An Identity Management Solution is no good if you can’t use it from your server applications. Here are the steps you can go through to get your server working along side FreeIPA.
LDAP Approach using Basic Auth:
The JNDI info you need can be found in: /etc/ipa/default.conf
host=ipa-server-3.ayoung.boston.devel.redhat.com
basedn=dc=ipa-server-3,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
realm=IPA-SERVER-3.AYOUNG.BOSTON.DEVEL.REDHAT.COM
domain=ayoung.boston.devel.redhat.com
xmlrpc_uri=https://ipa-server-3.ayoung.boston.devel.redhat.com/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-IPA-SERVER-3-AYOUNG-BOSTON-DEVEL-REDHAT-COM.socket
enable_ra=True
ra_plugin=dogtag
mode=production
This file is present on the IPA server as well as on any enrolled IPA client. Notice also the ldap_uri, which gives you the information needed to connect, and the host line, which tells you the DNS name of the IPA server. The most important value is the basedn.
Minor complaint: using an equal sign as the separator between the key and value in this file makes it harder to script than it should be.
I do this to pull out the value for the basedn:
export IPA_BASE_DN=`grep basedn /etc/ipa/default.conf | sed 's/basedn=//'`
To look up the set of groups you are assigned, you can use a simple bind where you are prompted for your password:
ldapsearch -W -D "uid=$USER,cn=users,cn=accounts,$IPA_BASE_DN" \
    -b "cn=groups,cn=accounts,$IPA_BASE_DN" \
    "(member=uid=$USER,cn=users,cn=accounts,$IPA_BASE_DN)"
You can replace $USER with 'Admin' if you are just getting set up. The LDAP client configuration supplies the host, so you do not have to specify it explicitly.
To set up Tomcat to use LDAP, I tested things out using the manager app that ships with tomcat6. First, add the following stanza to the server.xml file for your tomcat instance. I put it right below the UserDatabase Realm that should be in there.
I'll use the classic example.com as the basis for the JNDI lookups.
I modified the web application by changing /var/lib/tomcat6/webapps/manager/WEB-INF/web.xml so that it uses the Realm as defined here:
In this solution, user groups are used for the roles. Create a group named manager-gui and add yourself, or the user that you want to have access to the WebApp, to it. Now browse to http://yourserver:8080/manager/html and authenticate using the user's IPA credentials.
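The Realm stanza described above, written here as an added illustration rather than the author's own server.xml: it binds as the authenticating user (so the Directory Server's ACIs apply) and maps IPA groups to Tomcat roles by searching for the user's DN in each group's member attribute. The host name and base DN are placeholders under example.com; the ldaps URL is an assumption of this example, because the ldapi socket in default.conf cannot be used by a Java client and a simple bind sends the password in the clear without TLS.

```xml
<!-- Added example, placed right below the UserDatabase Realm in server.xml.
     Assumptions: IPA server at ipa.example.com, basedn dc=example,dc=com.
     Use ldaps (or startTLS) so the simple bind does not send the password
     in plain text over the network. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ipa.example.com:636"
       <!-- Bind as the user: {0} is replaced with the supplied user name.
            No service account or stored admin password is needed. -->
       userPattern="uid={0},cn=users,cn=accounts,dc=example,dc=com"
       <!-- Roles come from IPA groups: search the groups container for
            entries whose member attribute holds the user's full DN
            ({0} is the bound user's DN here), and use each group's cn
            as the role name. -->
       roleBase="cn=groups,cn=accounts,dc=example,dc=com"
       roleSearch="(member={0})"
       roleName="cn"
       roleSubtree="false" />
```

With this Realm in place, an IPA group named manager-gui satisfies the manager app's manager-gui role in web.xml, and the only users who get in are those whose own bind succeeds and who appear as a member of that group.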
I'd like to point out that this solution does the bind as the user, not as an administrator. This means that the session is confined by the access control (ACI) enforced by the Directory Server.
This gets you in the door, and will let you test that the LDAP and JNDI approach using Basic Authentication and Simple Bind works. This is fine for testing and development, but I would recommend against it for production. We can do better. In an upcoming article, I show how to do the same type of authentication, but using Kerberos credentials and the GSSAPI.