|
|
| (10 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| − | == Configuration ==
| + | {{#eclipseproject:technology.higgins|eclipse_custom_style.css}} |
| − | NOTE: The JNDI Context Provider configuration XML file format was designed to be used to configure any number and type of Context Provider. Other Higgins Context Providers contributed by Novell currently use this same format. Work is currently underway which may change or eliminate this method of CP configuration.
| + | The JNDI Context Provider is an implementation of the Higgins IdAS API for JNDI service providers. Currently, the only JNDI service provider supported is LDAP. |
| | | | |
| − | The JNDI Context Provider is configured through an XML file whose format is specified by the following XML schema:
| + | ==Details== |
| | + | * ''Status'': Available from M0.5 |
| | + | * ''Language'': Java |
| | + | * ''Bindings'': Current: Java; Planned: C, C++, WSDL/SOAP |
| | + | * ''Packaging'': JAR |
| | | | |
| − | [https://forgesvn1.novell.com/viewsvn/bandit/trunk/IdentityAbstraction/conf/realms.xsd?content-type=text%2Fplain Configuration XML Schema]
| + | ==Plan== |
| | + | * [[JNDI_CP_ToDo | JNDI CP Roadmap]] |
| | | | |
| − | The JNDI Context Provider allows for the configuration of eight (8) different Policy Decision Points (PDPs) that control mapping of the following items:
| + | ==Service== |
| − | #Subject IDs
| + | * [[JNDI CP Configuration]] |
| − | #Digital Subject Types
| + | |
| − | #Attribute Types
| + | |
| − | #Attribute Values
| + | |
| − | | + | |
| − | The PDPs are defined using JavaScript and examples are shown below and in the JNDI Test example configuration files.
| + | |
| − | | + | |
| − | One example configuration file ([http://dev.eclipse.org/viewcvs/index.cgi/org.eclipse.higgins/plugins/org.eclipse.higgins.idas.cp.jndi.test/context-test.config.xml?root=Technology_Project&view=markup context-test.config.xml]) and one generated configuration file (testRealm.xml) are available in the org.eclipse.higgins.idas.cp.jndi.test project. Instructions on how to access this project is available here: [[JNDI_CP_CVS | JNDI CP Projects]].
| + | |
| − | | + | |
| − | Each Context configuration section is described by a "Realm" definition within the XML file. For purposes of this documentation, the terms "Realm" and "Context" are synonymous.
| + | |
| − | | + | |
| − | ===Realm Configuration Elements===
| + | |
| − | ====realms====
| + | |
| − | This element should encapsulate all realm definitions and other global configuration. This element should also define the namespaces to be used globally throughout the configuration document.
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | <bci:realms
| + | |
| − | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
| + | |
| − | xmlns:bci="http://www.bandit-project.org/commonidentity"
| + | |
| − | xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
| + | |
| − | xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os:access_control-xacml-2.0-policy-schema-os.xsd">
| + | |
| − | ...
| + | |
| − | </bci:realms>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ====SCRIPT====
| + | |
| − | Script tags can be placed within the realms tag (global) or within a specific realm tag (local). This allows any variable or function defined to be referenced or called within the scope in which it was defined.
| + | |
| − | | + | |
| − | Following is an example of an attribute mapping table that could be used to map CardSpace claim types to JNDI provider attribute types:
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | <SCRIPT LANGUAGE="javascript"> <![CDATA[
| + | |
| − | var multimap = {
| + | |
| − | consumer: [],
| + | |
| − | provider: []
| + | |
| − | };
| + | |
| − | | + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"] =
| + | |
| − | ["givenname", "2.5.4.42"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"] =
| + | |
| − | ["sn", "surname", "2.5.4.4"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] =
| + | |
| − | ["mail", "email", "emailaddress", "internetaddress",
| + | |
| − | "1.2.840.113549.1.9.1", "rfc822mailbox", "0.9.2342.19200300.100.1.3"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress"] =
| + | |
| − | ["street", "streetaddress", "2.5.4.9"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality"] =
| + | |
| − | ["localityName", "2.5.4.7"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince"] =
| + | |
| − | ["st", "stateprovincename", "2.5.4.8"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode"] =
| + | |
| − | ["postalcode", "2.5.4.17"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"] =
| + | |
| − | ["countryname", "2.5.4.6"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"] =
| + | |
| − | ["homephone", "telephonenumber", "2.5.4.20"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone"] =
| + | |
| − | ["otherphone"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"] =
| + | |
| − | ["mobilephone"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"] =
| + | |
| − | ["dateofbirth"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"] =
| + | |
| − | ["gender"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"] =
| + | |
| − | ["guid", "privatepersonalidentifier"];
| + | |
| − | multimap.consumer["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groupmembership"] =
| + | |
| − | ["groupmembership"];
| + | |
| − | | + | |
| − | for (elem in multimap.consumer)
| + | |
| − | {
| + | |
| − | for (provider in multimap.consumer[elem])
| + | |
| − | multimap.provider[multimap.consumer[elem][provider]] = elem;
| + | |
| − | }
| + | |
| − | ]]>
| + | |
| − | </SCRIPT>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ====env====
| + | |
| − | The JNDI CP will attempt to support all java.naming.* environment properties as far as they make sense to support for each JNDI provider supported. Any given environment property may be honored by any number of Context Providers which use this configuration format. Consult the Context Provider specific env element documentation for which env elements are supported. The env elements can be specified at both a global and realm (Context) specific level.
