TOMCAT LDAP INTEGRATION

Why LDAP?

A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users and groups to provide appropriate access. As security is an important aspect in any area.

 

Pre-requisite 1:

In order to setup the LDAP integration, we have to open necessary firewall ports to the LDAP server.

Pre-requisite 2:

Based on the Ldap Server you calling there may be a need to import the ldap.cert or ldap.crt to our keystore. Below are just a rough example of creating a keystore and import the cert, But you can follow any other way you are comfortable.

Ex:  $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Ex: keytool -import -alias ALIAS -file public.cert -storetype TYPE -keystore server.truststore

Alternative:

We have a default truststore in {default_JAVA_HOME}/CAcets, so you can just upload the Ldap cert provided by respective team.

Information Needed:

Now gather the below details from both App team and identity team to add that in the Realm (conf/server.xml)

"What groups are going to access the application?
Are those groups declared with certain rules in your code?
If so how many groups/roles?
Does all comes under same service account?
CN is specific to the application, ask user for the CN name and password?
If multiple Roles needed, gather different realm details to make the application login
unique to roles/users? "

TOMCAT Realm

<Realm className="org.apache.catalina.realm.JNDIRealm"

         connectionURL="ldaps://abc.example.com:1636"

         connectionName="uid=****,ou=Service Accounts,dc=****,dc=com"

         connectionPassword="***"

         userbase="dc=*****,dc=com"

         userSubtree="true"

         userSearch="(uid={0})"                                                                           

         userRoleName="ismemberof"

         roleName="cn"

         roleBase="ou=groups,dc=****,dc=com"

         roleSearch="(uniqueMember={0})"

         connectionTimeout="50000"

         readTimeout="50000"

 This screenshot is an example


We can add multiple realms for each application and user/group/role should define within their code as mentioned before.

If this is for the Tomcat manager console administrations, we have to add the roles/group names in the default webapps/manager/web-inf/web.xml as mentioned below.

Check for the security –constraint section and add the group/roles and necessary restrictions if need for any .jsps or .html pages.( as now not created any standard template still working on it) 

<security-constraint>

    <web-resource-collection>    
   <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>       <role-name>(Group)TomcatAdmins</role-name>
    </auth-constraint>
  <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>
  <security-constraint>
       <web-resource-collection>
           <web-resource-name>* area</web-resource-name>
           <url-pattern>/Edit.jsp</url-pattern>
           <url-pattern>/Comment.jsp</url-pattern>
           <url-pattern>/Login.jsp</url-pattern>
           <url-pattern>/NewGroup.jsp</url-pattern>
           <url-pattern>/Rename.jsp</url-pattern>
           <url-pattern>/Upload.jsp</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>GET</http-method>
           <http-method>HEAD</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>
       <web-resource-collection>
           <web-resource-name>Read-only Area</web-resource-name>
           <url-pattern>/attach</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>
       <auth-constraint>
           <role-name>TomcatAdmins</role-name>
           <role-name>TomcatAdmins</role-name>
       </auth-constraint>
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint> 
---------------------------------------------------------------------------------------------------------------

Once all the necessary changes done, it is the time to restart the tomcat.

### Cd / {tomcat}/bin -- ./shutdown.sh and follow up ./startup.sh –

--- test the url it should give you the login prompt and if the login failed enable the debugging as below. 

------------------------------------------------------------------------------------------------------------------------------

Debugs:

### Cd /{tomcat}/conf/logging.Properties

Check for the below entries and make changes to the values are different and append the entries that does not exist.  Check the logs in ${catalina.base}/logs

############################################################

# Facility specific properties.

# Provides extra control for each logger.

############################################################

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = TRACE

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = ALL

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.AsyncFileHandler

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.AsyncFileHandler

# This would turn on trace-level for everything

# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL

#org.apache.catalina.level = ALL

#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler

org.apache.catalina.realm.level = ALL

org.apache.catalina.realm.useParentHandlers = true

org.apache.catalina.authenticator.level = ALL

org.apache.catalina.authenticator.useParentHandlers = true

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler

NOTE: If any issues other than LDAP you can refer to the tomcat offical page https://tomcat.apache.org/

 issues such as…

1.       Login prompt not coming

2.       Not able to get the manager URL

3.       HTTPS port not accessible

Comments

Popular Posts