You can configure the Java CAPS Repository to use an LDAP server for user management.
When a user attempts to log into the Repository, the user name and password are checked against the user name and password that are stored in the LDAP server. In addition, the list of roles for the user is retrieved from the server to authorize the user’s access to various objects in the Repository.
The following LDAP servers are supported:
Sun Java System Directory Server versions 5.1, 5.2, and 6.x
Microsoft's Active Directory (the version delivered with Windows Server 2003)
OpenLDAP Directory Server 2.x
First, you must configure the LDAP server. See the appropriate section:
Then, you configure the Repository so that it can locate the LDAP server and find the appropriate information (such as the portion of the directory that contains users). See Configuring the Repository.
If you want to encrypt communications between the Repository and the LDAP server, see SSL Support.
Managing Java CAPS Users provides basic information about Repository user management.
Sun Java System Directory Server versions 5.1 and 5.2 include the following main components:
Directory Server
Administration Server
Directory Server console
The Directory Server console enables you to perform most administrative tasks. The console contains four top-level tabs: Tasks, Configuration, Directory, and Status. The Directory tab displays the directory entries as a tree. You can browse, display, and edit all of the entries and attributes from this tab.
You can also perform administrative tasks manually by editing configuration files or by using command-line utilities.
Sun Java System Directory Server version 6.x provides the following ways for you to manage the entries in a directory:
Directory Editor
ldapmodify and ldapdelete command-line utilities
Directory Service Control Center (DSCC) is integrated into the Sun Java Web Console. DSCC contains five top-level tabs: Common Tasks, Directory Servers, Proxy Servers, Server Groups, and Settings.
If you click the Directory Servers tab, the name of a server, and the Entry Management tab, then you reach the page that enables you to browse, add, and modify entries. The Directory Information Tree (DIT) appears on the left.
You can also use the Common Tasks tab to create a new entry or browse data.
For detailed information about how to perform the following steps, see the documentation provided with Sun Java System Directory Server.
Create the admin user and the Administrator user under the People directory.
Create the roles all, administration, and management under the top node.
Assign the roles that you created to the admin user and the Administrator user.
Go to Configuring the Repository.
Active Directory is a key part of Windows 2003. It provides a wide variety of manageability, security, and interoperability features. The main administration tool is a snap-in called Active Directory Users and Computers.
Active Directory does not support the concept of roles. Therefore, you must simulate the Java CAPS roles in Active Directory using the concept of groups.
Rather than creating the groups within the Users directory, you create the groups in a new organizational unit called CAPSRoles.
For detailed information about how to perform the following steps, see the documentation provided with Active Directory.
Start the Active Directory Users and Computers administration tool.
Right-click the root node and select New > Organizational Unit.
The New Object - Organizational Unit dialog box appears.
In the Name field, enter a value (for example, CAPSRoles).
Click OK.
Under the organizational unit, create the following groups: all, administration, and management. To create a group, you right-click the organizational unit and select New > Group. Use the default values for Group scope and Group type.
After you add the groups, they appear under the organizational unit.
Add the admin user and the Administrator user as members of each group that you created: double-click the group and select admin and Administrator in the dialog box.
Go to Configuring the Repository.
The OpenLDAP Project provides an open source implementation of the LDAP protocol. The LDAP server runs as a stand-alone daemon called slapd. The main configuration file is called slapd.conf. This file contains global, backend-specific, and database-specific information. You can use various approaches to add entries to the database, such as using the slapadd program. To search the database, use the ldapsearch program.
For more information, see http://www.openldap.org.
For detailed information about how to perform the following steps, see the documentation provided with OpenLDAP Directory Server.
Create the admin user and the Administrator user under the node where the users are located.
If you do not have a node for roles in your schema, then create a node for the Java CAPS-specific roles that you will create in the following step. For example:
dn: ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: organizationalUnit
ou: CAPSRoles
Create the roles all, administration, and management under the node where the roles are located. Add the admin user and the Administrator user as unique members of each role. For example:
dn: cn=all, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: all
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com

dn: cn=administration, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: administration
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com

dn: cn=management, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: management
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com
Add other users to one or more roles, as necessary. For example:
dn: cn=all, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: all
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com
uniqueMember: uid=userA, ou=People, dc=sun, dc=com
uniqueMember: uid=userB, ou=People, dc=sun, dc=com

dn: cn=administration, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: administration
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com
uniqueMember: uid=userB, ou=People, dc=sun, dc=com

dn: cn=management, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: management
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com
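To see how role membership in entries like these is resolved, here is an added Python example (not part of the Java CAPS documentation or product). It parses LDIF role entries, indexes each groupOfUniqueNames entry by its uniqueMember values, and returns the roles for a user DN; that is the question the Repository later asks the server through the roleSearch="(uniquemember={0})" filter. The embedded LDIF is constructed from the role entries shown above; DN comparison is a simplified case-insensitive match, not a full RFC 4514 normalization.

```python
"""Resolve Java CAPS roles for a user from groupOfUniqueNames entries in LDIF.

Added example, not part of the Java CAPS documentation or product.
"""
import base64
from collections import defaultdict

# Constructed sample: the three role entries from the procedure above.
SAMPLE_LDIF = """\
dn: cn=all, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: all
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com
uniqueMember: uid=userA, ou=People, dc=sun, dc=com
uniqueMember: uid=userB, ou=People, dc=sun, dc=com

dn: cn=administration, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: administration
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com
uniqueMember: uid=userB, ou=People, dc=sun, dc=com

dn: cn=management, ou=CAPSRoles, dc=sun, dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: management
ou: CAPSRoles
uniqueMember: uid=admin, ou=People, dc=sun, dc=com
uniqueMember: uid=Administrator, ou=People, dc=sun, dc=com
"""


def normalize_dn(dn):
    """Simplified DN canonicalization: strip spaces around commas, lower-case.
    The LDIF above writes 'uid=admin, ou=People' with spaces after commas,
    and uid/ou/dc values match case-insensitively in the directory."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Parse LDIF records into dicts mapping lower-cased attribute -> list of values.
    Handles blank-line-separated records, comment lines, 'attr:: base64' values,
    and continuation lines (a line starting with one space extends the last value)."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        if value.startswith(":"):  # "attr:: base64value" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    return records


def role_index(records, role_class="groupofuniquenames", member_attr="uniquemember"):
    """Build user DN -> set of role names (the cn of each role entry that lists the user).
    This is what a roleBase/roleSearch/roleName lookup returns for a bound user."""
    index = defaultdict(set)
    for rec in records:
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if role_class not in classes:
            continue
        role_name = rec.get("cn", [None])[0]
        for member in rec.get(member_attr, []):
            index[normalize_dn(member)].add(role_name)
    return index


def roles_for(user_dn, ldif_text=SAMPLE_LDIF):
    """Return the sorted list of roles that list user_dn as a unique member."""
    index = role_index(parse_ldif(ldif_text))
    return sorted(index.get(normalize_dn(user_dn), set()))


if __name__ == "__main__":
    for uid in ("admin", "userA", "userB", "nobody"):
        dn = f"uid={uid},ou=People,dc=sun,dc=com"
        print(f"{dn}: {roles_for(dn)}")
```

Running the script lists admin in all three roles, userA in all only, userB in all and administration, and an unknown user in none, which is the authorization outcome the Repository derives from these entries.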
Go to Configuring the Repository.
To use an LDAP server for Repository user management, you must add a <Realm> element to the Repository’s server.xml file, which is located in the JavaCAPS-install-dir/repository/repository/server/conf directory.
The server.xml file contains a default <Realm> element that specifies a flat file implementation of the user database. The flat file implementation uses the tomcat-users.xml file in the JavaCAPS-install-dir/repository/repository/data/files directory.
The following table describes the attributes used by the LDAP versions of the <Realm> element. For a detailed description of all the possible attributes, see the Tomcat documentation for the org.apache.catalina.realm.JNDIRealm class.
Open the server.xml file in the JavaCAPS-install-dir/repository/repository/server/conf directory.
Remove or comment out the default <Realm> element.
If you are using Sun Java System Directory Server, add the following <Realm> element inside the <Engine> tag. Change the default values as necessary. The preceding table describes the attributes.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:489"
       userBase="cn=People,dc=sun,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       userRoleName="nsroledn"
       userRoleNamePattern="cn={0},dc=sun,dc=com"
       roleSubtree="true" />
If you are using Active Directory, add the following <Realm> element inside the <Engine> tag. Change the default values as necessary. The preceding table describes the attributes.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       userBase="cn=Users,dc=sun,dc=com"
       userSearch="(cn={0})"
       userSubtree="true"
       roleBase="ou=CAPSRoles,dc=sun,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
If you are using OpenLDAP Directory Server, add the following <Realm> element inside the <Engine> tag. Change the default values as necessary. The preceding table describes the attributes.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       userBase="ou=People,dc=sun,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=CAPSRoles,dc=sun,dc=com"
       roleName="cn"
       roleSearch="(uniquemember={0})"
       roleSubtree="true" />
If your LDAP server is not configured for anonymous read access, add the connectionName and connectionPassword attributes to the <Realm> element. Set the first attribute to the DN of the Administrator user. Set the second attribute to the user’s encrypted password. Refer to the following examples.
Sun Java System Directory Server:
connectionName="cn=Directory Manager" connectionPassword="E451KDVb0OPcH+GN46OZcg=="
Active Directory:
connectionName="Administrator@sun.com" connectionPassword="geEiVIbtO+DcH+GN46OZcg=="
OpenLDAP Directory Server:
connectionName="cn=Manager,dc=sun,dc=com" connectionPassword="l/ZRt1cfNKc="
To encrypt the password, use the encrypt utility in the JavaCAPS-install-dir/repository/repository/util directory. The file extension of the utility depends on your platform. This utility takes the unencrypted password as an argument. For example:
C:\JavaCAPS6\repository\repository\util>encrypt mypwd
LCUApSkYpuE
Save and close the server.xml file.
Start the LDAP server.
Shut down and restart the Repository.
By default, communications between the Repository and the LDAP server are unencrypted.
To encrypt communications between the Repository and the LDAP server, make the following additions and modifications to the procedures described earlier in this topic.
Ensure that the LDAP server is configured to use the Secure Sockets Layer (SSL). For detailed instructions, see the documentation provided with the LDAP server.
In preparation for the next step, export the LDAP server’s certificate to a file.
You must add the LDAP server’s certificate to the Repository’s list of trusted certificates. The list is located in a file called cacerts.
In the following procedure, you use the keytool program. This program is included with the Java SDK.
Navigate to the JDK-install-dir/jre/bin directory.
Use the JDK that was specified during the installation of the Repository.
Run the following command:
keytool -import -trustcacerts -alias alias -file certificate_filename -keystore cacerts_filename
For the -alias option, you can assign any value.
For the -file option, specify the fully qualified name of the LDAP server’s certificate. For example:
C:\mycertificate.cer
For the -keystore option, specify the fully qualified name of the cacerts file. The cacerts file is located in the JDK-install-dir/jre/lib/security directory. For example:
C:\Java\jdk1.6.0_06\jre\lib\security\cacerts
When prompted, enter the keystore password. The default password is changeit.
When prompted to trust this certificate, enter yes.
The following message appears:
Certificate was added to keystore
In the <Realm> element of the server.xml file, modify the URL of the LDAP server as follows:
Change the scheme from ldap:// to ldaps://, and set the port number to the port number that the LDAP server listens on for SSL requests. Typically, this number is 636.
For example:
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldaps://myldapserver:636" ...
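As an added example (not from the Java CAPS documentation or product), the following Python script audits the <Realm> element against the points raised in this topic: whether the default flat-file realm was left in place next to the LDAP one, whether bind credentials (connectionName and connectionPassword) would travel over plain ldap://, and whether the connectionURL uses ldaps:// with an explicit SSL port. The two embedded server.xml fragments are constructed; the MemoryRealm class name used for the default flat-file realm is an assumption (it is the Tomcat realm that reads tomcat-users.xml, but the page does not name the class), and the hostname myldapserver is taken from the example above.

```python
"""Audit the JNDIRealm configuration in a Java CAPS Repository server.xml.

Added example, not part of the Java CAPS product or documentation.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
# Assumption: the default flat-file realm is Tomcat's MemoryRealm, the realm
# class that reads tomcat-users.xml. The page does not name the class.
FLAT_FILE_REALM = "org.apache.catalina.realm.MemoryRealm"

# Constructed sample: the OpenLDAP realm from the procedure above with bind
# credentials added, still on plain ldap://, and the default realm left in.
WEAK_SERVER_XML = f"""\
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="{FLAT_FILE_REALM}" />
      <Realm className="{JNDI_REALM}"
             connectionURL="ldap://localhost:389"
             connectionName="cn=Manager,dc=sun,dc=com"
             connectionPassword="l/ZRt1cfNKc="
             userBase="ou=People,dc=sun,dc=com"
             userSearch="(uid={{0}})"
             userSubtree="true"
             roleBase="ou=CAPSRoles,dc=sun,dc=com"
             roleName="cn"
             roleSearch="(uniquemember={{0}})"
             roleSubtree="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same file after the SSL Support steps, with the
# default realm removed and the URL switched to ldaps:// on port 636.
HARDENED_SERVER_XML = (
    WEAK_SERVER_XML.replace(f'<Realm className="{FLAT_FILE_REALM}" />', "")
    .replace("ldap://localhost:389", "ldaps://myldapserver:636")
)


def audit_realms(server_xml):
    """Return a list of findings (strings); an empty list means nothing to fix."""
    findings = []
    root = ET.fromstring(server_xml)
    realms = root.findall(".//Engine/Realm")
    ldap_realms = [r for r in realms if r.get("className") == JNDI_REALM]

    if not ldap_realms:
        findings.append("no JNDIRealm under <Engine>: the Repository still uses the flat-file user database")
    if len(realms) > 1:
        findings.append("more than one <Realm> under <Engine>: remove or comment out the default flat-file realm")

    for realm in ldap_realms:
        raw_url = realm.get("connectionURL", "")
        url = urlsplit(raw_url)
        has_bind = realm.get("connectionName") is not None or realm.get("connectionPassword") is not None
        if url.scheme != "ldaps":
            # Without SSL every user's password is sent to the LDAP server in clear.
            msg = f"connectionURL {raw_url!r} is not ldaps://: user passwords cross the network in clear"
            if has_bind:
                msg += ", and so do the connectionName bind credentials"
            findings.append(msg)
        elif url.port is None:
            findings.append(f"connectionURL {raw_url!r} has no explicit port: set the server's SSL port (typically 636)")
        if has_bind and not realm.get("connectionPassword"):
            findings.append("connectionName is set but connectionPassword is empty or missing")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{label}: {audit_realms(xml_text) or ['no findings']}")
```

Run it against your own server.xml by passing the file contents to audit_realms; the weak sample produces two findings (the leftover default realm and the plaintext URL carrying bind credentials), while the hardened sample produces none. The script cannot judge whether connectionPassword was produced by the encrypt utility, so that step is still checked by hand.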