User's Manual

122 Chapter 10. Kernel Tutorial
10.4. Extending the Authentication System
The main strength of PAM is that the system may be extended with new authentication technologies.
This is done by implementing new LoginModules. For example, an LDAP server can be used to
authenticate a user by username and password. To integrate this behavior into WAF, a new login
module (for example, LDAPLoginModule) must be defined.
LDAPLoginModule would replace LocalLoginModule in the login configuration. It needs its own
configuration information to determine how to connect to the LDAP server. This information can be
hard-coded into the module, read from a file, provided by an Initializer, or passed as an option in
the login configuration.
If the LDAP username does not match the WAF username, another login module must be defined to
map the LDAP username to a WAF user ID. This module (for example, LDAPUserLoginModule) would
replace UserIDLoginModule and must implement MappingLoginModule.getUserID(username)
appropriately.
Changing the authentication recipe involves editing the sequence of login modules in the login
configuration. For example, you can create a variety of authentication sequences in the login
configuration by combining various login modules:
• Replace certain modules.
• Change the order of modules.
• Change the control flag on the modules.
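As an added illustration of the module described above (this is not WAF's own code, and the class name, the application name "WAF" and the option names "url" and "userDnPattern" are assumptions), here is a minimal JAAS LoginModule that authenticates by binding to an LDAP server with the supplied password, reading its connection details from options in the login configuration; the comment at the top shows the configuration entry, including its control flag, that would plug it in where LocalLoginModule used to be.

```java
import java.io.IOException;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Assumed login-configuration entry (application name and option names are assumptions):
//   WAF { com.example.LdapBindLoginModule required url="ldap://ldap.example.com:389"
//         userDnPattern="uid={0},ou=people,dc=example,dc=com"; };
public class LdapBindLoginModule implements LoginModule {
    private CallbackHandler handler;
    private String url, dnPattern;   // taken from the login-configuration options
    private boolean succeeded;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        url = (String) options.get("url");
        dnPattern = (String) options.get("userDnPattern");
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
        String user = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // Reject empty passwords: LDAP treats a bind with no password as anonymous, and it succeeds.
        if (user == null || pw == null || pw.length == 0) throw new FailedLoginException("missing credentials");
        // Allow only plain usernames so the value cannot alter the DN built from the pattern.
        if (!user.matches("[A-Za-z0-9._-]+")) throw new FailedLoginException("malformed username");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dnPattern.replace("{0}", user));
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        try { new InitialDirContext(env).close(); }    // a successful bind proves the password
        catch (NamingException e) { throw new FailedLoginException("LDAP bind failed"); }
        return succeeded = true;
    }
    public boolean commit() { return succeeded; }  // a WAF mapping module would resolve the user ID next
    public boolean abort()  { boolean r = succeeded; succeeded = false; return r; }
    public boolean logout() { succeeded = false; return true; }
}
```

Mapping the LDAP username to a WAF user ID is left to a separate mapping module, as the text describes, so this module only establishes that the password is correct.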
Caution
Not all of the combinations will make sense in terms of authentication practices, and some may even be
a security risk. As part of your exploration of authentication, you can read up on the specifics at
http://java.sun.com/security/jaas/apidoc/javax/security/auth/login/Configuration.html.