Web Container Authentication via LDAP
This part of the documentation is based on a working configuration on Tomcat 5.5, with only JNDIRealm enabled in Tomcat's server.xml.
Configuration for other LDAP servers should be similar; the only difference lies in the LDAP attribute names.
BEWARE:
- recursive groups are NOT supported by org.apache.catalina.realm.JNDIRealm
- your users will NOT inherit roles from groups that merely contain the groups in which your users are placed.
Suppose you have two groups, wiki-admin and wiki-users, with some users in each group in your LDAP server. You now want to apply LDAP authentication through the web container.
Before you start, you need to make sure of the following about your LDAP server:
- you already have a valid and running LDAP server
- some users and groups are already created
- you have a user with search ACI (directory manager, for instance)
Getting information about your LDAP server
To setup LDAP authentication for JSPWiki, you need the following information about your LDAP server:
- connectionURL - LDAP host URL and port number (for example: ldap://www.example.com:389)
- connectionName - the LDAP bind user's DN (for example: cn=Directory Manager)
- connectionPassword - the password for the bind user above
- base DN - the DN under which users are searched
- group DN - the DN under which your groups are stored
More detail on each of these follows below.
Editing JSPWiki web.xml
Open your wiki's web.xml in an editor, and uncomment the CONTAINER-MANAGED AUTH section like below:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrative Area</web-resource-name>
    <url-pattern>/Delete.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>wiki-admin</role-name>
  </auth-constraint>
  <!--
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  -->
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated area</web-resource-name>
    <url-pattern>/Edit.jsp</url-pattern>
    <url-pattern>/Comment.jsp</url-pattern>
    <url-pattern>/Login.jsp</url-pattern>
    <url-pattern>/NewGroup.jsp</url-pattern>
    <url-pattern>/Rename.jsp</url-pattern>
    <url-pattern>/Upload.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Read-only Area</web-resource-name>
    <url-pattern>/attach</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>wiki-admin</role-name>
    <role-name>wiki-users</role-name>
  </auth-constraint>
  <!--
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  -->
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/LoginForm.jsp</form-login-page>
    <form-error-page>/LoginForm.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>
    This logical role includes all authenticated users
  </description>
  <role-name>wiki-users</role-name>
</security-role>
<security-role>
  <description>
    This logical role includes all administrative users
  </description>
  <role-name>wiki-admin</role-name>
</security-role>
Configuring jspwiki.properties and jspwiki.policy
You need to uncomment the WebContainerAuthorizer property to use web container authorization; see below:
# AUTHORIZATION (EXTERNAL)
# For authorization, JSPWiki has a two-tier system. When we want to
# determine whether a user has permission to perform a certain action,
# we first consult an external "authorizer" to determine if the user
# is a member of the required role. By default, JSPWiki uses the
# servlet container's authorization service for this (that is, it
# calls HttpServletRequest.isUserInRole(String) ).
# However, you can use another Authorizer if you wish; specify that
# class here.
jspwiki.authorizer = com.ecyrd.jspwiki.auth.authorize.WebContainerAuthorizer
If you would like to assign permissions to LDAP groups, you can simply add policy entries for authorize.Role. The following is an entry for the wiki-admin group (from LDAP).
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
Editing Tomcat server.xml
Disable UserDatabaseRealm
In this configuration, UserDatabaseRealm needs to be disabled in the Tomcat server configuration file. To do this, comment out the UserDatabase resource in the <GlobalNamingResources> section. Text before the change:
<GlobalNamingResources>
  <!-- Test entry for demonstration purposes -->
  <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
  <!-- Editable user database that can also be used by
       UserDatabaseRealm to authenticate users -->
  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
Text after the change:
<GlobalNamingResources>
  <!-- Test entry for demonstration purposes -->
  <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
  <!-- Editable user database that can also be used by
       UserDatabaseRealm to authenticate users -->
  <!--
  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" />
  -->
</GlobalNamingResources>
After this, find the text like below and comment out the UserDatabase Realm:
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>
-->
Adding LDAP information
Find the following comment in server.xml:
<!-- Replace the above Realm with one of the following to get a Realm
stored in a database and accessed via JDBC -->
Add the following section after that comment:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       connectionName="cn=Directory Manager"
       connectionPassword="secret"
       userPassword="userPassword"
       userPattern="uid={0}, ou=People,dc=example,dc=com"
       roleBase="ou=Groups,dc=example,dc=com"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(uniqueMember={0})"
/>
An alternative configuration against an Active Directory domain controller, where users are located by a search rather than by a fixed DN pattern:
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://domaincontroller-host:389"
       connectionName="CN=Ldaplogin,OU=EDP Login,OU=All Users XP,DC=poison,DC=in"
       connectionPassword="***secret***"
       userBase="OU=All Users XP,DC=domain"
       userSubtree="true"
       userSearch="(userPrincipalName={0}@yourdomain.com)"
       userRoleName="memberOf"
       roleBase="CN=Groups,DC=domain"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(member={0})"
/>
Alternatively, the user search can match on the account name instead of the UPN:
userSearch="(sAMAccountName={0})"
I am currently trying to figure out a way to authenticate through domain trusts. -JoergMeyer
TO BE ADDED
Where:
- connectionURL is the LDAP URL
- connectionName is the bind user's DN
- connectionPassword is the password for the bind user
- userPattern is a pattern for your users' DNs. {0} is replaced with each user's login ID, so the uid becomes the login name for your JSPWiki.
- roleBase is the DN under which your LDAP groups are searched. Please note that dynamic groups seem not to be supported by Tomcat.
- roleName is the attribute that holds the group's name, e.g. cn for cn=wiki-users,ou=Groups,dc=example,dc=com
- roleSubtree indicates whether or not to search subtrees below roleBase. I set it to true for now; it seems to do no harm.
- roleSearch is the filter used to find the groups a user belongs to. {0} is replaced with the user's DN (uid=user,ou=People,dc=example,dc=com)
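To check what the attributes above actually do, here is an added example (not code from the original page or from Tomcat) that replays the JNDIRealm lookup logic of the server.xml snippet against a small constructed in-memory directory: userPattern substitution, roleBase/roleSubtree scoping, roleSearch with {0} as the user's DN, and roleName extraction. It also makes the BEWARE caveat concrete: alice is in wiki-admin, and wiki-admin is nested inside wiki-users, yet alice never receives wiki-users.

```python
"""Model of how Tomcat's JNDIRealm turns a login name into roles (added example)."""
import re

# Constructed sample directory: DN -> attributes. Keys and DN values are stored
# normalized (lower-case, no space after commas) to mimic LDAP matching rules.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"]},
    "cn=wiki-admin,ou=groups,dc=example,dc=com": {
        "cn": ["wiki-admin"],
        "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"]},
    # wiki-users sits one level deeper and nests the wiki-admin group as a member
    "cn=wiki-users,ou=wiki,ou=groups,dc=example,dc=com": {
        "cn": ["wiki-users"],
        "uniquemember": ["uid=bob,ou=people,dc=example,dc=com",
                         "cn=wiki-admin,ou=groups,dc=example,dc=com"]},
}

REALM = {  # the attribute values from the first server.xml Realm above
    "userPattern": "uid={0}, ou=People,dc=example,dc=com",
    "roleBase": "ou=Groups,dc=example,dc=com",
    "roleName": "cn",
    "roleSubtree": True,
    "roleSearch": "(uniqueMember={0})",
}

def normalize(dn):
    """DN comparison is case-insensitive and ignores whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def in_scope(dn, base, subtree):
    """roleSubtree=true searches everything below roleBase, otherwise one level only."""
    if not dn.endswith("," + base):
        return False
    return subtree or "," not in dn[: -len(base) - 1]

def roles_for(login, realm=REALM, directory=DIRECTORY):
    """Return the sorted roles JNDIRealm would grant, or None for an unknown user."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", login):
        raise ValueError("login has characters that must not be substituted into a DN")
    user_dn = normalize(realm["userPattern"].replace("{0}", login))
    if user_dn not in directory:
        return None  # the user bind fails, so no role lookup happens
    member_attr = re.fullmatch(r"\((\w+)=\{0\}\)", realm["roleSearch"]).group(1).lower()
    base = normalize(realm["roleBase"])
    roles = set()
    for dn, attrs in directory.items():  # a single search: nested groups are not followed
        if in_scope(dn, base, realm["roleSubtree"]) and user_dn in attrs.get(member_attr, []):
            roles.update(attrs.get(realm["roleName"].lower(), []))
    return sorted(roles)
```

Setting roleSubtree to False in REALM makes bob lose wiki-users, because that group lives under ou=Wiki below roleBase, which is what the attribute controls.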
Here we go
Save all your changes, restart Tomcat, and enjoy the convenience.