Instructions for Using LDAP for authenticating Admin

This procedure explains how to enable LDAP authentication for logins to the GlassFish ESB Server Domain Administration Server (DAS). Logging in to the DAS is typically only performed by ESB Server administrators who want to use the ESB Server Administration Console or asadmin command.

Environment: GlassFish ESB 2.2

LDAP server: Apache Directory

First, configure LDAP authentication for the admin user with the following command:

asadmin configure-ldap-for-admin --basedn "ou=users,ou=system" --url "ldap://localhost:10389"

After this, domain.xml will contain the following entry:

<auth-realm name="admin-realm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
  <property name="directory" value="ldap://localhost:10389" />
  <property name="base-dn" value="ou=users,ou=system" />
  <property name="jaas-context" value="ldapRealm" />
</auth-realm>

It is not complete yet. A few more properties, which the configure-ldap-for-admin command treats as optional, are needed: the search bind DN and password the realm uses to look up users, and the JNDI context factory. Add the following properties:

<auth-realm name="admin-realm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
  <property name="directory" value="ldap://localhost:10389" />
  <property name="base-dn" value="ou=users,ou=system" />
  <property name="search-bind-dn" value="uid=admin,ou=system" />
  <property name="search-bind-password" value="param" />
  <property name="jndiCtxFactory" value="com.sun.jndi.ldap.LdapCtxFactory" />
  <property name="jaas-context" value="ldapRealm" />
</auth-realm>

It is about 90% done now. After this change authentication succeeds, which you can verify from the command line and from the FINEST logging entries in server.log (in GlassFish v3 every asadmin command requires the admin password):

>asadmin set-log-level com.sun.enterprise.security.auth.realm.param=FINEST
Authentication failed with password from login store: C:\Users\logicoyparam\.asadminpass
Enter admin password for user "admin"> <type LDAP's admin user password>

Command set-log-level executed successfully.

WORK NOT COMPLETE HERE: the same thing happens when you try from the Admin GUI. With FINEST logging turned on, server.log says Login Successful for user admin, but you still do not get the console, and GlassFish does not show the login screen again afterwards; you need to restart the server to log in.

This is a policy issue: the LDAP user is authenticated, but it belongs to no group that the admin console's policy grants access to. To resolve it, open domain.xml and add

<property name="assign-groups" value="glassfishgroup"></property>

just below your LDAP configuration, so the realm reads:

<auth-realm name="admin-realm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
  <property name="directory" value="ldap://localhost:10389" />
  <property name="base-dn" value="ou=users,ou=system" />
  <property name="search-bind-dn" value="uid=admin,ou=system" />
  <property name="search-bind-password" value="param" />
  <property name="jndiCtxFactory" value="com.sun.jndi.ldap.LdapCtxFactory" />
  <property name="jaas-context" value="ldapRealm" />
  <property name="assign-groups" value="glassfishgroup"></property>
</auth-realm>
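
The realm entry above is easy to get subtly wrong, and the failure mode described on this page (login succeeds, console never appears) gives little hint which property is missing. The following script is an added example, not part of the original page or of GlassFish: it parses a domain.xml fragment and reports which of the properties this page ends up with are missing from admin-realm. The sample XML inside it is constructed from the snippets above.

```python
# Added example (not from the original page): check the admin-realm entry in
# a GlassFish domain.xml against the properties this page says are needed for
# LDAP admin login. Property names are from the page; the sample XML below is
# constructed from its snippets.
import xml.etree.ElementTree as ET

LDAP_REALM = "com.sun.enterprise.security.auth.realm.ldap.LDAPRealm"
# Properties present in the page's final, working admin-realm.
REQUIRED = ("directory", "base-dn", "search-bind-dn", "search-bind-password",
            "jndiCtxFactory", "jaas-context", "assign-groups")

def check_admin_realm(domain_xml: str) -> list[str]:
    """Return findings for the admin-realm; an empty list means it looks OK."""
    root = ET.fromstring(domain_xml)
    realm = root.find(".//auth-realm[@name='admin-realm']")
    if realm is None:
        return ["no auth-realm named admin-realm found"]
    findings = []
    if realm.get("classname") != LDAP_REALM:
        findings.append(f"classname is {realm.get('classname')!r}, not {LDAP_REALM}")
    props = {p.get("name"): p.get("value", "") for p in realm.findall("property")}
    for name in REQUIRED:
        if name not in props:
            findings.append(f"missing property {name!r}")
    # Defender's caveat: with a plain ldap:// URL the search-bind password and
    # every admin login cross the network unencrypted.
    if props.get("directory", "").startswith("ldap://"):
        findings.append("directory uses ldap:// (no TLS); prefer ldaps://")
    return findings

# Constructed sample: the page's first, incomplete realm entry.
INCOMPLETE = f"""<domain><security-service>
<auth-realm name="admin-realm" classname="{LDAP_REALM}">
  <property name="directory" value="ldap://localhost:10389" />
  <property name="base-dn" value="ou=users,ou=system" />
  <property name="jaas-context" value="ldapRealm" />
</auth-realm></security-service></domain>"""

# Constructed sample: the page's final entry, with the added properties.
COMPLETE = INCOMPLETE.replace(
    '<property name="jaas-context"',
    '<property name="search-bind-dn" value="uid=admin,ou=system" />\n'
    '  <property name="search-bind-password" value="param" />\n'
    '  <property name="jndiCtxFactory" value="com.sun.jndi.ldap.LdapCtxFactory" />\n'
    '  <property name="assign-groups" value="glassfishgroup" />\n'
    '  <property name="jaas-context"')

if __name__ == "__main__":
    for label, text in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(label, check_admin_realm(text))
```

Run it against your own domain.xml by passing the file contents to check_admin_realm; the complete entry reports only the unencrypted ldap:// caveat.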


Policy File Changes: 

Append the following entry to the policy file at glassfish\domains\domain1\generated\policy\__admingui\__admingui\granted.policy:

grant principal org.glassfish.security.common.Group "glassfishgroup" {
  permission javax.security.jacc.WebResourcePermission "/*:/resource/*:/theme/com/*:/theme/META-INF/*:/theme/org/*";
  permission javax.security.jacc.WebRoleRefPermission "default", "admin";
  permission javax.security.jacc.WebRoleRefPermission "FacesServlet", "admin";
  permission javax.security.jacc.WebRoleRefPermission "jsp", "admin";
  permission javax.security.jacc.WebRoleRefPermission "ThemeServlet", "admin";
  permission javax.security.jacc.WebRoleRefPermission "DownloadServlet", "admin";
  permission javax.security.jacc.WebRoleRefPermission "", "admin";
};

Restart your server and check again. All admin authentication is now done against the LDAP server.