Anchor | ||||
---|---|---|---|---|
|
Article donated by: Hernan Cunico
Geronimo uses the Apache Directory Server for its directory service, this is part of the Apache Directory Project. Geronimo implements the following two projects from the ApacheDS project.
...
More information about these two projects can be found at the ApacheDS project URL:
http://directory.apache.org/subprojects/apacheds/projects/index.html
At this point, Geronimo does not provide a LDAP client commands for configuring the server. You can use any LDAP client such as ldapbrowser/editor, jxplorer or gq for browsing and editing the configurations of the Directory Server in Geronimo.
...
No Format | ||||
---|---|---|---|---|
| ||||
dn: ou=system
ou: system
objectClass: organizationalUnit
objectClass: top
dn: uid=admin, ou=system
displayName: Directory Superuser
uid: admin
userPassword:: c2VjcmV0
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: administrator
cn: system administrator
dn: ou=users, ou=system
ou: users
objectClass: organizationalUnit
objectClass: top
dn: ou=groups, ou=system
ou: groups
objectClass: organizationalUnit
objectClass: top
dn: ou=configuration, ou=system
ou: configuration
objectClass: organizationalUnit
objectClass: top
dn: ou=partitions, ou=configuration, ou=system
ou: partitions
objectClass: organizationalUnit
objectClass: top
dn: ou=services, ou=configuration, ou=system
ou: services
objectClass: organizationalUnit
objectClass: top
dn: ou=interceptors, ou=configuration, ou=system
ou: interceptors
objectClass: organizationalUnit
objectClass: top
dn: prefNodeName=sysPrefRoot, ou=system
objectClass: extensibleObject
prefNodeName: sysPrefRoot
|
Now you need to import the entries needed to run the sample application. Packaged with the sample application is a sample .ldif file with all the entries necessary to run the LDAP sample application, this file is located in <ldap_home>/ldap-sample.ldif.
...
No Format | ||||
---|---|---|---|---|
| ||||
# User: system
dn: uid=system,ou=users,ou=system
cn: John Doe
sn: Doe
givenname: John
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: system
mail: system@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: manager
# User: user1
dn: uid=user1,ou=users,ou=system
cn: User
sn: One
givenname: User1
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: user1
mail: user1@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: p1
# User: user2
dn: uid=user2,ou=users,ou=system
cn: User
sn: Two
givenname: User2
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: user2
mail: user2@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: p2
# Group: admin
dn: cn=admin,ou=groups,ou=system
objectClass: groupOfUniqueNames
uniqueMember: uid=system,ou=users,ou=system
cn: admin
# Group: guest
dn: cn=guest,ou=groups,ou=system
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=users,ou=system
uniqueMember: uid=user2,ou=users,ou=system
cn: guest
|
Once the file is imported you should get a confirmation that five entries were successfully imported.
