Use LDAP for Authentication
In this section, we describe how to use LDAP for authentication, a capability that became available in version 3.5.3 of OpenEMPI. Using LDAP for authentication allows you to use existing LDAP/Active Directory infrastructure to manage the users who have access to OpenEMPI. Although authentication is managed through LDAP, access control is still managed through OpenEMPI. The two user profiles for a given user are linked through the username, which must exist in both repositories (LDAP and the OpenEMPI database).
Enabling LDAP for authentication is fairly easy and consists of just a couple of steps.
1. Define the JAAS configuration file
To provide authentication through an LDAP server, OpenEMPI makes use of the Java Authentication and Authorization Service (JAAS). JAAS is configured through a file whose location is given by a Java runtime parameter. To add the parameter, modify the setenv.sh script in your OpenEMPI server directory and add the following parameter. In the following example, we assume that the JAAS configuration file is stored in the configuration directory of your OpenEMPI server.
-Djava.security.auth.login.config=$OPENEMPI_HOME/conf/openempi-jaas.config
Here is an example JAAS configuration file for LDAP.
OpenEMPIAuth {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
        userProvider="ldap://localhost/dc=openempi,dc=org"
        userFilter="(&(userid={USERNAME})(objectClass=inetOrgPerson))"
        authzIdentity="{sn}"
        debug=true
        useSSL=false
        bindDn="cn=admin,dc=openempi,dc=org"
        bindPassword="password"
        authenticationMethod="simple"
        forceBindingLogin=true;
};
- userProvider: specifies the hostname or IP address of the LDAP server that will be used for authentication, together with the root of the directory context under which the OpenEMPI users are defined. In this example, the context is dc=openempi,dc=org.
- userFilter: specifies the query that the LDAP provider uses to retrieve the entry for a particular username.
- authzIdentity: specifies the attribute of the LDAP entry whose value is used as the identity of the user. The value of this attribute must match the username of the user in OpenEMPI.
- bindDn: specifies the identity that OpenEMPI uses to authenticate itself to the LDAP server when binding. The bindPassword parameter specifies the password for the bind operation.
For more information on how to configure the Java LDAP provider that OpenEMPI uses to interact with the LDAP server, you can review the configuration information here.
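As an added example (not code from OpenEMPI or from this page), the following Python script parses a JAAS login configuration written in the syntax shown above and flags settings that weaken the setup, such as an unterminated quoted value, ldap:// without useSSL, debug output left on, or a bind password kept in the file. The sample configuration is constructed from the values in this section, and the function names are this example's own.

```python
import re

# Constructed sample in the shape of the openempi-jaas.config shown above (not the project's file).
SAMPLE = '''OpenEMPIAuth {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://localhost/dc=openempi,dc=org"
    userFilter="(&(userid={USERNAME})(objectClass=inetOrgPerson))"
    authzIdentity="{sn}" debug=true useSSL=false
    bindDn="cn=admin,dc=openempi,dc=org" bindPassword="password";
};'''

FLAGS = {"required", "requisite", "sufficient", "optional"}
# whitespace | "quoted value" | punctuation | bare word | a lone quote that was never closed
TOKEN = re.compile(r'\s+|"([^"]*)"|([{};=])|([^\s{};="]+)|(")')

def tokenize(text):
    """Yield JAAS login-config tokens; quoted values lose their quotes."""
    for m in TOKEN.finditer(text):
        quoted, punct, word, lone_quote = m.groups()
        if lone_quote:
            raise ValueError("unterminated quoted value at offset %d" % m.start())
        if m.group(0).strip():               # skip whitespace runs
            yield quoted if quoted is not None else punct or word

def parse_jaas_config(text):
    """Return {entry: [{"class", "flag", "options"}, ...]}; ValueError if malformed."""
    t, entries, i = list(tokenize(text)), {}, 0
    while i < len(t):
        name, modules, i = t[i], [], i + 2   # entry name, then '{'
        while t[i] != "}":
            cls, flag, opts, i = t[i], t[i + 1], {}, i + 2
            if flag.lower() not in FLAGS:
                raise ValueError("bad control flag %r for %s" % (flag, cls))
            while t[i] != ";":               # a module's option list ends at ';'
                if t[i + 1] != "=":
                    raise ValueError("expected key=value, got %r" % t[i])
                opts[t[i]] = t[i + 2]
                i += 3
            modules.append({"class": cls, "flag": flag.upper(), "options": opts})
            i += 1
        entries[name], i = modules, i + 2    # skip '}' and ';'
    return entries

def lint_ldap_module(mod):
    o = mod["options"]                       # warnings for settings that weaken security
    plain = o.get("userProvider", "").startswith("ldap://") and o.get("useSSL", "false").lower() != "true"
    checks = [(plain, "ldap:// with useSSL=false: bind password and user credentials cross the network in cleartext"),
              (o.get("debug", "false").lower() == "true", "debug=true logs authentication details; disable in production"),
              (bool(o.get("bindPassword")), "bindPassword stored in cleartext; restrict the file to the server account")]
    return [msg for hit, msg in checks if hit]
```

Running parse_jaas_config on the page's original one-line configuration, which lacks the closing quote after userProvider's value, raises the unterminated-value error rather than silently producing a wrong userFilter.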
2. Activate the LDAP Authentication Module
The next step in enabling LDAP for authentication is to enable the LDAP authentication module in OpenEMPI. The LDAP authentication module is part of the security module in OpenEMPI, so the security module must first be activated through the openempi-extensions-contexts.properties file.
...
# To activate the security module, just make sure that the applicationContext-module-security.xml file is not commented out.
applicationContext-module-security.xml
#applicationContext-module-rabbitmq-adapter.xml
...
You also need to replace the default authentication handler with the LDAP authentication handler. This involves a change to the configuration file applicationContext-services.xml: modify the reference in the UserManager service so that it uses the jaasAuthenticationHandler in place of the default authentication handler, defAuthenticationHandler.
<bean id="userManager" class="org.openhie.openempi.service.impl.UserManagerImpl">
    <property name="userDao" ref="userDao" />
    <property name="roleDao" ref="roleDao" />
    <property name="userSessionDao" ref="userSessionDao" />
    <property name="passwordHandler" ref="passwordHandler" />
    <property name="authenticationHandler" ref="jaasAuthenticationHandler" />
</bean>
Keep in mind that although LDAP authenticates users, each user must still have a user profile in OpenEMPI. This profile is where you specify the roles and permissions assigned to a particular user, and it is what OpenEMPI's fine-grained access control service uses to enforce access control.