Quick setup for Tomcat manager authentication using LDAP


  1. Purpose
  2. Steps
    1. Create users in the Directory Server database
    2. Create JNDI realm in the Tomcat configuration
    3. Restart Tomcat
  3. Notes


Tomcat’s manager is not enabled by default. This entry shows a quick setup for the Tomcat manager using LDAP. The steps involved are:

  1. Create users in the Directory Server database
  2. Create a JNDIRealm in server.xml
  3. Restart Tomcat

Create users in the Directory Server database

The following three entries are used by the realm example. Note that the entry "cn=manager,ou=apache,ou=people,dc=example,dc=com" has an objectClass attribute with the value extensibleObject. The extensibleObject objectClass allows any attribute to be added to an entry, including attributes that are not defined in the Directory Server schema. The entry "cn=manager,ou=apache,ou=people,dc=example,dc=com" has an attribute "tomcatRole" that holds the role needed by the Tomcat JNDIRealm. Using the extensibleObject objectClass is not the best idea in the world, though, and its use reminds one of the FORTRAN garbage common block. Any legal attribute could have been used; the name of the attribute the realm reads is set in the JNDIRealm (userRoleName).


ldapsearch --propertiesFilePath ds-setup/cfg-connect.properties \
   --baseDn ou=people,dc=example,dc=com --searchScope sub '(&)'

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
userPassword: {SSHA512}pa1nS0ams9V7kmu4WQ6CDZ2iKMwBZhxco7I12+Olb7U4pnS0f6bUHdt2n
 27N8My6p3Rwu1aERgza2ihTES1FZSglW1k0rehr
ou: people
description: The ou=people entry is the top of a tree containing user entries.

dn: ou=apache,ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
userPassword: {SSHA512}XhfZEcr/YJI1ZanGYYuycQmHySry8E2nQRuPx9wzcqPmjko+jX2dLNko7
 GXKAlzmRJy6juEWHMvTP9QWIw2ilI/BAzxnZlqa
ou: apache
description: The ou=apache entry is used by the Tomcat application server to aut
 henticate to the Directory Server

dn: cn=manager,ou=apache,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: extensibleObject
cn: manager
cn: Tomcat manager
sn: Tomcat
userPassword: {SSHA512}nEO6fX0BKVFD0ff1K9Yi/KEA8Kg+iZBkQ5BaRvLUVXb5DQXh9V0XpZsgK
 mxcnp0pVesGkjFVZBaM/pxRPx+MgDNROIGniJ56
tomcatRole: manager-gui
description: The cn=manager entry is a user with Tomcat manager-gui access

An access control may also be necessary. Note that the ACI shown here, despite its name, grants the ou=apache bind entry all rights on every attribute under dc=example,dc=com (targetattr="*", allow(all)); in a production directory it should be narrowed to read access on the attributes the realm actually uses.


ldapsearch --propertiesFilePath ds-setup/cfg-connect.properties \
    --baseDn dc=example,dc=com --searchScope base '(&)' aci

dn: dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "access to description attribute for tomc
 at"; allow(all) userdn="ldap:///ou=apache,ou=people,dc=example,dc=com";)

Create JNDI realm in the Tomcat configuration

The realm below uses:

  • hostname ldap.example.com and port 10389
  • "ou=apache,ou=people,dc=example,dc=com" (connectionName, with the userPassword shown above) for the Tomcat server to authenticate to the directory server; "cn=manager,ou=apache,ou=people,dc=example,dc=com" is the user entry that carries the role
  • "tomcatRole" as the name of the attribute whose value is the Tomcat role (“manager-gui”)
  • "cn={0},ou=apache,ou=people,dc=example,dc=com" as the pattern for base-level user searches

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.com:10389"
               connectionName="ou=apache,ou=people,dc=example,dc=com"
               connectionPassword="password"
               userPattern="cn={0},ou=apache,ou=people,dc=example,dc=com"
               userRoleName="tomcatRole" />
      </Realm>
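The following Python script is an added example, not part of the original post and not Tomcat's own code: it parses the ldapsearch output shown above (including the folded continuation lines), resolves a login name the way the realm's userPattern does, and reports the things a defender would check before enabling the realm: that the connectionName entry exists with a userPassword, that users under the pattern's container carry tomcatRole, and which entries rely on extensibleObject (note 4). The RFC 4514 escaping of the substituted name is an assumption made by this script; the post says nothing about how Tomcat handles {0}.

```python
import base64

# Realm settings copied from the server.xml fragment above.
USER_PATTERN = "cn={0},ou=apache,ou=people,dc=example,dc=com"
CONNECTION_NAME = "ou=apache,ou=people,dc=example,dc=com"
USER_ROLE_NAME = "tomcatRole"

# The ou=apache and cn=manager entries from the ldapsearch output above,
# verbatim; note the folded lines that begin with a single space.
SAMPLE_LDIF = """\
dn: ou=apache,ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
userPassword: {SSHA512}XhfZEcr/YJI1ZanGYYuycQmHySry8E2nQRuPx9wzcqPmjko+jX2dLNko7
 GXKAlzmRJy6juEWHMvTP9QWIw2ilI/BAzxnZlqa
ou: apache
description: The ou=apache entry is used by the Tomcat application server to aut
 henticate to the Directory Server

dn: cn=manager,ou=apache,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: extensibleObject
cn: manager
cn: Tomcat manager
sn: Tomcat
userPassword: {SSHA512}nEO6fX0BKVFD0ff1K9Yi/KEA8Kg+iZBkQ5BaRvLUVXb5DQXh9V0XpZsgK
 mxcnp0pVesGkjFVZBaM/pxRPx+MgDNROIGniJ56
tomcatRole: manager-gui
description: The cn=manager entry is a user with Tomcat manager-gui access
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]. Unfolds continuation lines
    (a leading space joins to the previous line) and decodes 'attr:: base64'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:  # trailing sentinel flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    return entries


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into a DN (assumption: added
    here as a defensive step; the post does not say how Tomcat handles {0})."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out.replace("\x00", "\\00")


def find_entry(entries, dn):
    """Case-insensitive DN lookup (the sample DNs use no spaces after commas)."""
    for entry_dn, attrs in entries:
        if entry_dn.lower() == dn.lower():
            return attrs
    return None


def roles_for(entries, username):
    """Resolve a login name the way userPattern does and return its Tomcat roles."""
    attrs = find_entry(entries, USER_PATTERN.replace("{0}", escape_dn_value(username)))
    return [] if attrs is None else attrs.get(USER_ROLE_NAME.lower(), [])


def audit(entries):
    """Findings worth resolving before enabling the realm."""
    findings = []
    bind = find_entry(entries, CONNECTION_NAME)
    if bind is None or "userpassword" not in bind:
        findings.append("bind entry %s missing or has no userPassword" % CONNECTION_NAME)
    container = USER_PATTERN.split("},", 1)[1].lower()  # where userPattern points
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "extensibleobject" in classes:
            findings.append("%s uses extensibleObject (see note 4)" % dn)
        if dn.lower().endswith("," + container) and USER_ROLE_NAME.lower() not in attrs:
            findings.append("%s has no %s attribute" % (dn, USER_ROLE_NAME))
    return findings
```

Running `audit(parse_ldif(SAMPLE_LDIF))` against the entries above yields a single finding, the extensibleObject one; `roles_for(entries, "manager")` returns `["manager-gui"]`, while a name containing DN metacharacters is escaped and matches nothing.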

Notes

  1. A pre-encoded password could be used in the realm, but the LDAP server would have to be configured to accept pre-encoded passwords, which is not recommended because the LDAP server could not check pre-encoded passwords for quality and history. The method shown in the realm example is not secure because the connectionPassword is in the clear in server.xml and SSL is not used.
  2. IMPROVEMENT: SSL should be used for the authentication (the sample does not use SSL)
  3. The LDAP server is configured to use the extremely strong salted SHA-512 (SHA-2) password storage scheme, a one-way scheme that is superior to a reversible scheme such as AES
  4. IMPROVEMENT: the "extensibleObject" should not be used unless there is no other way to accomplish the task
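To make note 3 concrete, here is an added Python example (not from the post and not any directory server's code) of how a {SSHA512} userPassword value is produced and checked: base64 of sha512(password || salt) with the salt appended after the digest. The digest-then-salt layout and the 8-byte salt are assumptions; they are consistent with the 72-byte values in the entries above, one of which the script decodes to show the split, although its password is of course not known here.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes
SALT_LEN = 8  # assumption: matches the 72-byte (64 + 8) values in the post


def encode_ssha512(password, salt=None):
    """Produce a {SSHA512} value: base64(sha512(password || salt) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha512(stored):
    """Separate a stored value into (digest, salt); the salt follows the digest."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA512} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha512(password, stored):
    """Recompute the salted digest and compare in constant time."""
    digest, salt = split_ssha512(stored)
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Value copied from the cn=manager entry in the post (folded line rejoined).
MANAGER_USERPASSWORD = (
    "{SSHA512}nEO6fX0BKVFD0ff1K9Yi/KEA8Kg+iZBkQ5BaRvLUVXb5DQXh9V0XpZsgK"
    "mxcnp0pVesGkjFVZBaM/pxRPx+MgDNROIGniJ56"
)
```

Because the salt is random per entry, encoding the same password twice gives two different stored values, and a stored value cannot be turned back into the password, which is the property note 3 contrasts with a reversible scheme.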

About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in computing, LDAP.