geronimo-dev mailing list archives

From YunFeng Ma <yunfeng...@yahoo.com>
Subject Re: How to use Kerberos in Geronimo?
Date Sun, 15 Jun 2008 10:52:17 GMT
Hi Jacek,

I'm not familiar with Kerberos, but for ActiveDirectory I configured it
successfully before using the following deployment plan. You can also
configure this via Admin Console: Security --> Security Realms
--> Add new security realm

<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>samples</groupId>
      <artifactId>ldap-realm</artifactId>
      <version>2.0</version>
      <type>car</type>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>org.apache.geronimo.configs</groupId>
        <artifactId>j2ee-security</artifactId>
        <type>car</type>
      </dependency>
    </dependencies>
    <hidden-classes/>
    <non-overridable-classes/>
  </environment>

  <!-- LoginModuleGBean: LDAPLoginModule first binds with connectionUsername/connectionPassword,
       searches userBase with userSearchMatching for the login name, then binds again as the
       user it found to verify the supplied password. Role lookup runs roleSearchMatching under
       roleBase with {0} replaced by that user's DN; the roleName attribute becomes the role.
       Note: connectionURL is plain ldap:// and connectionProtocol is empty, so both the bind
       password and every user's password travel in cleartext. -->
  <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
    <attribute name="options">initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL=ldap://localhost:389
        connectionUsername=cn=Administrator,cn=users,dc=yourdc,dc=local
        connectionPassword=yourpassword
        connectionProtocol=
        authentication=simple
        userBase=ou=people,dc=yourdc,dc=local
        userSearchMatching=cn={0}
        userSearchSubtree=false
        roleBase=cn=users,dc=yourdc,dc=local
        roleName=cn
        roleSearchMatching=(uniqueMember={0})
        roleSearchSubtree=false
        userRoleName=</attribute>
    <attribute name="loginDomainName">ldap-realm</attribute>
  </gbean>
  <!-- GenericSecurityRealm: the realm that applications reference by realmName. Its
       LoginModuleConfiguration points at the JaasLoginModuleUse below, which in turn points
       at the LoginModuleGBean above; both carry the name ldap-login, and each reference is
       resolved against the GBean type it expects. -->
  <gbean name="ldap-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">ldap-realm</attribute>
    <reference name="LoginModuleConfiguration">
      <name>ldap-login</name>
    </reference>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
  </gbean>
  <!-- JaasLoginModuleUse: controlFlag is the JAAS flag (REQUIRED, REQUISITE, SUFFICIENT or
       OPTIONAL). With a single module, REQUIRED means login fails whenever LDAP rejects the
       user or cannot be reached. -->
  <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule">
      <name>ldap-login</name>
    </reference>
  </gbean>
</module>

Hope this is helpful.
--YunFeng

Jacek Laskowski wrote: 
Hi,

Is JAAS the recommended approach to use Kerberos to do AA in Geronimo?
Is JAAS enough? Should I take some other stuff into consideration when
configuring Geronimo with ActiveDirectory? Or is there any other
(better?) approach to get it done?

Jacek

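The plan posted above works, but it carries the settings a reviewer would flag before pointing it at a production directory: a plain ldap:// URL with an empty connectionProtocol, simple authentication over that cleartext connection, the domain Administrator as bind account with its password in the plan file, and a uniqueMember role filter that Active Directory groups do not populate (AD exposes membership in the member attribute). The following is an added example, not code from the Geronimo project or from either poster: a small lint that parses a deployment plan, reads the options block of any LDAPLoginModule GBean and reports those weaknesses, run over a constructed copy of the posted plan and over a hardened variant. It assumes the option names exactly as they appear in the plan, that connectionProtocol=ssl is the value the module passes through to JNDI to select TLS, and the placeholder names dc1.yourdc.local and cn=geronimo-bind are invented.

```python
"""Lint a Geronimo LDAP security-realm deployment plan for weak settings.

Added example, not code from the Geronimo project or from the thread above.
The sample plans are constructed copies of the posted plan (placeholder
values kept); dc1.yourdc.local and cn=geronimo-bind are invented names."""
import xml.etree.ElementTree as ET

NS = {"dep": "http://geronimo.apache.org/xml/ns/deployment-1.2"}
LDAP_LOGIN_MODULE = "org.apache.geronimo.security.realm.providers.LDAPLoginModule"

# Constructed copy of the plan posted above, reduced to the login-module GBean.
SAMPLE_PLAN = """<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
    <attribute name="options">initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL=ldap://localhost:389
        connectionUsername=cn=Administrator,cn=users,dc=yourdc,dc=local
        connectionPassword=yourpassword
        connectionProtocol=
        authentication=simple
        userBase=ou=people,dc=yourdc,dc=local
        userSearchMatching=cn={0}
        roleBase=cn=users,dc=yourdc,dc=local
        roleName=cn
        roleSearchMatching=(uniqueMember={0})</attribute>
    <attribute name="loginDomainName">ldap-realm</attribute>
  </gbean>
</module>"""

# The same plan with the settings a reviewer would ask for: LDAP over TLS, a
# dedicated read-only bind account (invented name) and the AD membership attribute.
# connectionProtocol=ssl is assumed to be the value the module hands to JNDI.
HARDENED_PLAN = (SAMPLE_PLAN
                 .replace("ldap://localhost:389", "ldaps://dc1.yourdc.local:636")
                 .replace("connectionProtocol=", "connectionProtocol=ssl")
                 .replace("cn=Administrator,cn=users", "cn=geronimo-bind,cn=users")
                 .replace("(uniqueMember={0})", "(member={0})"))


def parse_options(text):
    """Turn the multi-line key=value options block into a dict.
    Only the first '=' splits, so DN values that contain '=' survive intact."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts


def ldap_options(plan_xml):
    """Yield (gbean name, options dict) for every GBean that loads LDAPLoginModule."""
    root = ET.fromstring(plan_xml)
    for gbean in root.findall("dep:gbean", NS):
        attrs = {a.get("name"): (a.text or "") for a in gbean.findall("dep:attribute", NS)}
        if attrs.get("loginModuleClass", "").strip() == LDAP_LOGIN_MODULE:
            yield gbean.get("name"), parse_options(attrs.get("options", ""))


def audit(opts):
    """Return (severity, message) findings for one option set, worst first."""
    findings = []
    url = opts.get("connectionURL", "")
    tls = opts.get("connectionProtocol", "").lower() == "ssl" or url.startswith("ldaps://")
    if not tls:
        auth = opts.get("authentication") or "simple"
        findings.append(("HIGH", f"no TLS with authentication={auth}: the bind password and "
                                 "every user's password cross the wire in clear"))
    if opts.get("connectionPassword"):
        findings.append(("MEDIUM", "connectionPassword is stored in the plan; protect the file and rotate it"))
    if "administrator" in opts.get("connectionUsername", "").lower():
        findings.append(("MEDIUM", "bind account is Administrator; the realm only needs read access"))
    if "uniqueMember" in opts.get("roleSearchMatching", ""):
        findings.append(("LOW", "uniqueMember is groupOfUniqueNames schema; AD groups list members in 'member'"))
    return findings


def audit_plan(plan_xml):
    """Map each LDAP login-module GBean in the plan to its findings."""
    return {name: audit(opts) for name, opts in ldap_options(plan_xml)}


if __name__ == "__main__":
    for label, plan in (("posted plan", SAMPLE_PLAN), ("hardened plan", HARDENED_PLAN)):
        for name, findings in audit_plan(plan).items():
            print(f"{label} / {name}: {len(findings)} finding(s)")
            for severity, message in findings:
                print(f"  [{severity}] {message}")
```

Run it against a plan file with `audit_plan(open(path).read())`. The hardened plan still produces one MEDIUM finding, because moving to ldaps:// does nothing about the password sitting in the plan file; that one is handled with file permissions and a dedicated read-only account, not with a different option.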