Posted to server-dev@james.apache.org by Serge Knystautas <se...@lokitech.com> on 2004/04/29 15:52:05 UTC

Linux account integration

Does anyone know a decent way for a Java program to test a username and 
password against the local Linux accounts?

I'm thinking of creating another user implementation that extends the 
current file one, but when it does the authentication, it will check 
against the Linux account.

This is so I don't have to set up an LDAP server but otherwise can let 
people use their same passwords.  Also, it might be nice for ultimately 
splitting the authentication mechanism from the James mailbox/account 
storage.

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org


RE: Linux account integration

Posted by Intelekia <in...@intelekia.com>.
Hi Serge, sorry for late reply (weekend out... ;-)

I guess you cannot do that (or at least I don't know how) - the whole idea
of using an auth text script to link the auth module to the authenticating
application is to keep a strict independence and code portability (the
authenticating application doesn't know anything - doesn't care - about the
auth method).

Since the auth text script is provided as a java command-line parameter, I
envision two possible solutions:

1) determine the authentication method at compilation (as a parameter to
James' build.xml). Of course this can always be changed by editing the auth
text script manually - could be explained in the documentation.

2) determine the authentication method at startup (as a parameter to the
.bat / .sh that starts James, that tells which auth method to select from a
pool of auth text scripts).

Best regards,

Isaac.

-----Original Message-----
From: Serge Knystautas [mailto:sergek@lokitech.com] 
Sent: Friday, 30 April 2004 14:51
To: James Developers List
Subject: Re: Linux account integration

Intelekia wrote:
> Hi Serge,
> 
> The best option is JAAS (Java Authentication and Authorization Service),
> introduced as an optional package in J2SE 1.3 and integrated into J2SE 1.4.
> It implements a Java Pluggable Authentication Module (PAM) framework to
> provide single authentication against Unix, Windows, Kerberos, etc.
> 
> Please check the enclosed very simplified demo code. 

Isaac,

Thanks very much for the sample code.  Is there any way I can define the 
auth module at runtime?  I'd like to let a user configure which type of 
authentication they're using in our conf file.

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com






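Isaac's two options above (fixing the module at build time, or letting the start-up script pick one of several auth text scripts) both still route through the `-Djava.security.auth.login.config` file. The following is an added example, not code from this thread or from James, of a third route that answers Serge's runtime question directly: the login module class and its options are read from the server's own conf file and turned into a programmatic `javax.security.auth.login.Configuration`, so no JAAS text file or JVM flag is needed. It assumes Java 8 or later (lambda `CallbackHandler`; the four-argument `LoginContext` constructor exists since Java 6), a hypothetical conf key such as `authentication.loginModule`, and a placeholder module class name. One caveat worth knowing before reusing the demo's module: `com.sun.security.auth.module.UnixLoginModule` never looks at the submitted password; it only imports the identity of the OS user running the JVM, so a credential-checking module (PAM-, LDAP- or Kerberos-backed) has to be named instead.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not part of the thread or of James): choose the JAAS
 * LoginModule at runtime from application configuration instead of a fixed
 * -Djava.security.auth.login.config text file. Requires Java 8 or later.
 */
public final class RuntimeJaasAuthenticator {

    /** Entry name inside our private Configuration; it is never read from a file. */
    private static final String ENTRY_NAME = "james";

    private final Configuration configuration;

    /**
     * @param loginModuleClass fully qualified LoginModule class name. It must come
     *        from the server's own trusted conf file (hypothetical key
     *        authentication.loginModule): JAAS instantiates whatever class is named
     *        here, so the value must never be client-supplied.
     * @param options module options from the same conf section (may be empty).
     */
    public RuntimeJaasAuthenticator(String loginModuleClass, Map<String, String> options) {
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                loginModuleClass, LoginModuleControlFlag.REQUIRED, new HashMap<>(options));
        // A programmatic Configuration stands in for the text file; this one is the
        // equivalent of a single entry:  james { <loginModuleClass> required; };
        this.configuration = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return ENTRY_NAME.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /**
     * Runs one JAAS login/logout cycle for the given credentials. Returns true only
     * when the configured module accepted them; any failure (wrong password, module
     * class not found, module misconfigured) is reported as a plain denial.
     * The password array is zeroed before returning.
     */
    public boolean authenticate(String username, char[] password) {
        // Feeds the submitted name and password to whatever the module asks for.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            LoginContext ctx = new LoginContext(ENTRY_NAME, new Subject(), handler, configuration);
            ctx.login();                       // throws LoginException on any failure
            try {
                // ctx.getSubject().getPrincipals() now holds what the module imported
                // (uid, groups, ...) should the caller need it for authorization.
                return true;
            } finally {
                ctx.logout();
            }
        } catch (LoginException e) {
            // Log e.getMessage() server-side; the client only ever learns "denied".
            return false;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for what the conf file would supply.
        // The class below is a placeholder, not a real module: with no such class on
        // the classpath, login() fails closed and this prints "login denied".
        String module = args.length > 0 ? args[0] : "org.example.PlaceholderPasswordLoginModule";
        Map<String, String> options = new HashMap<>();
        options.put("debug", "false");

        RuntimeJaasAuthenticator auth = new RuntimeJaasAuthenticator(module, options);
        boolean ok = auth.authenticate("alice", "correct horse".toCharArray());
        System.out.println("login " + (ok ? "accepted" : "denied"));
    }
}
```

Because the `Configuration` is an instance field rather than installed with the static `Configuration.setConfiguration(...)`, two authenticator instances with different modules can coexist in the same JVM, which is what splitting authentication from mailbox storage, as Serge suggests, would eventually need.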


RE: Linux account integration

Posted by "Noel J. Bergman" <no...@devtech.com>.
Serge Knystautas wrote:
> Noel J. Bergman wrote:
> > FWIW, there is a read-only NIS provider for JNDI.  I don't know
> > of a similar one for the Windows login system, but the NIS one
> > can be used to access local login information on Linux.

> Wouldn't this require someone running an NIS daemon?  As I
> understood it, NIS was a protocol.

I would have to check it, which I haven't, yet.  Would be nice if these were
all published as open source, especially the ones that Sun hasn't
maintained, such as the File System provider.

But, yes, NIS is a protocol.  Sorry, I think I temporarily confused it with
nsswitch, which has support for NIS, /etc files and others.  NIS is
available from http://www.linux-nis.org/nis/ypserv/, which also has a good
man page.

I wonder if the JAAS code is parsing or using JNI?  Hopefully the latter,
especially with systems like FreeBSD.

	--- Noel




RE: Linux account integration

Posted by Alex Karasulu <ao...@bellsouth.net>.
Serge,

> > I'm pretty confident this is the case.  Perhaps someone else can
> > confirm as well.
>
> Reading the docs for the NIS service provider, one of the docs says it
> requires, "A server that speaks the YP Version 2 protocol, such as the
> Solaris/NIS server, and the Solaris/NIS+ server running in YP-compat
> mode." :(

Shoot I was totally wrong! It does speak directly to a NIS server 
after all.  My last name might as well have been dumbass like that
commercial. 

Sorry for steering you in the wrong direction :(.  That's very 
lame that SUN took that route though.  I guess SUN just wanted it to 
be portable across platforms, hence the reason why it's not bundled with 
the JDK.  I thought it was.

My Sincerest Apologies,
Alex






Re: Linux account integration

Posted by Serge Knystautas <se...@lokitech.com>.
Alex Karasulu wrote:
> Actually I think the NIS provider talks to the underlying NSS 
> libraries which abstract away the exact mechanism.  So underneath the 
> hood the OS can be configured to be using LDAP or NIS or even NIS+ 
> for the NSS and the API would remain the same - the user wouldn't 
> have to worry about that.
> 
> I'm pretty confident this is the case.  Perhaps someone else can 
> confirm as well.

Reading the docs for the NIS service provider, one of the docs says it 
requires, "A server that speaks the YP Version 2 protocol, such as the 
Solaris/NIS server, and the Solaris/NIS+ server running in YP-compat 
mode." :(

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com



Re: Linux account integration

Posted by Serge Knystautas <se...@lokitech.com>.
Alex Karasulu wrote:
> Actually I think the NIS provider talks to the underlying NSS 
> libraries which abstract away the exact mechanism.  So underneath the 
> hood the OS can be configured to be using LDAP or NIS or even NIS+ 
> for the NSS and the API would remain the same - the user wouldn't 
> have to worry about that.
> 
> I'm pretty confident this is the case.  Perhaps someone else can 
> confirm as well.

Sweet, that sounds perfect.

I'll give it a whirl soon... looks like JDK 1.4 comes bundled with the 
NIS impl, so James would need to include those service providers 
separately.  Anyway, thanks, I'll see if I can do it without any extra 
daemons running.

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com



RE: Linux account integration

Posted by Alex Karasulu <ao...@bellsouth.net>.
Serge,

> -----Original Message-----
> From: Serge Knystautas [mailto:sergek@lokitech.com]
> Sent: Friday, April 30, 2004 2:35 PM
> To: James Developers List
> Cc: Alex Karasulu
> Subject: Re: Linux account integration
> 
> Noel J. Bergman wrote:
> > FWIW, there is a read-only NIS provider for JNDI.  I don't know of a similar
> > one for the Windows login system, but the NIS one can be used to access
> > local login information on Linux.  I just downloaded it to take a look
> > (http://java.sun.com/products/jndi/serviceproviders.html).
> 
> Wouldn't this require someone running an NIS daemon?  As I understood
> it, NIS was a protocol.
> 

Actually I think the NIS provider talks to the underlying NSS 
libraries which abstract away the exact mechanism.  So underneath the 
hood the OS can be configured to be using LDAP or NIS or even NIS+ 
for the NSS and the API would remain the same - the user wouldn't 
have to worry about that.

I'm pretty confident this is the case.  Perhaps someone else can 
confirm as well.

Alex






Re: Linux account integration

Posted by Serge Knystautas <se...@lokitech.com>.
Noel J. Bergman wrote:
> FWIW, there is a read-only NIS provider for JNDI.  I don't know of a similar
> one for the Windows login system, but the NIS one can be used to access
> local login information on Linux.  I just downloaded it to take a look
> (http://java.sun.com/products/jndi/serviceproviders.html).

Wouldn't this require someone running an NIS daemon?  As I understood 
it, NIS was a protocol.

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com



RE: Linux account integration

Posted by Alex Karasulu <ao...@bellsouth.net>.
> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: Friday, April 30, 2004 2:03 PM
> To: James Developers List
> Cc: Alex Karasulu
> Subject: RE: Linux account integration
> 
> FWIW:
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/package-summary.html
> 
> JAAS can access anything that is supported by JNDI, plus NT, NIS (as well as
> NIS through JNDI), etc.
> 
> 	--- Noel

Yep, stick to JAAS as the interface but use whichever login module provider
best fits your needs.  

Alex





RE: Linux account integration

Posted by "Noel J. Bergman" <no...@devtech.com>.
FWIW:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/package-summary.html

JAAS can access anything that is supported by JNDI, plus NT, NIS (as well as
NIS through JNDI), etc.

	--- Noel




RE: Linux account integration

Posted by "Noel J. Bergman" <no...@devtech.com>.
Serge,

> I'm thinking of creating another user implementation that extends the
> current file one, but when it does the authentication, it will check
> against the Linux account.

> This is so I don't have to set up an LDAP server but otherwise can let
> people use their same passwords.

FWIW, there is a read-only NIS provider for JNDI.  I don't know of a similar
one for the Windows login system, but the NIS one can be used to access
local login information on Linux.  I just downloaded it to take a look
(http://java.sun.com/products/jndi/serviceproviders.html).

> > The best option is JAAS (Java Authentication and Authorization Service)

There is code in the Directory project that would help for this, where we
are integrating AAA (RMS, JAAS, and Janus) with JNDI/LDAP.  Alex can explain
the roadmap best, and how we can use these components to handle user
repositories.  He and I were discussing this earlier, and he's reading the
thread in the archives.

	--- Noel




Re: Linux account integration

Posted by Serge Knystautas <se...@lokitech.com>.
Intelekia wrote:
> Hi Serge,
> 
> The best option is JAAS (Java Authentication and Authorization Service),
> introduced as an optional package in J2SE 1.3 and integrated into J2SE 1.4.
> It implements a Java Pluggable Authentication Module (PAM) framework to
> provide single authentication against Unix, Windows, Kerberos, etc.
> 
> Please check the enclosed very simplified demo code. 

Isaac,

Thanks very much for the sample code.  Is there any way I can define the 
auth module at runtime?  I'd like to let a user configure which type of 
authentication they're using in our conf file.

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com



RE: Linux account integration

Posted by Intelekia <in...@intelekia.com>.
Hi Serge,

The best option is JAAS (Java Authentication and Authorization Service),
introduced as an optional package in J2SE 1.3 and integrated into J2SE 1.4.
It implements a Java Pluggable Authentication Module (PAM) framework to
provide single authentication against Unix, Windows, Kerberos, etc.

Please check the enclosed very simplified demo code. 

From the command line:

java -Djava.security.auth.login.config=./demoJAAS.config DemoJAAS

If you replace com.sun.security.auth.module.UnixLoginModule by
com.sun.security.auth.module.NTLoginModule in demoJAAS.config, it will allow you
to run the sample on Windows platforms (2k, XP, etc...).

Normally there should be a -Djava.security.manager loaded as well to limit
the permissions of the application, but that would do for a demo.

I will be happy to work with you on implementing this extension to James;
let's work out the requirements.

Best regards,

Isaac.



-----Original Message-----
From: Serge Knystautas [mailto:sergek@lokitech.com] 
Sent: Thursday, 29 April 2004 16:52
To: server-dev@james.apache.org
Subject: Linux account integration

Does anyone know a decent way for a Java program to test a username and 
password against the local Linux accounts?

I'm thinking of creating another user implementation that extends the 
current file one, but when it does the authentication, it will check 
against the Linux account.

This is so I don't have to set up an LDAP server but otherwise can let 
people use their same passwords.  Also, it might be nice for ultimately 
splitting the authentication mechanism from the James mailbox/account 
storage.

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com
