Using LDAP with Java CAPS

Configuring the Repository

To use an LDAP server for Repository user management, you must add a <Realm> element to the Repository’s server.xml file, which is located in the JavaCAPS-install-dir/repository/repository/server/conf directory.

The server.xml file contains a default <Realm> element that specifies a flat file implementation of the user database. The flat file implementation uses the tomcat-users.xml file in the JavaCAPS-install-dir/repository/repository/data/files directory.

The following table describes the attributes used by the LDAP versions of the <Realm> element. For a detailed description of all the possible attributes, see the Tomcat documentation for the org.apache.catalina.realm.JNDIRealm class.

className
    Always use the value org.apache.catalina.realm.JNDIRealm.

connectionURL
    The URL of the LDAP server, including the server name and the port on which the server listens for requests, for example ldap://localhost:389.

roleBase
    The base entry for the role search. If this attribute is not specified, the search starts at the top-level directory context.

roleName
    The attribute of a role entry that holds the name of the role (cn in the examples that follow).

roleSearch
    The LDAP search filter for selecting role entries. It can contain the pattern replacements {0} for the Distinguished Name (DN) of the authenticated user and {1} for the user name. Group membership attributes such as member (Active Directory) and uniquemember (OpenLDAP) store the DNs of their members, so filters on those attributes use {0}.

roleSubtree
    By default only the entries one level below roleBase are searched. Set this attribute to true to search the entire subtree under roleBase.

userBase
    The entry at the base of the subtree containing users. If this attribute is not specified, the search starts at the top-level context.

userPattern
    A pattern for the DN of the user's directory entry, following the syntax supported by the java.text.MessageFormat class, with {0} marking where the user name is inserted. Use it when the DN can be built directly from the user name; otherwise use userBase and userSearch.

userRoleName
    The attribute of the user's directory entry that holds zero or more role names. In the Sun Java System Directory Server example the attribute (nsroledn) holds role DNs, which userRoleNamePattern reduces to role names. Roles obtained this way are added to those found by the role search; if userRoleName is not specified, all of a user's roles come from the role search.

userRoleNamePattern
    A pattern for the DN of a role entry, following the java.text.MessageFormat syntax, with {0} marking the position of the role name. Java CAPS matches each value of the userRoleName attribute against this pattern and extracts the role name it uses for authorization; with cn={0},dc=sun,dc=com, the value cn=Administrator,dc=sun,dc=com yields the role Administrator.

userSearch
    The LDAP search filter for selecting the user entry, after the user name has been substituted for {0}.

userSubtree
    By default only the entries one level below userBase are searched. Set this attribute to true to search the entire subtree under userBase.

To Configure the Repository

  1. Open the server.xml file in the JavaCAPS-install-dir/repository/repository/server/conf directory.

  2. Remove or comment out the default <Realm> element.

  3. If you are using Sun Java System Directory Server, add the following <Realm> element inside the <Engine> tag. Change the default values as necessary. The preceding table describes the attributes.


    <Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://localhost:489"
        userBase="cn=People,dc=sun,dc=com"
        userSearch="(uid={0})"
        userSubtree="true"
        userRoleName="nsroledn"
        userRoleNamePattern="cn={0},dc=sun,dc=com"
        roleSubtree="true"
    />
  4. If you are using Active Directory, add the following <Realm> element inside the <Engine> tag. Change the default values as necessary. The preceding table describes the attributes.


    <Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://localhost:389"
        userBase="cn=Users,dc=sun,dc=com"
        userSearch="(cn={0})"
        userSubtree="true"
        roleBase="ou=CAPSRoles,dc=sun,dc=com"
        roleName="cn"
        roleSearch="(member={0})"
        roleSubtree="true"
    />
  5. If you are using OpenLDAP Directory Server, add the following <Realm> element inside the <Engine> tag. Change the default values as necessary. The preceding table describes the attributes.


    <Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://localhost:389"
        userBase="ou=People,dc=sun,dc=com"
        userSearch="(uid={0})"
        userSubtree="true"
        roleBase="ou=CAPSRoles,dc=sun,dc=com"
        roleName="cn"
        roleSearch="(uniquemember={0})"
        roleSubtree="true"
    />
  6. If your LDAP server does not allow anonymous read access to the user and role entries, add the connectionName and connectionPassword attributes to the <Realm> element. Set connectionName to the DN (or, for Active Directory, the user principal name) of the account the Repository binds with, and connectionPassword to that account's password encrypted with the encrypt utility described below. The examples use the directory administrator; an account that can only read the user and role entries is sufficient and preferable. Refer to the following examples.

    Sun Java System Directory Server:


    connectionName="cn=Directory Manager"
    connectionPassword="E451KDVb0OPcH+GN46OZcg=="

    Active Directory:


    connectionName="Administrator@sun.com"
    connectionPassword="geEiVIbtO+DcH+GN46OZcg=="

    OpenLDAP Directory Server:


    connectionName="cn=Manager,dc=sun,dc=com"
    connectionPassword="l/ZRt1cfNKc="

    To encrypt the password, use the encrypt utility in the JavaCAPS-install-dir/repository/repository/util directory. The file extension of the utility depends on your platform. The utility takes the unencrypted password as its argument and prints the encrypted value to use for connectionPassword. For example:


    C:\JavaCAPS6\repository\repository\util>encrypt mypwd
    LCUApSkYpuE
  7. Save and close the server.xml file.

  8. Start the LDAP server.

  9. Shut down and restart the Repository.
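The following script is an added example for the attribute table and the procedure above; it is not part of Java CAPS or Tomcat. It reads the <Realm> element out of a server.xml, flags the configuration mistakes that most often leave users unable to log in or without roles, and shows the exact LDAP lookups the realm will perform for a given login, so the filters can be tried with ldapsearch before the Repository is restarted. The embedded server.xml fragment is constructed from the OpenLDAP example above (dc=sun,dc=com, ou=CAPSRoles and cn=Manager are the page's placeholders, not a real directory), and the login name jdoe is made up. Values substituted into search filters are escaped per RFC 4515 and values substituted into a DN per RFC 4514, which is what a realm has to do before placing a user-supplied name into userSearch or userPattern.

```python
"""Reads a JNDIRealm <Realm> element from server.xml, checks it, and shows the
LDAP lookups it will perform for a login.  Added example, not Java CAPS or
Tomcat code; it models the attribute semantics described in the table above."""
import re
import xml.etree.ElementTree as ET

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

# Constructed server.xml fragment based on the OpenLDAP example above.
# dc=sun,dc=com, ou=CAPSRoles and cn=Manager are placeholders, not a real directory.
SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
      connectionURL="ldap://localhost:389"
      connectionName="cn=Manager,dc=sun,dc=com"
      connectionPassword="l/ZRt1cfNKc="
      userBase="ou=People,dc=sun,dc=com"
      userSearch="(uid={0})"
      userSubtree="true"
      roleBase="ou=CAPSRoles,dc=sun,dc=com"
      roleName="cn"
      roleSearch="(uniquemember={0})"
      roleSubtree="true"/>
</Engine></Service></Server>"""


def realm_attributes(server_xml: str) -> dict:
    """Return the attributes of the single <Realm> directly under <Engine>."""
    realms = ET.fromstring(server_xml).findall("./Service/Engine/Realm")
    if len(realms) != 1:
        raise ValueError(f"expected one <Realm> under <Engine>, found {len(realms)}")
    return dict(realms[0].attrib)


def check_realm(a: dict) -> list:
    """Return 'ERROR: ...' and 'WARN: ...' findings for a Realm element."""
    out = []
    if a.get("className") != JNDI_REALM:
        out.append(f"ERROR: className must be {JNDI_REALM}")
    url = a.get("connectionURL", "")
    if not url.startswith(("ldap://", "ldaps://")):
        out.append("ERROR: connectionURL must be an ldap:// or ldaps:// URL with host and port")
    elif url.startswith("ldap://"):
        out.append("WARN: ldap:// sends bind credentials in cleartext; use ldaps:// if the directory offers it")
    if "{0}" not in a.get("userSearch", "") and "{0}" not in a.get("userPattern", ""):
        out.append("ERROR: userSearch or userPattern must contain {0} for the user name")
    if ("connectionName" in a) != ("connectionPassword" in a):
        out.append("ERROR: connectionName and connectionPassword must be set together")
    if "roleSearch" in a and "roleName" not in a:
        out.append("ERROR: roleSearch needs roleName to say which attribute holds the role name")
    if "roleSearch" not in a and "userRoleName" not in a:
        out.append("WARN: neither roleSearch nor userRoleName is set, so users get no roles")
    return out


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into a DN (userPattern)."""
    s = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if s.startswith((" ", "#")):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def scope(a: dict, key: str) -> str:
    """ldapsearch -s value implied by userSubtree / roleSubtree."""
    return "sub" if a.get(key, "false").lower() == "true" else "one"


def user_lookup(a: dict, username: str) -> dict:
    """Either a direct DN (userPattern) or a search under userBase (userSearch)."""
    if "userPattern" in a:
        return {"dn": a["userPattern"].replace("{0}", escape_dn_value(username))}
    return {"base": a.get("userBase", ""), "scope": scope(a, "userSubtree"),
            "filter": a["userSearch"].replace("{0}", escape_filter_value(username))}


def role_lookup(a: dict, user_dn: str, username: str) -> dict:
    """The role search, with {0} = user DN and {1} = user name, both escaped."""
    f = (a["roleSearch"].replace("{0}", escape_filter_value(user_dn))
                        .replace("{1}", escape_filter_value(username)))
    return {"base": a.get("roleBase", ""), "scope": scope(a, "roleSubtree"), "filter": f}


def role_from_dn(pattern: str, dn: str):
    """Apply userRoleNamePattern ({0} = role name) to a DN read from the user's
    userRoleName attribute, e.g. an nsroledn value; None if it does not match."""
    head, tail = pattern.split("{0}", 1)
    m = re.fullmatch(re.escape(head) + r"([^,]+)" + re.escape(tail), dn, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    attrs = realm_attributes(SERVER_XML)
    for finding in check_realm(attrs):
        print(finding)
    print(user_lookup(attrs, "jdoe"))          # constructed login name
    print(role_lookup(attrs, "uid=jdoe,ou=People,dc=sun,dc=com", "jdoe"))
    # Filter metacharacters in the login name are escaped, so this searches for
    # a literal uid rather than matching every entry.
    print(user_lookup(attrs, "*)(uid=*"))
    print(role_from_dn("cn={0},dc=sun,dc=com", "cn=Administrator,dc=sun,dc=com"))
```

Run it with python3 against your own server.xml by replacing SERVER_XML with the file contents. The base, scope and filter it prints map directly onto ldapsearch -b, -s and the filter argument, so a user or role that the realm cannot find can be reproduced from the command line; the last lookup shows that a login name containing filter metacharacters is reduced to a literal match rather than widening the search.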