LdapLoginModule
Authenticate Users with Jetty JAAS LdapLoginModule
Configure kPow to read authentication and role information from LDAP.
In Depth: For specifics on JAAS / LDAP configuration see the Jetty LdapLoginModule docs.

Form or Basic Authentication?

kPow supports both form-based and basic authentication.
Form authentication is the default. To use basic authentication, set the environment variable:
JETTY_AUTH_METHOD=basic

Configuration

To enable LdapLoginModule authentication you must:
    Create a JAAS configuration file
    Set the AUTH_PROVIDER_TYPE=jetty environment variable.
    Start the JAR or Docker container with -Djava.security.auth.login.config=/path/to/jaas.conf

JAAS Configuration

Create a JAAS LDAP configuration file (the realm must be named kpow; this is very important).
// Your configuration will vary depending on your LDAP setup

kpow {
    org.eclipse.jetty.jaas.spi.LdapLoginModule required
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="your.ldap.host"
    port="389"
    bindDn="CN=Admin_User,OU=Service-Accounts,DC=your-corp,DC=com"
    bindPassword="********"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Service-Accounts,DC=your-corp,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userPassword"
    userObjectClass="user"
    roleBaseDn="OU=Global-Groups,DC=your-corp,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group";
};
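Because a JAAS file that parses but names the wrong realm, or omits an LDAP option, only fails once kPow is running, a preflight check of the file before startup is useful. The script below is an added example, not part of kPow or Jetty; it validates the realm name, the module class, the base DNs the user and role lookups need, the closing ';' / '};' syntax, and warns when useLdaps="false" would send bind and user passwords in clear. The sample configuration it writes is a constructed, trimmed copy of the file above.

```shell
#!/usr/bin/env bash
# Added example, not part of kPow or Jetty: preflight-check a JAAS login
# config before handing it to kPow via -Djava.security.auth.login.config.

# Write a constructed sample config (trimmed from the page's example) so
# the script runs stand-alone: write_sample_conf /tmp/jaas.conf
write_sample_conf() {
  cat > "$1" <<'EOF'
kpow {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required
  useLdaps="false"
  hostname="your.ldap.host"
  port="389"
  bindDn="CN=Admin_User,OU=Service-Accounts,DC=your-corp,DC=com"
  bindPassword="********"
  userBaseDn="OU=Service-Accounts,DC=your-corp,DC=com"
  roleBaseDn="OU=Global-Groups,DC=your-corp,DC=com";
};
EOF
}

# check_jaas_conf FILE: prints findings; exit status = number of hard errors
check_jaas_conf() {
  local f=$1 errors=0 key
  [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 1; }
  # kPow looks up the realm by name, so the block must be called kpow
  grep -Eq '^[[:space:]]*kpow[[:space:]]*\{' "$f" ||
    { echo "ERROR: realm block must be named kpow"; errors=$((errors + 1)); }
  grep -q 'org.eclipse.jetty.jaas.spi.LdapLoginModule' "$f" ||
    { echo "ERROR: LdapLoginModule is not referenced"; errors=$((errors + 1)); }
  # Without these the module cannot find users or resolve their roles
  for key in hostname userBaseDn roleBaseDn; do
    grep -Eq "^[[:space:]]*$key=\"[^\"]+\"" "$f" ||
      { echo "ERROR: missing $key=\"...\""; errors=$((errors + 1)); }
  done
  # JAAS syntax: the last option line ends with ';' and the block with '};'
  grep -Eq '"[[:space:]]*;[[:space:]]*$' "$f" && grep -Eq '^[[:space:]]*};' "$f" ||
    { echo "ERROR: last option must end with ';' and the block with '};'"; errors=$((errors + 1)); }
  # A warning, not an error: plain LDAP exposes the bind password and
  # every user's password on the wire
  grep -Eq '^[[:space:]]*useLdaps="false"' "$f" &&
    echo "WARN: useLdaps=\"false\": bind and user passwords travel unencrypted"
  return "$errors"
}
```

Run it as `check_jaas_conf /opt/kpow/jaas.conf` before the java command; a non-zero exit status means the file will not work as a kpow realm.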

JAAS Debugging

There are three steps to debugging JAAS LDAP connections. First, add debug="true" to your config:
kpow {
    org.eclipse.jetty.jaas.spi.LdapLoginModule required
    debug="true"
    ...
    ...
Then turn on Jetty JAAS debug-level logging; see Application Logs for an example configuration.
Finally, to (optionally) debug LDAP connection errors, enable Jetty IGNORED-level logs by starting kPow with the following Java system property:
-Dorg.eclipse.jetty.util.log.IGNORED=true
Once configured you will find debug log lines in your application logs that provide insight into how the LdapLoginModule is operating.

Environment Configuration

To activate Jetty JAAS authentication, set the environment variable AUTH_PROVIDER_TYPE=jetty.

JAR Startup

Specify the JAAS config file by setting the following system property when starting the JAR:
-Djava.security.auth.login.config=/path/to/jaas.conf
Note: System properties must come after java but before -jar.
AUTH_PROVIDER_TYPE=jetty \
<... more env vars ...> \
java -Djava.security.auth.login.config=/opt/kpow/jaas.conf -jar /opt/kpow/latest.jar

Docker Container Startup

Note: The JVM reads an environment variable called JAVA_TOOL_OPTIONS that can be used in place of command-line system properties. We use it to pass the JAAS config through to Docker.
Set the env var JAVA_TOOL_OPTIONS=-Djava.security.auth.login.config=/path/to/jaas.conf
Note: When your JAAS config is on the host machine and not within the container, you will need to configure a Docker volume mount so that kPow can read that configuration:
docker run --volume="/config/path:/config/path/" -p 3000:3000 --env-file ...
When starting the Docker container you will see logging output similar to:
Picked up JAVA_TOOL_OPTIONS: -Djava.security.auth.login.config=/path/to/jaas.conf

User Experience

When configured your users will be prompted to authenticate on each new browser session.