Sun Java System Application Server Platform Edition 8.2 Administration Guide

Creating an ldap Realm

The ldap realm performs authentication using information from an LDAP server. User information includes user name, password, and the groups to which the user belongs. To use an LDAP realm, the users and groups must already be defined in your LDAP directory.

To create an LDAP realm, follow the steps in To Create a Realm for adding a new realm, and add the properties shown in the following table.

Table 9–2 Required properties for ldap realm

directory
    Description: LDAP URL of the directory server.
    Value: LDAP URL of the form ldap://hostname:port, for example ldap://myldap.foo.com:389.

base-dn
    Description: Base Distinguished Name (DN) for the location of user data, which can be at any level above the user data, since a tree scope search is performed. The smaller the search tree, the better the performance.
    Value: Domain for the search, for example: dc=siliconvalley, dc=BayArea, dc=sun, dc=com.

jaas-context
    Description: Type of login module to use for this realm.
    Value: Must be ldapRealm.

Optional properties for the ldap realm are shown in the following table.

Table 9–3 Optional properties for ldap realm

search-filter
    Description: Search filter to use to find the user.
    Default: uid=%s (%s expands to the subject name).

group-base-dn
    Description: Base DN for the location of group data.
    Default: Same as the base-dn, but it can be tuned if necessary.

group-search-filter
    Description: Search filter to find group memberships for the user.
    Default: uniquemember=%d (%d expands to the user element DN).

group-target
    Description: LDAP attribute name that contains group name entries.
    Default: CN

search-bind-dn
    Description: Optional DN used to authenticate to the directory for performing the search-filter lookup. Only required for directories that do not allow anonymous search.
    Default: (none)

search-bind-password
    Description: LDAP password for the DN given in search-bind-dn.
    Default: (none)

Example

For example, suppose an LDAP user, Joe Java, is defined in the LDAP directory as follows:

uid=jjava,ou=People,dc=acme,dc=com
uid=jjava
givenName=joe
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
sn=java
cn=Joe Java

Using this example entry, when creating or editing the ldap realm, you can enter the values shown in the following table.

Table 9–4 Example ldap realm values

directory
    Property Value: LDAP URL to your server, for example: ldap://ldap.acme.com:389

base-dn
    Property Value: ou=People,dc=acme,dc=com
    Can be rooted higher, for example dc=acme, dc=com, but searches would traverse a larger part of the tree, reducing performance.

jaas-context
    Property Value: ldapRealm
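The following is an added example, not code from the Sun guide or the application server: a dry-run planner that takes the realm properties from Tables 9–2 and 9–3 and lists the LDAP operations a login for the example user above would produce, applying the documented defaults and the %s / %d expansion. It assumes the realm checks the user's password by binding as the DN that the user search returned (labelled as an assumption in the code), and it escapes substituted values as RFC 4515 requires so that a subject name cannot alter the filter structure.

```python
from urllib.parse import urlparse

# Defaults as given in Table 9-3 for the optional properties.
DEFAULTS = {
    "search-filter": "uid=%s",
    "group-search-filter": "uniquemember=%d",
    "group-target": "CN",
}

def escape_filter_value(value):
    """Escape a value before inserting it into an LDAP search filter (RFC 4515)."""
    repl = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(repl.get(ch, ch) for ch in value)

def validate(props):
    """Reject a property set that Table 9-2 and Table 9-3 would not accept."""
    for name in ("directory", "base-dn", "jaas-context"):
        if not props.get(name):
            raise ValueError(f"required property '{name}' is missing")
    if props["jaas-context"] != "ldapRealm":
        raise ValueError("jaas-context must be ldapRealm")
    url = urlparse(props["directory"])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        raise ValueError("directory must be an LDAP URL of the form ldap://hostname:port")
    if bool(props.get("search-bind-dn")) != bool(props.get("search-bind-password")):
        raise ValueError("search-bind-dn and search-bind-password must be set together")

def _wrap(filter_text):
    # Table 9-3 gives the default filters without parentheses; add them if absent.
    return filter_text if filter_text.startswith("(") else f"({filter_text})"

def plan_login(props, username, user_dn):
    """Return the ordered LDAP operations for authenticating `username`.

    `user_dn` stands in for the entry DN the user search would return
    (constructed here, since no directory is contacted)."""
    validate(props)
    p = {**DEFAULTS, **props}
    # Anonymous search unless search-bind-dn is configured (Table 9-3).
    search_bind = p.get("search-bind-dn") or "<anonymous>"
    user_filter = _wrap(p["search-filter"].replace("%s", escape_filter_value(username)))
    group_base = p.get("group-base-dn") or p["base-dn"]   # default: same as base-dn
    group_filter = _wrap(p["group-search-filter"].replace("%d", escape_filter_value(user_dn)))
    return [
        ("bind", search_bind),
        ("search", p["base-dn"], "sub", user_filter),        # tree scope search
        ("bind", user_dn),  # assumption: password verified by binding as the found DN
        ("search", group_base, "sub", group_filter, p["group-target"]),
    ]
```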