Login Modules

Security Guide : Login Modules

Login Modules

This appendix provides a description of the LoginModules provided by VisiSecure for Java.

Basic LoginModule

This LoginModule uses a proprietary schema to store and retrieve user information. It uses standard JDBC to store its data in any relational database. This module also supports the proprietary schema used by the Tomcat JDBC realm.

realm-name {
com.borland.security.provider.authn.BasicLoginModule authentication-requirements-flag
DRIVER=driver-name
URL=database-URL
TYPE=basic|tomcat
LOGINUSERID=user-name
LOGINPASSWORD=password
[USERTABLE=user-table-name]
[GROUPTABLE=group-table-name]
[GROUPNAMEFIELD=group-name-field-of-GROUPTABLE]
[PASSWORDFIELD=field-name]
[USERNAMEFIELDINUSERTABLE=field-name]
[USERNAMEFIELDINGROUPTABLE=field-name]
[DIGEST=digest-name]
};

The elements in square brackets (“[ .. ]”) are used only if authenticating to the Tomcat Realm, where they would be required. Otherwise, the remaining properties are sufficient.

Property

Description

DRIVER

Fully-qualified class name of the database driver to be used with the password backend. For example, com.borland.datastore.jdbc.DataStoreDriver

URL

Fully-qualified URL of the database used for the realm.

TYPE

The schema to use for this realm. This LoginModule supports the schema used by the Tomcat JDBC realm and can be made to use that schema. Set this to “TOMCAT” to use the Tomcat schema. Set this to “basic” to use the default schema.

Note: If this property is set to “TOMCAT,” all other properties in square braces (“[..]”) must also be set.

LOGINUSERID

Username needed to access the password backend database.

LOGINPASSWORD

Password needed to access the password backend database.

[USERTABLE]

Table name under which the username/password to be authenticated is stored.

[USERNAMEFIELDINUSER-TABLE]

The field name in USERTABLE where the userID can be read.

[USERNAMEFIELDIN-GROUPTABLE]

The field name in GROUPTABLE where the userID can be read, different from that in the USERTABLE.

[PASSWORDFIELD]

The field name in USERTABLE containing the password for the username to be authenticated.

[GROUPTABLE]

Table name under where the group information for the user is stored. When TYPE is set to “TOMCAT,” the attribute represented by entries in this table are treated as roles rather than groups.

[GROUPNAMEFIELD]

Name of the field in GROUPTABLE containing the group name to be associated with the user. When TYPE is set to “TOMCAT,” the attributes represented by entries in this table are treated as roles rather than groups.

[DIGEST]

The algorithm to use for digesting the password. This defaults to SHA under basic circumstances, but defaults to MD5 when TYPE is set to “TOMCAT”.

Premium {
com.borland.security.provider.authn.BasicLoginModule required
DRIVER="com.borland.datastore.jdbc.DataStoreDriver"
URL="jdbc:borland:dslocal:/Security/java/prod/userauthinfo1.jds"
Realm="Basic"
LOGINUSERID="CreateTx"
LOGINPASSWORD="";
};

Since passwords should never be stored in clear text, VisiSecure always performs digest on the password and stores the result in a database. The digesttype option defines the digest algorithm for this. By default, an SHA algorithm is used for basic-typed schema, while MD5 is used for tomcat-typed schema. You can change it by including and setting a digesttype option. In the case the corresponding digest type engine cannot be found by the JVM, SHA is used instead. If an SHA engine cannot be found either, the authentication will always fail.

JDBC LoginModule

This LoginModule uses a standard JDBC database interface for authentication.

realm-name {
com.borland.security.provider.authn.JDBCLoginModule authentication-requirements-flag
DRIVER=driver-name
URL=database-URL
[DBTYPE=type]
USERTABLE=user-table-name
USERNAMEFIELD=user-name-field-of-USERTABLE
ROLETABLE=role-table-name
ROLENAMEFIELD=field-name
USERNAMEFIELDINROLETABLE=field-name
};

Property

Description

DRIVER

Fully-qualified class name of the database driver to be used with the realm. For example, com.borland.datastore.jdbc.
DataStoreDriver

URL

Fully-qualified URL of the database used for the password backend.

[DBTYPE=ORACLE|SYBASE|SQLSERVER|INTERBASE]

Supported database types. If this option is specified, the table information is preconfigured and need not be specified. The username/password still need to be specified to allow access to the system tables.

USERTABLE

Table name under where the database stores users.

USERNAMEFIELD

The field name in USERTABLE containing the usernames.

ROLETABLE

Table name where the database stores the roles of users.

ROLENAMEFIELD

Field name in ROLETABLE where role information is stored.

USERNAMEFIELDINROLE-TABLE

The username field name in the ROLETABLE.

