Tuesday, 29 September 2015

Integrating Tomcat with Microsoft Active Directory (AD)

Prerequisites for Integrating LDAP with Tomcat:

Operating System : Windows with Active Directory 2003 and above
Java : Jdk 1.6 and above
Application Server : Tomcat 6.0 and above

Populate LDAP

We will configure security so that only a specific group of users can access the deployed web applications. This group needs a name, which is configured within LDAP; you may already have an appropriate group.
  1. Create the users in Active Directory that the application will validate against.
  2. Create a group, e.g. TomcatUsersGroup, and associate users with this group in Active Directory using the wizard.

Configuring Tomcat to Use LDAP

Next, we need to configure Tomcat to connect to LDAP. This is described in the Tomcat documentation: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
This is the difficult step. It requires adding an entry to server.xml, found in Tomcat's conf folder. For our example, the entry is as follows:

Comment out the following lines in server.xml:
<!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
-->
To disable the native tomcat-users.xml user database and use LDAP credentials instead, also comment out the GlobalNamingResources block:
<!-- <GlobalNamingResources>
Editable user database that can also be used by
UserDatabaseRealm to authenticate users
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
-->

Add the following Realm entry to server.xml for the LDAP configuration:

<Realm className="org.apache.catalina.realm.JNDIRealm"

    connectionURL="ldap://ldapserver.somedomain.com:389"
    authentication="simple"
    referrals="follow"

    connectionName="ldapuser@somedomain.com"
    connectionPassword="enter password here"

    userSearch="(sAMAccountName={0})"
    userBase="CN=Users,DC=somedomain,DC=com"
    userSubtree="true"

    roleSearch="(member={0})"
    roleName="cn"
    roleSubtree="true"
    roleBase="CN=Users,DC=somedomain,DC=com"
/>

Configuring the Application in the Deployed webapps Folder to Use the AD (or LDAP) Settings:

Finally, add a security constraint to the application's web.xml file:

e.g. Tomcat_Installed_Directory\webapps\application\WEB-INF\web.xml
<security-constraint>
  <display-name>Example Security Constraint</display-name>

  <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
  </web-resource-collection>

  <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>TomcatUsersGroup</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses basic authentication -->

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat LDAP Integrated Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->

<security-role>
  <description>LDAP Users</description>
  <role-name>TomcatUsersGroup</role-name>
</security-role>

Restart the Tomcat server, then test that your users are validated by logging in to the application with their LDAP (or AD) credentials.
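To make the realm's behaviour concrete, here is an added example (my own code, not Tomcat's JNDIRealm and not from the original post) that dry-runs the login flow the server.xml and web.xml entries above describe: the userSearch filter with {0} replaced by the login name, a bind as the user that was found, the roleSearch filter with {0} replaced by that user's DN, and finally the auth-constraint role check. It runs against a constructed in-memory directory with made-up users and passwords, and escapes the substituted value per RFC 4515 so that a login name such as `*` matches nothing rather than every account; whether your own Tomcat version applies that escaping is not reproduced here and should be checked against its documentation.

```python
"""Added example (not Tomcat's code): an offline dry run of what the
JNDIRealm configured above does with a login attempt.  Search templates
and base DNs are copied from the server.xml entry; the directory entries
and passwords below are constructed sample data, not real AD content."""
import re

USER_SEARCH = "(sAMAccountName={0})"   # {0} = login name typed by the user
USER_BASE = "CN=Users,DC=somedomain,DC=com"
ROLE_SEARCH = "(member={0})"           # {0} = DN of the authenticated user
ROLE_BASE = "CN=Users,DC=somedomain,DC=com"

# Constructed in-memory stand-in for the AD tree.
DIRECTORY = [
    {"dn": "CN=Alice,CN=Users,DC=somedomain,DC=com",
     "sAMAccountName": "alice", "password": "alice-pass"},
    {"dn": "CN=Bob,CN=Users,DC=somedomain,DC=com",
     "sAMAccountName": "bob", "password": "bob-pass"},
    {"dn": "CN=TomcatUsersGroup,CN=Users,DC=somedomain,DC=com",
     "cn": "TomcatUsersGroup",
     "member": ["CN=Alice,CN=Users,DC=somedomain,DC=com"]},
    {"dn": "CN=Developers,CN=Users,DC=somedomain,DC=com",
     "cn": "Developers", "member": []},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, value):
    """Fill the {0} placeholder of a Realm search template, escaped so the
    value can only ever match literally."""
    return template.replace("{0}", escape_filter_value(value))


def _pieces(pattern):
    """Split a filter value on unescaped '*' wildcards and decode \\XX
    escapes into literal characters; returns the literal pieces."""
    pieces, cur, i = [], "", 0
    while i < len(pattern):
        if pattern[i] == "\\":
            cur += chr(int(pattern[i + 1:i + 3], 16))
            i += 3
        elif pattern[i] == "*":
            pieces.append(cur)
            cur = ""
            i += 1
        else:
            cur += pattern[i]
            i += 1
    pieces.append(cur)
    return [p.lower() for p in pieces]


def _glob_match(pieces, text):
    """pieces[0] must be a prefix, pieces[-1] a suffix, and the rest must
    appear in order between them (case-insensitive, like AD)."""
    text = text.lower()
    if len(pieces) == 1:
        return text == pieces[0]
    if not text.startswith(pieces[0]) or not text.endswith(pieces[-1]):
        return False
    pos, end = len(pieces[0]), len(text) - len(pieces[-1])
    for piece in pieces[1:-1]:
        idx = text.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= end


def search(base, filter_str):
    """Minimal evaluator for one (attr=value) filter under a base DN."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, pieces = m.group(1), _pieces(m.group(2))
    hits = []
    for entry in DIRECTORY:
        if not entry["dn"].lower().endswith(base.lower()):
            continue
        values = entry.get(attr, [])
        values = [values] if isinstance(values, str) else values
        if any(_glob_match(pieces, v) for v in values):
            hits.append(entry)
    return hits


def authenticate(username, password):
    """userSearch under userBase, bind as the DN found (simulated by a
    password compare), then roleSearch under roleBase with that DN.
    Returns a principal dict, or None when authentication fails."""
    users = search(USER_BASE, build_filter(USER_SEARCH, username))
    if len(users) != 1:            # no user, or an ambiguous match: reject
        return None
    user = users[0]
    if password != user["password"]:
        return None
    groups = search(ROLE_BASE, build_filter(ROLE_SEARCH, user["dn"]))
    return {"dn": user["dn"], "roles": sorted(g["cn"] for g in groups)}


def authorize(principal, allowed_roles):
    """The <auth-constraint> check from web.xml: one listed role suffices."""
    return principal is not None and bool(set(principal["roles"]) & set(allowed_roles))
```

In this dry run "bob" authenticates but is refused by `authorize`, which is what Tomcat does when a valid AD user is not in TomcatUsersGroup (an HTTP 403 after a successful login). Two things worth keeping in mind when moving from the dry run to the real realm: the connectionURL above uses plain ldap:// on port 389, so the connectionPassword and every user's password cross the network unencrypted unless the directory is reached over ldaps://, which JNDIRealm accepts in connectionURL; and roleSearch receives the user's full DN, so group membership is resolved by DN match, which is why roleBase must cover the groups and not only the users.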

Refer to the following URL for additional details:

http://www.topquadrant.com/docs/tbl/42install/ldap.html#integration-instructions
