2.4.2.2. Defining DN Search
After the module has created the LDAP initial context, it takes the provided username and searches for the user DN. To define the properties of the search, provide the following properties:
- baseCtxDN: defines the fixed DN of the context to search for the user. Note that this is not the DN of the user entries themselves but the DN of the context under which the entries containing the users are located (for Active Directory, this is the DN that holds the user accounts).
- baseFilter: defines the search filter used to locate the context of the user to authenticate. The input username/userDN as obtained from the login module callback substitutes the {0} expression. This substitution behavior comes from the standard DirContext.search(Name, String, Object[], SearchControls) method. A common example search filter is (uid={0}).
- searchTimeLimit: defines the timeout for the user and role search in milliseconds (defaults to 10000, that is 10 seconds).
Note
To disable the user DN search, omit the baseCtxDN property; the provided username will then be used directly as the DN in the login module.
2.4.2.2.1. User Authentication
If the AdvancedLdapLoginModule is not the first login module and a previous login module has already authenticated the user, user authentication is skipped.
For user authentication, you can define the following property:
- allowEmptyPassword: whether empty (length==0) passwords are passed to the LDAP server. An empty password is treated as an anonymous login by LDAP servers, so passing it through would let the bind succeed without proving the user's identity. Set the property to false to reject empty passwords or to true to allow the LDAP server to validate an empty password (the default is false).
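The following is an added illustration, not code from the login module or this documentation, of the DN search and the empty-password check described above using plain JNDI. The provider URL, the baseCtxDN value, the class name and the method names are assumptions chosen for the example.

```java
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class LdapDnSearchExample {
    // Assumed placeholder settings; they mirror the properties described above
    static final String PROVIDER_URL = "ldap://ldap.example.test:389";        // assumed
    static final String BASE_CTX_DN = "ou=People,dc=example,dc=test";         // baseCtxDN (assumed)
    static final String BASE_FILTER = "(uid={0})";                             // baseFilter
    static final int SEARCH_TIME_LIMIT_MS = 10000;                             // searchTimeLimit
    static final boolean ALLOW_EMPTY_PASSWORD = false;                         // allowEmptyPassword

    // Resolve the login name to a user DN under baseCtxDN. Returns null when no entry matches.
    static String findUserDn(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setTimeLimit(SEARCH_TIME_LIMIT_MS);        // bound the search as searchTimeLimit does
        sc.setReturningAttributes(new String[0]);    // only the DN is needed
        // {0} is filled from filterArgs by the JNDI provider, so the username is not
        // spliced into the filter string by hand; the provider encodes the argument.
        NamingEnumeration<SearchResult> results =
                ctx.search(BASE_CTX_DN, BASE_FILTER, new Object[]{username}, sc);
        try {
            if (!results.hasMore()) return null;
            SearchResult first = results.next();
            if (results.hasMore())
                throw new NamingException("filter matched more than one entry for " + username);
            return first.getNameInNamespace();
        } finally {
            results.close();
        }
    }

    // Bind as the resolved DN. An empty password is refused locally when allowEmptyPassword
    // is false, because an LDAP server would treat it as an anonymous bind and report success.
    static boolean authenticate(String userDn, char[] password) throws NamingException {
        if (userDn == null) return false;
        if ((password == null || password.length == 0) && !ALLOW_EMPTY_PASSWORD) return false;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password == null ? "" : new String(password));
        try {
            new InitialDirContext(env).close();   // a successful bind validates the credentials
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```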