USERNAME

The username needed to access the password backend database.

PASSWORD

The password needed to access the password backend database.

LIMS {
com.borland.security.provider.authn.JDBCLoginModule required
DRIVER="com.borland.datastore.jdbc.DataStoreDriver"
URL="jdbc:borland:dslocal:/Security/java/prod/userauthinfo.jds"
USERTABLE=myUserTable
USERNAMEFIELD=userNames
ROLETABLE=myRoles
ROLENAMEFIELD=roleNames
USERNAMEFIELDINROLETABLE=userRole
USERNAME="\n"
PASSWORD="\n";
};

LDAP LoginModule

Similar to the JDBC LoginModule, but using LDAP as its authentication backend.

realm-name {
com.borland.security.provider.authn.LDAPLoginModule authentication-requirements-flag
INITIALCONTEXTFACTORY=connection-factory-name
PROVIDERURL=database-URL
SEARCHBASE=search-start-point
USERATTRIBUTES=attribute1, attribute2, ...
USERNAMEATTRIBUTE=attribute
QUERY=dynamic-query
};

Property

Description

INITIALCONTEXTFACTORY

The InitialContextFactory class that is used by JNDI to bind to LDAP.

PROVIDERURL

The URL to the LDAP server of the form ldap://<servername>:<port> .

SEARCHBASE

The search base for the Directory to lookup.

USERATTRIBUTES

This option controls the attributes that are retrieved for a given user. This is a comma separated list of attributes that will be retrieved and stored for an authenticated user. These attributes can then be used in the authorization rules to determine whether a user belongs to a given role.

USERNAMEATTRIBUTE

This attribute represents what the user types in as the username. If set to uid, it would allow users to type their uid when asked for a username. If set to mail, it would allow users to type their email when asked for a user name. When set to DN, users will type their full DN to authenticate themselves.

QUERY

The Query option provides a mechanism to dynamically query the LDAP for other information and represent the results as attributes. For example, a user can be a member of a set of groups. It is useful to extract this information as the GROUP attribute so that it can be used in rules in the authorization domain. To achieve this, you can specify a query. Queries are of the format:

query.<suffix>="<attrname>=<ldap filter>";

The suffix can be anything that uniquely identifies this entry and there can be any number of queries specified. To insert the user's DN as part of the query, you should use {0}. The LDAPLoginModule will then replace the {0} with the actual DN of the user. For example, to query groups and store the results in the GROUP attribute, you say:

query.1="GROUP=(&(ou=groups)(uniquemember={0}))";

This will select all the groups (whose ou attribute has the value groups) that the user belongs to whose uniquemember attribute contains the user's DN, then stores the CN of the objects returned as the result as the values for the GROUP attribute for that user. If the attribute name specified is ROLE, then this attribute's treatment is exactly like that of the JDBCLoginModule. This mechanism can be used to store user roles in LDAP.

Host LoginModule

The HostLoginModule is used to authenticate to a UNIX or NT-based network.

realm-name {
com.borland.security.provider.authn.HostLoginModule authentication-requirements-flag;
};

No additional properties are necessary for the Host LoginModule.

Snoopy
{com.borland.security.provider.authn.HostLoginModule required;
};

UNIX shadow password for Host LoginModule

UNIX platforms only

The HostLoginModule shipped with VisiSecure for UNIX platforms utilizes simple APIs that are uniform on most UNIX platforms. This is defined in the POSIX standard header file pwd.h. Advanced shadow password APIs are available for deployments that demand higher security measures. However, one problem associated with this is that the process calling the APIs must run as root. Since the APIs are not in POSIX standard, the login module code is less portable.

To write your own custom login module, refer to the ‘customlogin’ example in the VisiSecure example folder. You may then incorporate shadow password APIs in your custom login module. These APIs are available in the system header file shadow.h. Please consult your system manual to find out more about them.

From the user's perspective, as already indicated above, any VisiBroker application (client/server) configured with an authentication realm, employing such a login module, must be invoked with root (or SUID root) system-level privileges.

Creating a user database for the basic login module

As a first step, create and configure the database to store users and roles. Micro Focus provides the userdbadmin tool, run from the command line, to auto-create the required tables, create groups, and associate users with groups.

This example uses JDataStore, though any backend — like Oracle, DB2, Sybase, MS SQL Server, etc — can be used. A sample command is shown below. For JDataStore, the command to be run from the command prompt when the current working directory is:

$BES/var/servers/[server_name]

userdbadmin

-create

-db jdbc:borland:dslocal:adm/security/mydb.jds

-driver com.borland.datastore.jdbc.DataStoreDriver

-user admin

-password admin

-interactive

>addgroups accountant

>addgroups clerk

>adduser krish krishpwd accountant

>adduser john johnpwd accountant

>adduser bill billpwd clerk

>adduser scott scottpwd clerk

>quit

The above commands, typed at the ">" prompt, create two groups 'accountant' and 'clerk' in the database. Two users with usernames krish and john are in an accountant role; while bill and scott are in the role of clerks.

