...
http://directory.apache.org/subprojects/apacheds/projects/index.html
At this point in time, Geronimo does not provide LDAP client commands for configuring the server; it only provides LDAP viewing capabilities. Editing is not there yet, but adding this feature is planned for the next releases of Geronimo. Currently you can use any LDAP client, such as LDAP Browser/Editor, JXplorer or gq, for browsing and editing the configuration of the Directory Server in Geronimo.
In this release of Geronimo, that is v1.1 and v1.1.x, Apache Directory is provided as a security plugin that you need to install in a separate step. This is very simple to accomplish and the steps are described in the following section.
Installing Apache Directory in Geronimo
Installing a Geronimo plugin is a relatively simple procedure. In this case, the Apache Directory server is provided as a plugin with all the dependencies included.
- Start Geronimo and log into the Administration Console.
- Click on Create/Install under the Plugins folder.
- If there are no repositories in the list, click the Update Repository List link.
- Click on Search for Plugins.
- From the list select Apache Directory 0.92 for Geronimo (1.1).
- Click on Install Plugin. All the needed components will be downloaded and, if successful, you will see a message indicating that the plugin was installed.
- Click on Start geronimo/directory/1.1/car.
Starting the LDAP server
In Geronimo v1.2 Apache Directory v0.92 is already included with the distribution, although it is not started by default. You can start the server either from the command line using the deployer tool or via the Geronimo Administration Console.
Using the Administration Console, click on System Modules in the navigation menu on the left and look for the component named org.apache.geronimo.configs/directory in the Installed System Modules portlet. You will see the current status and the available commands for this particular component.
As already mentioned, this component is stopped by default; click on Start to make this service available.
LDAP sample application
For your convenience we have provided the sample application and deployment plans packaged into a zip file.
Download the sample application from the following URL:
...
The deployment plan for the LDAP realm, ldap-realm.xml, declares a GenericSecurityRealm backed by Geronimo's LDAPLoginModule. The plan for Geronimo v1.1 and v1.1.x configures the login module through a LoginModuleGBean whose options are given as a properties block:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.1">
  <environment>
    <moduleId>
      <groupId>samples</groupId>
      <artifactId>ldap-realm-1</artifactId>
      <version>1.1</version>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>geronimo</groupId>
        <artifactId>j2ee-security</artifactId>
        <!-- <version> commented out so it is version independent. That is either v1.1 or v1.1.1 -->
        <!--<version>1.1.1</version>-->
        <type>car</type>
      </dependency>
    </dependencies>
  </environment>

  <!-- The LDAP login module and its connection/search options -->
  <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
    <attribute name="serverSide">true</attribute>
    <attribute name="options">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connectionURL=ldap://localhost:1389
      connectionUsername=uid=admin,ou=system
      connectionPassword=secret
      connectionProtocol=
      authentication=simple
      userBase=ou=users,ou=system
      userSearchMatching=uid={0}
      userSearchSubtree=false
      roleBase=ou=groups,ou=system
      roleName=cn
      roleSearchMatching=(uniqueMember={0})
      roleSearchSubtree=false
      userRoleName=
    </attribute>
    <attribute name="loginDomainName">ldap-realm-1</attribute>
  </gbean>

  <!-- The security realm that applications refer to by realmName -->
  <gbean name="ldap-realm-1" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">ldap-realm-1</attribute>
    <reference name="LoginModuleConfiguration">
      <name>ldap-login</name>
    </reference>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
    <reference name="LoginService">
      <name>JaasLoginService</name>
    </reference>
  </gbean>

  <!-- Ties the login module into the realm's JAAS configuration -->
  <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule">
      <name>ldap-login</name>
    </reference>
  </gbean>
</module>
```

The equivalent plan for Geronimo v1.2 declares the login modules inline through an xml-reference to a login-config, and adds an OPTIONAL FileAuditLoginModule that records login attempts in var/log/login-attempts.log:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>console.realm</groupId>
      <artifactId>LDAP_Sample_Realm</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>org.apache.geronimo.configs</groupId>
        <artifactId>j2ee-security</artifactId>
        <type>car</type>
      </dependency>
    </dependencies>
  </environment>

  <gbean name="LDAP_Sample_Realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
         xsi:type="dep:gbeanType"
         xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <attribute name="realmName">LDAP_Sample_Realm</attribute>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
    <reference name="LoginService">
      <name>JaasLoginService</name>
    </reference>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.2">
        <!-- The LDAP login module: must succeed for the login to succeed -->
        <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
          <log:login-domain-name>LDAP_Sample_Realm</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.LDAPLoginModule</log:login-module-class>
          <log:option name="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</log:option>
          <log:option name="connectionURL">ldap://localhost:1389</log:option>
          <log:option name="connectionUsername">uid=admin,ou=system</log:option>
          <log:option name="connectionPassword">secret</log:option>
          <log:option name="authentication">simple</log:option>
          <log:option name="userBase">ou=users,ou=system</log:option>
          <log:option name="userSearchMatching">uid={0}</log:option>
          <log:option name="userSearchSubtree">false</log:option>
          <log:option name="roleBase">ou=groups,ou=system</log:option>
          <log:option name="roleName">cn</log:option>
          <log:option name="roleSearchMatching">(uniqueMember={0})</log:option>
          <log:option name="roleSearchSubtree">false</log:option>
        </log:login-module>
        <!-- Audit module: logs every login attempt, never decides the outcome -->
        <log:login-module control-flag="OPTIONAL" server-side="true" wrap-principals="false">
          <log:login-domain-name>LDAP_Sample_Realm-Audit</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
          <log:option name="file">var/log/login-attempts.log</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</module>
```

Both plans bind to the directory as uid=admin,ou=system with the password secret, which is the default administrator account and password of Apache Directory Server. That is fine for this local demo, but change the password and bind with a less privileged account before a realm like this reaches any other environment. The simple bind over ldap:// also carries the bind password and the user passwords in clear text, so keep the connection on the loopback interface as shown here or move it to an encrypted connection.
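To make the user-search and role-search options concrete, here is an added example in Python that is not part of this page or of Geronimo's own code. It models the two-step lookup that the realm options describe against a small in-memory directory constructed for the purpose: it parses the options block from the v1.1 plan above, searches for the user under userBase with userSearchMatching at the scope set by userSearchSubtree, checks the password in place of the bind the real module performs, then searches roleBase for groups whose uniqueMember is the user's DN and reports their cn values as roles. It assumes, as Geronimo's module does, that {0} in roleSearchMatching stands for the user's DN. It also escapes the substituted value per RFC 4515 so that a user name such as * cannot widen the filter; the page says nothing about whether the real module does this, so treat that part as the example's own choice.

```python
"""Two-step LDAP realm lookup modelled on the option names used by
Geronimo's LDAPLoginModule (user search, then group search by user DN).

Constructed example for this page. It does not use Geronimo's code and
runs against the in-memory directory stubbed in below, not a real server.
"""
import re

# Options copied from the v1.1 realm plan (Properties-style key=value lines).
OPTIONS_TEXT = """
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL=ldap://localhost:1389
connectionUsername=uid=admin,ou=system
connectionPassword=secret
authentication=simple
userBase=ou=users,ou=system
userSearchMatching=uid={0}
userSearchSubtree=false
roleBase=ou=groups,ou=system
roleName=cn
roleSearchMatching=(uniqueMember={0})
roleSearchSubtree=false
"""


def parse_options(text):
    """Split each line on the first '=' only; DNs themselves contain '='."""
    opts = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition("=")
        opts[key] = value
    return opts


# Constructed stand-in for the ApacheDS tree the plan points at (DN -> attributes).
DIRECTORY = {
    "uid=system,ou=users,ou=system": {"uid": ["system"], "userPassword": ["manager"]},
    "uid=user1,ou=users,ou=system": {"uid": ["user1"], "userPassword": ["user1pw"]},
    # one level deeper than userBase: only reachable with userSearchSubtree=true
    "uid=user2,ou=contractors,ou=users,ou=system": {"uid": ["user2"], "userPassword": ["user2pw"]},
    "cn=admin,ou=groups,ou=system": {"cn": ["admin"],
                                     "uniqueMember": ["uid=system,ou=users,ou=system"]},
    "cn=guest,ou=groups,ou=system": {"cn": ["guest"],
                                     "uniqueMember": ["uid=user1,ou=users,ou=system",
                                                      "uid=system,ou=users,ou=system"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter in place of {0}."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def _unescape(piece):
    """Turn \\XX hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _in_scope(dn, base, subtree):
    """ONELEVEL: the entry's parent is base. SUBTREE: any depth below base."""
    parent = dn.partition(",")[2]
    return dn.endswith("," + base) if subtree else parent == base


def search(directory, base, filt, subtree):
    """Minimal evaluator for the one filter shape the realm uses: attr=value,
    optionally parenthesised, where an unescaped '*' is an LDAP wildcard."""
    filt = filt.strip()
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]
    attr, _, pattern = filt.partition("=")
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return [dn for dn, attrs in directory.items()
            if _in_scope(dn, base, subtree)
            and any(re.fullmatch(regex, v) for v in attrs.get(attr, []))]


def authenticate(directory, opts, username, password):
    """Return (user_dn, sorted roles) on success, None on any failure."""
    user_filter = opts["userSearchMatching"].replace("{0}", escape_filter_value(username))
    users = search(directory, opts["userBase"], user_filter, opts["userSearchSubtree"] == "true")
    if len(users) != 1:  # no match, or an ambiguous match: refuse rather than guess
        return None
    user_dn = users[0]
    # Stand-in for the bind the real module performs with the user's DN and password.
    if password not in directory[user_dn].get("userPassword", []):
        return None
    role_filter = opts["roleSearchMatching"].replace("{0}", escape_filter_value(user_dn))
    groups = search(directory, opts["roleBase"], role_filter, opts["roleSearchSubtree"] == "true")
    roles = sorted(r for g in groups for r in directory[g][opts["roleName"]])
    return user_dn, roles


if __name__ == "__main__":
    opts = parse_options(OPTIONS_TEXT)
    print(authenticate(DIRECTORY, opts, "user1", "user1pw"))  # ('uid=user1,ou=users,ou=system', ['guest'])
    print(authenticate(DIRECTORY, opts, "user2", "user2pw"))  # None: one level too deep for ONELEVEL
    print(authenticate(DIRECTORY, opts, "*", "user1pw"))      # None: the wildcard is escaped
```

Two points worth noticing when you run it: user2 sits one OU below ou=users,ou=system and is invisible while userSearchSubtree=false, so a realm that appears to reject valid accounts may simply be searching at the wrong scope; and without the RFC 4515 escaping the user name * would turn uid={0} into a presence filter that matches every entry under userBase, which the ambiguity check then refuses.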
To deploy ldap-realm.xml, run the following command from the <geronimo_home>/bin directory:
...
Once deployed you should see a confirmation message similar to the following example:
```text
D:\geronimo-tomcat-j2ee-1.1.1-Tomcat2\bin>java -jar deployer.jar --user system --password manager deploy \ldap-sample-app\ldap-realm.xml
Deployed samples/ldap-realm-1/1.1/car
```

With the v1.2 plan the realm module is reported as console.realm/LDAP_Sample_Realm/1.0/car instead.
For further details refer to the LDAP Realm section.
...
The Geronimo deployment plan for the sample web application (ldap-demo.war) names the realm the application authenticates against and maps the application's roles to the LDAP groups and users that the realm returns. In the v1.1 layout:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.1">
  <environment>
    <moduleId>
      <groupId>samples</groupId>
      <artifactId>ldap-realm-1-app</artifactId>
      <version>1.1</version>
    </moduleId>
  </environment>
  <context-root>/ldap-demo-1</context-root>
  <security-realm-name>ldap-realm-1</security-realm-name>
  <security>
    <!-- Identity assigned to callers that have not authenticated -->
    <default-principal realm-name="ldap-realm-1">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
    </default-principal>
    <role-mappings>
      <!-- LDAP group "admin" (and the user "system") get the content-administrator role -->
      <role role-name="content-administrator">
        <realm realm-name="ldap-realm-1">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
        </realm>
      </role>
      <!-- LDAP group "guest" (and the user "user1") get the guest role -->
      <role role-name="guest">
        <realm realm-name="ldap-realm-1">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/>
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/>
        </realm>
      </role>
    </role-mappings>
  </security>
</web-app>
```

In the v1.2 version of the sample the namespace is http://geronimo.apache.org/xml/ns/j2ee/web-1.2, the artifactId is LDAP_Sample with version 1.2, the context root is /LDAP_Sample, and every realm-name is LDAP_Sample_Realm. Group principals carry the cn values found by roleSearchMatching, user principals the uid values found by userSearchMatching, so a role mapping only works if the names here match what the realm returns. Note also that default-principal is the identity Geronimo assigns to unauthenticated callers; the sample uses the user system, which is convenient for a demo but worth reviewing before the plan is reused.
...
```text
D:\geronimo-tomcat-j2ee-1.1.1-Tomcat2\bin>java -jar deployer.jar --user system --password manager deploy \ldap-sample-app\ldap-demo.war
Deployed samples/ldap-realm-1-app/1.1/war @
http://hc2t60phcunico:8080/ldap-demo-1
```

With the v1.2 sample the application is reported as samples/LDAP_Sample/1.2/war at the context root /LDAP_Sample.
To test the LDAP application, open a Web browser and access the following URL (on v1.2 the context root is /LDAP_Sample instead):
http://localhost:8080/ldap-demo-1
The following figure shows the welcome page for the LDAP sample application.
Click on Protect to validate against the LDAP Directory Server.
...
At this point you have an application that validates user names and passwords against an LDAP Directory Server, based on the security configuration you provided earlier in the LDAP realm. Now, if you go back to the welcome page and click on Forbidden, you should receive a 403 Forbidden HTTP error similar to the one shown in the following figure.
...