SPNEGO Authentication Properties

Contains the configuration for setting up SPNEGO authentication between clients and the dispatcher. This configuration resides in the session controller.

Property: spnego.ad.servers
Value: <ip address or hostname:port> - Default: localhost:389
Description: IP address or hostname of the LDAP server, and its port.

Property: spnego.ad.systemuser
Value: <userid fully qualified>
Description: Userid of the "technical" user used to bind to LDAP in order to read user records.

Property: spnego.ad.systempassword
Value: <password>
Description: Password to use when binding to the LDAP server. The password can optionally be obfuscated or encrypted by running the command "java dk.itp.security.utils.PasswordUtils" with the original password as its parameter.

Property: spnego.ad.useridName
Value: <attribute name> - Default userPrincipalName
Description: Name of the attribute used when searching for a user – default is "uid".

Property: spnego.ad.usersRDN
Value: <RDN name> - Default "CN=Users"
Description: Name of the RDN (LDAP group) where users are stored.

Property: spnego.ad.userattributes
Value: <List of attributes – separated with comma or semicolon>
Description: List of LDAP attributes to read when fetching a user from the AD server; can be left blank to signify all non-operational attributes. The LDAP RFC states that an LDAP server should only return "normal" attributes unless others are specifically named, so this property is a way of querying operational attributes for a user.
  If you change it from the default, make sure that you include the default attributes in the new value, or they will not be retrieved from LDAP.
  All attributes (except memberOf) are added to the session of the authenticated user as state variables, and are thus accessible to applications, or can e.g. be forwarded to an application in an HTTP header.
  Default is "cn,userPrincipalName,memberOf".

Property: spnego.ad.enabled
Value: <true | false> - Default "true"
Description: If true, AD lookups are done to read the user name, groups etc. after the userid has been obtained using SPNEGO/GSS.

Property: spnego.preauth.username
Value: <userid>
Description: Fully qualified userid (userid@domain.name) of the GSS preauthentication user. If left blank, the keytab file specified in krb5.conf is used instead.

Property: spnego.preauth.password
Value: <password>
Description: Password for the preauthentication user; can optionally be encrypted/obfuscated.

Property: spnego.krb5.conf
Value: <krb5.conf file location>
Description: Must point to a Kerberos 5 configuration file; refer to the Java 1.6 documentation for its format.

Property: spnego.login.conf
Value: <login.conf file location>
Description: Login module configuration file; refer to the Java 1.6 documentation for details about the format.

Property: spnego.login.server.module
Value: <Server module name>
Description: Name of the server module within login.conf to use.
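As an added example (not Ceptor's own code), the following Python shows how a session controller could interpret the spnego.ad.* properties above: splitting the server address, parsing the comma- or semicolon-separated attribute list, checking that a custom spnego.ad.userattributes value still contains the defaults, escaping the GSS-supplied userid before it is placed in the spnego.ad.useridName search filter, and dropping memberOf before the remaining attributes become session state variables. The hostname and the sample property values are constructed; the handling is an illustration of the documented behaviour, not the product's implementation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Defaults stated on the page for spnego.ad.userattributes.
DEFAULT_USERATTRIBUTES = ["cn", "userPrincipalName", "memberOf"]

# Constructed sample of the properties as they might sit in the session controller config.
SAMPLE_PROPERTIES = {
    "spnego.ad.servers": "dc01.example.test:636",  # constructed placeholder host
    "spnego.ad.useridName": "userPrincipalName",
    "spnego.ad.usersRDN": "CN=Users",
    "spnego.ad.userattributes": "cn; userPrincipalName, memberOf;mail",
}


def parse_servers(value: str) -> Tuple[str, int]:
    """Split '<host>:<port>' into (host, port); blank parts fall back to localhost:389.
    Assumes a plain hostname or IPv4 literal (no bracketed IPv6)."""
    host, _, port = value.strip().partition(":")
    return host or "localhost", int(port) if port else 389


def parse_userattributes(value: str) -> Optional[List[str]]:
    """Comma- or semicolon-separated list; a blank value means 'all non-operational attributes'."""
    names = [a.strip() for a in re.split(r"[,;]", value) if a.strip()]
    return names or None


def missing_default_attributes(names: Optional[List[str]]) -> List[str]:
    """Default attributes that a customised list dropped (they would no longer be read)."""
    if names is None:  # blank list: server returns all normal attributes anyway
        return []
    present = {n.lower() for n in names}
    return [d for d in DEFAULT_USERATTRIBUTES if d.lower() not in present]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a userid taken from the ticket cannot change the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_user_filter(props: Dict[str, str], userid: str) -> str:
    """Equality filter on the configured spnego.ad.useridName attribute (default userPrincipalName)."""
    attr = props.get("spnego.ad.useridName", "userPrincipalName")
    return "(%s=%s)" % (attr, escape_filter_value(userid))


def session_state_variables(record: Dict[str, object]) -> Dict[str, object]:
    """Everything fetched except memberOf becomes a session state variable."""
    return {k: v for k, v in record.items() if k.lower() != "memberof"}
```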

© Ceptor ApS. All Rights Reserved.