Using the GUI (
http://localhost:4848) to
configure LDAP Authenication Realm
The following steps are based on GlassFish v2.1
1) After you login to the admin server, expand Configuration->Security->Realms
2) Click New... to create a new realm with the following information:
Name : ABCLdap
Class Name : com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
JAAS context : IdapRealm
Directory : ldaps://abc.com:636
Base DN : ou=people,dc=abc,dc=com
3) Add two Additional Properities:
group-search-filter : cn=*
group-base-dn : ou=groups,dc=abc,dc=com
and then click on save button.
The following lines were added to the domain.xml file
<auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="ABCLdap">
<property name="directory" value="ldaps://abc.com:636"/>
<property name="base-dn" value="ou=people,dc=abc,dc=com"/>
<property name="group-search-filter" value="cn=*"/>
<property name="group-base-dn" value="ou=groups,dc=abc,dc=com"/>
<property name="jaas-context" value="ldapRealm"/>
</auth-realm>
Everyone was able to login successfully through userid and password authentication.
But when we used the command create-auth-realm as follows:
/opt/SDK/bin/asadmin create-auth-realm --port 4848 --user admin --passwordfile /tmp/passwordfile --classname com.sun.enterprise.security.auth.realm.ldap.LDAPRealm \
--property "directory=ldaps\://abc.com\:636:base-dn=ou\=people,dc\=abc,dc\=com:group-serach-filter=cn\=*:group-base-dn=ou\=groups,dc\=abc,dc\=com:jaas-context=ldapRealm" ABCLdap
The following lines were added to the domain.xml
<auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="ABCLdap">
<property name="directory" value="ldaps://abc.com:636"/>
<property name="base-dn" value="ou=people,dc=abc,dc=com"/>
<property name="group-search-filter" value="cn=*"/>
<property name="jaas-context" value="ldapRealm"/>
<property name="group-base-dn" value="ou=groups,dc=abc,dc=com"/>
</auth-realm>
Then we have seen one issue here is that not everyone could login successfully which means some people could login successfully through userid and password authentication but some people couldn't login successfully through userid and password authentication.
For those people who couldn't login, they got the following error messages:
HTTP Status 403 - Access to the requested resource has been denied
It seems to us that the order of the properties added to the domain.xml did make differences.
These lines added to the domain.xml by GUI worked for everyone but these lines added to the domain.xml by the command line (create-auth-realm) did not work for everyone.
We prefer to use the command line (create-auth-realm) to configure LDAP Authenication Realm.
Is there a solution for this issue related to the command line (create-auth-realm) ?
Thank you so much !
[Message sent by forum member 'pschi' (pschi)]
http://forums.java.net/jive/thread.jspa?messageID=343728