First Previous Next Last User Management Guide  

CHAPTER 8    Configuring Authentication Realms

This chapter describes how to configure an authentication realm for your Director project.

For more information: for background information about the Directory subsystem, see Understanding Authentication Realms.

 
Realm configurations

Director provides pluggable realms for supported J2EE application server vendors, as well as LDAP support. You select a realm when you create a new project using the Director Project Wizard in exteNd Workbench.

For most realm configurations (excluding LDAP realms), Workbench will automatically configure the realm based on your selection in the Wizard. For LDAP realms more setup is required, as described in Configuring an LDAP realm.

Here is the list of available realm configurations:

  • Ldap: Base configuration for LDAP support in exteNd Director.

  • PersistManager: Write access to user information stored directly in the Director database.

  • exteNd Server: Write access to an exteNd application server realm. The default configuration is SilverUsers.

  • exteNd ServerLdap: Write access to an exteNd application server LDAP realm, using the Novell eDirectory LDAP implementation.

  • exteNd Server (compatible): Write access to a backward-compatible exteNd application server.

  • WebLogic: Write access to a WebLogic application server realm.

  • WebLogic (readable only): Read-only access to a WebLogic application server realm.

  • WebLogicLdap: Write access to a WebLogic application server LDAP realm, using the Novell eDirectory LDAP implementation.

  • WebSphere: Write access to a WebSphere custom registry using the Director database.

  • WebSphereLdap: Write access to a WebSphere application server LDAP realm, using the Novell eDirectory LDAP implementation.


 
Configuring an LDAP realm

An LDAP configuration allows you to integrate your Novell eDirectory LDAP realm with the Directory and User subsystems. You specify LDAP configuration properties when you create a project using the Director Project Wizard. These properties are described in LDAP directory configuration properties and LDAP user configuration properties.

Before you deploy your project, you must also import the UUID auxiliary class into eDirectory (see Importing the UUID auxiliary class) and, if you check Use SSL, configure the LDAP server and the application server's trust store for SSL (see Configuring and using SSL for LDAP connections).

 
LDAP directory configuration properties

When you select an LDAP realm using the Project Wizard in Workbench, you get this panel related to the Directory subsystem integration:

  • Realm: The selected LDAP realm configuration.

  • Realm Name: A name representing the realm implementation class.

  • Anonymous User: Anonymous principal name.

  • Administrator: Name of the LDAP administrator. This user is used internally to access the realm, so give it only the rights the realm needs: read access to the user and group containers, and create rights on the New User Container if you use self-registration.

  • Password: Administrator password (see previous item). Realm configuration properties are written to the project's config.xml descriptor, so treat that file, and the archives you build from it, as sensitive.

  • Administrator Connections: Number of simultaneous administrator connections (or bindings) allowed.

  • Administrator Conn Wait: Time to wait (milliseconds) for an admin connection to the LDAP server before timing out.

  • LDAP Host: Host machine and port for the LDAP server, as host:port (for example: localhost:636 when Use SSL is checked).

  • Use SSL: Check to connect to the LDAP server over the Secure Socket Layer (SSL) so that the administrator bind and all directory traffic are encrypted in transit. Without it, the administrator password and the credentials of users who log in cross the network in clear text.

    NOTE:   If you are using SSL it is assumed that you have a valid certificate set up on your application server. See your application server documentation for details.

  • New User Container: LDAP tree entry for new user registration. This container allows new users to add themselves to the realm without specifying a distinguished name (DN).

  • User Container DN: The distinguished name (DN), or fully qualified LDAP name, of the user container. Together with the User Container Scope it defines the search base for user entries; groups are searched under the Group Container DN (below).

  • User Container Scope: The scope of user entries in the LDAP tree, relative to the User Container (see previous item). Options are:

      • object: the container entry itself only (base object scope)

      • onelevel: entries directly beneath the container, one level down

      • subtree: entries in the user container and all levels beneath it

  • User Object Attribute: Object class value that identifies a user entry (for example inetOrgPerson). It is matched against the Object Attribute (below).

  • Login Attribute: Attribute holding the user login name; this is the attribute searched when a user logs in.

  • User Membership Attribute: (Optional) Attribute on the user entry that lists the groups the user belongs to.

  • Group Container DN: The distinguished name of the group container object.

  • Group Container Scope: The scope of group entries in the LDAP directory, relative to the group container (see previous item). Options are:

      • object: the container entry itself only (base object scope)

      • onelevel: entries directly beneath the container, one level down

      • subtree: entries in the group container and all levels beneath it

  • Group Object Attribute: Object class value that identifies a group entry. It is matched against the Object Attribute (below).

  • Group Membership Attribute: (Optional) Attribute on the group entry that lists its members.

  • Object Attribute: Name of the attribute that specifies the object type (object class) of an entry in the LDAP tree.

  • UUID Auxiliary Class: The auxiliary class that adds the UUID attribute to the user container. This is necessary for accessing the LDAP realm from the exteNd Director APIs.

  • UUID Attribute: Name of the UUID attribute (see previous item).

  • Connection Timeout (millis): Time to wait (milliseconds) for a user connection to the LDAP server before timing out.

IMPORTANT:   Attribute names (User Object Attribute, Login Attribute, User Membership Attribute, Group Object Attribute, Group Membership Attribute, Object Attribute and UUID Attribute) must not contain spaces.
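As an added example (not code from exteNd Director or Novell), the following Python shows what these properties drive on the wire: the container DN and scope become the search base and scope, the Object Attribute and User Object Attribute become an object-class test, and the Login Attribute is matched against the name a user types. That login name is an attacker-controlled value placed inside a search filter, so it is escaped per RFC 4515; the attribute-name check enforces the no-spaces rule above. The container DNs, attribute names and class values are hypothetical placeholders, and the scope mapping follows the LDAP standard rather than anything Director documents.

```python
"""Added example (not exteNd Director code): the LDAP searches implied by the
Directory LDAP properties, with the checks a deployer should make first.
All DNs, attribute names and class values below are hypothetical placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Wizard scope names -> LDAP SearchRequest.scope values
# (RFC 4511: baseObject = 0, singleLevel = 1, wholeSubtree = 2).
SCOPES = {"object": 0, "onelevel": 1, "subtree": 2}

# RFC 4515 escapes for a value placed inside a search filter. Without them a
# login name such as  *)(cn=*  rewrites the filter and matches every user.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4512 attribute descriptor: letters, digits and hyphens only, so the
# wizard's "Do not use spaces in this name" rule is enforced strictly.
_ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_attribute_name(name: str) -> bool:
    """True if the name can be used as an LDAP attribute descriptor."""
    return bool(_ATTRIBUTE_NAME.match(name))


@dataclass(frozen=True)
class DirectoryLdapConfig:
    """The subset of wizard properties that drive user and group lookups."""
    user_container_dn: str
    user_container_scope: str
    object_attribute: str            # e.g. objectClass
    user_object_attribute: str       # object class value for users, e.g. inetOrgPerson
    login_attribute: str             # attribute holding the login name, e.g. cn
    group_container_dn: str
    group_container_scope: str
    group_object_attribute: str      # object class value for groups, e.g. groupOfNames
    group_membership_attribute: str  # attribute on the group listing members, e.g. member

    def __post_init__(self) -> None:
        # Reject names with spaces or punctuation and scopes the wizard does not offer.
        for name in (self.object_attribute, self.user_object_attribute,
                     self.login_attribute, self.group_object_attribute,
                     self.group_membership_attribute):
            if not is_valid_attribute_name(name):
                raise ValueError(f"invalid attribute name {name!r}")
        for scope in (self.user_container_scope, self.group_container_scope):
            if scope not in SCOPES:
                raise ValueError(f"scope must be one of {sorted(SCOPES)}, not {scope!r}")

    def user_search(self, login: str) -> tuple[str, int, str]:
        """(base DN, scope, filter) that finds the entry for a typed login name."""
        flt = (f"(&({self.object_attribute}={escape_filter_value(self.user_object_attribute)})"
               f"({self.login_attribute}={escape_filter_value(login)}))")
        return self.user_container_dn, SCOPES[self.user_container_scope], flt

    def group_search(self, user_dn: str) -> tuple[str, int, str]:
        """(base DN, scope, filter) that finds the groups listing a user DN as a member."""
        flt = (f"(&({self.object_attribute}={escape_filter_value(self.group_object_attribute)})"
               f"({self.group_membership_attribute}={escape_filter_value(user_dn)}))")
        return self.group_container_dn, SCOPES[self.group_container_scope], flt


# Constructed configuration mirroring the wizard panel (hypothetical values).
EXAMPLE = DirectoryLdapConfig(
    user_container_dn="ou=users,o=acme",
    user_container_scope="subtree",
    object_attribute="objectClass",
    user_object_attribute="inetOrgPerson",
    login_attribute="cn",
    group_container_dn="ou=groups,o=acme",
    group_container_scope="onelevel",
    group_object_attribute="groupOfNames",
    group_membership_attribute="member",
)

if __name__ == "__main__":
    print(EXAMPLE.user_search("alice"))
    print(EXAMPLE.user_search("*)(cn=*"))  # escaped, so it matches nobody
    print(EXAMPLE.group_search("cn=alice,ou=users,o=acme"))
```

The second `user_search` call shows why the escaping matters: unescaped, `*)(cn=*` turns the filter into a wildcard that matches the first user in the container, which is a login bypass if the realm then authenticates against that entry.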


 
LDAP user configuration properties

When you select an LDAP realm using the Project Wizard in Workbench, you get this panel related to the User subsystem integration:

Ldap option

Description

Exclude User Attributes

User attributes that you want to be inaccessible to the Director APIs.

Include User Attributes

User attributes that you want to be accessible from the Director APIs.

Include Auxiliary Classes

(Optional) Use to include any custom auxiliary class attributes. These will be added to the user object class hierarchy.

Use "|" to separate classes, and "," to separate a class name from its attributes and the attributes from each other. For example:

  auxclass1,attr1,attr2|auxclass2,attr1,attr2

Exclude Syntax Definitions

Syntax definitions that you want excluded from the Director APIs.

LDAP syntaxes determine the data types that can be stored as an attribute. They are defined in RFC 2252 and RFC 2256.
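As an added example (not exteNd Director code), the following Python parses the Include Auxiliary Classes format and resolves which attributes the User subsystem will hand to application code once the exclusions are applied, flagging a password attribute left exposed. It assumes a comma-separated format for the include and exclude lists, that an exclusion overrides an inclusion, and a constructed base attribute set; the auxiliary class and attribute names are hypothetical.

```python
"""Added example (not exteNd Director code): resolve the attribute set the
User subsystem exposes from the Include/Exclude User Attributes and Include
Auxiliary Classes options. Separator for the include/exclude lists (comma),
exclusion-wins precedence and the base attribute set are assumptions."""
from __future__ import annotations

# Attributes that should never be readable through an application API.
# userPassword is the standard LDAP password attribute; extend the set for
# your own schema (assumption of this example).
SENSITIVE_ATTRIBUTES = {"userPassword"}


def parse_attribute_list(spec: str) -> set[str]:
    """Comma-separated attribute names (separator assumed); whitespace tolerated."""
    names = {part.strip() for part in spec.split(",") if part.strip()}
    for name in names:
        if " " in name:
            raise ValueError(f"attribute name contains a space: {name!r}")
    return names


def parse_auxiliary_classes(spec: str) -> dict[str, list[str]]:
    """Parse 'auxclass1,attr1,attr2|auxclass2,attr1,attr2' into {class: [attrs]}."""
    classes: dict[str, list[str]] = {}
    for entry in spec.split("|"):
        parts = [p.strip() for p in entry.split(",")]
        parts = [p for p in parts if p]
        if not parts:
            continue  # tolerate an empty entry such as a trailing "|"
        if any(" " in p for p in parts):
            raise ValueError(f"name contains a space in {entry!r}")
        cls, attrs = parts[0], parts[1:]
        classes.setdefault(cls, []).extend(attrs)
    return classes


def exposed_attributes(base, include: str, exclude: str, aux: str) -> set[str]:
    """Attributes the API exposes: base + included + auxiliary, minus excluded."""
    aux_attrs = {a for attrs in parse_auxiliary_classes(aux).values() for a in attrs}
    return (set(base) | parse_attribute_list(include) | aux_attrs) - parse_attribute_list(exclude)


def audit(base, include: str, exclude: str, aux: str) -> list[str]:
    """Warnings a deployer should resolve before deploying the project."""
    warnings = []
    for name in sorted(parse_attribute_list(include) & parse_attribute_list(exclude)):
        warnings.append(f"{name} is both included and excluded; exclusion wins")
    for name in sorted(exposed_attributes(base, include, exclude, aux) & SENSITIVE_ATTRIBUTES):
        warnings.append(f"{name} is exposed; add it to Exclude User Attributes")
    return warnings


# Constructed sample of what the user object class carries (hypothetical).
BASE_USER_ATTRIBUTES = {"cn", "sn", "mail", "userPassword"}

if __name__ == "__main__":
    aux = "acmeProfile,acmeDept,acmeBadge"  # hypothetical auxiliary class
    print(exposed_attributes(BASE_USER_ATTRIBUTES, "telephoneNumber", "userPassword", aux))
    print(audit(BASE_USER_ATTRIBUTES, "telephoneNumber", "", aux))
```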


 
Importing the UUID auxiliary class

Before you deploy a project that implements one of the LDAP application server realms, you need to import the provided auxiliary class specified in the UUID auxiliary class property. The purpose of this class is to add a UUID attribute that allows the Director and User subsystem APIs to access the LDAP realm.

You import this class using the NDS Import Wizard in the Novell ConsoleOne eDirectory tool.

Procedure To import the UUID auxiliary class in ConsoleOne:

  1. With the NDS container selected in ConsoleOne, select Wizards>NDS Import/Export.

  2. Click Import LDIF File and choose Next.

  3. Navigate to the ldif file in your Director installation path and select it (it is located at bin/extElemImport.ldif). Click Next.

  4. Verify the LDAP host name and port, choose Authenticated Login, and specify your administrator DN (distinguished name) and password. The import extends the directory schema, so the account you use needs rights to modify the schema.

  5. Verify the information and click Finish.

 
Configuring and using SSL for LDAP connections

NOTE:   SSL connections are slower than plain or clear-text connections. The initial portal connection can take up to 30 seconds to be established.

Procedure To configure the LDAP server to support SSL:

  1. In ConsoleOne, open the properties on the LDAP Server object that represents the LDAP server you are using with Director.

  2. Select the SSL Configuration tab.

  3. For the SSL Certificate field, select an SSL Certificate object.

  4. Make note of the SSL Port (typically 636).

  5. Make sure the Disable SSL Port option is not checked.

  6. Save the settings and refresh the NLDAP server:

    1. Open the properties of the LDAP server.

    2. Press the Refresh NLDAP Server Now button on the General page.

Procedure To export the Trusted Root Certificate:

  1. Open the properties on the SSL certificate object that you configured in the preceding procedure.

  2. Select the Certificates tab.

  3. Select the Trusted Root Certificate subtab.

  4. Press Export and save the file in binary DER format, typically named TrustedRootCert.der.

Procedure To download and install the Java Secure Socket Extension (JSSE):

NOTE:   This step is required only if your server is running with a JRE older than 1.4 and is not already configured to use JSSE.

Follow the installation instructions for JSSE — summarized as follows:

  1. Copy jsse.jar, jnet.jar and jcert.jar to the server's JRE extensions directory (for example: jre/lib/ext).

  2. Find and edit the java.security file, located in the lib/security directory of the server's JRE (for example: jre/lib/security/java.security).

  3. Follow the directions at the beginning of that file to register the JSSE provider, adding it with the next unused number in the existing security.provider list:

      security.provider.<n>=com.sun.net.ssl.internal.ssl.Provider
    

Procedure To import the Trusted Root Certificate into your cacerts or jssecacerts trust store file:

  1. Find the trust store file. It is located in the lib/security directory of the server's JRE (for example: jre/lib/security/cacerts). If a jssecacerts file exists in that directory, JSSE reads it instead of cacerts, so import into the file that is actually in use.

  2. Find keytool, located in the /bin folder relative to your Java home folder.

    NOTE:   You must use a keytool that comes with JVM 1.3 or higher.

  3. Run the following command, replacing aliasName with a unique alias for this root certificate, cacerts with the path of the trust store from step 1, and changeit with the store password (changeit is the JDK default; if it is still in use, change it):

      keytool -import -alias aliasName -file TrustedRootCert.der -keystore cacerts -storepass changeit

    keytool displays the certificate's owner, issuer and fingerprints and asks whether to trust it. Verify the fingerprint through a second channel (for example, against the certificate details shown in ConsoleOne on the eDirectory server) rather than against the file you just copied, because anything imported here is trusted for every SSL connection the JRE makes.
    

Procedure To configure Director to use SSL in the Directory Service:

  1. Open your Director project in exteNd Workbench.

  2. Select Project>Director Project>Configuration.

  3. Click the Directory tab and then click Directory Ldap Options lower tab.

  4. Change the LDAP host to include the SSL port for eDirectory (for example: localhost:636).

  5. Make sure Use SSL is checked and then click OK.

  6. Rebuild your project and redeploy.
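The procedures above make the exported root trusted for every SSL connection the JRE makes, so it is worth proving that the LDAP server actually presents a chain leading to that root before importing it. As an added example (not exteNd Director or Novell code), the following Python opens a TLS connection to the LDAP Host value, trusting only TrustedRootCert.der and enforcing host-name matching (stricter than older JSSE/JNDI stacks may be), and then builds the keytool command for the trust store JSSE actually reads (jssecacerts if present, otherwise cacerts). The host name, JRE path, alias and store password are placeholders.

```python
"""Added example (not exteNd Director or Novell code): verify the LDAP server
against the exported Trusted Root before importing it into the JRE trust
store. Host names, paths, alias and store password are placeholders."""
from __future__ import annotations

import hashlib
import socket
import ssl
import subprocess
import sys
from pathlib import Path


def parse_ldap_host(spec: str, default_port: int = 636) -> tuple[str, int]:
    """Split the wizard's 'host:port' LDAP Host value; the port defaults to the SSL port."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, int(port)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes in keytool's colon-separated style."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trust_store(jre_home) -> Path:
    """The trust store JSSE reads: jssecacerts takes precedence over cacerts."""
    security = Path(jre_home) / "lib" / "security"
    candidate = security / "jssecacerts"
    return candidate if candidate.exists() else security / "cacerts"


def keytool_import_command(store, alias: str, cert_file, storepass: str) -> list[str]:
    """keytool invocation for the import step; -noprompt is safe only after verify_ldap_server passed."""
    return ["keytool", "-import", "-noprompt", "-alias", alias, "-file", str(cert_file),
            "-keystore", str(store), "-storepass", storepass]


def verify_ldap_server(ldap_host: str, trusted_root_der: bytes, timeout: float = 10.0) -> dict:
    """Open a TLS connection trusting only the exported root, with host-name checking.

    Raises ssl.SSLCertVerificationError if the server's chain does not lead to
    that root or its certificate does not name the host you configured."""
    host, port = parse_ldap_host(ldap_host)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)       # CERT_REQUIRED and check_hostname on
    ctx.load_verify_locations(cadata=trusted_root_der)  # DER bytes; no other CA is trusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            return {"host": host, "port": port, "protocol": tls.version(),
                    "server_cert_sha256": fingerprint(leaf),
                    "root_sha256": fingerprint(trusted_root_der)}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_ldap_ssl.py ldap-host:port jre-home")
    root_file = Path("TrustedRootCert.der")  # exported from ConsoleOne (placeholder path)
    print(verify_ldap_server(sys.argv[1], root_file.read_bytes()))
    cmd = keytool_import_command(trust_store(sys.argv[2]), "edir-root", root_file, "changeit")
    print(" ".join(cmd))
    subprocess.run(cmd, check=True)
```

If `verify_ldap_server` raises, fix the LDAP server's certificate (or the LDAP Host value, which must match the name in the certificate) before running keytool; importing a root that does not validate the server leaves the connection encrypted but not authenticated.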

 
About the configuration and services descriptors

When you complete the Project Wizard, Workbench generates two descriptors containing editable key/value pairs representing realm and Directory subsystem configuration properties:

  • config.xml: Stores the realm configuration properties.

  • services.xml: Stores the Directory subsystem service configuration.

For information on both descriptors, see the section on how the subsystems register themselves in the Core Development Guide.

Generally you only need to edit these files directly for special cases. See Editing or changing realms.

The descriptors are located in your project tree in the DirectoryService-conf folder in the DirectoryService.jar.

For more information: for more information about where project files are located, see the section on Director project structure in the Core Development Guide.

 
Configuring an external readable realm in exteNd

This section applies to the non-LDAP exteNd application server realm only.

By default, the writable realm for the Novell exteNd application server is SilverUsers. You can optionally configure your readable realm to be Windows NT, LDAP, or NIS+, while keeping SilverUsers as your security provider.

NOTE:   If you are accessing an external LDAP realm through Novell eDirectory, the exteNd ServerLdap realm is the recommended LDAP configuration. See Configuring an LDAP realm.

Procedure To configure a different security provider in exteNd:

  1. In Workbench, open config.xml for the Directory subsystem.

    For more information: for more information about where project files are located, see the section on Director project structure in the Core Development Guide.

  2. Click Add.

  3. For each key/value pair, double-click the Key field and the Value field and enter these values:

    For Windows NT:

    For LDAP (read-only):

    For NIS+:

    NOTE:   If you want to reconfigure your primary realm, see Configuring a primary realm.

  4. Redeploy your project.

    For more information: see deploying a Director project in the Core Development Guide.

Configuring a primary realm

By default, the readable realm is your primary realm. For API method calls, the Directory subsystem checks the primary realm first.

Procedure To specify your writable realm as the primary realm:

  1. In Workbench, open config.xml for the Directory subsystem.

  2. Click Add.

  3. Enter this key/value pair:

  4. Open your project's Directory services subsystem descriptor:

    ...\library\DirectoryService\DirectoryService-conf\services.xml

  5. Click Add.

  6. Enter the requested values as shown:

    Form information

    Value

    Interface

    com.sssw.fw.directory.api.EbiSilverServerRealm

    Implementation Class

    com.sssw.fw.server.silverserver.realm.EboSilverServerRealm

    Maximum Instances

    0

    IMPORTANT:   You must set Maximum Instances to 0 so that the readable realm and writable realm are separate instances of the EboSilverServerRealm implementation.

    Startup

    manual

    Namespacing

    false

    Description

    Any string

  7. Redeploy your project.

    For more information: see the section on deploying a Director project in the Core Development Guide.

 
Configuring a custom realm

To write a custom pluggable realm, you need to implement the interface com.sssw.fw.directory.EbiRealm (for a readable realm) or EbiWriteableRealm (for a writable realm).

For more information: see Writing a custom realm.

Procedure To configure a custom realm:

  1. In Workbench, open your project's Directory service descriptor, located at:

    ...\DirectoryService\DirectoryService-conf\services.xml

  2. Click Add.

  3. Enter the appropriate values

    Form information

    Description

    Interface

    A key for the interface or the fully qualified name. For example: com.acme.MyCustomRealmInterface.

    Implementation Class

    The fully qualified implementation class. For example: com.acme.MyCustomRealmImpl.

    Maximum Instances

    If you are planning to use the class as both readable and writable realm or if you are using only one instance of the realm, set this value to 1. Otherwise, set it to 0 (for multiple instances).

    Startup

    If you want the class instantiated on server startup, select automatic. Otherwise select manual.

    Namespacing


    Description

    Any string.

  4. In Workbench, open your project's Directory subsystem configuration file, located at:

    ... \DirectoryService\DirectoryService-conf\config.xml

  5. If your realm is readable-only, enter a key/value pair that matches the value you entered in services.xml:

  6. If the custom realm is readable/writable, add the same value with this key:

  7. Redeploy your project.

    For more information: see the section on deploying a Director project in the Core Development Guide.

 
Editing or changing realms

You can edit the current realm configurations or change realms and redeploy your project in Workbench.

Procedure To edit or change a realm configuration:

  1. With your Director project open in Workbench, choose Project>Director Project>Configuration.

  2. To edit or change a realm configuration choose the Directory tab at the top of the form:

    For more information: see LDAP directory configuration properties.

  3. To edit the User subsystem LDAP options, select the User tab at the top of the form and enter your changes on the form.

    For more information: see LDAP user configuration properties.

  4. Redeploy your project.

    For more information: see the section on deploying a Director project in the Core Development Guide.

Copyright © 2000, 2001, 2002, 2003 SilverStream Software, LLC, a wholly owned subsidiary of Novell, Inc. All rights reserved.