LDAP authentication in Sun Application server

Today, I would like to describe the steps to enable LDAP authentication in a web module deployed in Sun Application Server. Authentication is the way an entity determines that another entity is who it claims to be.
Very important for understanding security in SJAS is the Realm. A realm, also called a security policy domain or security domain, is a scope over which the server defines and enforces a common security policy. In practical terms, a realm is a repository where the server stores user and group information. The Application Server comes pre-configured with three realms: file (the initial default realm), certificate, and admin-realm. In this post we will add and set up a new ldap realm.
I will use an open source implementation of a Lightweight Directory Access Protocol (LDAP) server that is available here.
  • First, we should create a new user. I created a users.ldif file with one entry that represents the user:
         dn: uid=blaha,ou=people,dc=netbeans,dc=cz
         uid: blaha
         givenName: blaha
         objectClass: top
         objectClass: person
         objectClass: organizationalPerson
         objectClass: inetorgperson
         sn: blaha
         cn: Petr Blaha
         userPassword: {SSHA}Z9RXgOsVA6395NtLw6ot7XjkO3dJAeUIqDdWdA==
    The entry must define the uid attribute: the container searches for the entry by this attribute during authentication.
  • Add this entry to the LDAP server by executing the following command:
    ldapadd -x -D "cn=Manager,dc=netbeans,dc=cz" -W -f users.ldif
  • Open the web admin console (by default http://localhost:4848), go to the Security -- Realms page and click the New button. Specify a name (the same name is referenced later from web.xml as realm-name), the class name should be com.sun.enterprise.security.auth.realm.ldap.LDAPRealm, and add these properties:
    directory: ldap://localhost:389 (change to the right host name)
    base-dn: ou=people,dc=netbeans,dc=cz (the base distinguished name from which the search will start)
    jaas-context: ldapRealm (the type of login module to use for this realm; use ldapRealm)
  • Create a new web application. I will use the form authentication method, so I created a new login page containing an HTML form with these fields:
        <form method="POST" action="j_security_check">
          Username: <input type="text" name="j_username"/>
          Password: <input type="password" name="j_password"/>
          <input type="submit" value="Submit"/>
        </form>
  • Update the web.xml file according to the new realm:
      <security-role>
        <role-name>USER</role-name>
      </security-role>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>protected area</web-resource-name>
          <url-pattern>/index.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>USER</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ldaprealmperapp</realm-name><!-- name of the LDAP realm created in the admin console -->
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
      </login-config>
    
  • Now you can test LDAP authentication.
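As an added example (not code from the post, nor Sun Application Server's own realm implementation), the following Python mimics what the LDAP realm does with the users.ldif entry above: it reads the LDIF, finds the entry by uid under base-dn, verifies the {SSHA} userPassword, and escapes the uid before it is placed in the search filter. The sample directory, the password "s3cret" and the function names are constructed for illustration; only PAGE_HASH is the value from the post.

```python
import base64
import hashlib
import hmac
import os

def parse_ldif(text):
    # Minimal LDIF reader: "attr: value" lines, a blank line ends an entry (no "::" base64 values).
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        else:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def ssha_hash(password, salt=None):
    # OpenLDAP {SSHA}: base64(sha1(password + salt) + salt); the salt is stored in clear after the digest.
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def split_ssha(stored):
    # SHA-1 digests are 20 bytes; everything after that is the salt.
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]

def ssha_verify(stored, password):
    if not stored.startswith("{SSHA}"):
        return False
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def escape_filter_value(value):
    # RFC 4515 escaping: a uid taken from the login form must not be able to change the filter structure.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def authenticate(ldif_text, base_dn, uid, password):
    # Mimic the realm's search-then-bind: locate the entry by uid under base-dn, then check the password.
    search_filter = "(uid=%s)" % escape_filter_value(uid)  # what would be sent to the directory
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if dn.lower().endswith(base_dn.lower()) and entry.get("uid") == [uid]:
            return ssha_verify(entry["userPassword"][0], password)
    return False

PAGE_HASH = "{SSHA}Z9RXgOsVA6395NtLw6ot7XjkO3dJAeUIqDdWdA=="  # userPassword value from the post's users.ldif
SAMPLE_LDIF = "dn: uid=blaha,ou=people,dc=netbeans,dc=cz\nuid: blaha\ncn: Petr Blaha\nuserPassword: %s\n" % ssha_hash("s3cret", b"\x00" * 8)  # constructed sample, hypothetical password
```

The real realm never sees the hash: after the search it binds to the directory as the found DN with the submitted password, so the local verification here only illustrates what the stored {SSHA} value contains.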
Comments:

Good Tutorial.

Posted by Anu on October 06, 2006 at 01:19 AM CEST #

Thank you, this article is informative.

Posted by guest on October 07, 2006 at 12:52 PM CEST #

Hi, this works fine if you're not using the 'account inactivation' feature of Sun Directory Server. If a user has already logged into my web application, then logs out, then his account gets deactivated, he can still log into the application, because it seems that no further bind occurs. If I restart the web container (i.e. recreate all connections to the LDAP server), then it works. Any idea on how to force a re-bind for each login? Cheers

Posted by Jean-Noel Colin on October 11, 2006 at 03:19 AM CEST #

Thank you, this article is really good

Posted by alex on March 24, 2007 at 01:39 PM CET #

thank you for help)

Posted by Alex Connor on April 17, 2007 at 07:15 AM CEST #

You did a great job! Thanks

Posted by Moshe Wasserman on April 17, 2007 at 08:13 AM CEST #

+1

Posted by Gonzolder on April 25, 2007 at 01:57 PM CEST #

+1

Posted by Alex on October 22, 2007 at 03:36 PM CEST #

From my test machine (Windows XP, Tomcat 5.5.) my application does a JNDI login to an LDAP server and returns fine. (uses the simplest form pointing to <j_security_check>)

When I have it deployed on a SOLARIS production server the login just hangs for many minutes (no traffic seen on the LDAP server), finally returns, after which it works fine for all users until there has been a significant usage gap, at which point the process is repeated.
The LDAP server shows no input from the calling machine.

My web.xml does not have a <realm-name> property value as shown in your code! How is this name derived? And could this explain the problem?

The Error in the logfile after the delay is as follows:

29-Aug-2009 14:35:30 org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.ServiceUnavailableException: ldap2.dundee.ac.uk:389; socket closed; remaining name 'o=dundee'
	at com.sun.jndi.ldap.Connection.readReply(Connection.java:416)
	at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:611)
	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:534)
	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1948)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1810)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)

etc.

Posted by Wynne Carter on September 11, 2009 at 07:55 AM CEST #

About

pblaha