| + | |
| − | | + | |
| − | ====realm====
| + | |
| − | This element is used to specify an identity source repository (ie. Context) and encapsulates information about how to connect to that repository together with policy and rules about how to access identity information from it.
| + | |
| − | | + | |
| − | The connectorType attribute is an artifact that used to be used to specify the connector module to invoke for this realm but it is currently temporarily being used only to identify that this configuration section is meant for this JNDI CP. This will eventually go away. The id attribute is also known as the realm or context selector and is used to uniquely identify this context from any other contexts specified in this realms configuration document.
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | <bci:realm
| + | |
| − | desc="Directory Service: My Test Directory"
| + | |
| − | connectorType="org.eclipse.higgins.idas.cp.jndi"
| + | |
| − | id="MyUniqueRealmIdentifier">
| + | |
| − | ...
| + | |
| − | </bci:realm>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ====JavaScript Mapping PDPs====
| + | |
| − | =====Subject ID Mapping PDP=====
| + | |
| − | ======consumerSubjectIDToProvider======
| + | |
| − | Here's an example of how an IdAS consumer style subject ID might be mapped to a JNDI provider style subject ID:
| + | |
| − | <pre>
| + | |
| − | <JSPolicyAction id="consumerSubjectIDToProvider" evalType="javascript"> <![CDATA[
| + | |
| − | RESULT = "cn=" + PARAM + ",ou=people,dc=wag,dc=bandit-project,dc=org"
| + | |
| − | ]]>
| + | |
| − | </JSPolicyAction>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ======providerSubjectIDToConsumer======
| + | |
| − | Here's an example of how a JNDI provider style subject ID would be symmetrically mapped back to an IdAS consumer style subject ID based on the example above:
| + | |
| − | <pre>
| + | |
| − | <JSPolicyAction id="providerSubjectIDToConsumer" evalType="javascript">
| + | |
| − | <SCRIPT LANGUAGE="javascript"> <![CDATA[
| + | |
| − | var re = new RegExp("^cn=(.*),ou=people,dc=wag,dc=bandit-project,dc=org$", "i");
| + | |
| − | RESULT = String(PARAM.toString()).replace(re, "$1");
| + | |
| − | ]]>
| + | |
| − | </SCRIPT>
| + | |
| − | </JSPolicyAction>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | =====Digital Subject Type Mapping PDP=====
| + | |
| − | ======consumerDSTypeToProvider======
| + | |
| − | Here's an example of how an IdAS consumer style Digital Subject Type might be mapped to a JNDI provider style Digital Subject Type:
| + | |
| − | <pre>
| + | |
| − | <JSPolicyAction id="consumerDSTypeToProvider" evalType="javascript">
| + | |
| − | <SCRIPT LANGUAGE="javascript"> <![CDATA[
| + | |
| − | var re = new RegExp("^http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#class_", "i");
| + | |
| − | RESULT = String(PARAM.toString()).replace(re, "");
| + | |
| − | ]]>
| + | |
| − | </SCRIPT>
| + | |
| − | </JSPolicyAction>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ======providerDSTypeToConsumer======
| + | |
| − | Here's an example of how a JNDI provider style Digital Subject Type would be symmetrically mapped back to an IdAS consumer style Digital Subject Type based on the example above:
| + | |
| − | <pre>
| + | |
| − | <JSPolicyAction id="providerDSTypeToConsumer" evalType="javascript">
| + | |
| − | <SCRIPT LANGUAGE="javascript"> <![CDATA[
| + | |
| − | RESULT = "http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#class_"+String(PARAM.toString());
| + | |
| − | ]]>
| + | |
| − | </SCRIPT>
| + | |
| − | </JSPolicyAction>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | =====Attribute Type Mapping PDP=====
| + | |
| − | ======consumerTypeToProvider======
| + | |
| − | Here's an example of how an IdAS consumer attribute type might be mapped to a JNDI provider attribute type:
| + | |
| − | <pre>
| + | |
| − | <JSPolicyAction id="consumerTypeToProvider" evalType="javascript"> <![CDATA[
| + | |
| − | map = multimap.consumer[String(PARAM.toString())];
| + | |
| − | if (!map)
| + | |
| − | {
| + | |
| − | var re = new RegExp("^http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#attr_", "i");
| + | |
| − | map = String(PARAM.toString()).replace(re, "");
| + | |
| − | }
| + | |
| − | RESULT = map;
| + | |
| − | ]]>
| + | |
| − | </JSPolicyAction>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ======providerTypeToConsumer======
| + | |
| − | Here's an example of how a JNDI provider attribute type would be symmetrically mapped to an IdAS consumer attribute type based on the example above:
| + | |
| − | <pre>
| + | |
| − | <JSPolicyAction id="providerTypeToConsumer" evalType="javascript"> <![CDATA[
| + | |
| − | map = multimap.provider[String(PARAM.toString())];
| + | |
| − | if (!map)
| + | |
| − | map = "http://www.eclipse.org/higgins/ontologies/2006/higgins/ldap#attr_" + PARAM.toString();
| + | |
| − | RESULT = map;
| + | |
| − | ]]>
| + | |
| − | </JSPolicyAction>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | =====Attribute Value Mapping PDP=====
| + | |
| − | Example to come ...
