tachtler:apache_tomcat_7_-_ldap-authentifizierung_jndirealm
Differences
This page shows the differences between two versions of the page.
tachtler:apache_tomcat_7_-_ldap-authentifizierung_jndirealm [2015/05/07 16:21] – klaus | tachtler:apache_tomcat_7_-_ldap-authentifizierung_jndirealm [2015/05/07 18:20] (current) – [/etc/tomcat/tomcat-users.xml] klaus | ||
---|---|---|---|
Zeile 237: | Zeile 237: | ||
</ | </ | ||
- | Um Änderungen an diesen Zugriffsberechtigungen durchzuführen, | + | Um Änderungen an diesen Zugriffsberechtigungen durchzuführen, |
- | | + | * **Hinzufügen** der neuen ACL an Position |
- | | + | |
+ | :!: **HINWEIS** - **Die aktuelle | ||
Mit nachfolgendem Befehl soll nun eine LDIF-Datei in nachfolgendem Verzeichnis, | Mit nachfolgendem Befehl soll nun eine LDIF-Datei in nachfolgendem Verzeichnis, | ||
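Review bot: the new bullet "Hinzufügen der neuen ACL an Position" and the added HINWEIS are cut off in this rendering, so the index the reader is supposed to use and what the warning says are not visible; the text should spell out that the position has to be taken from the current numbering of the olcAccess values (list them with ldapsearch against olcDatabase={2}hdb before editing) and must lie before the catch-all `to *` rule, because slapd walks the olcAccess values in index order and the first one whose `to` clause matches the target decides, so a rule appended after `to *` is never consulted.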
Zeile 254: | Zeile 255: | ||
dn: olcDatabase={2}hdb, | dn: olcDatabase={2}hdb, | ||
changetype: modify | changetype: modify | ||
- | replace: olcAccess | + | add: olcAccess |
olcAccess: {5}to dn.regex=" | olcAccess: {5}to dn.regex=" | ||
- | olcAccess: {6}to * by self write by dn.base=" | ||
</ | </ | ||
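Review bot: changing `replace: olcAccess` to `add: olcAccess` and dropping the re-listed `{6}` value is the right fix and deserves an explicit sentence, because the difference is not cosmetic: `replace` discards every existing olcAccess value and keeps only those in the LDIF, so the earlier form would have deleted rules {0} through {4} (including the `attrs=userPassword` rule shown as {0} in the listing below) and left the database with just the two listed values, whereas `add` with an explicit `{5}` index inserts one value and slapd shifts the old `{5}` to `{6}` by itself. A reader who still has the old LDIF with `replace` and only two values should be warned that applying it removes the password protection.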
Zeile 264: | Zeile 264: | ||
< | < | ||
- | # ldapadd | + | # ldapmodify |
+ | SASL/ | ||
+ | SASL username: gidNumber=0+uidNumber=0, | ||
+ | SASL SSF: 0 | ||
+ | modifying entry " | ||
</ | </ | ||
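Review bot: ldapmodify is the right tool for an LDIF whose record carries `changetype: modify`, but the options are cut off here, so the reader only sees the outcome; the `SASL username: gidNumber=0+uidNumber=0,...` and `SASL SSF: 0` lines show the change was made as local root over the peer-credential mechanism (presumably `-Y EXTERNAL -H ldapi:///`, which is not visible), meaning no cn=config password left the host. The verification search in the next hunk uses a simple bind instead (`-W -x -D cn=config`); if its target URL is `ldap://` without STARTTLS, the cn=config password crosses the network in clear, so using the same EXTERNAL bind for the check, or at least stating which URL is used, would keep the two steps consistent.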
Zeile 270: | Zeile 275: | ||
<code ini> | <code ini> | ||
# ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb, | # ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb, | ||
+ | Enter LDAP Password: | ||
+ | # extended LDIF | ||
+ | # | ||
+ | # LDAPv3 | ||
+ | # base < | ||
+ | # filter: (objectclass=*) | ||
+ | # requesting: ALL | ||
+ | # | ||
+ | |||
+ | # {2}hdb, config | ||
+ | dn: olcDatabase={2}hdb, | ||
+ | objectClass: | ||
+ | objectClass: | ||
+ | olcDatabase: | ||
+ | olcDbDirectory: | ||
+ | olcDbIndex: objectClass eq,pres | ||
+ | olcDbIndex: ou, | ||
+ | olcDbIndex: uidNumber, | ||
+ | olcDbIndex: uid, | ||
+ | olcDbIndex: nisMapName, | ||
+ | olcDbIndex: uniqueMember eq,pres | ||
+ | olcSuffix: dc=tachtler, | ||
+ | olcRootDN: cn=Manager, | ||
+ | olcRootPW: {SSHA}moVXokSVz9/ | ||
+ | olcAccess: {0}to attrs=userPassword, | ||
+ | y self write by dn=" | ||
+ | | ||
+ | olcAccess: {1}to dn=" | ||
+ | olcAccess: {2}to dn=" | ||
+ | | ||
+ | olcAccess: {3}to dn.regex=" | ||
+ | te by dn=" | ||
+ | | ||
+ | read by * none | ||
+ | olcAccess: {4}to dn.regex=" | ||
+ | rite by dn=" | ||
+ | | ||
+ | " | ||
+ | olcAccess: {5}to dn.regex=" | ||
+ | lf write by dn=" | ||
+ | | ||
+ | olcAccess: {6}to * by self write by dn.base=" | ||
+ | ite by * read | ||
+ | |||
+ | # search result | ||
+ | search: 2 | ||
+ | result: 0 Success | ||
+ | |||
+ | # numResponses: | ||
+ | # numEntries: 1 | ||
</ | </ | ||
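Review bot: the added listing prints `olcRootPW: {SSHA}...`; even cut off here, the salted SHA-1 hash of the Manager password does not belong in a published page since it can be attacked offline, so redact it or request only the attribute of interest by appending `olcAccess` to the ldapsearch command, which also trims the output to the part this section is about. Otherwise the listing does confirm the intended result: the new dn.regex rule sits at {5} and the former catch-all `to *` has moved to {6}, so the new rule is evaluated first.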
Zeile 291: | Zeile 346: | ||
Der Eintrag steht für den **einzelnen Benutzer** im Teil des //DIT// **D**irectory **I**nformation **T**ree '' | Der Eintrag steht für den **einzelnen Benutzer** im Teil des //DIT// **D**irectory **I**nformation **T**ree '' | ||
- | === Zugriffsrecht: * === | + | ===== Konfiguration: Apache Tomcat ===== |
- | <code ini> | + | Nachfolgende Konfiguration zeigt die notwendigen Ergänzungen und Änderungen an der unter nachfolgendem internen Link gezeigten Installation eines [[http:// |
- | olcAccess: {6}to * by self write by dn.base="cn=Manager,dc=tachtler,dc=net" write by * read | + | * Siehe auch den internen Link: [[tachtler: |
+ | |||
+ | :!: **WICHTIG** - **Nachfolgende Konfigurationen sind auf dem __Apache Tomcat Applikations-Server__ durchzuführen !!!** | ||
+ | |||
+ | Nachfolgende Stellen innerhalb der Konfigurationsdatei des [[http:// | ||
+ | |||
+ | ==== / | ||
+ | |||
+ | Die Konfigurationsdatei | ||
+ | | ||
+ | ist unter [[http:// | ||
+ | |||
+ | Nachfolgend sollen einige Änderungen bzw. Ergänzungen an dieser Konfigurationsdatei durchgeführt werden, welchen ein Kommentar, wie nachfolgend dargestellt, | ||
+ | < | ||
+ | <!-- Tachtler --> | ||
</ | </ | ||
- | Auf den Eintrag | + | Hier die **komplette Konfigurationsdatei** mit allen Änderungen bzw. Ergänzungen, |
- | * '' | + | <code xml> |
- | können | + | <?xml version='1.0' |
- | ^ Zugriffsformulierung | + | <!-- |
- | | '' | + | Licensed to the Apache Software Foundation |
- | | '' | + | contributor license agreements. |
- | | '' | + | this work for additional information regarding copyright ownership. |
+ | The ASF licenses this file to You under the Apache License, Version 2.0 | ||
+ | (the "License" | ||
+ | the License. | ||
- | Der Eintrag steht für alle Einträge, **ohne** besondere Beschränkungen. | + | http:// |
+ | |||
+ | Unless required by applicable law or agreed to in writing, software | ||
+ | distributed under the License is distributed on an "AS IS" BASIS, | ||
+ | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
+ | See the License for the specific language governing permissions and | ||
+ | limitations under the License. | ||
+ | --> | ||
+ | <!-- Note: A " | ||
+ | | ||
+ | | ||
+ | | ||
+ | <!-- Tachtler --> | ||
+ | <!-- default: <Server port=" | ||
+ | <Server port=" | ||
+ | <!-- Security listener. Documentation at / | ||
+ | < | ||
+ | --> | ||
+ | <!--APR library loader. Documentation at / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | <!-- Prevent memory leaks due to use of particular java/javax APIs--> | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | <!-- Global JNDI resources | ||
+ | | ||
+ | --> | ||
+ | < | ||
+ | <!-- Editable user database that can also be used by | ||
+ | | ||
+ | --> | ||
+ | <!-- Tachtler disabled --> | ||
+ | <!-- disabled: < | ||
+ | <!-- disabled: | ||
+ | <!-- disabled: | ||
+ | <!-- disabled: | ||
+ | <!-- disabled: | ||
+ | </ | ||
+ | |||
+ | <!-- A " | ||
+ | a single " | ||
+ | so you may not define subcomponents such as " | ||
+ | | ||
+ | | ||
+ | <Service name=" | ||
+ | |||
+ | <!--The connectors can use a shared executor, you can define one or more named thread pools--> | ||
+ | <!-- | ||
+ | < | ||
+ | maxThreads=" | ||
+ | --> | ||
+ | |||
+ | |||
+ | <!-- A " | ||
+ | and responses are returned. Documentation at : | ||
+ | Java HTTP Connector: / | ||
+ | Java AJP Connector: / | ||
+ | APR (HTTP/AJP) Connector: / | ||
+ | | ||
+ | --> | ||
+ | <!-- Tachtler --> | ||
+ | <!-- default: < | ||
+ | <!-- default: | ||
+ | <!-- default: | ||
+ | < | ||
+ | | ||
+ | | ||
+ | | ||
+ | <!-- A " | ||
+ | <!-- | ||
+ | < | ||
+ | | ||
+ | | ||
+ | | ||
+ | --> | ||
+ | <!-- Define a SSL HTTP/1.1 Connector on port 8443 | ||
+ | This connector uses the BIO implementation that requires the JSSE | ||
+ | style configuration. When using the APR/native implementation, | ||
+ | | ||
+ | | ||
+ | <!-- | ||
+ | < | ||
+ | | ||
+ | | ||
+ | --> | ||
+ | |||
+ | <!-- Define an AJP 1.3 Connector on port 8009 --> | ||
+ | <!-- < | ||
+ | < | ||
+ | |||
+ | |||
+ | <!-- An Engine represents the entry point (within Catalina) that processes | ||
+ | every request. | ||
+ | | ||
+ | on to the appropriate Host (virtual host). | ||
+ | | ||
+ | |||
+ | <!-- You should set jvmRoute to support load-balancing via AJP ie : | ||
+ | <Engine name=" | ||
+ | --> | ||
+ | <Engine name=" | ||
+ | |||
+ | <!--For clustering, please take a look at documentation at: | ||
+ | / | ||
+ | / | ||
+ | <!-- | ||
+ | <Cluster className=" | ||
+ | --> | ||
+ | |||
+ | <!-- Use the LockOutRealm to prevent attempts to guess user passwords | ||
+ | via a brute-force attack --> | ||
+ | <Realm className=" | ||
+ | <!-- This Realm uses the UserDatabase configured in the global JNDI | ||
+ | | ||
+ | that are performed against this UserDatabase are immediately | ||
+ | | ||
+ | <!-- Tachtler - disabled --> | ||
+ | <!-- disabled: <Realm className=" | ||
+ | <!-- disabled: | ||
+ | </ | ||
+ | |||
+ | <Host name=" | ||
+ | unpackWARs=" | ||
+ | |||
+ | <!-- SingleSignOn valve, share authentication between web applications | ||
+ | | ||
+ | <!-- | ||
+ | <Valve className=" | ||
+ | --> | ||
+ | |||
+ | <!-- Access log processes all example. | ||
+ | | ||
+ | Note: The pattern used is equivalent to using pattern=" | ||
+ | <Valve className=" | ||
+ | | ||
+ | | ||
+ | |||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | **Nachfolgend die Erklärungen zu den gemachten Änderungen bzw. Ergänzungen: | ||
+ | |||
+ | === Bereich: Server | GlobalNamingResources === | ||
+ | |||
+ | Nachfolgende Änderungen **deaktivieren** die Nutzung der Konfigurationsdatei | ||
+ | * ''/ | ||
+ | durch den [[http:// | ||
+ | * **'' | ||
+ | |||
+ | <code xml> | ||
+ | < | ||
+ | <!-- Editable user database that can also be used by | ||
+ | | ||
+ | --> | ||
+ | <!-- Tachtler - DISABLED --> | ||
+ | <!-- disabled: < | ||
+ | <!-- disabled: | ||
+ | <!-- disabled: | ||
+ | <!-- disabled: | ||
+ | <!-- disabled: | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | === Bereich: Server | Service | Engine | Realm === | ||
+ | |||
+ | Nachfolgende Änderungen **deaktivieren** die Nutzung der Konfigurationsdatei | ||
+ | * ''/ | ||
+ | durch den [[http:// | ||
+ | * **'' | ||
+ | |||
+ | <code xml> | ||
+ | <!-- Use the LockOutRealm to prevent attempts to guess user passwords | ||
+ | via a brute-force attack --> | ||
+ | <Realm className=" | ||
+ | <!-- This Realm uses the UserDatabase configured in the global JNDI | ||
+ | | ||
+ | that are performed against this UserDatabase are immediately | ||
+ | | ||
+ | <!-- Tachtler - DISABLED --> | ||
+ | <!-- disabled: <Realm className=" | ||
+ | <!-- disabled: | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ==== / | ||
+ | |||
+ | Die Konfigurationsdatei | ||
+ | * **''/ | ||
+ | ist unter [[http:// | ||
+ | |||
+ | Nachfolgend sollen einige Änderungen bzw. Ergänzungen an dieser Konfigurationsdatei durchgeführt werden, welchen ein Kommentar, wie nachfolgend dargestellt, | ||
+ | < | ||
+ | <!-- Tachtler --> | ||
+ | </ | ||
+ | |||
+ | Hier die **komplette Konfigurationsdatei** mit allen Änderungen bzw. Ergänzungen, | ||
+ | <code xml> | ||
+ | <?xml version=' | ||
+ | <!-- | ||
+ | Licensed to the Apache Software Foundation (ASF) under one or more | ||
+ | contributor license agreements. | ||
+ | this work for additional information regarding copyright ownership. | ||
+ | The ASF licenses this file to You under the Apache License, Version 2.0 | ||
+ | (the " | ||
+ | the License. | ||
+ | |||
+ | http:// | ||
+ | |||
+ | Unless required by applicable law or agreed to in writing, software | ||
+ | distributed under the License is distributed on an "AS IS" BASIS, | ||
+ | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
+ | See the License for the specific language governing permissions and | ||
+ | limitations under the License. | ||
+ | --> | ||
+ | <!-- The contents of this file will be loaded for each web application --> | ||
+ | < | ||
+ | |||
+ | <!-- Default set of monitored resources --> | ||
+ | < | ||
+ | |||
+ | <!-- Tachtler --> | ||
+ | <!-- Enable LDAP authentication --> | ||
+ | <Realm className=" | ||
+ | connectionName=" | ||
+ | connectionPassword=" | ||
+ | | ||
+ | | ||
+ | roleBase=" | ||
+ | roleName=" | ||
+ | roleSearch=" | ||
+ | /> | ||
+ | |||
+ | <!-- Uncomment this to disable session persistence across Tomcat restarts --> | ||
+ | <!-- | ||
+ | <Manager pathname="" | ||
+ | --> | ||
+ | |||
+ | <!-- Uncomment this to enable Comet connection tacking (provides events | ||
+ | on session expiration as well as webapp lifecycle) --> | ||
+ | <!-- | ||
+ | <Valve className=" | ||
+ | --> | ||
+ | |||
+ | </ | ||
+ | </ | ||
+ | |||
+ | === Bereich: Context === | ||
+ | |||
+ | Nachfolgende Änderungen **aktivieren** die Nutzung die Nutzung eines LDAP_Servers durch den [[http:// | ||
+ | * **'' | ||
+ | |||
+ | <code xml> | ||
+ | <!-- Tachtler --> | ||
+ | <!-- Enable LDAP authentication --> | ||
+ | <Realm className=" | ||
+ | connectionName=" | ||
+ | connectionPassword=" | ||
+ | | ||
+ | | ||
+ | roleBase=" | ||
+ | roleName=" | ||
+ | roleSearch=" | ||
+ | /> | ||
+ | </ | ||
+ | |||
+ | ==== / | ||
+ | |||
+ | Die Konfigurationsdatei | ||
+ | * **''/ | ||
+ | stellt eine **Standard**-Konfigurationsdatei zur Authentifizierung der nachfolgenden, | ||
+ | * **'' | ||
+ | |||
+ | :!: **WICHTIG** - **Änderungen zur __Aktivierung__ von Rollen und Benutzer, wie unter nachfolgendem internen Link** | ||
+ | * Siehe auch den internen Link: [[tachtler: | ||
+ | **__sollten__ wieder __rückgängig gemacht werden__** | ||
+ | |||
+ | Nachfolgend die **komplette Konfigurationsdatei** (**wie nach der original Installation ausgeliefert**): | ||
+ | <code xml> | ||
+ | <?xml version=' | ||
+ | <!-- | ||
+ | Licensed to the Apache Software Foundation (ASF) under one or more | ||
+ | contributor license agreements. | ||
+ | this work for additional information regarding copyright ownership. | ||
+ | The ASF licenses this file to You under the Apache License, Version 2.0 | ||
+ | (the " | ||
+ | the License. | ||
+ | |||
+ | http:// | ||
+ | |||
+ | Unless required by applicable law or agreed to in writing, software | ||
+ | distributed under the License is distributed on an "AS IS" BASIS, | ||
+ | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
+ | See the License for the specific language governing permissions and | ||
+ | limitations under the License. | ||
+ | --> | ||
+ | < | ||
+ | <!-- | ||
+ | NOTE: By default, no user is included in the " | ||
+ | to operate the "/ | ||
+ | you must define such a user - the username and password are arbitrary. | ||
+ | --> | ||
+ | <!-- | ||
+ | NOTE: The sample user and role entries below are wrapped in a comment | ||
+ | and thus are ignored when reading this file. Do not forget to remove | ||
+ | <!.. ..> that surrounds them. | ||
+ | --> | ||
+ | <!-- | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <user username=" | ||
+ | <user username=" | ||
+ | <user username=" | ||
+ | --> | ||
+ | |||
+ | <!-- <role rolename=" | ||
+ | <!-- <role rolename=" | ||
+ | <!-- <role rolename=" | ||
+ | <!-- <role rolename=" | ||
+ | <!-- <role rolename=" | ||
+ | <!-- <role rolename=" | ||
+ | <!-- <role rolename=" | ||
+ | <!-- <role rolename=" | ||
+ | <!-- <user name=" | ||
+ | </ | ||
+ | </ | ||
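Review bot: placing the JNDIRealm in /etc/tomcat/context.xml takes LDAP logins out from under the LockOutRealm. In server.xml the LockOutRealm (the stock comment "Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack" identifies it) now contains only the commented-out UserDatabaseRealm, and a Realm declared in a Context replaces the Engine-level realm for that application instead of nesting inside it, so the brute-force lockout no longer applies to the LDAP credentials; nest the JNDIRealm inside the LockOutRealm in server.xml, or wrap it in its own LockOutRealm in context.xml. Second, the realm carries `connectionName` and `connectionPassword` (values cut off here), a service-account password in clear text in a file that is loaded for every web application; the page should state that /etc/tomcat/context.xml must be readable only by the tomcat user and that the bind account needs no more than read access to the user and group subtrees. The `connectionURL` is not visible in this excerpt either; since the JNDIRealm authenticates each user by binding to the directory with the submitted password, the text should say whether `ldaps://` or STARTTLS is used. Finally, the old "Zugriffsrecht: *" section explaining `olcAccess: {6}to * by self write by dn.base="cn=Manager,dc=tachtler,dc=net" write by * read` was removed, yet the ldapsearch output added above still ends with that rule at {6}, so the ACL walkthrough now stops one rule short; restore the section (renumbered to {6}) or note that the catch-all is unchanged.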
tachtler/apache_tomcat_7_-_ldap-authentifizierung_jndirealm.1431008472.txt.gz · Last modified: 2015/05/07 16:21 by klaus