LDAP login and attribution modules can share a common configuration. LDAPAttributer
reuses the configuration properties of the configured LDAP login modules only if no
configuration properties are explicitly configured for LDAPAttributer. When stacking
an LDAPLoginModule with LDAPAuthorizer, be aware that, unlike LDAPAttributer,
LDAPAuthorizer does not inherit configuration properties from the login modules you
configure: its configuration must be explicit. Where both LDAPLoginModule and
LDAPAuthorizer are separately configured, the outcome depends on whether their
properties match:
- Matching configuration – LDAPAuthorizer skips role retrieval, because the login
module has already retrieved the same roles from the same backend.
- Differing configuration – LDAPAuthorizer retrieves roles from its own configured
backend and performs the authorization checks using the complete list of roles, that
is, the union of the roles retrieved by the login module and by LDAPAuthorizer itself.
Only one attributer instance needs to be configured even when multiple login module
instances are present in the security configuration. The LDAPAttributer attributes an
authenticated subject using the LDAP configuration that was used to authenticate that
subject. The list of available roles, however, is computed by the LDAPAttributer by
iterating through all available LDAP configurations, so it covers every configured
directory, not only the one that authenticated the subject.
Regarding LDAPAttributer stacking and configuration:
- LDAPAttributer offers the most functionality when combined with the LDAP
authentication provider, but it can also be configured completely standalone or with
alternate authentication providers.
- If you do not configure an LDAPLoginModule, you must configure all properties
explicitly in the attributer, because there is no login module to inherit them from.
- If any explicit configuration properties are specified for the attributer, the
properties from the login module are not used for any attributer functionality,
including retrieving attributes for authenticated subjects and listing roles.
Inheritance is all-or-nothing: a partially configured attributer does not fall back
to the login module for the properties it omits. Sybase recommends that you share
configuration rather than maintain separate ones.
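The precedence and role-merging rules above are easy to get wrong when a security configuration is edited by hand. The following model is an added example, not Sybase code: it represents each provider as a dictionary of properties and shows which properties the attributer actually ends up with (all-or-nothing inheritance), how the list of available roles spans all LDAP configurations, and how a separately configured LDAPAuthorizer behaves for matching versus differing configurations. The property names, directory URLs, and role lists are constructed for illustration and are not taken from the product documentation.

```python
"""Model of the LDAPAttributer / LDAPAuthorizer configuration-sharing rules.

Added illustration, not Sybase code. Providers are plain dicts of properties;
the directory lookups are stand-ins for the real LDAP searches.
"""

from typing import Callable, Dict, List, Optional

Props = Dict[str, str]
RoleLookup = Callable[[Props], List[str]]

# Property names a working provider needs in this model. These are assumed
# names chosen to resemble LDAP provider settings, not a product-accurate list.
REQUIRED_PROPS = ("ProviderURL", "RoleSearchBase", "RoleFilter")


def effective_attributer_config(attributer_props: Props,
                                authenticating_login_module: Optional[Props]) -> Props:
    """Properties LDAPAttributer uses for a subject authenticated by one login module.

    Inheritance is all-or-nothing: if ANY attributer property is explicit, nothing
    is borrowed from the login module. With no explicit properties, the attributer
    uses the configuration of the login module that authenticated the subject.
    """
    if attributer_props:
        return dict(attributer_props)
    if authenticating_login_module is None:
        return {}  # standalone attributer with nothing configured
    return dict(authenticating_login_module)


def missing_properties(cfg: Props) -> List[str]:
    """Required properties absent from an effective configuration (a misconfiguration check)."""
    return [p for p in REQUIRED_PROPS if p not in cfg]


def available_roles(login_modules: List[Props], list_roles: RoleLookup) -> List[str]:
    """Available roles are gathered across ALL LDAP configurations, deduplicated in order."""
    seen: List[str] = []
    for cfg in login_modules:
        for role in list_roles(cfg):
            if role not in seen:
                seen.append(role)
    return seen


def authorizer_roles(login_module: Props, login_roles: List[str],
                     authorizer: Props, fetch_roles: RoleLookup) -> List[str]:
    """Separately configured LDAPAuthorizer: matching config skips retrieval,
    differing config retrieves from its own backend and unions both role lists."""
    if authorizer == login_module:
        return list(login_roles)
    extra = fetch_roles(authorizer)
    return list(login_roles) + [r for r in extra if r not in login_roles]


# Constructed sample data: two login modules pointing at different directories.
CORP: Props = {"ProviderURL": "ldap://corp.example.com:389",
               "RoleSearchBase": "ou=groups,dc=corp,dc=example,dc=com",
               "RoleFilter": "(objectClass=groupOfNames)"}
PARTNER: Props = {"ProviderURL": "ldap://partner.example.com:389",
                  "RoleSearchBase": "ou=groups,dc=partner,dc=example,dc=com",
                  "RoleFilter": "(objectClass=groupOfNames)"}
DIRECTORY_ROLES = {CORP["ProviderURL"]: ["employee", "admin"],
                   PARTNER["ProviderURL"]: ["partner", "employee"]}


def lookup_roles(cfg: Props) -> List[str]:
    """Stand-in for the directory search keyed by the provider URL."""
    return DIRECTORY_ROLES.get(cfg.get("ProviderURL", ""), [])


def demo() -> None:
    shared = effective_attributer_config({}, CORP)
    partial = effective_attributer_config({"RoleFilter": "(cn=*)"}, CORP)
    print("shared config missing:", missing_properties(shared))    # []
    print("partial config missing:", missing_properties(partial))  # inheritance switched off
    print("available roles:", available_roles([CORP, PARTNER], lookup_roles))
    print("authorizer, matching:", authorizer_roles(CORP, ["employee", "admin"], CORP, lookup_roles))
    print("authorizer, differing:", authorizer_roles(CORP, ["employee", "admin"], PARTNER, lookup_roles))


if __name__ == "__main__":
    demo()
```

The `partial` case is the one to check in a real deployment: setting a single property on the attributer silently drops every property it would otherwise have inherited, so `missing_properties` reports the gap that would otherwise surface only as failed attribute or role lookups at runtime.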