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
<?xml version="1.0" encoding="UTF-8"?> <configuration xmlns="http://geronimo.apache.org/xml/ns/deployment" configId="org/apache/geronimo/ldap-secure" parentId="org/apache/geronimo/Server"> <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"> <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute> <attribute name="serverSide">true</attribute> <attribute name="options"> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connectionURL=ldap://localhost:1389 connectionUsername=uid=admin connectionUsername=uid=admin,ou=system connectionPassword=secret connectionProtocol= authentication=simple connectionProtocol= authentication=simple userBase=ou=users,ou=system userSearchMatching=uid={0} userSearchSubtree=false roleBase=ou=groups,ou=system roleName=cn roleSearchMatching=(uniqueMember={0}) roleSearchSubtree=false userRoleName= roleSearchMatching=(uniqueMember={0}) roleSearchSubtree=false userRoleName= </attribute> <attribute name="loginDomainName">ldap-realm</attribute> </gbean> <gbean name="ldap-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"> <attribute name="realmName">ldap-realm</attribute> <reference name="LoginModuleConfiguration"> <name>ldap-login</name> </reference> <reference name="ServerInfo"> <module>org/apache/geronimo/System</module> <name>ServerInfo</name> </reference> <!-- Add --> <reference name="LoginService"> <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=org/apache/geronimo/Security, J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService </gbean-name> </reference> </gbean> <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse"> <attribute name="controlFlag">REQUIRED</attribute> <reference name="LoginModule"> <name>ldap-login</name> </reference> </gbean> <gbean name="ldaptest" class="org.apache.geronimo.security.jaas.ServerRealmConfigurationEntry"> <attribute name="applicationConfigName">ldaptest</attribute> <attribute name="realmName">ldap-realm</attribute> <reference name="LoginService"> <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=org/apache/geronimo/Security, J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService </gbean-name> </reference> </gbean> </configuration> |
To deploy the ldap-realm.xml run the following command from the <geronimo_home>/bin directory:
java -jar deployer.jar --user system --password manager deploy <ldap_home>/ldap-realm.xml
Once deployed you should see a confirmation message similar to the following example:
No Format | ||||
---|---|---|---|---|
| ||||
E:\geronimo\bin>java -jar deployer.jar --user system --password manager deploy e:/ldap-jetty/ldap-realm.xml Deployed org/apache/geronimo/ldap-secure |
Deployment plans
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
<?xml version="1.0" encoding="UTF-8"?>
<web-app
xmlns="http://geronimo.apache.org/xml/ns/web"
xmlns:sec="http://geronimo.apache.org/xml/ns/security"
configId="org/apache/geronimo/ldap-secure-demo"
parentId="org/apache/geronimo/ldap-secure">
<context-root>/ldap-demo</context-root>
<context-priority-classloader>false</context-priority-classloader>
<security-realm-name>ldap-realm</security-realm-name>
<security>
<default-principal realm-name="ldap-realm">
<principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
</default-principal>
<role-mappings>
<role role-name="content-administrator">
<realm realm-name="ldap-realm">
<principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
<principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
</realm>
</role>
<role role-name="guest">
<realm realm-name="ldap-realm">
<principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/>
<principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/>
<principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user2"/>
</realm>
</role>
</role-mappings>
</security>
</web-app>
|
The web.xml deployment descriptor shown in the following example (also located in the <ldap_home>/WEB-INF diretory) adds security constraints based on the location of the files.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
<?xml version="1.0" encoding="ISO-8859-1"?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>Admin Role</web-resource-name> <url-pattern>/protect/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>content-administrator</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>No Access</web-resource-name> <url-pattern>/forbidden/*</url-pattern> </web-resource-collection> <auth-constraint/> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>MYREALM</realm-name> <form-login-config> <form-login-page>/auth/logon.html?param=test</form-login-page> <form-error-page>/auth/logonError.html?param=test</form-error-page> </form-login-config> </login-config> <security-role> <role-name>content-administrator</role-name> </security-role> </web-app> |
Package the sample application
Now that all the elements have been identified, it is necessary to package the sample application in a Web application Archive (.war). Open a command line window, change directory to <ldap_home> and run the following command:
*jar -cvf ldap-demo.war **
This command will package all the existing files and directories inside <ldap_home>. Although not needed inside the .war file, the ldap-realm.xml and ldap-sample.ldif files will also be included.
...
To deploy the LDAP sample application make sure the Geronimo server is up and running. Open a command line window, change directory to <geronimo_home>/bin and run the following command:
java -jar deployer.jar --user system --password manager deploy <ldap_home>/ldap-demo.war
Once the Web application is successfully deployed you should see a confirmation message similar as the one shown in the following example:
No Format | ||||
---|---|---|---|---|
| ||||
E:\geronimo\bin>java -jar deployer.jar --user system --password manager deploy e:/ldap-jetty/ldap-demo.war Deployed org/apache/geronimo/ldap-secure-demo @ http://hcunico:8080/ldap-demo |
To test the LDAP application open a Web browser and access the following URL:
http://localhost:8080/ldap-demo
The following figure shows the welcome page for the LDAP sample application.
...