Configuring WAS Liberty LDAP authentication settings based on a Tomcat configuration

Time: 2014-06-04 17:58:56

Tags: tomcat ldap ibm-mobilefirst websphere-liberty

I have a question similar to this one:

Worklight WAS Liberty profile configuration based on Tomcat configuration

@Kristof: did you figure out how to do it?

I am using OpenLDAP, so my ldapType is Custom. My configuration is:

<ldapRegistry
    baseDN="ou=people,dc=my-domain,dc=com"
    ldapType="Custom"
    port="389"
    host="MyServerHost"
    id="myLdap"
    bindDN=""
    bindPassword=""
    searchTimeout="300000m"
    recursiveSearch="true">
    <customFilters
        id="customFilters"
        userFilter="(uid={0})"
        userIdMap="*:uid"
        groupFilter="(member={0})"
        groupIdMap="*:cn"/>
</ldapRegistry>

What am I doing wrong? I tried something like:
<customFilters
    id="customFilters"
    userFilter="(&amp;(uid=%v)(objectClass=inetOrgPerson))"
    groupFilter="(&amp;(cn=%v)(|(objectclass=organizationalUnit)))"
    groupMemberIdMap="posixGroup:memberUid"/>

but that does not work either. The question is: what do all of these represent? I don't know what objectClass is... or where inetOrgPerson needs to come from. Also, there is no way to express roleBase in the Liberty configuration. I set baseDN to the userBase value.

Why do we need attributes like userIdMap and groupIdMap?

After reading some more, I updated the configuration to:

<ldapRegistry
    baseDN="dc=my-domain,dc=com"
    ldapType="Custom"
    port="389"
    host="myLdapServerHost"
    id="myLdap"
    bindDN="cn=admin,dc=my-domain,dc=com"
    bindPassword="admin"
    recursiveSearch="true">
    <customFilters
        id="customFilters"
        userFilter="&amp;(ou=people)(uid=%v)(objectClass=inetOrgPerson)"
        groupFilter="&amp;(ou=groupsJ2EE)(cn=%v)(objectClass=groupOfNames)"/>
</ldapRegistry>

Still no luck... any ideas what could be wrong?

1 Answer:

Answer 0 (score: 0)

The filters must look like this:

<customFilters
    id="customFilters"
    userFilter="(&amp;(uid=%v)(objectClass=inetOrgPerson))"
    groupFilter="(&amp;(cn=%v)(objectClass=groupOfNames))"
    userIdMap="*:uid"
    groupMemberIdMap="groupOfNames:member"/>

This assumes OpenLDAP is configured to use inetorgperson.schema (an extension schema shipped as part of standard OpenLDAP), by adding the following line to slapd.conf:

include /usr/local/etc/openldap/schema/inetorgperson.schema

By default OpenLDAP does not enable inetorgperson.schema; in that case the userFilter needs to be something like

(&amp;(cn=%v)(objectClass=person))

and userIdMap would be

 "*:cn"

Below is a sample LDIF file for OpenLDAP and the matching LDAP configuration snippet.

LDIF

dn: o=ibm,c=in
objectClass: organization
o: ibm

dn: ou=people,o=ibm,c=in
objectClass: organizationalUnit
description: All people in organisation
ou: people

dn: cn=Robert Smith,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
uid: rjsmith
userPassword:: e1NIQX1XNnBoNU1tNVB6OEdnaVVMYlBnekczN21qOWc9

dn: uid=testUser,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: testUserCN
sn: testUserSN
uid: testUser

dn: ou=groups,o=ibm,c=in
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=testGroup1,ou=groups,o=ibm,c=in
objectClass: groupOfNames
objectClass: top
cn: testGroup1
member: uid=TESTUSER,ou=PEOPLE,o=IBM,c=IN

Configuration

<ldapRegistry
    baseDN="o=ibm,c=in"
    ldapType="Custom"
    port="389"
    host="9.113.58.110"
    id="myLdap"
    bindDN="cn=root,o=ibm,c=in"
    bindPassword="root"
    recursiveSearch="true">
    <customFilters
        id="customFilters"
        userFilter="(&amp;(uid=%v)(objectClass=inetOrgPerson))"
        groupFilter="(&amp;(cn=%v)(objectClass=groupOfNames))"
        userIdMap="*:uid"
        groupMemberIdMap="groupOfNames:member"/>
</ldapRegistry>
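To show what the userFilter, the %v placeholder and groupMemberIdMap actually do against the directory, here is an added Python example (not code from the question, the answer or Liberty itself). It evaluates Liberty-style filters over a constructed LDIF modelled on the answer's sample, and shows why the asker's `(ou=people)` term and the missing outer parentheses fail: `ou=people` is part of the user's DN, not an attribute of the entry, and an LDAP filter must be enclosed in parentheses.

```python
# Constructed LDIF, modelled on the answer's sample; not data from the page's server.
LDIF = """\
dn: uid=testUser,ou=people,o=ibm,c=in
objectClass: inetOrgPerson
uid: testUser

dn: cn=testGroup1,ou=groups,o=ibm,c=in
objectClass: groupOfNames
member: uid=TESTUSER,ou=PEOPLE,o=IBM,c=IN
"""

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]; base64 ('::') lines are skipped."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if "::" in line: continue  # e.g. userPassword:: <base64>
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def matches(filt, attrs):
    """Evaluate an RFC 4515 filter restricted to '&', '|' and attr=value (case-insensitive)."""
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("LDAP filter must be enclosed in parentheses: " + filt)
    body = filt[1:-1]
    if body[:1] in ("&", "|"):           # split into top-level sub-filters
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                depth += 1
                if depth == 1: start = i
            elif ch == ")":
                depth -= 1
                if depth == 0: parts.append(body[start:i + 1])
        results = [matches(p, attrs) for p in parts]
        return all(results) if body[0] == "&" else any(results)
    attr, value = body.split("=", 1)
    return value.lower() in [v.lower() for v in attrs.get(attr.strip().lower(), [])]

def find_user(entries, user_filter, login):
    # Liberty replaces %v with the login name, then searches below baseDN.
    return [dn for dn, attrs in entries if matches(user_filter.replace("%v", login), attrs)]

def groups_of(entries, user_dn):
    # groupMemberIdMap="groupOfNames:member": groups whose member holds the user DN (compared case-insensitively).
    return [dn for dn, attrs in entries if "groupofnames" in map(str.lower, attrs.get("objectclass", []))
            and user_dn.lower() in map(str.lower, attrs.get("member", []))]
```

Note that the XML attribute value `(&amp;(uid=%v)...)` reaches the LDAP server as `(&(uid=%v)...)`, which is the form this evaluator expects.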