GERONIMO-4818

Cannot configure username and password for logging in to the server through LDAP

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2
    • Fix Version/s: 2.2
    • Component/s: security, Tomcat
    • Security Level: public (Regular issues)
    • Labels: None
    • Environment: xp:sp2, jdk 1.6

      Description

      1. Set up Apache Directory Server.
      2. Copy geronimo-realm.ldif to your LDAP server and run this command to import the LDAP entries:
      $ ldapmodify -h [your_ldap_server_ip] -p 10389 -D "uid=admin,ou=system" -w secret -a -f [your_geronimo-realm_path]

      You can also use another third-party directory client tool, such as Apache Directory Studio, to import this LDIF file.
      3. Customize the LDAP server IP: <log:option name="connectionURL">ldap://<your host ip>:10389</log:option> in ldap.xml, copy it to your WASCE server, then go to the WASCE server bin directory and run:
      deploy.sh/bat --user system --password manager deploy <deployment_plan_home>/ldap.xml
      You can also deploy it via the admin console: "Deploy New" -> "Archive/Plan": ldap.xml
      4. Shut down the WASCE server and modify $your_geronimo_server/var/config/config.xml as below:
      change <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car"/> to
      <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car">
      <gbean name="geronimo-admin" load="false"/>
      </module>
      5. Restart the Geronimo server and log in with username: test, password: manager.

      Attachments:
      1. geronimo-realm.ldif (1 kB, Ben Liang)
      2. ldap.xml (2 kB, Ben Liang)

        Activity

        Ben Liang added a comment -

        The file to configure the ldap server and geronimo server

        Ivan added a comment -

        There are some changes in the security references between 2.1.* and 2.2; I think this way will not work now.

        Ivan added a comment -

        Currently, I think we could configure LDAP in the way below.
        1. Just add the configurations to the server-security-config module segment of the config.xml:
        <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car">
          <gbean name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModule,name=ldap-login" gbeanInfo="org.apache.geronimo.security.jaas.LoginModuleGBean">
            <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
            <!-- one key=value option per line; {0} is substituted at login time -->
            <attribute name="options">roleSearchMatching=uniqueMember={0}
        userSearchMatching=uid={0}
        userBase=ou=users,ou=system
        connectionUsername=uid=admin,ou=system
        roleName=cn
        userSearchSubtree=true
        authentication=simple
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        roleBase=ou=groups,ou=system
        connectionPassword=secret
        connectionURL=ldap://9.186.10.16:10389
        roleSearchSubtree=true</attribute>
            <attribute name="loginDomainName">geronimo-admin</attribute>
          </gbean>
          <!-- point the existing geronimo-admin realm at the LoginModuleUse defined below -->
          <gbean name="geronimo-admin">
            <reference name="LoginModuleConfiguration">
              <pattern>
                <name>ldap-login-use</name>
              </pattern>
            </reference>
          </gbean>
          <gbean name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModuleUse,name=ldap-login-use" gbeanInfo="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
            <attribute name="controlFlag">REQUIRED</attribute>
            <reference name="LoginModule">
              <pattern>
                <name>ldap-login</name>
              </pattern>
            </reference>
          </gbean>
        </module>

        Not sure whether there is a better way to do it.

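As an added example (not code from this issue or from Geronimo), the following Python check parses the newline-separated `options` text of an LDAPLoginModule gbean like the one posted above, shows how the login name is substituted into userSearchMatching with RFC 4515 escaping applied first, and flags the weak settings visible in both the reporter's ldap.xml flow and the config.xml snippet: a simple bind over plaintext ldap:// with the password embedded, and binding as the directory admin. The gbean text, the LDAP_HOST_PLACEHOLDER host and the service-account DN used in the test are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the gbean posted in this issue; added example, not Geronimo code.
SAMPLE_GBEAN = """<gbean name="ldap-login" gbeanInfo="org.apache.geronimo.security.jaas.LoginModuleGBean">
<attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
<attribute name="options">roleSearchMatching=uniqueMember={0}
userSearchMatching=uid={0}
userBase=ou=users,ou=system
connectionUsername=uid=admin,ou=system
connectionPassword=secret
authentication=simple
connectionURL=ldap://LDAP_HOST_PLACEHOLDER:10389</attribute>
</gbean>"""

def parse_options(text):
    """Parse key=value lines into a dict; split on the first '=' only so DN values survive."""
    opts = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key] = value
    return opts

def extract_options(gbean_xml):
    """Find the LoginModuleGBean 'options' attribute and parse it."""
    root = ET.fromstring(gbean_xml)
    for attr in root.findall("attribute"):
        if attr.get("name") == "options":
            return parse_options(attr.text or "")
    return {}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(opts, username):
    """Substitute the login name into userSearchMatching, escaping it first."""
    return opts["userSearchMatching"].replace("{0}", escape_filter_value(username))

def audit_options(opts):
    """Hardening findings for an LDAPLoginModule option set (empty list = clean)."""
    findings = []
    if opts.get("connectionURL", "").startswith("ldap://") and opts.get("authentication") == "simple":
        findings.append("simple bind over plaintext ldap://: passwords cross the wire unencrypted")
    if "connectionPassword" in opts and opts.get("connectionUsername", "").startswith("uid=admin,"):
        findings.append("bind account is the directory admin; use a read-only service account")
    for key in ("userSearchMatching", "roleSearchMatching"):
        if "{0}" not in opts.get(key, ""):
            findings.append(key + " lacks the {0} placeholder, so it never matches the specific user")
    return findings
```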
        David Jencks added a comment -

        1. If possible, could you re-attach your patches granting license to use them to the ASF (check box on the attach file form). Then we can try to set up an integration test or sample showing how to do this. I failed the last time I looked at this because I couldn't determine a reasonable LDAP schema, a problem you have apparently solved.

        2. I _STRONGLY_ recommend approaching this by replacing server-security-config entirely with a new plugin with the actual server security setup you want: server-security-config as shipped is a toy example to demonstrate that the server works.

        3. If you build the plugin with maven and the car-maven-plugin you can include an artifact-alias so your plugin will replace the server-security-config plugin the next time the server starts.

        There is some advice on how to do (3) in slides from a presentation, http://people.apache.org/~djencks/AdministeringGeronimo.pdf. I had a sample project working at one point but I can't find it right now.

        viola.lu added a comment -

        I think we should update doc also.

        Chi Runhua added a comment -

        I think Liangkun was using a sample application from 2.1.x and encountered the problem. And I believe the sample should be updated as well if it's not working on G2.2.

        Here is the link for reference.

        http://cwiki.apache.org/GMOxDOC22/ldap-sample-app-ldap-sample-application.html

        Jeff C

        Chi Runhua added a comment -

        Doc for G2.2 updated accordingly.

        http://cwiki.apache.org/GMOxDOC22/replacing-default-realm-in-geronimo.html

        Any questions, please let me know.

        Jeff C


          People

          • Assignee: Unassigned
          • Reporter: Ben Liang
          • Votes: 0
          • Watchers: 0
