Sunday, August 29, 2010

LDAP with ApacheDS for Authentication

Regardless of which security options you use, LDAP is the place to store user groups and credentials. I am not going to explain why, as the Web is full of explanations, but I will show here how to get ApacheDS working so you can start using LDAP for authentication purposes.

If you are doing Web Programming in Java I recommend Spring Security. I am providing an example of such integration.

1. Download and install ApacheDS (v 1.5.7) and Apache Directory Studio (v 1.5.3).

2. The DS server should start automatically. Telnet to localhost port 10389 (the default ApacheDS port) to check that it is running. If it is not running, start it with:
OSX$ sudo launchctl load /Library/LaunchDaemons/org.apache.directory.server.plist
OSX$ sudo launchctl start org.apache.directory.server
LINUX$ sudo /etc/init.d/apacheds-1.5.7-default start

3. To stop the server:
OSX$ sudo launchctl stop org.apache.directory.server
OSX$ sudo launchctl unload /Library/LaunchDaemons/org.apache.directory.server.plist
LINUX$ sudo /etc/init.d/apacheds-1.5.7-default stop

4. Download the sample LDIF file from http://directory.apache.org/apacheds/1.5/15-about-the-sample-configurations-and-sample-directory-data.data/apache_ds_tutorial.ldif

5. Open Apache Directory Studio and select File|New|LDAP Browser|LDAP Connection. Name it "localhost", hostname=localhost, port=10389, use No Encryption. Hit “Check Network Parameter” and be sure the connection to the server is successful. Use bind user=”uid=admin,ou=system” and bind password=”secret” (the defaults). Hit “Check Authentication” and be sure it is successful.

6. Stop the server and add a new partition to server.xml:
OSX$ sudo vi /usr/local/apacheds-1.5.7/instances/default/conf/server.xml
LINUX$ sudo vi /var/lib/apacheds-1.5.7/default/conf/server.xml
...
    <jdbmPartition id="sevenSeas" suffix="o=sevenSeas" />
</partitions>
...
7. You might have to close the localhost connection in Apache Directory Studio and open it again.

8. Assign a root entry to the partition. Right click on the DIT in the left panel and select “New Entry|Next|Select domain|RDN: o=sevenSeas”. Pick “o=sevenSeas” for the dc property.

9. Right click on the “o=sevenSeas” entry and import the file apache_ds_tutorial.ldif.

10. You now have “ou=groups” and “ou=people” below “o=sevenSeas”.

11. Create a new user: right click “ou=people”|Add a New Entry from scratch|select “objectclass: inetOrgPerson”|Next|add RDN: cn=admin. You will need to provide the “sn” attribute (surname), as the schema makes it mandatory; set it to “admin”, for example. In addition set “userPassword” and “mail”.

12. Create a new group: right click “groups”|Add a New Entry from scratch|select “objectclass: groupOfUniqueNames”|Next|add RDN: cn=admin. At least one member must be placed inside the group; use “cn=admin,ou=people,o=sevenSeas”.

13. Create a second user called “test” and make it a member of a new group called “user”.

14. Test your application. Below is a snippet of the Spring Security XML configuration:
<beans:bean id="customUserDetailsService"
    class="com.nestorurquiza.security.DummyForTokenBasedRememberMeServicesUserDetailsService">
</beans:bean>
<beans:bean id="customUserDetailsContextMapper"
    class="com.nestorurquiza.security.LdapUserDetailsContextMapper">
</beans:bean>

<ldap-server url="ldap://localhost:10389" manager-dn="uid=admin,ou=system"
    manager-password="secret" root="o=sevenSeas" />
<authentication-manager>
    <ldap-authentication-provider
        user-search-filter="mail={0}" user-search-base="ou=people,o=sevenSeas"
        user-context-mapper-ref="customUserDetailsContextMapper"
        group-search-base="ou=groups,o=sevenSeas" />
</authentication-manager>
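The user-search-filter "mail={0}" above receives whatever the user typed into the login form. Spring Security escapes that value before substituting it, following RFC 4515, so the login name can only ever match as a literal attribute value and never alters the shape of the filter. The following is an added example, not code from the original post or from Spring Security, that reproduces the same escaping in Python for anyone who assembles LDAP search filters by hand (for instance with python-ldap or ldap3). The wrapper that adds the outer parentheses and the sample login values are assumptions of the example.

```python
"""RFC 4515 escaping for values substituted into an LDAP search filter.

Added example; Spring Security does this substitution itself for the
user-search-filter in the post. The template/parenthesis wrapper and the
sample logins are constructed for illustration.
"""

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value. NUL is included because it is a frequent omission.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 127:
            # Non-ASCII: escape every UTF-8 byte as \XX (RFC 4515 permits this)
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(template: str, login: str) -> str:
    """Substitute the login into a template such as 'mail={0}'.

    The login is escaped as a single assertion value, then the whole
    expression is wrapped in the outer parentheses a filter requires
    (assumed here; Spring's own handling of the template is not shown).
    """
    return "(" + template.replace("{0}", escape_filter_value(login)) + ")"


if __name__ == "__main__":
    # Constructed sample logins: a normal address and one containing
    # filter metacharacters that must come out escaped.
    for login in ("nurquiza@mycompany.com", "O'Brien (sales)*", "josé@mycompany.com"):
        print(user_search_filter("mail={0}", login))
```

The escaping table matches the one Spring Security's LdapEncoder.filterEncode uses (backslash, asterisk, parentheses and NUL); the important property is that the substituted value can contain parentheses or wildcards without changing how the server parses the filter.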

15. Of course you will want to create your own “ou=groups” and “ou=people”. You can do that from Active Directory as I already posted, or you can create the LDIF file yourself (remember it is just plain text!). Alternatively you can add groups and users manually through the GUI. Creating an LDIF file is the easiest way:
dn: ou=people,o=MyCompany
objectclass: organizationalUnit
objectclass: top
description: User entries
ou: people

dn: ou=groups,o=MyCompany
objectclass: organizationalUnit
objectclass: top
description: User Group Entries
ou: groups

dn: CN=Nestor Urquiza,ou=people,o=MyCompany
sn: Urquiza
givenName: Nestor
mail: nurquiza@mycompany.com
uid: nurquiza
userPassword:
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top

dn: CN=Tom Cat,ou=people,o=MyCompany
sn: Cat
givenName: Tom
mail: tcat@mycompany.com
uid: tcat
userPassword:
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top

dn: cn=admin,ou=groups,o=MyCompany
description: Super User
objectclass: groupOfUniqueNames
objectclass: top
cn: admin
uniquemember: cn=Nestor Urquiza,ou=people,o=MyCompany

dn: cn=user,ou=groups,o=MyCompany
description: Regular User
objectclass: groupOfUniqueNames
objectclass: top
cn: user
uniquemember: cn=Nestor Urquiza,ou=people,o=MyCompany
uniquemember: cn=Tom Cat,ou=people,o=MyCompany
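Writing the LDIF above by hand works for two users, but a generator pays off as soon as a cn contains a comma or a value starts with a character LDIF does not allow in plain form. The following is an added example, not code from the original post or from the ApacheDS project, that produces the same ou=people / ou=groups layout under o=MyCompany from a small table of users and groups. It assumes ApacheDS accepts the {SSHA} (salted SHA-1) userPassword scheme, which it does, so the clear-text passwords never appear in the file where the post leaves userPassword blank. The users, groups and passwords below are constructed sample data.

```python
"""Generate the ou=people / ou=groups LDIF from step 15 of the post.

Added example. Assumes the o=MyCompany base from the post and the {SSHA}
userPassword scheme supported by ApacheDS. Sample users/groups are constructed.
"""
import base64
import hashlib
import hmac
import os

BASE_DN = "o=MyCompany"  # partition suffix used in the post

# RFC 4514 section 2.4: characters that need a backslash inside a DN value
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """One 'name: value' line; base64 with '::' when RFC 2849 forbids the plain form."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\r\n\x00" for c in value)
    if unsafe_start or unsafe_char:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def ssha_password(password: str, salt: bytes = None) -> str:
    """{SSHA} value: base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a clear-text password against a {SSHA} value (what the server does on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def person_dn(cn: str) -> str:
    return f"cn={escape_dn_value(cn)},ou=people,{BASE_DN}"


def ou_entry(ou: str, description: str) -> str:
    return "\n".join([ldif_attr("dn", f"ou={ou},{BASE_DN}"), "objectclass: organizationalUnit",
                      "objectclass: top", ldif_attr("description", description), ldif_attr("ou", ou)])


def person_entry(cn, sn, given_name, mail, uid, password, salt=None) -> str:
    return "\n".join([
        ldif_attr("dn", person_dn(cn)), ldif_attr("sn", sn), ldif_attr("givenName", given_name),
        ldif_attr("mail", mail), ldif_attr("uid", uid),
        ldif_attr("userPassword", ssha_password(password, salt)),
        "objectclass: person", "objectclass: organizationalPerson",
        "objectclass: inetOrgPerson", "objectclass: top",
    ])


def group_entry(cn, description, member_cns) -> str:
    # groupOfUniqueNames requires at least one uniqueMember (see step 12)
    if not member_cns:
        raise ValueError(f"group {cn!r} needs at least one member")
    lines = [ldif_attr("dn", f"cn={escape_dn_value(cn)},ou=groups,{BASE_DN}"),
             ldif_attr("description", description), "objectclass: groupOfUniqueNames",
             "objectclass: top", ldif_attr("cn", cn)]
    lines += [ldif_attr("uniqueMember", person_dn(m)) for m in member_cns]
    return "\n".join(lines)


def build_ldif(users, groups) -> str:
    """users: (cn, sn, givenName, mail, uid, password) tuples; groups: cn -> (description, [member cn])."""
    entries = [ou_entry("people", "User entries"), ou_entry("groups", "User Group Entries")]
    entries += [person_entry(*u) for u in users]
    entries += [group_entry(cn, desc, members) for cn, (desc, members) in groups.items()]
    return "\n\n".join(entries) + "\n"


# Constructed sample data: the two users from the post plus a cn containing a comma
SAMPLE_USERS = [
    ("Nestor Urquiza", "Urquiza", "Nestor", "nurquiza@mycompany.com", "nurquiza", "changeme1"),
    ("Tom Cat", "Cat", "Tom", "tcat@mycompany.com", "tcat", "changeme2"),
    ("Smith, Jane", "Smith", "Jane", "jsmith@mycompany.com", "jsmith", "changeme3"),
]
SAMPLE_GROUPS = {"admin": ("Super User", ["Nestor Urquiza"]),
                 "user": ("Regular User", ["Nestor Urquiza", "Tom Cat", "Smith, Jane"])}

if __name__ == "__main__":
    print(build_ldif(SAMPLE_USERS, SAMPLE_GROUPS))
```

Redirect the output to a file and import it on o=MyCompany the same way the tutorial LDIF was imported in step 9. Because the group entries reference member DNs built by the same person_dn function, an escaped cn such as "Smith\, Jane" is written identically in the user entry and in every uniqueMember that points at it.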

16. Secure ApacheDS. Besides using SSL, do not forget to disable anonymous access:
<defaultDirectoryService
    ...
    allowAnonymousAccess="false"
    ...>
