...

At this point in time, Geronimo only provides LDAP viewing capabilities; editing is not there yet, but adding this feature is planned for the next releases of Geronimo. You will have to use an external LDAP client such as ldapbrowser/editor, jxplorer or gq to edit the configuration of the Directory Server in Geronimo.

Starting the LDAP server

In Geronimo v1.2 the Apache Directory v0.92 is already included with the distribution, although it is not started by default. You can start the server either from the command line using the deployer tool or via the Geronimo Administration Console.

...

As we already mentioned, this component is stopped by default; click on Start to make this service available.

LDAP sample application

For your convenience we have provided the sample application and deployment plans packaged into a zip file.
Download the sample application from the following URL:

...

At this point it is assumed that you have installed an LDAP client and you are capable of exporting/importing an .ldif file to a directory server.


Add LDAP entries

Ensure that Geronimo is up and running and the Directory service is started. Start your LDAP client and create a new connection profile with the following values:

...

export.ldif
dn: ou=system
ou: system
objectClass: organizationalUnit
objectClass: top

dn: uid=admin, ou=system
displayName: Directory Superuser
uid: admin
userPassword:: c2VjcmV0
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: administrator
cn: system administrator

dn: ou=users, ou=system
ou: users
objectClass: organizationalUnit
objectClass: top

dn: ou=groups, ou=system
ou: groups
objectClass: organizationalUnit
objectClass: top

dn: ou=configuration, ou=system
ou: configuration
objectClass: organizationalUnit
objectClass: top

dn: ou=partitions, ou=configuration, ou=system
ou: partitions
objectClass: organizationalUnit
objectClass: top

dn: ou=services, ou=configuration, ou=system
ou: services
objectClass: organizationalUnit
objectClass: top

dn: ou=interceptors, ou=configuration, ou=system
ou: interceptors
objectClass: organizationalUnit
objectClass: top

dn: prefNodeName=sysPrefRoot, ou=system
objectClass: extensibleObject
prefNodeName: sysPrefRoot
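
The admin entry above carries its userPassword as a double-colon (base64) LDIF value, which is an encoding and not a hash. The following check is an added example, not part of the original page or of Geronimo: it reports, for each entry in an LDIF export, whether the password is stored under a hashing scheme prefix or in recoverable form. The second sample entry and its {SSHA} value are constructed, and the parser assumes unfolded lines and plain (non-base64) dn values.

```python
import base64
import re

# Constructed sample: the admin entry in the style of export.ldif above,
# plus a made-up entry with a made-up {SSHA} value for contrast.
SAMPLE_LDIF = """\
dn: uid=admin, ou=system
uid: admin
userPassword:: c2VjcmV0
objectClass: person

dn: uid=hashed, ou=users, ou=system
uid: hashed
userPassword: {SSHA}Q09OU1RSVUNURURfU0FNUExFX1ZBTFVF
objectClass: person
"""

# Storage-scheme prefix such as {SSHA}, {SHA} or {CRYPT}
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def audit_passwords(ldif_text):
    """Return (dn, scheme) for every userPassword value; scheme is
    'CLEARTEXT' when the stored value has no {SCHEME} prefix."""
    findings = []
    dn = None
    for line in ldif_text.splitlines():
        lowered = line.lower()
        if lowered.startswith("dn:"):
            dn = line[3:].strip()
        elif lowered.startswith("userpassword:"):
            rest = line[len("userPassword:"):]
            if rest.startswith(":"):
                # "attr:: value" marks a base64-encoded value (RFC 2849)
                raw = base64.b64decode(rest[1:].strip())
                value = raw.decode("utf-8", "replace")
            else:
                value = rest.strip()
            match = SCHEME.match(value)
            # Report only the scheme, never the decoded password itself
            findings.append((dn, match.group(1).upper() if match else "CLEARTEXT"))
    return findings


if __name__ == "__main__":
    for entry_dn, scheme in audit_passwords(SAMPLE_LDIF):
        print(f"{entry_dn}: {scheme}")
```
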


Now you need to import the entries needed to run the sample application. Packaged with the sample application is a sample .ldif file with all the entries necessary to run the LDAP sample application; this file is located in <ldap_home>/ldap-sample.ldif.

...

Once the file is imported you should get a confirmation that five entries were successfully imported.


Deploy the LDAP realm

The LDAP sample application provides a security realm that needs to be deployed before the deployment of the application itself. This realm is located in <ldap_home>/ldap-realm.xml and the content is illustrated in the following example.

...

Once deployed you should see a confirmation message similar to the following example:

D:\geronimo-tomcat-j2ee-1.2\bin>java -jar deployer.jar --user system --password manager deploy \ldap-sample-app\ldap-realm.xml
    Deployed console.realm/LDAP_Sample_Realm/1.0/car


For further details refer to the LDAP Realm section.

Deployment plans

The deployment plans are located in the <ldap_home>/WEB-INF directory. geronimo-web.xml is the Geronimo-specific deployment plan. It provides the details on what security realm to use and the user role mappings, as well as the Geronimo-specific namespace used to identify the elements in the security configuration. As is common to other types of applications, not just security-related ones, the deployment plan also provides the main namespace for the deployment plan, a module identification (optional), a parent module configuration ID (also optional) and a context root. The following example illustrates the Geronimo-specific deployment plan.

...

Note that these role mappings will be overridden by the actual roles (which users belong to which groups) defined in the LDAP server. Ultimately it is the realm defined in the application deployment plan that determines the validation method. Nevertheless, for this particular example, you still need to define principals and role mappings as determined in the XML schemas.


The web.xml deployment descriptor shown in the following example (also located in the <ldap_home>/WEB-INF directory) adds security constraints based on the location of the files.

web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <!-- Everything under /protect/ requires the content-administrator role -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Role</web-resource-name>
            <url-pattern>/protect/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>content-administrator</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- An empty auth-constraint names no roles, so /forbidden/ is denied to every caller -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>No Access</web-resource-name>
            <url-pattern>/forbidden/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <!-- Form-based login; the pages under /auth/ collect and report on credentials -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ldap-realm-1</realm-name>
        <form-login-config>
            <form-login-page>/auth/logon.html?param=test</form-login-page>
            <form-error-page>/auth/logonError.html?param=test</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>content-administrator</role-name>
    </security-role>

</web-app>
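
To check what the descriptor above actually enforces, the following added example (not part of the original page or of Geronimo) parses the security constraints and reports the access rule for each URL pattern, then flags any role used in a constraint but never declared in a security-role element. The embedded XML is a constructed excerpt of the web.xml above, and the code assumes each URL pattern appears in only one constraint, as it does here.

```python
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}

# Constructed excerpt of the web.xml shown above (login-config omitted).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Role</web-resource-name>
      <url-pattern>/protect/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>content-administrator</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/forbidden/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-role>
    <role-name>content-administrator</role-name>
  </security-role>
</web-app>"""


def summarize_constraints(xml_text):
    """Map each url-pattern to a sorted role list, 'deny-all' or 'no-auth-required'."""
    root = ET.fromstring(xml_text)
    result = {}
    for sc in root.findall("j2ee:security-constraint", NS):
        auth = sc.find("j2ee:auth-constraint", NS)
        if auth is None:
            access = "no-auth-required"  # constraint without auth-constraint
        else:
            roles = sorted(r.text.strip() for r in auth.findall("j2ee:role-name", NS))
            # An auth-constraint that names no roles blocks every caller
            access = roles if roles else "deny-all"
        for pat in sc.findall("j2ee:web-resource-collection/j2ee:url-pattern", NS):
            result[pat.text.strip()] = access
    return result


def undeclared_roles(xml_text):
    """Roles referenced by a constraint but missing from security-role."""
    root = ET.fromstring(xml_text)
    used_path = "j2ee:security-constraint/j2ee:auth-constraint/j2ee:role-name"
    used = {r.text.strip() for r in root.findall(used_path, NS)}
    declared = {r.text.strip() for r in root.findall("j2ee:security-role/j2ee:role-name", NS)}
    return used - declared
```

Paths that match no url-pattern, such as index.html in this application, are absent from the summary and are served without authentication.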


Package the sample application

Now that all the elements have been identified, it is necessary to package the sample application in a Web Application Archive (.war). Open a command line window, change directory to <ldap_home> and run the following command:

...

This command will package all the existing files and directories inside <ldap_home>. Although not needed inside the .war file, the ldap-realm.xml and ldap-sample.ldif files will also be included.


Deploy the application

To deploy the LDAP sample application make sure the Geronimo server is up and running. Open a command line window, change directory to <geronimo_home>/bin and run the following command:

...

To further test this example you could now try the different users provided in ldap-sample.ldif, or use your LDAP client to add/remove users from the different groups. You will notice the changes immediately (you may need to close your web browser).
