE
The security realm reads the user's password digest from the user directory entry found by the configured userSearchQuery query and compares this digest with the digest of the user-provided password.
security.realm.param.passwordMatcherImplementationcom.quartzdesk.core.security.realm.jndi.JNDIPasswordMatcher

The password matcher implementation class that is used to match the user-entered password with its digest stored in the directory. The password matcher is used only if the configured authCheckMethod is set to COMPARE.

security.realm.param.passwordMatcherImplementation implementation supports all of the following password digest algorithms used by popular directory services:

  • Unsalted MD5 digests. Digest format: {MD5}<digest>
  • Unsalted SHA-1 digests. Digest format: {SHA}<digest>
  • Unsalted SHA-256 digests. Digest format: {SHA256}<digest>
  • Unsalted SHA-384 digests. Digest format: {SHA384}<digest>
  • Unsalted SHA-512 digests. Digest format: {SHA512}<digest>
  • Salted MD5 digests. Digest format: {SMD5}<digest><salt>
  • Salted SHA-1 digests. Digest format: {SSHA}<digest><salt>
  • Salted SHA-256 digests. Digest format: {SSHA256}<digest><salt>
  • Salted SHA-384 digests. Digest format: {SSHA384}<digest><salt>
  • Salted SHA-512 digests. Digest format: {SSHA512}<digest><salt>
security.realm.param.authCheckCompareAttrPassword

The name of a required directory user entry attribute that contains the user's password digest. This attribute name is used only if the configured authCheckMethod is set to COMPARE.

Example: userPassword

security.realm.param.attrFirstName

The name of a required directory user entry attribute that contains the user's first name.

Example: givenName

security.realm.param.attrSurname

The name of a required directory user entry attribute that contains the user's first name.

Example: sn

security.realm.param.attrEmail

The name of a required directory user entry attribute that contains the user's email address.

Example: email

security.realm.param.attrWorkPhoneNumber

The name of an optional directory user entry attribute that contains the user's work phone number.

Example: telephoneNumber

security.realm.param.attrMobilePhoneNumber

The name of an optional directory user entry attribute that contains the user's mobile phone number.

Example: mobile

security.realm.param.attrAvatarUrl

The name of an optional directory user entry attribute that contains the URL of the user's avatar image.

Example: photoUrl

security.realm.param.phoneNumberParserImplementation

The name of an optional phone number parser implementation that parses phone number strings in user directory entries and produces com.quartzdesk.domain.model.common.PhoneNumber instances. The following phone number parser implementations are available out-of-the-box:

com.quartzdesk.core.security.realm.SimplePhoneNumberParser
A trivial implementation that interprets the phone number string as a subscriber number.

com.quartzdesk.core.security.realm.GooglePhoneNumberParser
An implementation that uses the Google libphonenumber library. Please note that this phone parser implementation is locale-sensitive and as such you need to specify the locale to be used. See the phoneNumberParserLocale parameter.

If no phone number parser implementation is specified, then the SimplePhoneNumberParser implementation is used.

security.realm.param.phoneNumberParserLocale

The name of the Java locale used by the phone number parser. If no locale is specified, then the en_US locale is assumed. For the list of all supported Java locales, please see here.

Examples: en_GB (for UK), en_CA (for Canada), nl_NL (for Netherlands), etc.

TAGS: directory, jndi, jndi-security-realm, ldap, realm, security, security-realm