Presentation Title Goes Here - Krauthammer Lab


Custom
Authentication
Services
Jim McCusker (Yale University)
Arch/VCDE F2F
October 29, 2008
Agenda
• Context (Single Sign On at Yale)
• JAAS and CSM
• A new LDAPLoginModule
• HOWTO
• Future Directions
Context (Single Sign On at Yale)
• Yale uses CAS (Central Authentication Service).
• http://www.ja-sig.org/products/cas/
• CAS uses Kerberos.
• Kerberos doesn’t have names or email addresses (which AuthenticationService needs).
• Yale has an LDAP phone book with usernames, names, and email addresses.
We have the technology. We have the information.
JAAS and CSM
• CSM (Common Security Module) uses JAAS (Java
Authentication and Authorization Service)
• JAAS supports both LDAP and Kerberos for authentication.
Shouldn’t this just work?
JAAS and CSM (cont.)
No, there are some serious obstacles:
• CSM uses its own Login Module implementation for LDAP.
• The Login Module will fail if it can’t get username and password information from the LDAP server.
• The Kerberos Login Module only provides username information and authenticity, and doesn’t know about the custom CSM attributes of LN, FN, email.
A New LDAPLoginModule
Code Change!
• Modified LDAPLoginModule (actually LDAPHelper) to allow configuration to just provide user information. This leaves the authentication task to Kerberos or PAM or something else.
• Deployed successfully and was able to authenticate using the service.
• Download the software at
http://krauthammerlab.med.yale.edu/cabig
HOWTO (On Linux, at least)
• Set up a vanilla AuthenticationService using LDAP
• Download distribution
• http://krauthammerlab.med.yale.edu/wp-content/files/csmjaas1.0.zip
• Add csmjaas-1.0.jar to [tomcat-dir]/webapps/wsrf/WEB-INF/lib
HOWTO (On Linux, at least) (cont.)
• Install the Kerberos libraries and (on Linux) make /etc/krb5.conf look like (the realm definition belongs under a [realms] section, which the slide omitted):
  [libdefaults]
    default_realm = NET.YALE.EDU
  [realms]
    NET.YALE.EDU = {
      kdc = kserv2.net.yale.edu
      admin_server = kserv1.net.yale.edu
    }
HOWTO (On Linux, at least) (cont.)
• Make ~/.java.login.config look like csmjaas1.0/java.login.config:
  AUTHNSVC {
    com.sun.security.auth.module.Krb5LoginModule required;
    edu.yale.med.krauthammerlab.csm.LDAPLoginModule required
      ldapHost="ldap://directory.yale.edu:389"
      ldapInfoOnly="true"
      ldapSearchableBase="o=yale.edu"
      ldapUserIdLabel="uid"
      USER_FIRST_NAME="givenName"
      USER_LAST_NAME="sn"
      USER_EMAIL_ID="mail";
  };
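As an added illustration (not code from the slides or from the csmjaas distribution), this is what the "info only" half of the chain above amounts to in Java: Krb5LoginModule has already authenticated the principal, so the LDAP side only does an anonymous JNDI search of the phone book by uid and pulls givenName, sn and mail. Host, base and attribute names are the ones in the java.login.config above; the class and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
/** Hypothetical info-only lookup: Kerberos already authenticated the user, so there is no bind as that user. */
public class LdapInfoLookup {
    // Host, base and attribute names taken from the java.login.config on the slide.
    static final String LDAP_HOST = "ldap://directory.yale.edu:389";
    static final String SEARCH_BASE = "o=yale.edu";
    static final String USER_ID_LABEL = "uid";
    static final String[] WANTED = { "givenName", "sn", "mail" }; // USER_FIRST_NAME, USER_LAST_NAME, USER_EMAIL_ID
    /** Kerberos principals look like "jdoe@NET.YALE.EDU"; the directory is keyed by the bare "jdoe". */
    static String uidFromPrincipal(String principal) {
        int at = principal.indexOf('@');
        return at < 0 ? principal : principal.substring(0, at);
    }
    static Map<String, String> lookup(String principal) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_HOST);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous read of public phone-book attributes
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(WANTED);
            // {0} is substituted and escaped by JNDI, so the uid cannot alter the filter.
            NamingEnumeration<SearchResult> hits = ctx.search(SEARCH_BASE,
                    "(" + USER_ID_LABEL + "={0})", new Object[] { uidFromPrincipal(principal) }, sc);
            if (!hits.hasMore()) {
                throw new NamingException("no directory entry for " + principal);
            }
            Attributes attrs = hits.next().getAttributes();
            Map<String, String> info = new HashMap<>();
            for (String a : WANTED) {
                info.put(a, attrs.get(a) == null ? null : (String) attrs.get(a).get());
            }
            return info;
        } finally {
            ctx.close();
        }
    }
}
```

A module built this way must still refuse to commit when the directory has no entry for an authenticated principal, since CSM needs all three attributes to populate its user record.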
HOWTO (On Linux, at least) (cont.)
• Ask Steve Langella really nicely to add you to the training grid.
Future Directions
• Integrate the patch back into CSM.
• Enable Kerberos extension in installer.
• Use the patch as an example of how to create a custom AuthenticationService LoginModule.