I recently posted a pretty comprehensive set of notes on using LDAP based authentication and authorization to control access to the ControlTier server applications (Workbench, WebDAV, and Jobcenter).
It turns out that, more often than not, our clients have a Microsoft Active Directory server to provide enterprise-wide authentication and authorization services. Fortunately, AD is an excellent LDAP-compliant directory server, and so it is possible to configure ControlTier to use it directly as follows.
The key thing to note is that it is not possible to authenticate against AD using "bind mode" as described in the Tomcat 4.1 JNDI realm documentation. For this reason it is necessary to explicitly set up an AD account to serve as the "connectionName" for "comparison mode" authentication. (Note that, as a side benefit, this account can be used as the ControlTier client framework account if it is given "admin" role membership; see below.)
(By the way, this screencast posted by Alex Tcherniakhovski provides an excellent overview of hooking up Tomcat to Active Directory - you'll need a Microsoft viewer to see it).
Note that these instructions only work with ControlTier 3.1.5 or later.
Active Directory configuration
- Create a simple user account (e.g. "controltier") with a non-expiring password and minimal Domain access rights and delegate "Read all user information" to it using the delegation control wizard of the "Active Directory Users and Computers" management utility.
- Make sure to take a note of the distinguished name ("DN") of the account (e.g. "CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com").
- Create "admin" and "manager" groups using the AD management utility to enable Tomcat administration.
- Also add "user" and "architect" groups to complete the minimal set of roles necessary to support the ControlTier server.
- Add user accounts to the various groups to assign authority as required. (Make sure that the simple user account created above is in the "admin" role so that it can serve as the ControlTier framework account).
- Switch the realm configuration in "$CATALINA_BASE/conf/server.xml" to use the JNDIRealm with attributes appropriate for your AD setup (note that the "role" groups have been established under their own organizational unit - OU - called "ControlTierRoles" in this case):
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="4"
connectionURL="ldap://ad.mycompany.com:389/"
connectionName="CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com"
connectionPassword="********"
roleBase="OU=ControlTierRoles,OU=Users,OU=MyBusiness,DC=mycompany,DC=com"
roleName="CN"
roleSearch="member={0}"
userPattern="CN={0},OU=Users,OU=MyBusiness,DC=mycompany,DC=com"/>
- Update "$CATALINA_BASE/webapps/itnav/WEB-INF/classes/auth.properties" to facilitate Workbench role administration:
ngps.workbench.auth.type=jndi
ngps.workbench.auth.jndi.connectionName=CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
ngps.workbench.auth.jndi.connectionPassword=********
ngps.workbench.auth.jndi.connectionUrl=ldap://ad.mycompany.com:389/
ngps.workbench.auth.jndi.roleBase=OU=ControlTierRoles,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
ngps.workbench.auth.jndi.roleNameRDN=CN
ngps.workbench.auth.jndi.roleMemberRDN=member
ngps.workbench.auth.jndi.userBase=OU=Users,OU=MyBusiness,DC=mycompany,DC=com
ngps.workbench.auth.jndi.userNameRDN=CN
- Update "$CATALINA_BASE/webapps/itnav/WEB-INF/classes/runtime.properties" and set the "dav.user" and "dav.password" properties to the credentials of the account set up above.
- Update "$CATALINA_BASE/webapps/webdav/WEB-INF/web.xml" to configure BASIC authentication and general access for "admin" role/group members (per the original posting).
- Update "$JOBCENTER_HOME/bin/start-jobcenter.sh" and switch the "java.security.auth.login.config" Java option to use "jaas-jndi.conf" (per the original posting).
- Update "$JOBCENTER_HOME/webapps/jobcenter/WEB-INF/jaas-jndi.properties" with the AD connection information:
jobcenter.auth.jndi.authType=bind
jobcenter.auth.jndi.connectionName=CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
jobcenter.auth.jndi.connectionPassword=********
jobcenter.auth.jndi.connectionUrl=ldap://ad.mycompany.com:389/
jobcenter.auth.jndi.roleBase=OU=ControlTierRoles,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
jobcenter.auth.jndi.roleNameRDN=CN
jobcenter.auth.jndi.roleMemberRDN=member
jobcenter.auth.jndi.userBase=OU=SBSusers,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
jobcenter.auth.jndi.userNameRDN=CN
- Update "$ANTDEPO_BASE/etc/framework.properties" and set the framework user name and password on every client system:
framework.server.username = controltier
framework.server.password = ********
framework.webdav.username = controltier
framework.webdav.password = ********
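The same account, role OU and user subtree are repeated across server.xml, auth.properties and jaas-jndi.properties, and a mismatch in any one of them (for instance a different userBase) makes one application authenticate users out of a different subtree than the others. The following Python script is an added example, not part of the original post or the ControlTier project: it cross-checks the Realm attributes against a jaas-jndi.properties file using constructed copies of the values above, and also flags a plain ldap:// connection URL, which sends the connectionPassword over the network unencrypted. The function names and the sample strings are mine.

```python
import re

# Constructed sample inputs mirroring the post's Realm element and
# jaas-jndi.properties (passwords are placeholders, not real values).
REALM_XML = """<Realm className="org.apache.catalina.realm.JNDIRealm" debug="4"
connectionURL="ldap://ad.mycompany.com:389/"
connectionName="CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com"
connectionPassword="********"
roleBase="OU=ControlTierRoles,OU=Users,OU=MyBusiness,DC=mycompany,DC=com"
roleName="CN"
roleSearch="member={0}"
userPattern="CN={0},OU=Users,OU=MyBusiness,DC=mycompany,DC=com"/>"""

JOBCENTER_PROPS = """jobcenter.auth.jndi.connectionName=CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
jobcenter.auth.jndi.connectionUrl=ldap://ad.mycompany.com:389/
jobcenter.auth.jndi.roleBase=OU=ControlTierRoles,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
jobcenter.auth.jndi.userBase=OU=SBSusers,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
"""

def parse_realm(xml):
    """Return the <Realm> element's attributes as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', xml))

def parse_props(text, prefix):
    """Return key=value pairs carrying the given prefix, prefix stripped."""
    out = {}
    for line in text.splitlines():
        if line.startswith(prefix) and "=" in line:
            key, value = line.split("=", 1)
            out[key[len(prefix):].strip()] = value.strip()
    return out

def norm_dn(dn):
    """Normalise a DN or URL for comparison: case-fold, strip RDN spacing."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def check(realm, props):
    """List places where the properties file disagrees with the Tomcat Realm."""
    findings = []
    for rk, pk in [("connectionName", "connectionName"),
                   ("connectionURL", "connectionUrl"), ("roleBase", "roleBase")]:
        if norm_dn(realm.get(rk, "")) != norm_dn(props.get(pk, "")):
            findings.append(f"{rk} differs: {realm.get(rk)!r} vs {props.get(pk)!r}")
    # userPattern is "CN={0},<base>"; that base must equal the file's userBase.
    base = realm["userPattern"].partition(",")[2]
    if norm_dn(base) != norm_dn(props.get("userBase", "")):
        findings.append(f"user subtree differs: {base!r} vs {props.get('userBase')!r}")
    # A plain ldap:// URL sends the connectionPassword unencrypted.
    if realm.get("connectionURL", "").lower().startswith("ldap://"):
        findings.append("connectionURL is cleartext ldap://; prefer ldaps://")
    return findings
```

Run `check(parse_realm(REALM_XML), parse_props(JOBCENTER_PROPS, "jobcenter.auth.jndi."))` to see the two findings the sample data produces; the same function can be pointed at the auth.properties values with the "ngps.workbench.auth.jndi." prefix.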
Anthony Shortland,
anthony@controltier.com