Geronimo uses the Apache Directory Server (ApacheDS), part of the Apache Directory Project, for its directory service. Geronimo bundles the following two modules from the ApacheDS project.
- ApacheDS Core:
The server's core contains all backend subsystems. It depends on the protocol module and uses it, together with SEDA, to service LDAP requests. The core contains the JNDI provider, the interceptor framework, the interceptor services, the schema subsystem and the database subsystem. Hence the core is the heart of the server.
- ApacheDS Shared:
Created to eliminate cyclic project dependencies between the core and the Maven plug-in. Any code shared across modules can go here, so long as it does not depend on other modules.
More information about these two projects can be found at the ApacheDS project URL:
http://directory.apache.org/subprojects/apacheds/projects/index.html
At this point, Geronimo does not provide LDAP client commands for configuring the server; this feature is planned for the next release of Geronimo. Currently you can use any LDAP client, such as ldapbrowser/editor, JXplorer or gq, for browsing and editing the configuration of the Directory Server in Geronimo.
In this release of Geronimo, that is v1.1 and v1.1.x, Apache Directory is provided as a security plugin that you install in a separate step. This is very simple to accomplish and the steps are described in the following section.
Installing Apache Directory in Geronimo
Installing a Geronimo plugin is a relatively simple procedure. In this case, the Apache Directory server is provided as a plugin with all its dependencies included.
- Start Geronimo and log into the Administration Console
- Click on Create/Install under the Plugins folder
- If there are no repositories in the list, click the Update Repository List link
- Click on Search for Plugins
- From the list select Apache Directory 0.92 for Geronimo
- Click on the Continue button
- Click on Install Plugin. All the needed components will be downloaded and, if successful, you will see a message indicating that the plugin was installed.
- Click the Start button to start Apache Directory
LDAP sample application
For your convenience we have provided the sample application and deployment plans packaged into a zip file.
Download the sample application from the following URL:
After extracting the zip file a ldap-sample-app directory is created; from now on this directory will be referred to as <ldap_home>.
At this point it is assumed that you have installed an LDAP client and are able to export/import an .ldif file to and from a directory server.
Add LDAP entries
Ensure that Geronimo is up and running and the Directory service is started. Start your LDAP client and create a new connection profile with the following values:
Host: | localhost |
Port: | 1389 |
Base DN: | ou=system |
User DN: | uid=admin,ou=system |
Password: | secret |
These are the credentials of the ApacheDS superuser as shipped with the plugin (the exported configuration below carries the same userPassword value); treat them as defaults to change before the directory is reachable from anything other than the local machine. Note also that the connection is plain LDAP on port 1389, so a simple bind sends the password in clear.
Once you connect to the Geronimo Directory server you will see the initial configuration; this configuration can be exported as a backup in an ldif file. Depending on the LDAP client you are using, the export/import steps will differ. When you export the initial configuration you get an ldif file with content similar to the one shown in the following example.
dn: ou=system
ou: system
objectClass: organizationalUnit
objectClass: top

dn: uid=admin, ou=system
displayName: Directory Superuser
uid: admin
userPassword:: c2VjcmV0
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: administrator
cn: system administrator

dn: ou=users, ou=system
ou: users
objectClass: organizationalUnit
objectClass: top

dn: ou=groups, ou=system
ou: groups
objectClass: organizationalUnit
objectClass: top

dn: ou=configuration, ou=system
ou: configuration
objectClass: organizationalUnit
objectClass: top

dn: ou=partitions, ou=configuration, ou=system
ou: partitions
objectClass: organizationalUnit
objectClass: top

dn: ou=services, ou=configuration, ou=system
ou: services
objectClass: organizationalUnit
objectClass: top

dn: ou=interceptors, ou=configuration, ou=system
ou: interceptors
objectClass: organizationalUnit
objectClass: top

dn: prefNodeName=sysPrefRoot, ou=system
objectClass: extensibleObject
prefNodeName: sysPrefRoot
Now you need to import the entries needed to run the sample application. Packaged with the sample application is a sample .ldif file with all the entries necessary to run the LDAP sample application; it is located at <ldap_home>/ldap-sample.ldif.
The following example shows the content of the ldap-sample.ldif file.
# User: system
dn: uid=system,ou=users,ou=system
cn: John Doe
sn: Doe
givenname: John
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: system
mail: system@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: manager

# User: user1
dn: uid=user1,ou=users,ou=system
cn: User
sn: One
givenname: User1
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: user1
mail: user1@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: p1

# User: user2
dn: uid=user2,ou=users,ou=system
cn: User
sn: Two
givenname: User2
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: user2
mail: user2@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: p2

# Group: admin
dn: cn=admin,ou=groups,ou=system
objectClass: groupOfUniqueNames
uniqueMember: uid=system,ou=users,ou=system
uniqueMember: uid=user2,ou=users,ou=system
cn: admin

# Group: guest
dn: cn=guest,ou=groups,ou=system
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=users,ou=system
cn: guest
Once the file is imported you should get a confirmation that five entries were successfully imported. Note that the sample stores the userPassword values (manager, p1, p2) in the clear; they are test credentials for this walkthrough, not a pattern to copy for real accounts.
Deploy the LDAP realm
The LDAP sample application provides a security realm that needs to be deployed before the application itself. This realm is defined in <ldap_home>/ldap-realm.xml and its content is shown in the following example. Note that the plan carries the directory superuser's bind credentials (connectionUsername/connectionPassword) in clear text, so the file needs the same protection as any other secret. The login module uses that connection only to look up the user's DN under userBase and the user's groups under roleBase, then binds as the user to verify the password, so an account limited to searching those two subtrees is sufficient in practice.
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.1">
  <environment>
    <moduleId>
      <groupId>samples</groupId>
      <artifactId>ldap-realm-1</artifactId>
      <version>1.1</version>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>geronimo</groupId>
        <artifactId>j2ee-security</artifactId>
        <!-- <version> commented out so it is version independent. That is either v1.1 or v1.1.1 -->
        <!--<version>1.1.1</version>-->
        <type>car</type>
      </dependency>
    </dependencies>
  </environment>
  <gbean name="ldap-login"
         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
    <attribute name="serverSide">true</attribute>
    <attribute name="options">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connectionURL=ldap://localhost:1389
      connectionUsername=uid=admin,ou=system
      connectionPassword=secret
      connectionProtocol=
      authentication=simple
      userBase=ou=users,ou=system
      userSearchMatching=uid={0}
      userSearchSubtree=false
      roleBase=ou=groups,ou=system
      roleName=cn
      roleSearchMatching=(uniqueMember={0})
      roleSearchSubtree=false
      userRoleName=
    </attribute>
    <attribute name="loginDomainName">ldap-realm-1</attribute>
  </gbean>
  <gbean name="ldap-realm-1" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">ldap-realm-1</attribute>
    <reference name="LoginModuleConfiguration">
      <name>ldap-login</name>
    </reference>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
    <reference name="LoginService">
      <name>JaasLoginService</name>
    </reference>
  </gbean>
  <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule">
      <name>ldap-login</name>
    </reference>
  </gbean>
</module>
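The entries imported from ldap-sample.ldif and the search options in ldap-realm.xml only make sense together: LDAPLoginModule finds the user under userBase with userSearchMatching, then finds the groups under roleBase whose uniqueMember holds that user's DN, and reports each group's cn as a role. The following Python script is an added example, not code from the Geronimo sample or from ApacheDS. It parses LDIF text and applies those realm options offline, so you can predict the roles a user will get and catch dangling group members or cleartext passwords before importing anything. It assumes (the page does not say so) that {0} in roleSearchMatching is the user's DN and that each *SearchMatching filter is a single attribute equality; the embedded LDIF is an abbreviated copy of the sample file in which the system user is deliberately left out so the dangling-member check has something to report.

```python
"""Offline check of the sample LDIF against the search options in ldap-realm.xml.
Added example, not code from the Geronimo sample or from ApacheDS. Assumed here
(not stated on the page): {0} in roleSearchMatching is the user's DN, and each
*SearchMatching filter is a single attr=value equality, which the sample needs."""
import base64
import re
# Abbreviated copy of the page's ldap-sample.ldif (constructed test data). The
# 'system' user is left out on purpose so admin has a dangling member; user2's
# password is base64 and guest's member DN has spaces, to exercise the parser.
SAMPLE_LDIF = """
dn: uid=user1,ou=users,ou=system
objectclass: inetOrgPerson
uid: user1
userPassword: p1

dn: uid=user2,ou=users,ou=system
objectclass: inetOrgPerson
uid: user2
userPassword:: cDI=

dn: cn=admin,ou=groups,ou=system
objectClass: groupOfUniqueNames
uniqueMember: uid=system,ou=users,ou=system
uniqueMember: uid=user2,ou=users,ou=system
cn: admin

dn: cn=guest,ou=groups,ou=system
objectClass: groupOfUniqueNames
uniqueMember: uid=user1, ou=users, ou=system
cn: guest
"""
REALM_OPTIONS = {  # copied from the ldap-realm.xml options on this page
    "userBase": "ou=users,ou=system", "userSearchMatching": "uid={0}",
    "userSearchSubtree": "false", "roleBase": "ou=groups,ou=system",
    "roleName": "cn", "roleSearchMatching": "(uniqueMember={0})",
    "roleSearchSubtree": "false"}
LINE_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")  # attr, ':' or '::', value

def normalize_dn(dn):
    # DN matching ignores case and whitespace around the RDN separators
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Return {normalized dn: {attr.lower(): [values]}} from LDIF text."""
    lines = []
    for raw in text.splitlines():  # unfold: a leading space continues the line above
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:  # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if line.strip() and not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if not m or m.group(1).lower() == "dn":  # blank line or new entry: flush
            if current:
                entries[normalize_dn(current["dn"])] = current
            current = {"dn": m.group(3)} if m else None
            continue
        if current is None:
            raise ValueError(f"attribute outside an entry: {line!r}")
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        current.setdefault(attr, []).append(
            base64.b64decode(value).decode("utf-8") if sep == "::" else value)
    return entries

def search(entries, base, subtree, attr, value, norm):
    """Equality search under base; one level only when *SearchSubtree is 'false'."""
    base, deep = normalize_dn(base), subtree == "true"
    return [dn for dn, e in entries.items()
            if dn.endswith("," + base) and (deep or dn.split(",", 1)[1] == base)
            and norm(value) in [norm(v) for v in e.get(attr.lower(), [])]]

def find_user(entries, username, opts=REALM_OPTIONS):
    """userSearchMatching=uid={0} under userBase -> the user's DN, or None."""
    attr, _, pattern = opts["userSearchMatching"].strip("()").partition("=")
    hits = search(entries, opts["userBase"], opts["userSearchSubtree"], attr,
                  pattern.replace("{0}", username), str.lower)
    return hits[0] if hits else None

def find_roles(entries, user_dn, opts=REALM_OPTIONS):
    """roleSearchMatching=(uniqueMember={0}) under roleBase -> sorted roleName values."""
    attr, _, pattern = opts["roleSearchMatching"].strip("()").partition("=")
    groups = search(entries, opts["roleBase"], opts["roleSearchSubtree"], attr,
                    pattern.replace("{0}", user_dn), normalize_dn)
    return sorted({r for g in groups for r in entries[g].get(opts["roleName"].lower(), [])})

def lint(entries):
    """Review before importing: dangling group members and cleartext userPassword."""
    out = []
    for dn, e in entries.items():
        out += [f"{dn}: uniqueMember {m} does not exist" for m in e.get("uniquemember", [])
                if normalize_dn(m) not in entries]
        out += [f"{dn}: userPassword stored in cleartext" for pw in e.get("userpassword", [])
                if not pw.startswith("{")]
    return out
```

Run `find_roles(db, find_user(db, "user2"))` on `db = parse_ldif(SAMPLE_LDIF)` to get `["admin"]`, and `lint(db)` to see the two cleartext passwords plus the missing `uid=system` member. Feeding the real `<ldap_home>/ldap-sample.ldif` to `parse_ldif` instead of the constructed text should report no dangling members, and the one-level scope in `search` is why changing `roleBase` to `ou=system` without also setting `roleSearchSubtree=true` yields no roles at all.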
To deploy ldap-realm.xml run the following command from the <geronimo_home>/bin directory (the value given with --password is recorded in your shell history and visible in the process list while the command runs, so avoid this form on shared machines):
java -jar deployer.jar --user system --password manager deploy <ldap_home>/ldap-realm.xml
Once deployed you should see a confirmation message similar to the following example:
D:\geronimo-1.1.1-Tomcat\bin>java -jar deployer.jar --user system --password manager deploy \ldap-sample-app\ldap-realm.xml
Deployed samples/ldap-realm-1/1.1/car
For further details refer to the LDAP Realm section.