TOMCAT LDAP INTEGRATION
Why LDAP?
A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users and groups and grant appropriate access, which matters because security is an important aspect in any area.
Pre-requisite 1:
In order to set up the LDAP integration, we have to open the necessary firewall ports to the LDAP server.
Pre-requisite 2:
Depending on the LDAP server you are calling, you may need to import its certificate (ldap.cer or ldap.crt) into our keystore. Below is just a rough example of creating a keystore and importing the cert, but you can follow any other way you are comfortable with.
Ex: $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Ex: keytool -import -alias ALIAS -file public.cert -storetype TYPE -keystore server.truststore
Alternative:
There is a default truststore (cacerts) under {default_JAVA_HOME}, so you can instead import the LDAP cert provided by the respective team into it.
Information Needed:
Now gather the details below from both the App team and the identity team, so they can be added to the Realm (conf/server.xml):
- What groups are going to access the application?
- Are those groups declared with certain rules in your code? If so, how many groups/roles?
- Do they all come under the same service account?
- The CN is specific to the application; ask the user for the CN name and password.
- If multiple roles are needed, gather the details for each realm so that the application login is unique per role/user.
TOMCAT Realm
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://abc.example.com:1636"
       connectionName="uid=****,ou=Service Accounts,dc=****,dc=com"
       connectionPassword="***"
       userBase="dc=*****,dc=com"
       userSubtree="true"
       userSearch="(uid={0})"
       userRoleName="ismemberof"
       roleName="cn"
       roleBase="ou=groups,dc=****,dc=com"
       roleSearch="(uniqueMember={0})"
       connectionTimeout="50000"
       readTimeout="50000" />
The Realm above is an example; the masked values are site-specific. Attribute names are case-sensitive (userBase, not userbase) and the element must be closed with "/>".
We can add multiple Realms, one per application, and the user/group/role names should be defined within the application's code as mentioned before.
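As an added illustration (not Tomcat's code and not part of the original page), the Python below models the two lookups the Realm above performs for userSearch="(uid={0})" and roleSearch="(uniqueMember={0})" with roleName="cn", against a constructed in-memory directory; it omits the userRoleName attribute. Like Tomcat's JNDIRealm, it escapes the login name per RFC 4515 before substituting it for {0}, which is what keeps a crafted username from changing the shape of the search filter.

```python
import re

# Constructed in-memory stand-in for the LDAP server: DN -> {attribute: [values]}.
# Attribute names are stored lower-case because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=com": {"uid": ["jdoe"]},
    "uid=asmith,ou=People,dc=example,dc=com": {"uid": ["asmith"]},
    "cn=TomcatAdmins,ou=groups,dc=example,dc=com": {
        "cn": ["TomcatAdmins"], "uniquemember": ["uid=jdoe,ou=People,dc=example,dc=com"]},
    "cn=Developers,ou=groups,dc=example,dc=com": {
        "cn": ["Developers"], "uniquemember": ["uid=asmith,ou=People,dc=example,dc=com"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter ({0})."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _search(base, filt):
    """Evaluate one equality filter '(attr=value)' under a search base (subtree)."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and value in attrs.get(attr.lower(), [])]

def realm_lookup(username, user_base="dc=example,dc=com",
                 role_base="ou=groups,dc=example,dc=com"):
    """Return (user DN, sorted role names) or None, following the Realm attributes
    userSearch="(uid={0})", userSubtree="true", roleSearch="(uniqueMember={0})", roleName="cn"."""
    # Step 1: userSearch, with the login name escaped before it replaces {0}.
    hits = _search(user_base, "(uid=%s)" % escape_filter_value(username))
    if len(hits) != 1:  # no match, or an ambiguous match, means authentication fails
        return None
    user_dn = hits[0]
    # Step 2: roleSearch under roleBase; here {0} is the user's DN, and roleName="cn"
    # names the attribute of each matching group entry that becomes the role name.
    roles = set()
    for group_dn in _search(role_base, "(uniqueMember=%s)" % escape_filter_value(user_dn)):
        roles.update(DIRECTORY[group_dn]["cn"])
    return user_dn, sorted(roles)

if __name__ == "__main__":
    print(realm_lookup("jdoe"))         # ('uid=jdoe,ou=People,dc=example,dc=com', ['TomcatAdmins'])
    print(realm_lookup("*"))            # None: the wildcard is escaped, not evaluated
    print(realm_lookup("jdoe)(uid=*"))  # None: filter metacharacters cannot widen the search
```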
If this is for the Tomcat Manager console administration, we have to add the roles/group names in the default webapps/manager/WEB-INF/web.xml as shown below.
Look for the security-constraint section and add the groups/roles and any necessary restrictions for specific .jsp or .html pages. (No standard template has been created yet; it is still being worked on.)
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- the LDAP group cn, which the Realm's roleName="cn" maps to the role name -->
    <role-name>TomcatAdmins</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>* area</web-resource-name>
    <url-pattern>/Edit.jsp</url-pattern>
    <url-pattern>/Comment.jsp</url-pattern>
    <url-pattern>/Login.jsp</url-pattern>
    <url-pattern>/NewGroup.jsp</url-pattern>
    <url-pattern>/Rename.jsp</url-pattern>
    <url-pattern>/Upload.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Read-only Area</web-resource-name>
    <url-pattern>/attach</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>TomcatAdmins</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Once all the necessary changes are done, it is time to restart Tomcat:
### cd {tomcat}/bin, run ./shutdown.sh and then ./startup.sh
Test the URL; it should give you the login prompt. If the login fails, enable debugging as below.
Debugs:
### Edit {tomcat}/conf/logging.properties
Check for the entries below: change the values where they differ and append the entries that do not exist. Then check the logs in ${catalina.base}/logs.
############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
# (TRACE is not a java.util.logging level; use FINE, FINER, FINEST or ALL)
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.AsyncFileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.AsyncFileHandler
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
# Default values for the localhost logger, to restore once debugging is finished.
# Keep them commented while debugging: a key that appears twice takes its last value.
#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
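Because a java.util.logging properties file silently keeps the last value for a key that appears twice, and a misspelt level name is not what you asked for, it is worth linting the fragment before restarting. The Python below (an added example, not part of the original page or of Tomcat) checks a constructed fragment modelled on the entries above for duplicate keys, unknown level names, and handler names that the root handlers line does not declare.

```python
# Level names java.util.logging understands (case-sensitive; JULI adds no others, so no TRACE).
VALID_LEVELS = {"SEVERE", "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST", "ALL", "OFF"}

def parse_properties(text):
    """Return (line number, key, value) for each non-blank, non-comment line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith(("#", "!")):
            key, _, value = s.partition("=")
            entries.append((n, key.strip(), value.strip()))
    return entries

def lint_logging_properties(text):
    """Return a list of human-readable findings for a logging.properties fragment."""
    entries = parse_properties(text)
    # JULI instantiates handlers from the root 'handlers' line; a logger's '.handlers'
    # entry that names anything else is ignored rather than reported.
    declared = set()
    for _, key, value in entries:
        if key == "handlers":
            declared = {h.strip() for h in value.split(",") if h.strip()}
    findings, seen = [], {}
    for n, key, value in entries:
        if key in seen:  # the last assignment wins, so the earlier one is dead
            findings.append("line %d: '%s' already set on line %d; the later value wins" % (n, key, seen[key]))
        seen[key] = n
        if key.endswith(".level") and value not in VALID_LEVELS:
            findings.append("line %d: unknown level '%s' for '%s'" % (n, value, key))
        if key.endswith(".handlers"):
            for h in (h.strip() for h in value.split(",") if h.strip()):
                if h not in declared:
                    findings.append("line %d: handler '%s' is not in the root 'handlers' list" % (n, h))
    return findings

# Constructed fragment mirroring the entries discussed above, defects included.
SAMPLE = """\
handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = TRACE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
"""

if __name__ == "__main__":
    for finding in lint_logging_properties(SAMPLE):
        print(finding)
```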
NOTE: For any issues other than LDAP, such as the ones below, refer to the official Tomcat page https://tomcat.apache.org/
1. Login prompt not coming
2. Not able to get the manager URL
3. HTTPS port not accessible