JNDI CP Configuration

From Eclipsepedia


Configuration

The JNDI Context Provider uses an XML file for configuration. The general format of this XML file is defined here: Higgins XML Component Configuration. This configuration is expected to be part of an XRDS document as described here: Higgins Context Discovery Components.

Example configuration files can be found in the org.eclipse.higgins.idas.cp.jndi.test project. Instructions on how to access this project are located here: JNDI CP Projects.

The JNDI Context Provider allows for the configuration of eight (8) different Policy Decision Points (PDPs) that control mapping of the following items (inbound and outbound):

  1. Subject IDs
  2. Digital Subject Types
  3. Attribute Types
  4. Attribute Values

The PDPs are defined using JavaScript and examples are shown below and in the JNDI Test example configuration files.

JNDI Context Provider Settings

Below here is a change in progress ...

Each Context configuration section is described by a "Realm" definition within the XML file. For purposes of this documentation, the terms "Realm" and "Context" are synonymous.

Realm Configuration Elements

realms

This element should encapsulate all realm definitions and other global configuration. This element should also define the namespaces to be used globally throughout the configuration document.

<bci:realms
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:bci="http://www.bandit-project.org/commonidentity"
   xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
   xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os:access_control-xacml-2.0-policy-schema-os.xsd">
   ...
</bci:realms>

SCRIPT

Script tags can be placed within the realms tag (global) or within a specific realm tag (local). This allows any variable or function defined to be referenced or called within the scope in which it was defined.

Following is an example of an attribute mapping table that could be used to map CardSpace claim types to JNDI provider attribute types:

<SCRIPT LANGUAGE="javascript"> <![CDATA[
	// consumer: CardSpace claim type URI -> candidate JNDI/LDAP attribute
	// names (descriptive names first, then the matching OIDs).
	// provider: the reverse index, built from the consumer table below.
	var multimap = {
		consumer: {},
		provider: {}
		};

	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"] =
		["givenname", "2.5.4.42"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"] =
		["sn", "surname", "2.5.4.4"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] =
		["mail", "email", "emailaddress", "internetaddress", 
		 "1.2.840.113549.1.9.1", "rfc822mailbox", "0.9.2342.19200300.100.1.3"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress"] =
		["street", "streetaddress", "2.5.4.9"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality"] =
		["localityName", "2.5.4.7"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince"] =
		["st", "stateprovincename", "2.5.4.8"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode"] =
		["postalcode", "2.5.4.17"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"] =
		["countryname", "2.5.4.6"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"] =
		["homephone", "telephonenumber", "2.5.4.20"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone"] =
		["otherphone"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"] =
		["mobilephone"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"] =
		["dateofbirth"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"] =
		["gender"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"] =
		["guid", "privatepersonalidentifier"];
	multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groupmembership"] =
		["groupmembership"];

	// Build the reverse index: every provider-side alias points back at the
	// claim type it was listed under. Keys are matched as exact strings, so
	// a later lookup must use the same spelling and case as listed above.
	for (var elem in multimap.consumer)
	{
		var aliases = multimap.consumer[elem];
		for (var i = 0; i < aliases.length; i++)
			multimap.provider[aliases[i]] = elem;
	}
	]]>
</SCRIPT>

env

The JNDI CP will attempt to support all java.naming.* environment properties as far as they make sense to support for each JNDI provider supported. Any given environment property may be honored by any number of Context Providers which use this configuration format. Consult the Context Provider specific env element documentation for which env elements are supported. The env elements can be specified at both a global and realm (Context) specific level.

realm

This element is used to specify an identity source repository (ie. Context) and encapsulates information about how to connect to that repository together with policy and rules about how to access identity information from it.

The connectorType attribute is a leftover from an earlier design in which it named the connector module to invoke for the realm; at present it only marks the section as intended for this JNDI CP, and it will eventually be removed. The id attribute, also called the realm or context selector, must be unique among all contexts defined in the realms configuration document.

<bci:realm
   desc="Directory Service: My Test Directory"
   connectorType="org.eclipse.higgins.idas.cp.jndi"
   id="MyUniqueRealmIdentifier">
   ...
</bci:realm>

JavaScript Mapping PDPs

Subject ID Mapping PDP
consumerSubjectIDToProvider

Here's an example of how an IdAS consumer style subject ID might be mapped to a JNDI provider style subject ID. Note that PARAM is concatenated into the DN verbatim: a subject ID containing DN special characters (',', '+', '=', '\', '"', '<', '>', ';') changes the structure of the resulting DN instead of naming a different cn, so a production mapping should escape the value as described in RFC 4514.

<JSPolicyAction id="consumerSubjectIDToProvider" evalType="javascript">  <![CDATA[
	RESULT = "cn=" + PARAM + ",ou=people,dc=wag,dc=bandit-project,dc=org"
	]]>
</JSPolicyAction>
providerSubjectIDToConsumer

Here's an example of how a JNDI provider style subject ID would be symmetrically mapped back to an IdAS consumer style subject ID based on the example above:

<JSPolicyAction id="providerSubjectIDToConsumer" evalType="javascript">
	<SCRIPT LANGUAGE="javascript">  <![CDATA[
		var re = new RegExp("^cn=(.*),ou=people,dc=wag,dc=bandit-project,dc=org$", "i");
		RESULT = String(PARAM.toString()).replace(re, "$1");
		]]>
	</SCRIPT>
</JSPolicyAction>
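The two subject ID mappings above, rewritten with RFC 4514 escaping so that a consumer subject ID such as alice,ou=admins cannot move the resulting DN out of the ou=people container. This is an added example, not Higgins project code: the base DN is the one from the page, the helper names are our own, and the reverse mapping deliberately returns null for any DN that is not a single cn RDN directly under that base rather than attempting a best-effort regex match.

```javascript
// Added example (not Higgins project code): subject ID mapping with RFC 4514
// DN escaping. PEOPLE_BASE is the container from the page's example; the
// helper names are our own.
const PEOPLE_BASE = "ou=people,dc=wag,dc=bandit-project,dc=org";

// Escape one attribute value for use inside a DN (RFC 4514 section 2.4).
// '=' does not have to be escaped by the RFC but is escaped here as well,
// which every RFC 4514 parser accepts.
function escapeDnValue(value) {
  let out = "";
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === "\u0000") {
      out += "\\00";
    } else if (",+\"\\<>;=".includes(ch)) {
      out += "\\" + ch;
    } else if (ch === " " && (i === 0 || i === value.length - 1)) {
      out += "\\ ";                     // leading or trailing space
    } else if (ch === "#" && i === 0) {
      out += "\\#";                     // leading number sign
    } else {
      out += ch;
    }
  }
  return out;
}

// Reverse of escapeDnValue. A run of \XX hex pairs is a sequence of UTF-8 bytes.
function unescapeDnValue(value) {
  let out = "";
  let i = 0;
  while (i < value.length) {
    if (value[i] !== "\\") { out += value[i++]; continue; }
    const bytes = [];
    while (value[i] === "\\" && /^[0-9a-fA-F]{2}$/.test(value.substr(i + 1, 2))) {
      bytes.push(parseInt(value.substr(i + 1, 2), 16));
      i += 3;
    }
    if (bytes.length > 0) {
      out += new TextDecoder().decode(Uint8Array.from(bytes));
      continue;
    }
    if (i + 1 >= value.length) throw new Error("dangling backslash in DN value");
    out += value[i + 1];                 // \c for a single special character
    i += 2;
  }
  return out;
}

// Split a DN on unescaped commas, leaving the escape sequences untouched.
function splitRdns(dn) {
  const parts = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === "\\" && i + 1 < dn.length) { cur += dn[i] + dn[i + 1]; i++; continue; }
    if (dn[i] === ",") { parts.push(cur); cur = ""; continue; }
    cur += dn[i];
  }
  parts.push(cur);
  return parts;
}

// consumerSubjectIDToProvider: the page's concatenation, with the value escaped.
function consumerSubjectIDToProvider(param) {
  return "cn=" + escapeDnValue(String(param)) + "," + PEOPLE_BASE;
}

// providerSubjectIDToConsumer: accept only a single cn RDN directly under
// PEOPLE_BASE (compared case-insensitively, as DN attribute types are) and
// return null for anything else.
function providerSubjectIDToConsumer(param) {
  const rdns = splitRdns(String(param));
  const base = splitRdns(PEOPLE_BASE);
  if (rdns.length !== base.length + 1) return null;
  for (let k = 0; k < base.length; k++) {
    if (rdns[k + 1].trim().toLowerCase() !== base[k].toLowerCase()) return null;
  }
  const first = rdns[0].trim();
  if (!first.toLowerCase().startsWith("cn=")) return null;
  return unescapeDnValue(first.slice(3));
}
```

Inside a JSPolicyAction the two functions would be called with PARAM and their return value assigned to RESULT; what the CP does when RESULT is null is not described on this page and has to be checked against the provider's own documentation.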
Digital Subject Type Mapping PDP
consumerDSTypeToProvider

Here's an example of how an IdAS consumer style Digital Subject Type might be mapped to a JNDI provider style Digital Subject Type:

<JSPolicyAction id="consumerDSTypeToProvider" evalType="javascript">
	<SCRIPT LANGUAGE="javascript">  <![CDATA[
		var re = new RegExp("^http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#class_", "i");
		RESULT = String(PARAM.toString()).replace(re, "");
		]]>
	</SCRIPT>
</JSPolicyAction>
providerDSTypeToConsumer

Here's an example of how a JNDI provider style Digital Subject Type would be symmetrically mapped back to an IdAS consumer style Digital Subject Type based on the example above:

<JSPolicyAction id="providerDSTypeToConsumer" evalType="javascript"> 
	<SCRIPT LANGUAGE="javascript">  <![CDATA[
		RESULT = "http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#class_"+String(PARAM.toString());
		]]>
	</SCRIPT>
</JSPolicyAction>
Attribute Type Mapping PDP
consumerTypeToProvider

Here's an example of how an IdAS consumer attribute type might be mapped to a JNDI provider attribute type:

<JSPolicyAction id="consumerTypeToProvider" evalType="javascript"> <![CDATA[
	map = multimap.consumer[String(PARAM.toString())];
	if (!map)
	{
		var re = new RegExp("^http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#attr_", "i");
		map = String(PARAM.toString()).replace(re, "");
	}
	RESULT = map;
	]]>
</JSPolicyAction>
providerTypeToConsumer

Here's an example of how a JNDI provider attribute type would be symmetrically mapped to an IdAS consumer attribute type based on the example above:

<JSPolicyAction id="providerTypeToConsumer" evalType="javascript">  <![CDATA[
	map = multimap.provider[String(PARAM.toString())];
	if (!map)
		map = "http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#attr_" + PARAM.toString();			
	RESULT = map;
	]]>
</JSPolicyAction>
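The attribute type pair above depends on the multimap defined in the global SCRIPT section, whose reverse index is keyed by exact string while LDAP attribute descriptions are case-insensitive (a lookup of "givenName" misses a table entry spelled "givenname"). The following is an added example, not Higgins project code, that builds the same two-way table with lower-cased provider keys, rejects an alias that would point at two different claims, always returns a list from consumerTypeToProvider (the page's version returns an array for table hits and a bare string for the fallback; a consistent list is an assumption here), refuses consumer types that are neither in the table nor in the Higgins LDAP namespace, and adds a round-trip check worth running when the configuration is loaded. The claim URIs, attribute names and ontology prefix are the page's; the table is trimmed to a few rows and the helper names are our own.

```javascript
// Added example (not Higgins project code): bidirectional attribute type
// mapping with case-insensitive provider lookup. Claim URIs, LDAP names and
// the Higgins ontology prefix are from the page; helper names are our own.
const CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/";
const HIGGINS_LDAP_ATTR =
  "http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#attr_";

const CONSUMER_TABLE = {
  [CLAIMS + "givenname"]:    ["givenName", "2.5.4.42"],
  [CLAIMS + "surname"]:      ["sn", "surname", "2.5.4.4"],
  [CLAIMS + "emailaddress"]: ["mail", "email", "rfc822mailbox", "1.2.840.113549.1.9.1"],
  [CLAIMS + "homephone"]:    ["homePhone", "telephoneNumber", "2.5.4.20"],
};

// Build the forward table and the reverse index. Provider-side keys are
// lower-cased because LDAP attribute descriptions are case-insensitive; an
// alias listed under two claims is a configuration error and is rejected
// instead of being silently overwritten by whichever entry comes last.
function buildMultimap(table) {
  const consumer = {};
  const provider = {};
  for (const claim of Object.keys(table)) {
    consumer[claim] = table[claim].slice();
    for (const alias of table[claim]) {
      const key = alias.toLowerCase();
      if (provider[key] !== undefined && provider[key] !== claim) {
        throw new Error("alias '" + alias + "' is listed under both " +
                        provider[key] + " and " + claim);
      }
      provider[key] = claim;
    }
  }
  return { consumer, provider };
}

const multimap = buildMultimap(CONSUMER_TABLE);

// consumerTypeToProvider: a list of candidate provider attribute names for a
// table hit, the bare LDAP name for the Higgins ldap#attr_ namespace, and
// null (not a verbatim pass-through) for anything else.
function consumerTypeToProvider(param) {
  const type = String(param);
  if (multimap.consumer[type]) return multimap.consumer[type].slice();
  if (type.startsWith(HIGGINS_LDAP_ATTR)) return [type.slice(HIGGINS_LDAP_ATTR.length)];
  return null;
}

// providerTypeToConsumer: case-insensitive reverse lookup with the same
// namespace fallback the page uses for unknown provider attributes.
function providerTypeToConsumer(param) {
  const type = String(param);
  const claim = multimap.provider[type.toLowerCase()];
  return claim !== undefined ? claim : HIGGINS_LDAP_ATTR + type;
}

// Configuration-time check: every claim must map back to itself through each
// of its aliases. Returns [claim, alias, whatCameBack] for each failure.
function roundTripProblems() {
  const problems = [];
  for (const claim of Object.keys(multimap.consumer)) {
    for (const alias of consumerTypeToProvider(claim)) {
      const back = providerTypeToConsumer(alias);
      if (back !== claim) problems.push([claim, alias, back]);
    }
  }
  return problems;
}
```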
Attribute Value Mapping PDP

Example to come ...

consumerValueToProvider
providerValueToConsumer

env

This element is used to specify parameters to be passed to the connector during initialization.

   <bci:env prop="java.naming.ldap.attributes.binary" value="objectGUID" />
   <bci:env prop="java.naming.security.authentication" value="simple" />
   <bci:env prop="java.naming.security.principal" value="Administrator@gumbo.oakland.acme.com" />
   <bci:env prop="java.naming.security.credentials" value="test" />

Above are some examples of environment properties that are supported by the Higgins JNDI Context Provider. Note that java.naming.security.credentials holds the bind password in clear text, so the configuration file must be protected accordingly (restrictive file permissions, kept out of version control). With java.naming.security.authentication set to "simple", the password is also sent to the directory unprotected unless the connection itself is protected, for example by an ldaps:// address or the standard JNDI property java.naming.security.protocol=ssl where the provider in use supports it.

connection

This element is used to specify connector specific configuration information. The realms XML Schema file declares this element with type xsd:anyType, so instance documents must select a concrete type defined in that schema through xsi:type (such as "bci:JNDIConnector") for the connection information to be properly handled by a given Higgins Context Provider which uses this format.

<bci:connection xsi:type="bci:SomeConnectorConfigType">
   ...
</bci:connection>

JNDI Connector

The instance type for JNDI connector configuration is bci:JNDIConnector and the allowed elements are documented in the realms XML Schema file.

<bci:connection xsi:type="bci:JNDIConnector">
   <bci:address>ldap://gumbo.oakland.acme.com:389/dc=gumbo,dc=oakland,dc=acme,dc=com</bci:address>
</bci:connection>
address

This element is used to specify the connection address of the desired JNDI backing agent. Multiple addresses are allowed to be configured for failover and fallback. Each address is expected to point to the same view of the desired identity information.

jndiProvider

This element is used to specify the JNDI Provider library to invoke within the Higgins JNDI CP. If not specified, the default JNDI provider used is "com.sun.jndi.ldap.LdapCtxFactory". Since the class named here is loaded by name from the configuration, whoever can edit this file chooses the code the CP runs; the file should be writable only by trusted administrators.

searchBase

This element is used to specify the base DN to be searched from for search operations invoked by the JNDI CP.

Deployment Notes

For deployments where the backing store is an LDAP store and is to support AuthNSelfIssuedMaterials for CardSpace, the LDAP directory schema must be extended with the cardSpacePerson auxiliary class and the cardKeyHash attribute, documented here: http://wiki.eclipse.org/index.php/Object_Identifier_1.3.6.1.4.1.28392.1.1

See Also