A guide to deploying LDAP realms in Geronimo. The samples reflect settings that are valid for the default ApacheDS setup.
Geronimo can be configured to use the Apache Directory Server (ApacheDS) for its directory service. As of Geronimo 1.1 ApacheDS is not installed by default. If you do not have ApacheDS installed in your environment, here is a series of quick steps to install it as a Geronimo plugin.
Installing ApacheDS in Geronimo
To set up ApacheDS in Geronimo, install the plugin as follows:
- Log into the Geronimo Console.
- Click Create/Install under the Plugins folder in the left menu.
- If there are no repositories in the list, click the Update Repository List link.
- Select a repository to search.
- Click the Search for Plugins button.
- In the list, select Apache Directory 0.92 for Geronimo (1.12).
- Click the Continue button on the next page.
- Click the Install Plugin button on the next page. All the needed components will be downloaded and, if successful, you will see a message indicating that the plugin was installed.
- Click the Start button to start ApacheDS.
Deploying LDAP Realms
From the Security Realms portlet:
- Click Add new security realm.
- Name the realm, select LDAP_Realm in the Realm Type box, and then click Next. At this point you are presented with a list of the LDAP Login Module's settings (see LDAPLoginModule Configuration below).
- Enter the settings corresponding to your LDAP configuration and click Next.
- Select Advanced Settings as desired.
- To verify that the settings are correct, click Test a Login.
- Enter a known username and password, then click Next. If the settings are correct you will see a page displaying the Principals retrieved for the user.
- Click Deploy Realm.
The LDAP realm is ready for use and should be listed in your Security Realms portlet view.
Once deployed you should see a confirmation message similar to the following example:
LDAP Deployment XML Example
The following XML example uses parameters that are valid for the default ApacheDS server setup.
...
...
LDAPLoginModule Configuration
The following section is a reference for users needing to deploy custom LDAP realms and outlines the LDAP Login Module configuration parameters as well as different possible configurations for retrieving LDAP user roles.
Tip: The key to working with the LDAP module is: KNOW YOUR LDAP SCHEMA.
Retrieving LDAP User Roles
The LDAPLoginModule can be configured to find user roles (group memberships) using two different methods:
1. Find the roles using a group entry's attribute that contains user members (e.g. a member attribute). To use this method the roleName and roleSearchMatching options must be set. The LDAPLoginModule will perform an LDAP search using the roleSearchMatching filter to search for the authenticating user's distinguished name within each group entry's roleName attribute. To skip this method the roleName option MUST be left unset. If the roleName option is set and the roleSearchMatching option is left unset, the LDAPLoginModule will attempt to perform the search and throw an exception.
2. Find the roles using a user entry's attribute that contains the groups a user is a member of (e.g. a memberOf attribute). To use this method the userRoleName option must be set to the name of the user entry's attribute that contains the group membership list. To skip this method the userRoleName option should be left unset.
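The following is an added example, not Geronimo's or ApacheDS's code: it simulates both role-lookup methods over a small constructed directory (modelled on the default ApacheDS ou=system layout) so the option rules above can be exercised offline. It assumes that roleSearchMatching carries a {0} placeholder that is replaced by the authenticated user's DN, that roleName names the matched group attribute whose values become the roles (cn here), that userRoleName values are used as-is, and that the user DN is RFC 4515-escaped before it is substituted into the filter; all four are this example's assumptions about the option semantics, and the directory contents are constructed.

```python
"""Added example (not Geronimo code): the two LDAPLoginModule role-lookup
methods run against a constructed in-memory directory."""
import re
from typing import Dict, List, Optional

# Constructed entries modelled on the default ApacheDS layout under ou=system.
# Values are lists because LDAP attributes are multi-valued.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=system,ou=users,ou=system": {
        "uid": ["system"],
        "memberOf": ["cn=admin,ou=groups,ou=system"],  # assumed user-side group list
    },
    "uid=alice,ou=users,ou=system": {"uid": ["alice"]},
    "cn=admin,ou=groups,ou=system": {
        "cn": ["admin"],
        "uniqueMember": ["uid=system,ou=users,ou=system"],
    },
    "cn=monitor,ou=groups,ou=system": {
        "cn": ["monitor"],
        "uniqueMember": ["uid=system,ou=users,ou=system",
                         "uid=alice,ou=users,ou=system"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN taken from the login cannot alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _values(entry: Dict[str, List[str]], attr: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _split_subfilters(body: str) -> List[str]:
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0:
        raise ValueError(f"unbalanced filter: {body}")
    return parts


def matches(entry: Dict[str, List[str]], filt: str) -> bool:
    """Minimal filter evaluator: (attr=value) and (&(...)(...)) only."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"malformed filter: {filt}")
    body = filt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, sub) for sub in _split_subfilters(body[1:]))
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError(f"unsupported filter: {filt}")
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in _values(entry, attr))


def roles_from_group_search(user_dn: str, role_base: str, role_name: Optional[str],
                            role_search_matching: Optional[str]) -> List[str]:
    """Method 1: search group entries under roleBase (subtree) for the user's DN.
    Unset roleName skips the method; roleName without roleSearchMatching is an
    error, as the page states. The {0} placeholder is this example's assumption."""
    if not role_name:
        return []
    if not role_search_matching:
        raise ValueError("roleName is set but roleSearchMatching is unset")
    filt = role_search_matching.replace("{0}", escape_filter_value(user_dn))
    base = role_base.lower()
    roles = set()
    for dn, entry in DIRECTORY.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if in_scope and matches(entry, filt):
            roles.update(_values(entry, role_name))
    return sorted(roles)


def roles_from_user_entry(user_dn: str, user_role_name: Optional[str]) -> List[str]:
    """Method 2: read the group list from an attribute of the user's own entry."""
    if not user_role_name:
        return []
    return sorted(set(_values(DIRECTORY.get(user_dn, {}), user_role_name)))


def resolve_roles(user_dn: str, role_base: str = "ou=groups,ou=system",
                  role_name: Optional[str] = None,
                  role_search_matching: Optional[str] = None,
                  user_role_name: Optional[str] = None) -> List[str]:
    """Union of both methods; each contributes only when its options are set."""
    roles = set(roles_from_group_search(user_dn, role_base, role_name, role_search_matching))
    roles.update(roles_from_user_entry(user_dn, user_role_name))
    return sorted(roles)


if __name__ == "__main__":
    dn = "uid=system,ou=users,ou=system"
    print(resolve_roles(dn, role_name="cn", role_search_matching="(uniqueMember={0})"))
    print(resolve_roles(dn, user_role_name="memberOf"))
```

Running it shows the system user receiving admin and monitor through the group search and only the memberOf value through the user-entry method; setting roleName without roleSearchMatching raises, which is the misconfiguration the text warns about. Escaping the DN before substitution is the check to confirm in any module that builds filters from login data.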