(Type 'help' at the ">" prompt for a list of available commands).

Using the userdbadmin tool

The userdbadmin tool is a command-line tool that can be used to create and manage user databases for the BasicLoginModule. The userdbadmin uses a proprietary schema and can be pointed at any database. Using this tool, you can administer users who can be authenticated using Basic login modules. Though the tool and BasicLoginModule work using various JDBC databases, it is still recommended that you use JDataStore which is shipped with VisiBroker.

To facilitate the use of popular databases, the userdbadmin tool comes pre-configured to recognize database urls and to configure itself to use the appropriate drivers.

If you wish to change that behavior, you may override it by specifying the driver information.

If you do not provide driver information and userdbadmin does not recognize the database, it will prompt for this information. Once it has successfully acquired this information, it will write this information into a file called .userdbadmin.config in the directory corresponding to the user.home system property or to the file specified by the -config command line option.

Future users of userdbadmin will read the config file from either the user.home directory or from the file specified by the -config option and will recognize the new database configuration, so you do not need to type the driver information every time.

Creating a new database

To create a new database, use the commands below.

Usage: userdbadmin [<driver options>] [<userdbadmin options>] [command]

The example below creates a new database namely mydb.jds.

prompt> userdbadmin -db jdbc:borland:dslocal:mydb.jds -driver com.borland.datastore.jdbc.DataStoreDriver -user administrator -password b0rlanD -create

The username/password that you supply in the command line above is used by JDataStore to protect the database as well as to access to the database subsequently.

Note: The username/password is for JDataStore itself. This has nothing to do with the usernames and passwords that you may want to store in the database later.

UserdbAdminTool: Creating database jdbc:borland:dslocal:mydb.jds

JDataStore: Developer's License (no connection limit)

JDataStore: Copyright (c) 1996-2004 Borland Software Corporation. All rights reserved.

JDataStore: License for JDataStore development only - not for redistribution

JDataStore: Registered to:

JDataStore: JDataStore

JDataStore: Developer's license with unlimited connections

Password digest algorithm is SHA1

UserdbAdminTool: Created Database Schema

prompt>

After the execution of the command, in your current directory, a new set of JDataStore database physical files will be created as follows:

mydb.jds

mydb_LOGA_0000000000

mydb_LOGA_ANCHOR

mydb_STATUS_0000000000

Creating groups and associating users with groups

Launch userdbadmin in an interactive mode with the created database. The interactive mode helps you to issue multiple commands. To do this, enter the command as given below at the command prompt.

prompt> userdbadmin -db jdbc:borland:dslocal:mydb.jds -driver com.borland.datastore.jdbc.DataStoreDriver -user administrator -password b0rlanD -interactive

JDataStore: Developer's License (no connection limit)

JDataStore: Copyright (c) 1996-2004 Borland Software Corporation.

All rights reserved.

JDataStore: License for JDataStore development only - not for redistribution

JDataStore: Registered to:

JDataStore: JDataStore

JDataStore: Developer's license with unlimited connections

Password digest algorithm is SHA1

Enter "quit" to quit.

>

Note that you are now in userdbadmin interactive mode, and you can type commands at its '>' prompt.

Adding new users

To add a new user name with password and to make the new user a member of one or more groups, type the following in the command line:

Example 1

> adduser krish krishpwd accountant

Example 2

> adduser bill billpwd clerk

In Example 1, you added a user whose name is Krish and password krishpwd and added him as a member of the group called accountant.

In Example 2, you added a user whose name is bill and password billpwd and added him as a member of the group called clerk.

Listing existing users in the database

To list existing users in the database, type ‘listusers’ in the command line to list all the users and their groups:

> listusers

bill: [ clerk ]

john: [ accountant ]

krish: [ accountant ]

Listing all groups in the database

To list all groups and their membership, enter listgroup at the command prompt.

> listgroups

clerk: [ bill ]

accountant: [ krish john ]

Create a new group

To create new groups and their membership, enter addgroup at the command prompt.

> addgroups dba admin

You can check the newly added group by running the command listgroup. The newly added groups dba and admin would be listed.

> listgroups

dba: [ ]

admin: [ ]

clerk: [ bill ]

Assign groups to existing users

To assign user krish to group dba and group admin, enter the following command at the prompt:

> joingroups krish dba admin

You can check the newly added user by running the command listusers. The newly added group memberships would be listed.

