LDAP login and attribution modules can sometimes share a common configuration. LDAPAttributer can share the configuration properties from the configured LDAP login modules only if no configuration properties are explicitly configured for LDAPAttributer.
When stacking these modules, be aware that authorizers do not inherit configuration properties from the login modules you configure. Configurations must be explicit. When both LDAPLoginModule and LDAPAuthorizer are separately configured with a:
- Matching configuration, LDAPAuthorizer simply skips the role retrieval.
- Differing configuration, LDAPAuthorizer proceeds with the role retrieval from the configured back-end and performs the authorization checks using the complete list of roles (from both the login module and itself).
Only one attributer instance needs to be configured even when multiple login module instances are present in the security configuration. The LDAPAttributer attributes an authenticated subject using the LDAP configuration that was used to authenticate the subject. However, the LDAPAttributer computes the list of available roles by iterating through all available LDAP configurations.
When using LDAPAttributer stacking and configuration, keep in mind:
- LDAPAttributer has maximum functionality when combined with the LDAP authentication provider, but it can also be configured completely standalone or with alternate authentication providers.
- If you do not configure an LDAPLoginModule, you must configure all properties in the attributer.
- If explicit configuration properties are specified for the attributer, then the properties from the login module are not used for any attributer functionality, including retrieving attributes for authenticated subjects, listing roles, and more. SAP recommends that you share configurations rather than trying to maintain separate configurations.