Available realms - 6.5

Talend ESB Container Administration Guide


Karaf comes with several login modules that can be used to integrate into your environment.

PropertiesLoginModule

This login module is the one configured by default. It loads the users, passwords and roles from a text file in the properties file format. Each line defines one user, its password and its associated roles: user=password[,role][,role]...

<jaas:config name="karaf">
   <jaas:module
      className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
      flags="required">
      users = $[karaf.base]/etc/users.properties
   </jaas:module>
</jaas:config>
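As an added illustration (not Karaf's or Talend's own code), the following parses the user=password[,role][,role]... format of users.properties and resolves a login to its roles; the file content is a constructed sample and only the "=" separator form shown on this page is handled.

```python
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample of an etc/users.properties file (not from a real deployment).
SAMPLE_USERS_PROPERTIES = """\
# comment lines and blank lines are ignored
karaf=karaf,admin,manager,viewer
tadmin = tadmin, admin
guest=guest
"""

def parse_users_properties(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Parse user=password[,role][,role]... lines into {user: (password, roles)}."""
    users: Dict[str, Tuple[str, List[str]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # properties-file comments
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected user=password[,role]...")
        user, _, rest = line.partition("=")
        user = user.strip()
        fields = [f.strip() for f in rest.split(",")]
        password, roles = fields[0], [r for r in fields[1:] if r]
        if not user or not password:
            raise ValueError(f"line {lineno}: empty user or password")
        if user in users:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        users[user] = (password, roles)
    return users

def login(users: Dict[str, Tuple[str, List[str]]],
          username: str, password: str) -> Optional[List[str]]:
    """Return the user's roles on a correct password, None otherwise."""
    entry = users.get(username)
    if entry is None:
        return None
    stored, roles = entry
    # Constant-time comparison so a wrong password does not leak how much matched.
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return list(roles)
```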

OsgiConfigLoginModule

The OsgiConfigLoginModule uses the OSGi ConfigurationAdmin service to provide the users, passwords and roles. In place of the users parameter of the PropertiesLoginModule, it takes a pid parameter, the process ID of the configuration containing the user definitions.

JDBCLoginModule

The JDBCLoginModule uses a database to load the users, passwords and roles from, provided a data source (normal or XA). The data source and the queries for password and role retrieval are configurable, with the use of the following parameters.

Name             Description
datasource       The data source, given as an OSGi LDAP filter or as a JNDI name
query.password   The SQL query that retrieves the password of the user
query.role       The SQL query that retrieves the roles of the user

Passing a data source as an OSGi LDAP filter

To use an OSGi LDAP filter, the value must carry the prefix osgi:. See the example below:

<jaas:config name="karaf">
   <jaas:module
      className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
      flags="required">
      datasource = osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
      query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
      query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
   </jaas:module>
</jaas:config>

Passing a data source as a JNDI name

To use a JNDI name, the value must carry the prefix jndi:. The example below assumes that Aries JNDI is used to expose OSGi services via JNDI.

<jaas:config name="karaf">
   <jaas:module
      className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
      flags="required">
      datasource = jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
      query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
      query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
   </jaas:module>
</jaas:config>
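The two JDBCLoginModule configurations above only differ in how the data source is located; the queries are the same. As an added example (not Karaf's or Talend's code), the following builds an in-memory SQLite schema that satisfies those query.password and query.role statements and runs them with the username bound to the ? placeholder, which is what keeps a login name from altering the SQL; the table contents are constructed sample data.

```python
import hmac
import sqlite3
from typing import List, Optional

# The exact queries from the JDBCLoginModule configuration above.
QUERY_PASSWORD = "SELECT PASSWORD FROM USERS WHERE USERNAME=?"
QUERY_ROLE = "SELECT ROLE FROM ROLES WHERE USERNAME=?"

def build_sample_db() -> sqlite3.Connection:
    """Constructed schema and rows that fit the queries; a real deployment uses its own DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USERS (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT NOT NULL);
        CREATE TABLE ROLES (USERNAME TEXT NOT NULL REFERENCES USERS(USERNAME),
                            ROLE TEXT NOT NULL, PRIMARY KEY (USERNAME, ROLE));
        INSERT INTO USERS VALUES ('karaf', 'karaf'), ('ops', 'p4ss');
        INSERT INTO ROLES VALUES ('karaf', 'admin'), ('karaf', 'manager'),
                                 ('ops', 'viewer');
    """)
    return conn

def lookup_password(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """query.password must yield exactly one row; anything else is a failed login."""
    rows = conn.execute(QUERY_PASSWORD, (username,)).fetchall()
    return rows[0][0] if len(rows) == 1 else None

def lookup_roles(conn: sqlite3.Connection, username: str) -> List[str]:
    """query.role may yield any number of rows, one role per row."""
    return sorted(row[0] for row in conn.execute(QUERY_ROLE, (username,)))

def authenticate(conn: sqlite3.Connection, username: str,
                 password: str) -> Optional[List[str]]:
    """Return the role list on success, None on unknown user or wrong password."""
    stored = lookup_password(conn, username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return lookup_roles(conn, username)
```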

LDAPLoginModule

The LDAPLoginModule uses an LDAP directory to load the users and roles, and binds as the user against the LDAP server to check the password. The LDAPLoginModule supports the following parameters:

Name                     Description
connection.url           The LDAP connection URL, e.g. ldap://hostname
connection.username      Admin username used to connect to the LDAP server. Optional; if it is not provided, the LDAP connection is anonymous.
connection.password      Admin password used to connect to the LDAP server. Only used if connection.username is specified.
user.base.dn             The LDAP base DN used to look up users, e.g. ou=user,dc=apache,dc=org
user.filter              The LDAP filter used to look up a user, e.g. (uid=%u), where %u is replaced by the username.
user.search.subtree      If "true", the user lookup is recursive (SUBTREE). If "false", it is performed only at the first level (ONELEVEL).
role.base.dn             The LDAP base DN used to look up roles, e.g. ou=role,dc=apache,dc=org
role.filter              The LDAP filter used to look up the user's roles, e.g. (member:=uid=%u)
role.name.attribute      The LDAP role attribute containing the role string used by Karaf, e.g. cn
role.search.subtree      If "true", the role lookup is recursive (SUBTREE). If "false", it is performed only at the first level (ONELEVEL).
authentication           The authentication method used against the LDAP server. The default is simple.
initial.context.factory  The initial context factory used to connect to the LDAP server. The default is com.sun.jndi.ldap.LdapCtxFactory
ssl                      If "true", or if the protocol in connection.url is ldaps, an SSL connection is used
ssl.provider             The provider name to use for SSL
ssl.protocol             The protocol name to use for SSL (SSL for example)
ssl.algorithm            The algorithm to use for the KeyManagerFactory and TrustManagerFactory (PKIX for example)
ssl.keystore             The key store name to use for SSL. The key store must be deployed using a jaas:keystore configuration.
ssl.keyalias             The key alias to use for SSL
ssl.truststore           The trust store name to use for SSL. The trust store must be deployed using a jaas:keystore configuration.

An example of LDAPLoginModule usage follows:

<jaas:config name="karaf">
   <jaas:module 
      className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" 
      flags="required">
      connection.url = ldap://localhost:389
      user.base.dn = ou=user,dc=apache,dc=org
      user.filter = (cn=%u)
      user.search.subtree = true
      role.base.dn = ou=group,dc=apache,dc=org
      role.filter = (member:=uid=%u)
      role.name.attribute = cn
      role.search.subtree = true
      authentication = simple
   </jaas:module>
</jaas:config>
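As an added illustration (not Karaf's or Talend's code), the following shows how the %u placeholder in user.filter and role.filter resolves for a given username, and how user.search.subtree / role.search.subtree select the search scope, using the parameter values from the example above. The username is escaped per RFC 4515 before substitution so that filter metacharacters in a login name cannot change the filter's structure; whether Karaf itself applies such escaping is not stated on this page, so treat the code as the safe form to check for, not as a description of the module.

```python
from typing import Dict

# Parameter values taken from the LDAPLoginModule example above, as a dict.
EXAMPLE_PARAMS: Dict[str, str] = {
    "user.base.dn": "ou=user,dc=apache,dc=org",
    "user.filter": "(cn=%u)",
    "user.search.subtree": "true",
    "role.base.dn": "ou=group,dc=apache,dc=org",
    "role.filter": "(member:=uid=%u)",
    "role.search.subtree": "true",
}

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_RFC4515_ESCAPES: Dict[str, str] = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, username: str) -> str:
    """Replace %u in a Karaf-style filter template with the escaped username."""
    return template.replace("%u", escape_filter_value(username))

def search_plan(params: Dict[str, str], username: str) -> Dict[str, Dict[str, str]]:
    """Derive the user and role searches the module's parameters describe."""
    def scope(key: str) -> str:
        # "true" means a recursive SUBTREE search, anything else ONELEVEL (page wording).
        return "SUBTREE" if params.get(key, "false") == "true" else "ONELEVEL"
    return {
        "user": {"base": params["user.base.dn"],
                 "scope": scope("user.search.subtree"),
                 "filter": render_filter(params["user.filter"], username)},
        "role": {"base": params["role.base.dn"],
                 "scope": scope("role.search.subtree"),
                 "filter": render_filter(params["role.filter"], username)},
    }
```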

If you want to use an SSL connection, the following configuration can be used as an example:

<ext:property-placeholder />

<jaas:config name="karaf" rank="1">
   <jaas:module
      className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
      flags="required">
      connection.url = ldaps://localhost:10636
      user.base.dn = ou=users,ou=system
      user.filter = (uid=%u)
      user.search.subtree = true
      role.base.dn = ou=groups,ou=system
      role.filter = (uniqueMember=uid=%u)
      role.name.attribute = cn
      role.search.subtree = true
      authentication = simple
      ssl.protocol = SSL
      ssl.truststore = ks
      ssl.algorithm = PKIX
   </jaas:module>
</jaas:config>

<jaas:keystore name="ks"
   path="file:///${karaf.home}/etc/trusted.ks"
   keystorePassword="secret" />