geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vamsavardhana Reddy" <>
Subject Re: Client certificates with LDAP
Date Thu, 08 Feb 2007 14:51:34 GMT
Hi Kev,

Geronimo currently does not support a security realm that uses digital
certificates and LDAP together.  (CertificatePropertiesFile security realm
lets you map distinguished names to usernames and then map usernames to
groups).  You will have to write a custom login module to combine digital
certificates and LDAP.


On 2/8/07, Kev D'Arcy <> wrote:
> Hi all,
> I'm in the process of setting up a Geronimo 1.1.1 server to use client
> certificates as the
> authentication mechanism and using an LDAP directory as the role store
> for authorisation
> purposes. I think I have the client certs working properly (all I had to
> do was add the truststore
> file to the SSL connector in tomcat and hey presto it works), however
> the subsequent
> connection to LDAP is a bit of a problem. I've created a security realm
> containing the relevant
> connection parameters, but the login process never seem to go to LDAP to
> retrieve the
> users role list. I'm fairly sure the connection properties are correct
> (I did a test log in when I
> created the realm) and I've done a bit of digging to see what's going on
> under the covers.
> It appears that the type of login handler being used
> (CertificateChainCallbackHandler) isn't
> compatible with the LDAPLoginModule: the ldap module tries to pass in
> username/password
> callback which the CertificateChainCallbackHandler doesn't know how to
> handle.
> So, I'm a bit stumped. Should the realm I've created have a reference to
> the fact that I'm trying
> to use client certs (it doesn't currently, this is only reference in the
> SSL connector) or should
> I be looking somewhere else?
> Any help would be greatly appreciated!
> Kev
> ******************************************************
> This document is strictly confidential and is intended for use by the
> addressee unless otherwise indicated.
> This email has been scanned by an external email security system.
> Allied Irish Banks
> ******************************************************

View raw message