> listusers

bill: [ clerk ]

john: [ accountant ]

krish: [ accountant dba admin ]

Remove a group from the database

To remove group accountant from the database permanently, enter the following command removegroups at the prompt.

> removegroups accountant

You can check the newly removed group by running the command listusers. The newly removed group accountant will not be listed.

> listusers

bill: [ clerk ]

john: [ ]

krish: [ dba admin ]

Add a new user without any group

You can add a new user without adding him to any specific group. enter the command adduser at the command prompt

> adduser jack jackpwd

You can check the newly added user by running the command listusers. The newly added user jack would be listed.

> listusers

bill: [ clerk ]

jack: [ ]

john: [ ]

krish: [ dba admin ]

Remove a group from a user

To remove the group from the user, enter the command leavegroup at the command prompt.

> leavegroups krish admin

You can check the newly removed user by running the command listusers. The user krish would be listed without the removed membership.

> listusers

bill: [ clerk ]

jack: [ ]

john: [ ]

krish: [ dba ]

Remove a user from the group

To remove the user from the group, enter the command removeuser at the command prompt.

> removeuser bill

You can check the newly removed user by running the command listusers. The newly removed user would be listed.

> listusers

jack: [ ]

john: [ ]

krish: [ dba ]

Exiting the userdbadmin program

To exit the userdbadmin program, enter the command quit at the command prompt.

> quit

Property	Description
DRIVER	Fully-qualified class name of the database driver to be used with the password backend. For example, com.borland.datastore.jdbc.DataStoreDriver
URL	Fully-qualified URL of the database used for the realm.
TYPE	The schema to use for this realm. This LoginModule supports the schema used by the Tomcat JDBC realm and can be made to use that schema. Set this to “TOMCAT” to use the Tomcat schema. Set this to “basic” to use the default schema. Note: If this property is set to “TOMCAT,” all other properties in square braces (“[..]”) must also be set.
LOGINUSERID	Username needed to access the password backend database.
LOGINPASSWORD	Password needed to access the password backend database.
[USERTABLE]	Table name under which the username/password to be authenticated is stored.
[USERNAMEFIELDINUSER-TABLE]	The field name in USERTABLE where the userID can be read.
[USERNAMEFIELDIN-GROUPTABLE]	The field name in GROUPTABLE where the userID can be read, different from that in the USERTABLE.
[PASSWORDFIELD]	The field name in USERTABLE containing the password for the username to be authenticated.
[GROUPTABLE]	Table name under where the group information for the user is stored. When TYPE is set to “TOMCAT,” the attribute represented by entries in this table are treated as roles rather than groups.
[GROUPNAMEFIELD]	Name of the field in GROUPTABLE containing the group name to be associated with the user. When TYPE is set to “TOMCAT,” the attributes represented by entries in this table are treated as roles rather than groups.
[DIGEST]	The algorithm to use for digesting the password. This defaults to SHA under basic circumstances, but defaults to MD5 when TYPE is set to “TOMCAT”.

Property	Description
INITIALCONTEXTFACTORY	The InitialContextFactory class that is used by JNDI to bind to LDAP.
PROVIDERURL	The URL to the LDAP server of the form ldap://<servername>:<port> .
SEARCHBASE	The search base for the Directory to lookup.
USERATTRIBUTES	This option controls the attributes that are retrieved for a given user. This is a comma separated list of attributes that will be retrieved and stored for an authenticated user. These attributes can then be used in the authorization rules to determine whether a user belongs to a given role.
USERNAMEATTRIBUTE	This attribute represents what the user types in as the username. If set to uid, it would allow users to type their uid when asked for a username. If set to mail, it would allow users to type their email when asked for a user name. When set to DN, users will type their full DN to authenticate themselves.
QUERY	The Query option provides a mechanism to dynamically query the LDAP for other information and represent the results as attributes. For example, a user can be a member of a set of groups. It is useful to extract this information as the GROUP attribute so that it can be used in rules in the authorization domain. To achieve this, you can specify a query. Queries are of the format: query.<suffix>="<attrname>=<ldap filter>"; The suffix can be anything that uniquely identifies this entry and there can be any number of queries specified. To insert the user's DN as part of the query, you should use {0}. The LDAPLoginModule will then replace the {0} with the actual DN of the user. For example, to query groups and store the results in the GROUP attribute, you say: query.1="GROUP=(&(ou=groups)(uniquemember={0}))"; This will select all the groups (whose ou attribute has the value groups) that the user belongs to whose uniquemember attribute contains the user's DN, then stores the CN of the objects returned as the result as the values for the GROUP attribute for that user. If the attribute name specified is ROLE, then this attribute's treatment is exactly like that of the JDBCLoginModule. This mechanism can be used to store user roles in LDAP.