What is a Tomcat/Kerberos realm and where is it configured - apache

I am configuring SPNEGO/Tomcat/SSO on Windows 7.
I don't understand what a Realm is and where it is configured!
From reading the following guides:
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
I understand a realm is a DB of users/passwords. This DB data can be taken from several places: a DB, Active Directory, a users.xml file, etc.
When configuring krb5.ini and jaas.config I need to provide a realm name. Where do I find this Realm name? On our Active Directory machine no system admin ever created a Realm object, so how do I know what Realm name to enter in the configuration?
SPNEGO w/ SSO requires JAASRealm, so why do I need to set up Realm className="org.apache.catalina.realm.JNDIRealm" in the server.xml?
Is JAASRealm a wrapper that uses JNDI in order to work with AD?
Thanks

I understand a realm is a DB of users/passwords. This DB data can be taken from several places: a DB, Active Directory, a users.xml file, etc.
It is a service, not just a database. It can be implemented via an XML file, a JNDI interface, a JDBC interface, JAAS, and several others.
When configuring krb5.ini and jaas.config I need to provide a realm name. Where do I find this Realm name?
You configure it, in a Realm entry in either your context.xml file or, if you want it global across webapps, in server.xml. Then you refer to that name in the files you mention.
On our Active Directory machine no system admin ever created a Realm object,
Of course not. They don't exist in AD servers. You're looking in the wrong place.
So how do I know what Realm name to enter in the configuration?
In this case you would use a JNDI or JAAS realm.
SPNEGO w/ SSO requires JAASRealm
So there's your answer.
So why do I need to set up Realm className="org.apache.catalina.realm.JNDIRealm" in the server.xml?
You don't. You need to configure a JAAS realm, as you just said above. Unclear why you think a JNDI realm is required here.
Is JAASRealm a wrapper that uses JNDI in order to work with AD?
You need to look some of these things up. JAAS is a service that can use any combination of login modules, including some you can write yourself. What they do is up to them, and to you if you write them. Too broad to answer here.

Related

Trying to connect LDAP users from two or more subdomains to NiFi

I have set up a three-node secure NiFi cluster and integrated it with LDAP for user login.
My doubts:
In login-identity-providers.xml, can we add multiple User Search Base entries for LDAP? (I tried adding multiple User Search Base entries but it failed.)
In LDAP, the user search should happen on multiple subdomains, e.g. DC=example1,dc=example,dc=com and DC=example2,dc=example,dc=com, in the User Search Base in login-identity-providers.xml.
To achieve multitenancy in LDAP, what configuration changes do we need to make in identity-provider.xml?
A tenant1 user should access the process group defined for tenant1 itself, and it should not be accessible to tenant2 users.
From what I can tell, and assuming you are using Microsoft Active Directory, if you use:
FOLLOW
It may work.
We also sometimes might use the Global Catalog (as then there are no referrals).
I also am guessing that the "empty" parameters should be removed (but I do NOT know how NiFi works).
I would suggest you also do tests with an LDAP browser to make sure you know what your LDAP tree looks like. We use Apache Studio, but there are others.
Provide more data on whether it is Microsoft Active Directory, and refer to https://stackoverflow.com/help/how-to-ask
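A login-identity-providers.xml that follows the answer's advice (Referral Strategy FOLLOW, or the Global Catalog with a forest-root search base, and no empty properties), written here as an added example rather than the poster's or the answerer's configuration; the hostnames, DNs, file paths and passwords are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example for NiFi's LDAP login identity provider.
     All hostnames, DNs, paths and passwords below are placeholders. -->
<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>

        <!-- Bind over TLS so the service-account password and searches are never sent in clear -->
        <property name="Authentication Strategy">LDAPS</property>
        <property name="TLS - Truststore">/opt/nifi/conf/truststore.p12</property>
        <property name="TLS - Truststore Password">PLACEHOLDER_TRUSTSTORE_PASSWORD</property>
        <property name="TLS - Truststore Type">PKCS12</property>
        <property name="TLS - Protocol">TLSv1.2</property>

        <!-- Read-only service account used only to look up users (least privilege) -->
        <property name="Manager DN">CN=nifi-svc,OU=Service Accounts,DC=example,DC=com</property>
        <property name="Manager Password">PLACEHOLDER_BIND_PASSWORD</property>

        <!-- FOLLOW lets a domain controller refer the search on to the
             example1 and example2 child domains instead of failing -->
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <!-- Global Catalog over TLS (port 3269) answers for the whole forest
             without referrals; a plain DC on 636 would rely on FOLLOW above -->
        <property name="Url">ldaps://dc.example.com:3269</property>

        <!-- One search base at the forest root covers both child domains,
             which is why multiple User Search Base properties are not needed -->
        <property name="User Search Base">DC=example,DC=com</property>
        <property name="User Search Filter">(sAMAccountName={0})</property>

        <!-- Log users in by account name rather than full DN -->
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>
```

Which process groups a tenant may open is decided by NiFi's access policies, not by this file; the provider only establishes who the user is.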

LDAP schema editing on the fly

Is it possible in any of the existing LDAP servers to edit a schema in one of the available editors, like JXplorer, Apache Directory Studio or LDAP Admin?
I tried with OpenLDAP and all of the above tools (I run the server with the -F option) but it looks like it's not possible to modify the schema: add new attributes, add descriptions, etc.
I would be grateful if any of you have some experience with this.
Cheers
Some LDAP servers allow (authorized users) to change the schema by sending an LDAP modify operation affecting the so-called subschema subentry directly, but not OpenLDAP.
In OpenLDAP you have two possible configuration methods:
Static file configuration, usually with schema files simply being included (aka slapd.conf), which requires slapd to be restarted to make configuration changes effective
Dynamic configuration backend back-config (aka cn=config), for which you can also define ACLs restricting access to your LDAP admins
The dynamic configuration method allows you to tweak the schema via LDAP, making it effective without a server restart. But you have to modify the multiple LDAP entries in the sub-tree cn=schema,cn=config, which you can do with any generic LDAP client.
Since schema descriptions usually reference other schema descriptions, the order is important. Standard LDAP does not know about the order of entries beneath an entry or the order of attribute values. Therefore OpenLDAP implements an extension specified in draft-chu-ldap-xordered.

How to add/update an LDAP server programmatically in Liferay

I have a test server installed with Liferay 6.2 GA4 and it is configured with an LDAP server. The configuration was done through the portal-ext.properties file. As per my understanding, the configuration mentioned in the portal-ext.properties file is effective only during the initial setup. Any change in the LDAP configuration should be done through the control panel. The control panel shows the LDAP servers in a list (search container), and we can select and edit an LDAP server from the control panel.
Now what I'm trying is this: I want to do this from a custom portlet, i.e. I want to list the LDAP servers in my portlet and be able to update them. I have checked PortalLDAPExporterUtil and PortalLDAPImporterUtil but that didn't help.
Can someone help me find out which Liferay API I should look at to achieve this?
I got the answer from the Liferay forum from their staff member Jorge Díaz.
You can find the code where LDAP servers are stored at control panel at following files:
edit_ldap_server.jsp: https://github.com/liferay/liferay-portal/blob/6.2.x/portal-web/docroot/html/portlet/portal_settings/edit_ldap_server.jsp
EditLDAPServerAction: https://github.com/liferay/liferay-portal/blob/6.2.x/portal-impl/src/com/liferay/portlet/portalsettings/action/EditLDAPServerAction.java
In the first one, the JSP edit_ldap_server.jsp, the parameters are filled in by the final user and sent to EditLDAPServerAction. The second one, the Java class, only retrieves that information and stores it to preferences (method EditLDAPServerAction.addLDAPServer).
You cannot call these methods from a portlet, but perhaps you can copy and paste the internal logic.
Original answer: https://www.liferay.com/community/forums//message_boards/message/55597042

Securing a resource in Web Server

I have a file (or set of files under a directory) published on my web server. Each of these resources needs to be access-protected based on the user's credentials and authority.
The authorization details are stored in a DB, so I need to make a call to the Java code in the application server to determine the access.
Every time the user hits this particular path in the web server, I need to ensure s/he has access to the requested resource by ensuring s/he is logged in and has the necessary privileges to access this resource.
The web server is Apache. Can you please point me to the settings in Apache that allow me to secure resource access using the above logic?
Thanks for the suggestions to correct the Tag and the Question!:
My Web Server is Apache HTTPD
Agree that this is not a Java question: the only reason why I am bringing in the Java perspective is that I am most likely going to use some Java POJOs to go and check for user authorization for a particular directory that is stored in the DB. That is unless there is a trick in the Apache httpd configuration that goes and checks the DB automatically, something similar to the one that is pointed out here... At the end of it, I need to check if a particular user (authenticated previously by the Single Sign On server (Sun Access Manager)) has access to a particular directory (user mapping to directory stored in the DB) and protect the resources under the directory accordingly.
Please let me know if that clarifies.
I am not sure why this is tagged with java - unless your DB structure is VERY specific, you might be able to get it done with Apache authz and authn:
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
or, for an overview:
http://httpd.apache.org/docs/2.2/howto/auth.html

Getting configuration strings from Weblogic

This question is related to Weblogic 12c.
I have an EAR file that I want to deploy in various environments (dev, QA, pre-prod and prod). However, my application requires a username and a password (to connect to another server) and they're not the same across the four environments. I don't want to package 4 different property files in 4 different EAR files. I want a single generic EAR file. Besides, I don't want to handle the prod password during packaging.
Ideally, I'd like the admin of each environment to provide the appropriate username and password for the environment. Unlike Tomcat, Jetty or JBoss(?), I think it's not possible for a WebLogic admin to specify this information in a way that it will become available under the java:comp/env JNDI context.
How can an application obtain some admin-defined configuration strings from Weblogic?
BTW, it's not a username/password for a JDBC connection.
From what I understand, you need to change parameters based on the environment you are using right?
If you would like to override parameters on the fly you can use the WebLogic deployment plan concept.
Did you mean that you need to provide username/password to start-up the application?
If so, you may accomplish that by creating a script with WLST: http://docs.oracle.com/cd/E15051_01/wls/docs103/config_scripting/using_WLST.html
As far as I know, the WebLogic way is to
Define your username/password as an env-entry in the deployment descriptor
Deploy your application together with the plan.xml, whereas each environment admin maintains his own environment-specific version of the plan.xml
That way you get them into /comp/env/config
More details here: http://docs.oracle.com/cd/E11035_01/wls100/deployment/config.html
Only drawback known to me: plan.xml will always contain the unencrypted password, but as the admin knows the password anyway and this is "his" file on "his" machine that should be fine.
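The env-entry plus deployment-plan approach from the answer carried through, as an added example and not the answerer's own files: it assumes a constructed EAR named myapp.ear containing myapp.war, whose WEB-INF/web.xml declares String env-entries named config/username and config/password with placeholder values, and overrides both per environment from plan.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed WebLogic deployment plan (plan.xml) for myapp.ear (placeholder name).
     It assumes the web module's WEB-INF/web.xml already contains, for example:
       <env-entry>
         <env-entry-name>config/username</env-entry-name>
         <env-entry-type>java.lang.String</env-entry-type>
         <env-entry-value>CHANGE_ME</env-entry-value>
       </env-entry>
     and the same shape for config/password. Each environment's admin keeps a
     copy of this file with their own values, so the EAR itself stays generic. -->
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
                 global-variables="false">
  <application-name>myapp.ear</application-name>

  <!-- Environment-specific values (here: constructed QA values) -->
  <variable-definition>
    <variable>
      <name>remote_username</name>
      <value>qa-service-user</value>
    </variable>
    <variable>
      <name>remote_password</name>
      <value>PLACEHOLDER_QA_PASSWORD</value>
    </variable>
  </variable-definition>

  <!-- Bind each variable onto the matching env-entry-value in web.xml -->
  <module-override>
    <module-name>myapp.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>web-app</root-element>
      <uri>WEB-INF/web.xml</uri>
      <variable-assignment>
        <name>remote_username</name>
        <xpath>/web-app/env-entry/[env-entry-name="config/username"]/env-entry-value</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>remote_password</name>
        <xpath>/web-app/env-entry/[env-entry-name="config/password"]/env-entry-value</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
```

The application then reads the values with `new InitialContext().lookup("java:comp/env/config/username")` (and config/password), and since the plan holds the clear-text password, keep the file readable only by the WebLogic admin account.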