From: YunFeng Ma
Subject: Re: How to use Kerberos in Geronimo?
To: dev@geronimo.apache.org
Date: Sun, 15 Jun 2008 03:52:17 -0700 (PDT)
Hi Jacek,

I'm not familiar with Kerberos, but for ActiveDirectory I configured it successfully before using the following deployment plan; you can also configure this via the Admin Console: Security --> Security Realms --> Add new security realm

<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>samples</groupId>
      <artifactId>ldap-realm</artifactId>
      <version>2.0</version>
      <type>car</type>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>org.apache.geronimo.configs</groupId>
        <artifactId>j2ee-security</artifactId>
        <type>car</type>
      </dependency>
    </dependencies>
    <hidden-classes/>
    <non-overridable-classes/>
  </environment>

  <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
    <attribute name="options">initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL=ldap://localhost:389
        connectionUsername=cn=Administrator,cn=users,dc=yourdc,dc=local
        connectionPassword=yourpassword
        connectionProtocol=
        authentication=simple
        userBase=ou=people,dc=yourdc,dc=local
        userSearchMatching=cn={0}
        userSearchSubtree=false
        roleBase=cn=users,dc=yourdc,dc=local
        roleName=cn
        roleSearchMatching=(uniqueMember={0})
        roleSearchSubtree=false
        userRoleName=</attribute>
    <attribute name="loginDomainName">ldap-realm</attribute>
  </gbean>
  <gbean name="ldap-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">ldap-realm</attribute>
    <reference name="LoginModuleConfiguration">
      <name>ldap-login</name>
    </reference>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
  </gbean>
  <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule">
      <name>ldap-login</name>
    </reference>
  </gbean>
</module>

Hope this is helpful.
--YunFeng

Jacek Laskowski wrote:
Hi,

Is JAAS the recommended approach to use Kerberos to do AA in Geronimo?
Is JAAS enough? Should I take some other stuff into consideration when
configuring Geronimo with ActiveDirectory? Or is there any other
(better?) approach to get it done?

Jacek


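As an added example (not part of this thread and not Geronimo's own code), the Python below parses the key=value "options" text from the LDAPLoginModule gbean in the plan above, shows how the {0} placeholder in userSearchMatching and roleSearchMatching should be filled with a login name escaped per RFC 4515 so that it matches literally, and lists the settings in the posted plan a reviewer would question before deploying it. The finding codes are my own; the check that an ldap:// URL with connectionProtocol left empty means a cleartext connection assumes that connectionProtocol=ssl is what enables TLS for the JNDI LDAP provider.

```python
"""Added example for the LDAPLoginModule options above; not Geronimo code.

It parses the key=value 'options' text from the deployment plan, shows how
the {0} placeholder in userSearchMatching / roleSearchMatching should be
filled with an RFC 4515-escaped login name, and flags the settings in the
posted plan that a reviewer would question before deploying it.
"""

# Constructed copy of the options block from the posted plan.
OPTIONS_TEXT = """\
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL=ldap://localhost:389
connectionUsername=cn=Administrator,cn=users,dc=yourdc,dc=local
connectionPassword=yourpassword
connectionProtocol=
authentication=simple
userBase=ou=people,dc=yourdc,dc=local
userSearchMatching=cn={0}
userSearchSubtree=false
roleBase=cn=users,dc=yourdc,dc=local
roleName=cn
roleSearchMatching=(uniqueMember={0})
roleSearchSubtree=false
userRoleName=
"""


def parse_options(text):
    """Turn the newline-separated key=value block into a dict.

    Values may themselves contain '=' (DNs do), so split on the first one only."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it matches literally when placed in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, login_name):
    """Fill the {0} placeholder of a userSearchMatching / roleSearchMatching
    template with the (untrusted) login name, escaped first."""
    return template.replace("{0}", escape_filter_value(login_name))


def audit_options(opts):
    """Return short finding codes for settings worth a second look.

    Assumption: connectionProtocol=ssl is what turns on TLS for the JNDI LDAP
    provider, so a plain ldap:// URL with it unset means a cleartext connection."""
    findings = []
    url = opts.get("connectionURL", "")
    protocol = opts.get("connectionProtocol", "").lower()
    cleartext = url.startswith("ldap://") and protocol != "ssl"
    if cleartext:
        findings.append("cleartext-connection")
    if cleartext and opts.get("authentication", "").lower() == "simple":
        # simple bind sends connectionPassword (and each user's password) unencrypted
        findings.append("simple-bind-in-clear")
    if opts.get("connectionPassword"):
        # the bind password sits in plain text inside the deployment plan
        findings.append("password-in-plan")
    for key in ("userSearchMatching", "roleSearchMatching"):
        if "{0}" not in opts.get(key, ""):
            findings.append(key + "-missing-placeholder")
    return findings


if __name__ == "__main__":
    opts = parse_options(OPTIONS_TEXT)
    print("user filter:", build_filter(opts["userSearchMatching"], "jacek"))
    # roleSearchMatching is filled with the user's DN, matching uniqueMember
    print("role filter:", build_filter(opts["roleSearchMatching"],
                                       "cn=jacek,ou=people,dc=yourdc,dc=local"))
    print("findings:   ", audit_options(opts))
```

Run as-is, the audit reports the cleartext ldap:// connection, the simple bind over it, and the password embedded in the plan; setting connectionProtocol=ssl (or pointing connectionURL at an ldaps:// listener, which the check above does not treat specially) clears the first two. The escaping function is the part to carry over to any code that substitutes a login name into a filter template: commas and '=' in a DN pass through unchanged, while '*', parentheses and backslashes become their hex escapes so they cannot change the filter's structure.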