Configure LDAP authentication (Apache Tomcat)
Define which users can access the Application Center console and which users can log in with the mobile client by mapping the Java EE roles of the Application Center to LDAP roles.
Purpose
To configure ACL management of the Application Center, you configure LDAP for user authentication, map the Java EE (JEE) roles of the Application Center to LDAP roles, and configure the Application Center properties for LDAP authentication. Only simple LDAP authentication is supported. You configure the Apache Tomcat server for LDAP authentication, and configure JEE security in the web.xml file of the Application Center Services web application (applicationcenter.war) and of the Application Center Console web application (appcenterconsole.war).
LDAP user authentication
You must configure a JNDIRealm in the <Host> element of the server.xml file. See the Realm Component page on the Apache Tomcat website for more information about configuring a realm.
Example of configuration on Apache Tomcat to authenticate against an LDAP server
This example shows how to configure an Apache Tomcat server to authenticate users against an LDAP server and to look up the roles of those users in the same directory.

    <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
        ...
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://bluepages.ibm.com:389"
               userSubtree="true"
               userBase="ou=bluepages,o=ibm.com"
               userSearch="(emailAddress={0})"
               roleBase="ou=ibmgroups,o=ibm.com"
               roleName="cn"
               roleSubtree="true"
               roleSearch="(uniqueMember={0})"
               allRolesMode="authOnly"
               commonRole="appcenter"/>
        ...
    </Host>

The value of connectionURL is the LDAP URL of the LDAP server. With an ldap:// URL on port 389 the connection is unencrypted, and the user's password is sent to the directory when Tomcat binds as that user, so prefer an ldaps:// URL where the directory supports it. Because the example sets no connectionName or connectionPassword, Tomcat performs the user and role searches with an anonymous bind and verifies the user's password by binding to the directory as the DN that the user search returned.
The userSubtree, userBase, and userSearch attributes define how the name that is entered in the Application Center login form (or in the browser authentication dialog) is matched to an LDAP user entry.
In the example, userSearch specifies that the login name is matched against the emailAddress attribute of the LDAP user entries; {0} is replaced by the login name.
The base, or scope, of the search is defined by the userBase attribute: LDAP organizes entries in a tree, and the user base names the node of that tree under which the search starts.
Set userSubtree to true. If it is false, the search covers only the direct child nodes of the user base and never reaches users stored deeper in the tree; the search must descend the whole subtree rather than stop at the first level.
For authentication alone, only the userSubtree, userBase, and userSearch attributes are needed. However, the Application Center also uses JEE security roles, so LDAP groups must be mapped to those roles. The following attributes control how the LDAP lookup yields role names:
- roleBase
- roleName
- roleSubtree
- roleSearch
In this example, the value of the roleSearch attribute matches all LDAP entries with a uniqueMember attribute whose value is the Distinguished Name (DN) of the authenticated user.
The roleBase attribute specifies a node in the LDAP tree below which the roles are defined.
The roleSubtree attribute indicates whether the LDAP search should search the entire subtree, whose root is defined by the value of roleBase, or only the direct child nodes.
The roleName attribute names the LDAP attribute of each matching role entry whose value is used as the role name; in the example it is cn, so the common name of the group becomes the role.
The allRolesMode attribute specifies how an asterisk (*) used as the role-name in the web.xml file is interpreted; with authOnly, any authenticated user satisfies such a constraint, whether or not any role was found for that user. This attribute is optional.
The commonRole attribute adds a role that is granted to all authenticated users (here, appcenter). This attribute is optional.
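To make the user and role lookups concrete, the following Python script, added here as an example and not part of Tomcat or the Application Center, models how a JNDIRealm configured with the attributes above resolves a login name to a DN and then to a list of roles. The directory contents (users alice and bob, groups MyLdapAdmin and MyLdapUser, the e-mail addresses) and the minimal filter evaluator are constructed for illustration. It also shows what happens with userSubtree="false" for a user stored one level below the user base, and why the login name must be filter-escaped before it is substituted for {0}.

```python
"""Offline model of the user and role lookups that Tomcat's JNDIRealm performs
with the attributes described above.  This is an added example, not Tomcat
code: the directory below is constructed for illustration and the filter
evaluator only understands the simple equality filters used on this page."""
import re

# Constructed sample directory: DN -> attributes.  Two users live under the
# user base, one of them nested one level deeper, and two groups list their
# members by DN, as the roleSearch filter (uniqueMember={0}) expects.
ALICE = "uid=alice,ou=bluepages,o=ibm.com"
BOB = "uid=bob,ou=contractors,ou=bluepages,o=ibm.com"
DIRECTORY = {
    ALICE: {"uid": ["alice"], "emailAddress": ["alice@example.com"]},
    BOB: {"uid": ["bob"], "emailAddress": ["bob@example.com"]},
    "cn=MyLdapAdmin,ou=ibmgroups,o=ibm.com": {
        "cn": ["MyLdapAdmin"], "uniqueMember": [ALICE]},
    "cn=MyLdapUser,ou=ibmgroups,o=ibm.com": {
        "cn": ["MyLdapUser"], "uniqueMember": [ALICE, BOB]},
}

# The realm attributes from the server.xml example on this page.
REALM = {
    "userBase": "ou=bluepages,o=ibm.com", "userSearch": "(emailAddress={0})",
    "userSubtree": True,
    "roleBase": "ou=ibmgroups,o=ibm.com", "roleSearch": "(uniqueMember={0})",
    "roleSubtree": True, "roleName": "cn", "commonRole": "appcenter",
}


def escape_filter_value(value):
    """RFC 4515 escaping of a value substituted into a search filter, so a
    login such as '*)(uid=*' cannot change the structure of the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def in_scope(dn, base, subtree):
    """subtree=True: any entry strictly below base; False: direct children only.
    (Naive RDN handling: assumes no commas inside attribute values.)"""
    if not dn.endswith("," + base):
        return False
    return subtree or dn[: -len(base) - 1].count(",") == 0


def matches(attrs, filt):
    """Evaluate a simple equality filter '(attr=value)' against one entry."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", filt)
    if not m:
        raise ValueError("only (attr=value) filters are modelled: " + filt)
    return m.group(2) in attrs.get(m.group(1), [])


def search(base, filt, subtree):
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, subtree) and matches(attrs, filt)]


def find_user_dn(login, realm):
    """Resolve the login name to exactly one DN, as JNDIRealm does; zero or
    several matches mean the login is rejected (returns None)."""
    filt = realm["userSearch"].replace("{0}", escape_filter_value(login))
    hits = search(realm["userBase"], filt, realm["userSubtree"])
    return hits[0] if len(hits) == 1 else None


def roles_for(user_dn, realm):
    """Roles are the roleName attribute of every entry under roleBase whose
    roleSearch filter matches the user's DN (the DN comes from the directory,
    not from the user), plus commonRole if it is set."""
    filt = realm["roleSearch"].replace("{0}", user_dn)
    hits = search(realm["roleBase"], filt, realm["roleSubtree"])
    roles = [DIRECTORY[dn][realm["roleName"]][0] for dn in hits]
    if realm.get("commonRole"):
        roles.append(realm["commonRole"])
    return sorted(roles)


def login_roles(login, realm):
    """Full authentication-time lookup: login name -> DN -> roles, or None."""
    dn = find_user_dn(login, realm)
    return None if dn is None else roles_for(dn, realm)


if __name__ == "__main__":
    print(login_roles("alice@example.com", REALM))
    print(login_roles("bob@example.com", REALM))
    # Same login, but userSubtree="false": bob sits one level too deep.
    print(login_roles("bob@example.com", dict(REALM, userSubtree=False)))
```

With userSubtree set to true, alice gets MyLdapAdmin, MyLdapUser and the common role appcenter, and bob gets MyLdapUser and appcenter; with userSubtree set to false, bob's login is rejected because his entry is not a direct child of the user base. A login name containing filter metacharacters is escaped before substitution and simply matches nothing.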
Mapping the JEE roles of the Application Center to LDAP roles
After you define the LDAP request for the JEE roles, you must change the web.xml file of the Application Center Services web application (applicationcenter.war) and of the Application Center Console web application (appcenterconsole.war) to map the JEE roles "appcenteradmin" and "appcenteruser" to the LDAP roles.
These examples, where LDAP users have LDAP roles called "MyLdapAdmin" and "MyLdapUser", show where and how to change the web.xml file.
The security-role-ref element in the JAX-RS servlet
    <servlet>
        <servlet-name>MobileServicesServlet</servlet-name>
        <servlet-class>org.apache.wink.server.internal.servlet.RestServlet</servlet-class>
        <init-param>
            <param-name>javax.ws.rs.Application</param-name>
            <param-value>com.ibm.puremeap.services.MobileServicesServlet</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
        <security-role-ref>
            <role-name>appcenteradmin</role-name>
            <role-link>MyLdapAdmin</role-link>
        </security-role-ref>
        <security-role-ref>
            <role-name>appcenteruser</role-name>
            <role-link>MyLdapUser</role-link>
        </security-role-ref>
    </servlet>
The security-role element
    <security-role>
        <role-name>MyLdapAdmin</role-name>
    </security-role>
The auth-constraint element
After you edit the security-role-ref and security-role elements, you can use the roles defined there in the auth-constraint elements that protect the web resources; every LDAP role referenced by a role-link or an auth-constraint must be declared in its own security-role element. See the appcenteradminConstraint and appcenteruserConstraint elements in this example for the definition of the web resource collection that is protected by the role named in the auth-constraint element. Note that the example sets transport-guarantee to NONE, so Tomcat does not force HTTPS for these resources even though the login credentials travel over the same connection; in production, set it to CONFIDENTIAL or terminate TLS in front of Tomcat.
    <security-constraint>
        <display-name>appcenteruserConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>appcenteruser</web-resource-name>
            <url-pattern>/installers.html</url-pattern>
            <url-pattern>/service/device/*</url-pattern>
            <url-pattern>/service/directory/*</url-pattern>
            <url-pattern>/service/plist/*</url-pattern>
            <url-pattern>/service/auth/*</url-pattern>
            <url-pattern>/service/application/*</url-pattern>
            <url-pattern>/service/desktop/*</url-pattern>
            <url-pattern>/service/principal/*</url-pattern>
            <url-pattern>/service/acl/*</url-pattern>
            <url-pattern>/service/userAndConfigInfo</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>MyLdapUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
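A practical check after editing both web.xml files is to verify that every role-link and every auth-constraint role-name refers to a declared security-role, that both application roles are mapped, and that no constraint leaves the transport unprotected. The following Python script, an added example that is not part of the product, performs that check with the standard library. The embedded web.xml fragment is constructed for illustration (it uses a single /service/* pattern instead of the full list above and CONFIDENTIAL instead of NONE), and a deliberately broken variant of it shows the findings the check produces.

```python
"""Consistency check for the Application Center web.xml role mapping described
above.  Added example, not part of the product: it parses a web.xml and
reports role links that point at undeclared roles, application roles that
were never mapped, and constraints that leave the transport unprotected.
The web.xml text below is constructed for illustration."""
import xml.etree.ElementTree as ET

# Roles the Application Center code refers to; both must be mapped to an
# LDAP role through a <security-role-ref>.
REQUIRED_APP_ROLES = {"appcenteradmin", "appcenteruser"}


def _local(tag):
    """Strip the XML namespace that a real web.xml declares."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    found = _children(el, name)
    return found[0].text.strip() if found and found[0].text else None


def _all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def check_web_xml(xml_text):
    """Return a list of findings; an empty list means the mapping is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {_text(sr, "role-name") for sr in _all(root, "security-role")}

    mapped = {}
    for ref in _all(root, "security-role-ref"):
        name, link = _text(ref, "role-name"), _text(ref, "role-link")
        mapped[name] = link
        if link not in declared:
            findings.append(f"role-link '{link}' for '{name}' is not declared in a <security-role>")
    for missing in sorted(REQUIRED_APP_ROLES - set(mapped)):
        findings.append(f"application role '{missing}' has no <security-role-ref>")

    for sc in _all(root, "security-constraint"):
        label = _text(sc, "display-name") or "<unnamed constraint>"
        auth = _children(sc, "auth-constraint")
        if not auth:
            findings.append(f"{label}: no <auth-constraint>, the resources are open to everyone")
        for rn in (_children(auth[0], "role-name") if auth else []):
            role = (rn.text or "").strip()
            if role != "*" and role not in declared:
                findings.append(f"{label}: auth-constraint role '{role}' is not declared in a <security-role>")
        udc = _children(sc, "user-data-constraint")
        guarantee = _text(udc[0], "transport-guarantee") if udc else None
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{label}: transport-guarantee is {guarantee or 'absent'}, so Tomcat does not force HTTPS")
    return findings


# Constructed web.xml fragment with the mapping from this page, hardened to CONFIDENTIAL.
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>MobileServicesServlet</servlet-name>
    <security-role-ref>
      <role-name>appcenteradmin</role-name>
      <role-link>MyLdapAdmin</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>appcenteruser</role-name>
      <role-link>MyLdapUser</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <display-name>appcenteruserConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>appcenteruser</web-resource-name>
      <url-pattern>/service/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>MyLdapUser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-role><role-name>MyLdapAdmin</role-name></security-role>
  <security-role><role-name>MyLdapUser</role-name></security-role>
</web-app>
"""

# The same file with a typo in one role-link and the page's transport-guarantee of NONE.
BAD_WEB_XML = (GOOD_WEB_XML
               .replace("<role-link>MyLdapUser</role-link>", "<role-link>MyLdapUsr</role-link>")
               .replace("CONFIDENTIAL", "NONE"))

if __name__ == "__main__":
    for name, doc in (("good", GOOD_WEB_XML), ("bad", BAD_WEB_XML)):
        print(name, check_web_xml(doc) or "OK")
```

Run it against the real applicationcenter.war and appcenterconsole.war web.xml files after the edit; a mistyped role-link is otherwise silent, because the container simply never grants the application role, and users who authenticate correctly are then denied access.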
Parent topic: LDAP with Apache Tomcat