Tomcat Simple Bind to FreeIPA

An Identity Management Solution is no good if you can’t use it from your server applications.  Here are the steps you can go through to get your server working along side FreeIPA.

LDAP Approch  using Basic Auth:

The JNDI info you need can be found in: /etc/ipa/default.conf

 

host=ipa-server-3.ayoung.boston.devel.redhat.com
basedn=dc=ipa-server-3,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
realm=IPA-SERVER-3.AYOUNG.BOSTON.DEVEL.REDHAT.COM
domain=ayoung.boston.devel.redhat.com
xmlrpc_uri=https://ipa-server-3.ayoung.boston.devel.redhat.com/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-IPA-SERVER-3-AYOUNG-BOSTON-DEVEL-REDHAT-COM.socket
enable_ra=True
ra_plugin=dogtag
mode=production

 

This should be specified in the IPA server as well as any enrolled IPA client.  Notice also the ldap_uri which should give you the information to connect, as well as the host line which tells you the DNS name of IPA server:  The most important value is the basedn.

Minor complaint:  using an equal sign as the separator between the key and value in this file makes it harder to script than it should be.

I do this to pull out the value for the basedn:

export  IPA_BASE_DN=`grep basedn /etc/ipa/default.conf | sed 's/basedn=//'`

To look up the set of groups you are assigned, you can use a simple bind where you are prompted for your password:

ldapsearch -W -D "uid=$USER,cn=users,cn=accounts,$IPA_BASE_DN" \
           -b "cn=groups,cn=accounts,$IPA_BASE_DN"  \
              "(member=uid=$USER,cn=users,cn=accounts,$IPA_BASE_DN)"

You can replace $USER with ‘Admin’ if you are just getting set up.  LDAP Configuration means that it finds the host  without you having to explicitly specify it.

To set up Tomcat to use LDAP, I tested things out using the manager app that ships with tomcat6. First, add the following stanza to the server.xml file for your tomcat instance. I put it right below the UserDatabase Realm that should be in there.

 
      


I’ll use the classis example.com as the basis for the JDNI lookups.

I modified the web application by changing/var/lib/tomcat6/webapps/manager/WEB-INF/web.xml so that it use the Realm as defined here:

 
    BASIC
    org.apache.catalina.realm.JNDIRealm

In this solution, user groups are used for the roles. Create a group named manager-gui and add it to yourself, or the user that you want to have access to the WebApp. Now Browse http://yourserver:8080/manager/html and authenticate using the User credentials for IPA.

I’d like to point out that this solution does the Bind as the user, not as an administrator. This means that this session is confined by the access control (ACI) enforced by the Directory Server.

This gets you in the door, and will let you test that the LDAP and JNDI approach using Basic Authentication and Simple Bind works.  This is fine for testing and development, but I would recommend against it for production.  We can do better. In an upcoming article, I show how do the same type of authentication, but using Kerberos credentials and the GSSAPI.

One thought on “Tomcat Simple Bind to FreeIPA

  1. Hi

    Do you have a newer/other solution for Tomcat 7/8 and IPA 4.x to? These solution doesnt work…

    Greetz

Leave a Reply

Your email address will not be published. Required fields are marked *