Versions Compared


...

http://directory.apache.org/subprojects/apacheds/projects/index.html

At this point in time, Geronimo does not provide LDAP client commands for configuring the server; it only provides LDAP viewing capabilities. Editing is not available yet, but adding this feature is planned for the next releases of Geronimo. Currently you can use any LDAP client, such as ldapbrowser/editor, JXplorer or gq, for browsing and editing the configuration of the Directory Server in Geronimo.

In this release of Geronimo, that is v1.1 and v1.1.x, Apache Directory is provided as a security plugin that you need to install in a separate process. This is very simple to accomplish and the steps are described in the following section.

Installing Apache Directory in Geronimo

Installing a Geronimo plugin is a relatively simple procedure. In this case, the Apache Directory server is provided as a plugin with all the dependencies included.

  1. Start Geronimo and log into the Administration Console
  2. Click on Create/Install under the Plugins folder
  3. If there are no repositories in the list click the Update Repository List link
  4. Click on Search for Plugins
  5. From the list select Apache Directory 0.92 for Geronimo (1.1)
  6. Click on Install Plugin
    All the needed components will be downloaded and, if successful, you will see a message indicating that the plugin was installed.
  7. Click on Start geronimo/directory/1.1/car


Starting the LDAP server

In Geronimo v1.2 the Apache Directory v0.92 is already included with the distribution although it is not started by default. You can either start the server from command line using the deployer tool or via the Geronimo Administration Console.

Using the Administration Console click on System Modules on the navigation menu from the left and look for the component name org.apache.geronimo.configs/directory in the Installed System Modules portlet. You will see the current status and available commands for this particular component.

As already mentioned, this component is stopped by default; click on Start to make this service available.

LDAP sample application

For your convenience we have provided the sample application and deployment plans packaged into a zip file.
Download the sample application from the following URL:

...

Code Block: ldap-realm.xml (Geronimo v1.1 deployment plan)

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.1">
    <environment>
        <moduleId>
            <groupId>samples</groupId>
            <artifactId>ldap-realm-1</artifactId>
            <version>1.1</version>
        </moduleId>

        <dependencies>
            <dependency>
                <groupId>geronimo</groupId>
                <artifactId>j2ee-security</artifactId>
                <!-- <version> commented out so it is version independent. That is either v1.1 or v1.1.1 -->
                <!--<version>1.1.1</version>-->
                <type>car</type>
            </dependency>
        </dependencies>
    </environment>

    <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
        <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
        <attribute name="serverSide">true</attribute>
        <attribute name="options">
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connectionURL=ldap://localhost:1389
            connectionUsername=uid=admin,ou=system
            connectionPassword=secret
            connectionProtocol=
            authentication=simple
            userBase=ou=users,ou=system
            userSearchMatching=uid={0}
            userSearchSubtree=false
            roleBase=ou=groups,ou=system
            roleName=cn
            roleSearchMatching=(uniqueMember={0})
            roleSearchSubtree=false
            userRoleName=
        </attribute>
        <attribute name="loginDomainName">ldap-realm-1</attribute>
    </gbean>

    <gbean name="ldap-realm-1" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">ldap-realm-1</attribute>
        <reference name="LoginModuleConfiguration">
            <name>ldap-login</name>
        </reference>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <reference name="LoginService">
            <name>JaasLoginService</name>
        </reference>
    </gbean>

    <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
        <attribute name="controlFlag">REQUIRED</attribute>
        <reference name="LoginModule">
            <name>ldap-login</name>
        </reference>
    </gbean>
</module>

Code Block: ldap-realm.xml (Geronimo v1.2 deployment plan)

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>LDAP_Sample_Realm</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <dependency>
                <groupId>org.apache.geronimo.configs</groupId>
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
        </dependencies>
    </environment>
    <gbean name="LDAP_Sample_Realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
            xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">LDAP_Sample_Realm</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <reference name="LoginService">
            <name>JaasLoginService</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.2">
                <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
                    <log:login-domain-name>LDAP_Sample_Realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.LDAPLoginModule</log:login-module-class>
                    <log:option name="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</log:option>
                    <log:option name="connectionURL">ldap://localhost:1389</log:option>
                    <log:option name="connectionUsername">uid=admin,ou=system</log:option>
                    <log:option name="connectionPassword">secret</log:option>
                    <log:option name="authentication">simple</log:option>
                    <log:option name="userBase">ou=users,ou=system</log:option>
                    <log:option name="userSearchMatching">uid={0}</log:option>
                    <log:option name="userSearchSubtree">false</log:option>
                    <log:option name="roleBase">ou=groups,ou=system</log:option>
                    <log:option name="roleName">cn</log:option>
                    <log:option name="roleSearchMatching">(uniqueMember={0})</log:option>
                    <log:option name="roleSearchSubtree">false</log:option>
                </log:login-module>
                <log:login-module control-flag="OPTIONAL" server-side="true" wrap-principals="false">
                    <log:login-domain-name>LDAP_Sample_Realm-Audit</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
                    <log:option name="file">var/log/login-attempts.log</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>
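The following is an added illustration (not Geronimo or Apache Directory code) of how the userBase, userSearchMatching, roleBase, roleSearchMatching and roleName options in the realm plan above drive a login: look the user up under userBase with uid={0}, bind with the supplied password, then collect the cn of every group under roleBase whose uniqueMember lists the user's DN. The in-memory directory, user entries and passwords are constructed sample data, and the RFC 4515 escaping of the value substituted for {0} is an assumption of this model, not a statement about the real LDAPLoginModule.

```python
import re

# Option values taken from the ldap-realm.xml deployment plan on this page.
OPTIONS = {
    "userBase": "ou=users,ou=system", "userSearchMatching": "uid={0}",
    "userSearchSubtree": "false", "roleBase": "ou=groups,ou=system",
    "roleName": "cn", "roleSearchMatching": "(uniqueMember={0})",
    "roleSearchSubtree": "false",
}
# Constructed in-memory stand-in for the ApacheDS ou=system partition
# (entries and passwords are sample data, not the server's real defaults).
DIRECTORY = {
    "uid=system,ou=users,ou=system": {"uid": ["system"], "userPassword": ["manager"]},
    "uid=user1,ou=users,ou=system": {"uid": ["user1"], "userPassword": ["user1pw"]},
    "cn=admin,ou=groups,ou=system": {"cn": ["admin"],
                                     "uniqueMember": ["uid=system,ou=users,ou=system"]},
    "cn=guest,ou=groups,ou=system": {"cn": ["guest"], "uniqueMember": [
        "uid=user1,ou=users,ou=system", "uid=system,ou=users,ou=system"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping of the text substituted for {0}, so a login name is
    matched literally (an assumption of this model, not a claim about the
    real LDAPLoginModule)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _search(base, template, value, subtree):
    """Equality search under base; one-level scope unless subtree is 'true'."""
    attr, _, assertion = template.format(escape_filter_value(value)).strip("()").partition("=")
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), assertion)
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.endswith("," + base) and (subtree == "true" or dn.split(",", 1)[1] == base)
        if in_scope and wanted in attrs.get(attr, []):
            hits.append(dn)
    return hits

def login(username, password):
    """Return the principals the realm hands to the web app (user name plus the
    cn of every group listing the user), or None when authentication fails."""
    users = _search(OPTIONS["userBase"], OPTIONS["userSearchMatching"], username,
                    OPTIONS["userSearchSubtree"])
    if len(users) != 1:  # unknown or ambiguous uid: no bind is attempted
        return None
    user_dn = users[0]
    if password not in DIRECTORY[user_dn]["userPassword"]:  # stands in for the user bind
        return None
    groups = _search(OPTIONS["roleBase"], OPTIONS["roleSearchMatching"], user_dn,
                     OPTIONS["roleSearchSubtree"])
    return {"user": username, "groups": sorted(DIRECTORY[g][OPTIONS["roleName"]][0] for g in groups)}
```

The group names returned here are what the geronimo-web.xml role-mappings below match as GeronimoGroupPrincipal names.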

To deploy the ldap-realm.xml run the following command from the <geronimo_home>/bin directory:

...

Once deployed you should see a confirmation message similar to the following example:

D:\geronimo-tomcat-j2ee-1.1.1-Tomcat2\bin>java -jar deployer.jar --user system --password manager deploy \ldap-sample-app\ldap-realm.xml
    Deployed samples/ldap-realm-1/1.1/car

With the Geronimo v1.2 deployment plan the module is reported as console.realm/LDAP_Sample_Realm/1.0/car instead.


For further details refer to the LDAP Realm section.

...

Code Block: geronimo-web.xml (Geronimo v1.1 deployment plan)

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.1">
    <environment>
        <moduleId>
            <groupId>samples</groupId>
            <artifactId>ldap-realm-1-app</artifactId>
            <version>1.1</version>
        </moduleId>
    </environment>
    <context-root>/ldap-demo-1</context-root>

    <security-realm-name>ldap-realm-1</security-realm-name>
    <security>
        <default-principal realm-name="ldap-realm-1">
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
        </default-principal>
        <role-mappings>
            <role role-name="content-administrator">
                <realm realm-name="ldap-realm-1">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
                </realm>
            </role>
            <role role-name="guest">
                <realm realm-name="ldap-realm-1">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/>
                </realm>
            </role>
        </role-mappings>
    </security>
</web-app>

Code Block: geronimo-web.xml (Geronimo v1.2 deployment plan)

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.2">
    <environment>
        <moduleId>
            <groupId>samples</groupId>
            <artifactId>LDAP_Sample</artifactId>
            <version>2</version>
        </moduleId>
    </environment>
    <context-root>/LDAP_Sample</context-root>

    <security-realm-name>LDAP_Sample_Realm</security-realm-name>
    <security>
        <default-principal realm-name="LDAP_Sample_Realm">
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
        </default-principal>
        <role-mappings>
            <role role-name="content-administrator">
                <realm realm-name="LDAP_Sample_Realm">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
                </realm>
            </role>
            <role role-name="guest">
                <realm realm-name="LDAP_Sample_Realm">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/>
                </realm>
            </role>
        </role-mappings>
    </security>
</web-app>

...

D:\geronimo-tomcat-j2ee-1.1.1-Tomcat2\bin>java -jar deployer.jar --user system --password manager deploy \ldap-sample-app\ldap-demo.war
    Deployed samples/ldap-realm-1-app/1.1/war @
    http://hc2t60phcunico:8080/ldap-demo-1

With the Geronimo v1.2 deployment plan the module is reported as samples/LDAP_Sample/2/war @ http://hc2t60phcunico:8080/LDAP_Sample instead.

To test the LDAP application open a Web browser and access the following URL:

http://localhost:8080/ldap-demo-1 (Geronimo v1.1 deployment plan) or http://localhost:8080/LDAP_Sample (Geronimo v1.2 deployment plan)

The following figure shows the welcome page for the LDAP sample application.

Click on Protect to validate against the LDAP Directory Server.

...

At this point you have an application that validates usernames and passwords against an LDAP Directory Server based on the security configuration you provided earlier in the LDAP realm. Now, if you go back to the welcome page and click on Forbidden, you should receive a 403 - Forbidden HTTP error similar to the one shown in the following figure.

...