...
The current implementation of the realm has started as a proof of concept, but already works quite well. You can find the sources here:
https://svn.apache.org/repos/asf/directory/sandbox/szoerner/apacheds-tomcatrealm
It is not an official artifact of Apache Directory yet. Although if some people are interested, it soon can be. In the meantime, there are no official releases etc.
How to build it
After checking out the sources from subversion,
Code Block |
---|
mvn install
|
builds a jar file which contains the Realm class. In order to use it, one has to copy it to the Tomcat server lib directory, along with the required ApacheDS and dependency jars.
How to enable and configure it
...
within the context the realm is intended to act.
How to use it
It builds a jar file which contains the Realm class. In order to use it, one has to copy it to the Tomcat server lib directory, along with the required ApacheDS and dependency jars.
Activation in Tomcat server.xml is simply
...
When Tomcat starts up, ApacheDS starts as well and opens an LDAP port which defaults to 10389. You can use any LDAP client to connect to the embedded ApacheDS. We recommend Apache Directory Studio for this tasks.
Within the realm definition in Tomcats server.xml, you can add some attributes to configure ApacheDS:
Parameter | Description | Default value |
---|---|---|
ldapPort | the port number ApacheDS will listen to via LDAP | 10389 |
workingDirectory | the working directory where ApacheDS stores its data | "catalina.home/apacheDsWorkingDir" |
userSearchBase | search base used for user searches | "ou=system" |
userSearchFilter | filter expression used for user searches | "(&(objectClass=inetOrgPerson)(uid={0}))" |
groupSearchBase | search base used for group searches | "ou=system" |
groupSearchFilter | filter expression used for group searches | "(&(objectClass=groupOfNames)(member={0}))" |
Example:
Code Block |
---|
<Realm className="org.apache.directory.tomcatrealm.EmbeddedApacheDsRealm" ldapPort="389" userSearchBase="ou=users,ou=system" groupSearchBase="ou=users,ou=system" /> |
...
You can use Studio to edit your users and groups after Tomcat startup; the embedded ApacheDS opens an LDAP port at 10389.
...
|
How to use it
In order to use the realm, you have to add groups and users to the directory. Apache Directory Studio is a perfect solution for this task.
Connecting to the embedded ApacheDS
There is no difference to connecting to any other LDAP server. By default, the following connection properties will do:
Parameter | value |
---|---|
Hostname | your hostname, e.g. "localhost" |
Port | 10389 |
Bind DN (user) | "uid=admin,ou=system" |
Password | "secret" |
Adding a user
Use Studio to create a new entry with object class inetOrgPerson (plus super classes).
A user tomcat may look like this in LDIF.
Code Block |
---|
dn: uid=tomcat,ou=users,ou=system
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Tomcat Administrator
sn: Tomcat
uid: tomcat
userPassword: tomcat
|
Adding a group
Use Studio to create a new entry with object class groupOfNames.
A group manager, which contains the previous user, may look like this in LDIF.
Code Block |
---|
dn: cn=manager,ou=groups,ou=system
objectClass: groupOfNames
objectClass: top
cn: manager
member: uid=tomcat,ou=users,ou=system
|
Trying it out
Browse to the Manager web application within your Tomcat installation, http://localhost:8080/manager/html
Using the user and password "tomcat" should lead you to the application, all other input should fail (401 or 403).
Next steps
Some ideas I have:
- Make it an official artifact within Apache Directory
- Create a single jar which contains all dependencies necessary for running within Tomcat 5.5 and/or Tomcat 6.0
- Create some users and groups by default (at least "tomcat" within role "admin")
- Add the ability to define your own suffix ("dc=yourcompany,dc=com")
Provide feedback
Feel free to check it out and provide feedback. Further discussions about whether we provide this as official artifact will be on the dev-list, which you hopefully scan as well of Apache Directory project.