| + | |
| − | | + | |
| − | ======consumerValueToProvider======
| + | |
| − | ======providerValueToConsumer======
| + | |
| − | | + | |
| − | ====env====
| + | |
| − | This elment is used to specify parameters to be passed to the connector during initialization.
| + | |
| − | <pre>
| + | |
| − | <bci:env prop="java.naming.ldap.attributes.binary" value="objectGUID" />
| + | |
| − | <bci:env prop="java.naming.security.authentication" value="simple" />
| + | |
| − | <bci:env prop="java.naming.security.principal" value="Administrator@gumbo.oakland.acme.com" />
| + | |
| − | <bci:env prop="java.naming.security.credentials" value="test" />
| + | |
| − | </pre>
| + | |
| − | Above are some examples of environment properties that are supported by the Higgins JNDI Context Provider.
| + | |
| − | | + | |
| − | ====connection====
| + | |
| − | This element is used to specify connector specific configuration information. The realms XML Schema file designates this element as an xsd:anyType attribute. The instance documents should specify a type defined in the realms XML Schema mentioned above (such as "bci:JNDIConnector") for the connection information to be properly handled by a given Higgins Context Provider which uses this format.
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | <bci:connection xsi:type="bci:SomeConnectorConfigType">
| + | |
| − | ...
| + | |
| − | </bci:connection>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ====JNDI Connector====
| + | |
| − | The instance type for JNDI connector configuration is bci:JNDIConnector and the allowed elements are documented in the realms XML Schema file.
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | <bci:connection xsi:type="bci:JNDIConnector">
| + | |
| − | <bci:address>ldap://gumbo.oakland.acme.com:389/dc=gumbo,dc=oakland,dc=acme,dc=com</bci:address>
| + | |
| − | </bci:connection>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ======address======
| + | |
| − | This element is used to specify the connection address of the desired JNDI backing agent. Multiple addresses are allowed to be configured for failover and fallback. Each address is expected to point to the same view of the desired identity information.
| + | |
| − | | + | |
| − | ======jndiProvider======
| + | |
| − | This element is used to specify the JNDI Provider library to invoke within the Higgins JNDI CP. If not specified, the default JNDI provider used is "com.sun.jndi.ldap.LdapCtxFactory".
| + | |
| − | | + | |
| − | ======searchBase======
| + | |
| − | This element is used to specify the base DN to be searched from for search operations invoked by the JNDI CP.
| + | |
| − | | + | |
| − | == Deployment Notes ==
| + | |
| − | For deployments where the backing store is an LDAP store and is to support AuthNSelfIssuedMaterials for CardSpace, the LDAP directory schema must be modified with the following schema, cardSpacePerson auxiliary class, and cardKeyHash attribute, documented here:
| + | |
| − | http://wiki.eclipse.org/index.php/Object_Identifier_1.3.6.1.4.1.28392.1.1
| + | |
| | | | |
| | == See Also == | | == See Also == |
| | * [http://www.eclipse.org/higgins Higgins Home] | | * [http://www.eclipse.org/higgins Higgins Home] |
| | * [[Components]] | | * [[Components]] |
| | + | [[Category:Higgins Components]] |
{{#eclipseproject:technology.higgins|eclipse_custom_style.css}}
The JNDI Context Provider is an implementation of the Higgins IdAS API for JNDI service providers. Currently, the only JNDI service provider supported is LDAP.
