2 (* Author: Simon Vocella <voxsim@gmail.com> *)
7 This is the JAAS configuration file used by the Shibboleth IdP.
9 A JAAS configuration file is a grouping of LoginModules defined in the following manner:
10 <LoginModuleClass> <Flag> <ModuleOptions>;
12 LoginModuleClass - fully qualified class name of the LoginModule class
13 Flag - indicates whether the requirement level for the modules;
14 allowed values: required, requisite, sufficient, optional
15 ModuleOptions - a space delimited list of name=\"value\" options
17 For complete documentation on the format of this file see:
18 http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
20 For LoginModules available within the Sun JVM see:
21 http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html
23 Warning: Do NOT use Sun's JNDI LoginModule to authentication against an LDAP directory,
24 Use the LdapLoginModule that ships with Shibboleth and is demonstrated below.
26 Note, the application identifier MUST be ShibUserPassAuth
32 // Example LDAP authentication
33 // See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
35 edu.vt.middleware.ldap.jaas.LdapLoginModule required
36 ldapUrl=\"ldap://ldap.example.org\"
37 baseDn=\"ou=people,dc=example,dc=org\"
39 userFilter=\"uid={0}\";
42 // Example Kerberos authentication, requires Sun's JVM
43 // See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
45 com.sun.security.auth.module.Krb5LoginModule required
47 keyTab=\"/path/to/idp/keytab/file\";
50 edu.vt.middleware.ldap.jaas.LdapLoginModule required
51 host = \"ldap://127.0.0.1:389\"
52 base = \"dc=example,dc=com\"
53 serviceUser = \"cn=admin,dc=example,dc=com\"
54 serviceCredential = \"ldappassword\"
57 // Example comment within definition
58 subtreeSearch = \"true\";
62 // Test of optionless flag
63 nz.ac.auckland.jaas.Krb5LoginModule required;
66 com.sun.security.jgss.krb5.initiate {
67 // Test of omitted linebreaks and naked boolean
68 com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
(* Runs the Jaas lens in the get direction over the fixture string conf and
   requires the parsed tree to equal the literal that follows. *)
71 test Jaas.lns get conf =
(* Nodes 1 through 14 hold the fixture's introductory text, one node per line.
   Presumably this is a block comment in conf; its delimiters are not visible
   in this listing. *)
74 { "1" = "This is the JAAS configuration file used by the Shibboleth IdP." }
75 { "2" = "A JAAS configuration file is a grouping of LoginModules defined in the following manner:" }
76 { "3" = "<LoginModuleClass> <Flag> <ModuleOptions>;" }
77 { "4" = "LoginModuleClass - fully qualified class name of the LoginModule class" }
78 { "5" = "Flag - indicates whether the requirement level for the modules;" }
79 { "6" = "allowed values: required, requisite, sufficient, optional" }
80 { "7" = "ModuleOptions - a space delimited list of name=\"value\" options" }
81 { "8" = "For complete documentation on the format of this file see:" }
82 { "9" = "http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html" }
83 { "10" = "For LoginModules available within the Sun JVM see:" }
84 { "11" = "http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html" }
85 { "12" = "Warning: Do NOT use Sun's JNDI LoginModule to authentication against an LDAP directory," }
86 { "13" = "Use the LdapLoginModule that ships with Shibboleth and is demonstrated below." }
87 { "14" = "Note, the application identifier MUST be ShibUserPassAuth" }
(* First login entry: the application identifier is the value of the login node. *)
91 { "login" = "ShibUserPassAuth"
(* The two example stanzas below come back as #comment and numbered text nodes,
   not as loginModuleClass / flag nodes, so the lens treats them as text rather
   than as active modules (presumably they are commented out in conf; confirm
   against the fixture). *)
93 { "#comment" = "Example LDAP authentication" }
94 { "#comment" = "See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass" }
96 { "1" = "edu.vt.middleware.ldap.jaas.LdapLoginModule required" }
97 { "2" = "ldapUrl=\"ldap://ldap.example.org\"" }
98 { "3" = "baseDn=\"ou=people,dc=example,dc=org\"" }
99 { "4" = "ssl=\"true\"" }
100 { "5" = "userFilter=\"uid={0}\";" }
103 { "#comment" = "Example Kerberos authentication, requires Sun's JVM" }
104 { "#comment" = "See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass" }
106 { "1" = "com.sun.security.auth.module.Krb5LoginModule required" }
107 { "2" = "useKeyTab=\"true\"" }
108 { "3" = "keyTab=\"/path/to/idp/keytab/file\";" }
(* The one module parsed under ShibUserPassAuth: class name, flag, then one node
   per option. Quoted option values keep their surrounding double quotes in the
   tree. *)
111 { "loginModuleClass" = "edu.vt.middleware.ldap.jaas.LdapLoginModule"
112 { "flag" = "required"
113 { "host" = "\"ldap://127.0.0.1:389\"" }
114 { "base" = "\"dc=example,dc=com\"" }
115 { "serviceUser" = "\"cn=admin,dc=example,dc=com\"" }
(* serviceCredential is mapped into the tree like any other option, so the LDAP
   bind password of a real file is readable by anything that prints, diffs or
   logs this tree. The value here is a fixture placeholder. *)
116 { "serviceCredential" = "\"ldappassword\"" }
(* Fixture value only: ssl is false and the URL is plain ldap on loopback. These
   settings exercise the parser and are not a deployment template; an entry that
   binds across a network would presumably need ssl true or an ldaps URL so the
   bind credential is not sent in clear. *)
117 { "ssl" = "\"false\"" }
118 { "userField" = "\"uid\"" }
(* A comment placed between options is kept in position as a #comment node. *)
119 { "#comment" = "Example comment within definition" }
120 { "subtreeSearch" = "\"true\"" }
(* Second login entry: a module with a flag and no options. *)
127 { "login" = "NetAccountAuth"
128 { "#comment" = "Test of optionless flag" }
129 { "loginModuleClass" = "nz.ac.auckland.jaas.Krb5LoginModule"
130 { "flag" = "required" }
(* Third login entry: class, flag and option written on a single line in conf,
   with an unquoted boolean. The value is stored without quotes, unlike the
   quoted options in the first entry. *)
136 { "login" = "com.sun.security.jgss.krb5.initiate"
137 { "#comment" = "Test of omitted linebreaks and naked boolean" }
138 { "loginModuleClass" = "com.sun.security.auth.module.Krb5LoginModule"
139 { "flag" = "required"
140 { "useTicketCache" = "true" }