- Purpose
- Steps
- Create users in the Directory Server database
- Create JNDI realm in the Tomcat configuration
- Restart Tomcat
- Notes
Tomcat’s manager is not enabled by default. This entry shows a quick setup for the Tomcat manager using LDAP. The steps involved are:
- Create users in the Directory Server database
- Create a JNDIRealm in server.xml
- Restart Tomcat
Create users in the Directory Server database
The following three entries are used by the realm example. Note that the entry "cn=manager,ou=apache,ou=people,dc=example,dc=com" carries the objectClass value extensibleObject. The extensibleObject objectClass allows any attribute to be added to an entry, including attributes that are not defined in the Directory Server schema; here it lets the entry hold the attribute "tomcatRole", whose value is the role required by the Tomcat JNDIRealm. Using extensibleObject is not the best idea in the world, though; it is reminiscent of a FORTRAN COMMON block used as a dumping ground for anything. Any attribute the entry's schema permits could have been used instead, and the attribute the realm reads is set by its userRoleName parameter.
ldapsearch --propertiesFilePath ds-setup/cfg-connect.properties \
--baseDn ou=people,dc=example,dc=com --searchScope sub '(&)'
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
userPassword: {SSHA512}pa1nS0ams9V7kmu4WQ6CDZ2iKMwBZhxco7I12+Olb7U4pnS0f6bUHdt2n27N8My6p3Rwu1aERgza2ihTES1FZSglW1k0rehr
ou: people
description: The ou=people entry is the top of a tree containing user entries.

dn: ou=apache,ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
userPassword: {SSHA512}XhfZEcr/YJI1ZanGYYuycQmHySry8E2nQRuPx9wzcqPmjko+jX2dLNko7GXKAlzmRJy6juEWHMvTP9QWIw2ilI/BAzxnZlqa
ou: apache
description: The ou=apache entry is used by the Tomcat application server to authenticate to the Directory Server

dn: cn=manager,ou=apache,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: extensibleObject
cn: manager
cn: Tomcat manager
sn: Tomcat
userPassword: {SSHA512}nEO6fX0BKVFD0ff1K9Yi/KEA8Kg+iZBkQ5BaRvLUVXb5DQXh9V0XpZsgKmxcnp0pVesGkjFVZBaM/pxRPx+MgDNROIGniJ56
tomcatRole: manager-gui
description: The cn=manager entry is a user with Tomcat manager-gui access
An access control instruction (ACI) granting the DN that Tomcat binds with access to the user entries may also be necessary:
ldapsearch --propertiesFilePath ds-setup/cfg-connect.properties \
--baseDn dc=example,dc=com --searchScope base '(&)' aci
dn: dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "access to description attribute for tomcat"; allow(all) userdn="ldap:///ou=apache,ou=people,dc=example,dc=com";)
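The userPassword values in the ldapsearch output above are stored with the {SSHA512} scheme. The script below is an added example written for this entry, not Directory Server or Tomcat code: it implements and verifies that scheme under the assumption that a stored value is base64(SHA-512(password || salt) || salt) with an 8-byte salt, the layout consistent with the 96-character values on the page (72 bytes = 64-byte digest + 8-byte salt). It is useful for checking a captured hash against a known password or for seeing what the server stores; it is not a recommendation to load pre-encoded passwords into the directory (see the Notes).

```python
"""Salted SHA-512 ({SSHA512}) encode/verify, as used for the userPassword
values in the ldapsearch output above.

Added example for this entry, not Directory Server or Tomcat code. Assumption:
the stored value is base64(SHA-512(password || salt) || salt) with an 8-byte
salt, the layout that matches the 96-character values shown on the page.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA512}"
SALT_LEN = 8                                   # assumed default salt length
DIGEST_LEN = hashlib.sha512().digest_size      # 64 bytes

# The cn=manager userPassword value copied verbatim from the ldapsearch output
# above (continuation lines joined); the password behind it is not known here.
PAGE_MANAGER_VALUE = (
    "{SSHA512}nEO6fX0BKVFD0ff1K9Yi/KEA8Kg+iZBkQ5BaRvLUVXb5DQXh9V0XpZsgK"
    "mxcnp0pVesGkjFVZBaM/pxRPx+MgDNROIGniJ56"
)


def ssha512_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA512} userPassword value for password.

    A fresh random salt is drawn unless one is supplied; supplying one is
    only useful for reproducible tests, never reuse a salt in production.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha512_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored value into (digest, salt); ValueError if malformed."""
    if not stored.startswith(SCHEME):
        raise ValueError("not a {SSHA512} value")
    # validate=True makes stray characters a decode error instead of being
    # silently dropped (binascii.Error is a subclass of ValueError).
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha512_verify(password: str, stored: str) -> bool:
    """Check password against a stored value using a constant-time compare.

    Malformed stored values verify as False rather than raising, so a caller
    auditing a directory export does not stop on one bad entry.
    """
    try:
        digest, salt = ssha512_split(stored)
    except ValueError:
        return False
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha512_encode("correct horse")
    print(stored)
    print("good password verifies:", ssha512_verify("correct horse", stored))
    print("wrong password verifies:", ssha512_verify("wrong", stored))
    _, page_salt = ssha512_split(PAGE_MANAGER_VALUE)
    print("salt length in the page's cn=manager value:", len(page_salt))
```

Because the salt is appended after the digest, the script can recover it from any stored value and recompute the hash; that is exactly what the Directory Server does on a simple bind, which is why the realm never needs to read userPassword itself.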
Create JNDI realm in the Tomcat configuration
The realm below uses:
- hostname ldap.example.com and port 10389
- "ou=apache,ou=people,dc=example,dc=com" as the DN (connectionName) the Tomcat server binds with to authenticate to the Directory Server
- "tomcatRole" as the name of the attribute (userRoleName) whose value is the Tomcat role ("manager-gui")
- "cn={0},ou=apache,ou=people,dc=example,dc=com" as the pattern (userPattern) for base-level user lookups; {0} is replaced by the username entered at the login prompt, so the cn=manager entry above is found as "manager"
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.com:10389"
         connectionName="ou=apache,ou=people,dc=example,dc=com"
         connectionPassword="password"
         userPattern="cn={0},ou=apache,ou=people,dc=example,dc=com"
         userRoleName="tomcatRole"
  />
</Realm>
Notes
- A pre-encoded (already hashed) password could be supplied when creating the directory entries used by the realm, but the LDAP server would have to be configured to accept pre-encoded passwords, which is not recommended because the server could not then check those passwords for quality or history.
- The method shown in the realm example is not secure: connectionPassword is stored in clear text in server.xml, and because connectionURL uses plain ldap:// both the realm's bind and every user's password cross the network in the clear.
- IMPROVEMENT: use TLS for the directory connection (the sample does not). Point connectionURL at an ldaps:// port, or set useStartTls="true" on the JNDIRealm in Tomcat versions that support it, and make sure Tomcat trusts the directory server's certificate. Restrict read access to server.xml as well, since it holds the bind password.
- The LDAP server is configured to use the salted SHA-512 ("SSHA512") password storage scheme, a one-way hash that is far preferable to a reversible scheme such as AES. It is still a fast hash, though, so a deliberately slow iterated scheme such as PBKDF2 is stronger against offline guessing where the server supports it.
- The ACI shown above is named as if it covered only the description attribute, but it grants allow(all) on targetattr="*" to the ou=apache bind DN. The realm only needs to find the user entry and read tomcatRole (the user's own password is checked by a bind, never read), so the rule should be narrowed to the attributes and rights (read, search, compare) actually required.
- IMPROVEMENT: "extensibleObject" should not be used unless there is no other way to accomplish the task; defining a proper auxiliary objectClass and attribute for the Tomcat role in the schema is the cleaner alternative.