Note: For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.

Configuration of LDAP authentication (Apache Tomcat)

Define the users who can access the Application Center console and the users who can log in with the mobile client by mapping Java™ Platform, Enterprise Edition roles to LDAP roles.

Purpose

To configure ACL management of the Application Center, follow this process:
  1. Configure LDAP for user authentication.
  2. Map the Java Platform, Enterprise Edition (Java EE) roles of the Application Center to the LDAP roles.
  3. Configure the Application Center properties for LDAP authentication.
Restriction: Only the simple type of LDAP authentication is supported.

You configure the Apache Tomcat server for LDAP authentication and configure security (Java™ Platform, Enterprise Edition) in the web.xml file of the Application Center Services web application (applicationcenter.war) and of the Application Center Console web application (appcenterconsole.war).

LDAP user authentication

You must configure a JNDIRealm in the server.xml file in the <Host> element. For more information about configuring a realm, see the Realm Component on the Apache Tomcat website.

Example of configuration on Apache Tomcat to authenticate against an LDAP server

This example shows how to configure an Apache Tomcat server to authenticate users against an LDAP server and to derive their roles from group membership in the same directory.
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
 ...
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://bluepages.ibm.com:389"
       userSubtree="true"
       userBase="ou=bluepages,o=ibm.com"
       userSearch="(emailAddress={0})"
       roleBase="ou=ibmgroups,o=ibm.com"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(uniqueMember={0})"
       allRolesMode="authOnly"
       commonRole="appcenter"/>
 ...
</Host>

The value of connectionURL is the LDAP URL of your LDAP server. With the simple authentication type, the user's password is sent to the directory in clear text during the bind, so use an ldaps:// URL (with the LDAP server's certificate trusted by the Tomcat JVM) rather than the ldap://...:389 form of the example wherever the network between Tomcat and the directory is not trusted.

The userSubtree, userBase, and userSearch attributes define how the name that is entered in the Application Center login form (the browser's authentication prompt) is matched to an LDAP user entry.

In the example, the definition of userSearch specifies that the user name is used to match the email address of an LDAP user entry.

The basis or scope of the search is defined by the value of the userBase attribute. In LDAP, an information tree is defined; the user base indicates a node in that tree.

Set the value of userSubtree to true; if it is set to false, the search runs only on the direct child nodes of the user base. It is important that the search penetrates the subtree and does not stop at the first level.

For authentication, you define only the userSubtree, userBase, and userSearch attributes. The Application Center also uses Java EE security roles. Therefore, you must map LDAP attributes to some Java EE roles. These attributes are used for mapping LDAP attributes to security roles:

  • roleBase
  • roleName
  • roleSubtree
  • roleSearch
  • The roleBase attribute specifies a node in the LDAP tree below which the role (group) entries are defined.
  • The roleSubtree attribute indicates whether the LDAP search covers the entire subtree whose root is defined by the value of roleBase, or only the direct child nodes.
  • The roleSearch attribute is the search filter; {0} is replaced by the Distinguished Name (DN) of the authenticated user. In this example, the filter matches all LDAP entries with a uniqueMember attribute whose value is that DN.
  • The roleName attribute names the attribute of each matching entry whose value is used as the role name. In the example it is cn, so the group entry with cn=MyLdapAdmin yields the role MyLdapAdmin.
  • The allRolesMode attribute controls how an asterisk (*) as the value of role-name in the web.xml file is treated. With the value authOnly, such a constraint admits any authenticated user regardless of the roles found in LDAP, so reserve it for resources that every directory user may reach. This attribute is optional.
  • The commonRole attribute adds a role that is shared by all authenticated users (appcenter in the example). This attribute is optional.
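The following Python script is an added example, not part of the IBM documentation or product. It models, over a small constructed in-memory directory, how the JNDIRealm attributes listed above resolve a login name to a user DN and then to a set of role names. The DNs, the user entries and the contractors sub-organization are assumptions made for the example; a real realm performs these steps as LDAP searches against connectionURL and must also escape the value substituted for {0} so that a login name cannot alter the filter.

```python
"""Added example (not IBM's code): an in-memory model of how the JNDIRealm
attributes on this page turn a login name into a DN and a set of roles.
The directory below is constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the LDAP server: DN -> {attribute: [values]}.
DIRECTORY = {
    "uid=alice,ou=bluepages,o=ibm.com": {
        "emailAddress": ["alice@example.com"],
    },
    # bob sits one level deeper than userBase; only a subtree search finds him.
    "uid=bob,ou=contractors,ou=bluepages,o=ibm.com": {
        "emailAddress": ["bob@example.com"],
    },
    "cn=MyLdapAdmin,ou=ibmgroups,o=ibm.com": {
        "cn": ["MyLdapAdmin"],
        "uniqueMember": ["uid=alice,ou=bluepages,o=ibm.com"],
    },
    "cn=MyLdapUser,ou=ibmgroups,o=ibm.com": {
        "cn": ["MyLdapUser"],
        "uniqueMember": [
            "uid=alice,ou=bluepages,o=ibm.com",
            "uid=bob,ou=contractors,ou=bluepages,o=ibm.com",
        ],
    },
}


@dataclass
class RealmConfig:
    """The JNDIRealm attributes this page uses, with the same names."""
    userBase: str
    userSearch: str
    userSubtree: bool
    roleBase: str
    roleSearch: str
    roleName: str
    roleSubtree: bool
    commonRole: Optional[str] = None


def example_config(user_subtree=True):
    """The Realm element from the page, as a RealmConfig."""
    return RealmConfig(
        userBase="ou=bluepages,o=ibm.com",
        userSearch="(emailAddress={0})",
        userSubtree=user_subtree,
        roleBase="ou=ibmgroups,o=ibm.com",
        roleSearch="(uniqueMember={0})",
        roleName="cn",
        roleSubtree=True,
        commonRole="appcenter",
    )


def in_scope(dn, base, subtree):
    """True if dn lies under base: anywhere below it when subtree is set,
    otherwise only one RDN below it. Assumes no commas inside RDN values."""
    if not dn.endswith("," + base):
        return False
    rdns_below_base = dn[: -len(base) - 1].count(",") + 1
    return subtree or rdns_below_base == 1


def search(base, subtree, equality_filter):
    """Evaluate a single '(attr=value)' filter, the only form the page uses."""
    attr, _, value = equality_filter.strip("()").partition("=")
    return [
        dn
        for dn, attrs in DIRECTORY.items()
        if in_scope(dn, base, subtree) and value in attrs.get(attr, [])
    ]


def resolve(cfg, login_name):
    """Return (user_dn, roles); (None, set()) unless exactly one user matches."""
    user_filter = cfg.userSearch.replace("{0}", login_name)
    matches = search(cfg.userBase, cfg.userSubtree, user_filter)
    if len(matches) != 1:
        return None, set()
    user_dn = matches[0]
    # The role search substitutes the user's DN for {0}, not the login name.
    role_filter = cfg.roleSearch.replace("{0}", user_dn)
    roles = {
        DIRECTORY[dn][cfg.roleName][0]
        for dn in search(cfg.roleBase, cfg.roleSubtree, role_filter)
    }
    if cfg.commonRole:
        roles.add(cfg.commonRole)
    return user_dn, roles


if __name__ == "__main__":
    for name in ("alice@example.com", "bob@example.com"):
        print(name, "subtree:", resolve(example_config(), name))
        print(name, "one level:", resolve(example_config(user_subtree=False), name))
```

Running the script shows that bob, whose entry sits one level below userBase, is found only while userSubtree is true, that MyLdapUser is granted to both users through the uniqueMember search on the user's DN, and that commonRole adds appcenter to everyone who authenticates.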

Mapping the Java EE roles of the Application Center to LDAP roles

After you define the LDAP request for the Java EE roles, you must change the web.xml file of the Application Center Services web application (applicationcenter.war) and of the Application Center Console web application (appcenterconsole.war) to map the Java EE roles of appcenteradmin and appcenteruser to the LDAP roles.

These examples, where LDAP users have LDAP roles, called MyLdapAdmin and MyLdapUser, show where and how to change the web.xml file. Replace the names MyLdapAdmin and MyLdapUser with the roles that are defined in your LDAP. Modify the following files:
  • tomcat_install_dir/webapps/appcenterconsole/WEB-INF/web.xml
  • tomcat_install_dir/webapps/applicationcenter/WEB-INF/web.xml

The security-role-ref element in the JAX-RS servlet

<servlet>
    <servlet-name>...</servlet-name>
    <servlet-class>...</servlet-class>
    <init-param>
        ...
    </init-param>
    <load-on-startup>1</load-on-startup>
    <security-role-ref>
        <role-name>appcenteradmin</role-name>
        <role-link>MyLdapAdmin</role-link>
    </security-role-ref>
    <security-role-ref>
        <role-name>appcenteruser</role-name>
        <role-link>MyLdapUser</role-link>
    </security-role-ref>
</servlet>

The security-role element

<security-role>
    <role-name>MyLdapAdmin</role-name>
</security-role>
<security-role>
    <role-name>MyLdapUser</role-name>
</security-role>

The auth-constraint element

After you edit the security-role-ref and security-role elements, use the same LDAP role names in the auth-constraint elements that protect the web resources. Edit the role for the appcenteradminConstraint element in the web.xml files of both appcenterconsole and applicationcenter, and the role for the appcenteruserConstraint element in the appcenterconsole web.xml file.
<security-constraint>
    <display-name>appcenteradminConstraint</display-name>
    <web-resource-collection>
        ...
    </web-resource-collection>
    <auth-constraint>
        <role-name>MyLdapAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
        ...
    </user-data-constraint>
</security-constraint>
and
<security-constraint>
    <display-name>appcenteruserConstraint</display-name>
    <web-resource-collection>
        ...
    </web-resource-collection>
    <auth-constraint>
        <role-name>MyLdapUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        ...
    </user-data-constraint>
</security-constraint>
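The following Python script is an added example, not part of the IBM documentation or product. It reads a web.xml and reports the mapping mistakes that otherwise show up only as a 403 at login: a role-link or auth-constraint role-name with no matching security-role, a missing security-role-ref for appcenteradmin or appcenteruser, and an auth-constraint of * (which, with allRolesMode set to authOnly, admits every authenticated directory user). The embedded web.xml is a constructed sample with the structure of the fragments above; the servlet class, the URL patterns, the deliberate MyLdapUsr typo and the NONE transport guarantee are assumptions made for the example, and the expectation that every user-data-constraint requires CONFIDENTIAL transport is the example's own check, not a statement from this page.

```python
"""Added example (not IBM's code): consistency checks for the role mapping
in an Application Center web.xml."""
import sys
import xml.etree.ElementTree as ET

# The two Java EE roles the Application Center expects to find mapped.
REQUIRED_REFS = ("appcenteradmin", "appcenteruser")

# Constructed sample with the structure of the fragments on this page. The
# servlet class and URL patterns are placeholders; MyLdapUsr is a deliberate
# typo of MyLdapUser and the NONE transport guarantee is deliberately weak.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>JAX-RS</servlet-name>
    <servlet-class>com.example.PlaceholderServlet</servlet-class>
    <security-role-ref><role-name>appcenteradmin</role-name><role-link>MyLdapAdmin</role-link></security-role-ref>
    <security-role-ref><role-name>appcenteruser</role-name><role-link>MyLdapUser</role-link></security-role-ref>
  </servlet>
  <security-constraint>
    <display-name>appcenteradminConstraint</display-name>
    <web-resource-collection><web-resource-name>admin</web-resource-name><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>MyLdapAdmin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>appcenteruserConstraint</display-name>
    <web-resource-collection><web-resource-name>user</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>MyLdapUsr</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-role><role-name>MyLdapAdmin</role-name></security-role>
  <security-role><role-name>MyLdapUser</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace that web.xml declares on every element."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    found = _children(el, name)
    return (found[0].text or "").strip() if found else ""


def check_web_xml(xml_text):
    """Return a list of findings; an empty list means the mapping is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {_text(sr, "role-name") for sr in _children(root, "security-role")}

    # security-role-ref: Application Center role -> LDAP role (role-link)
    links = {}
    for servlet in _children(root, "servlet"):
        for ref in _children(servlet, "security-role-ref"):
            links[_text(ref, "role-name")] = _text(ref, "role-link")
    for app_role in REQUIRED_REFS:
        if app_role not in links:
            findings.append(f"no security-role-ref maps {app_role}")
    for app_role, ldap_role in links.items():
        if ldap_role not in declared:
            findings.append(f"role-link {ldap_role} (for {app_role}) has no security-role")

    # security-constraint: roles named here must be declared roles as well
    for sc in _children(root, "security-constraint"):
        name = _text(sc, "display-name") or "<unnamed constraint>"
        for ac in _children(sc, "auth-constraint"):
            for rn in _children(ac, "role-name"):
                role = (rn.text or "").strip()
                if role == "*":
                    findings.append(f"{name}: role-name * admits every authenticated user under allRolesMode=authOnly")
                elif role not in declared:
                    findings.append(f"{name}: auth-constraint role {role} has no security-role")
        for udc in _children(sc, "user-data-constraint"):
            if _text(udc, "transport-guarantee") != "CONFIDENTIAL":
                findings.append(f"{name}: transport-guarantee is not CONFIDENTIAL")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for finding in check_web_xml(text) or ["no findings"]:
        print(finding)
```

To check a deployed installation, run the script once with the path of tomcat_install_dir/webapps/appcenterconsole/WEB-INF/web.xml and once with the path of tomcat_install_dir/webapps/applicationcenter/WEB-INF/web.xml; on the embedded sample it reports the MyLdapUsr typo and the NONE transport guarantee of appcenteruserConstraint and nothing else.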