7.3. Enabling LDAP Authentication

Revision History
12/05/12
modified the procedure to work in a fabric

Abstract

Fabric containers come with a preinstalled LDAP login module. To activate it you need to reconfigure the default JAAS realm to use the LDAP login module and associate the new realm with all of the containers in the fabric.

Overview

Fabric containers supply a JAAS login module that enables it to use LDAP to authenticate users. The JAAS LDAP login module is implemented by the org.apache.karaf.jaas.modules.ldap.LDAPLoginModule class. It is preloaded by the containers, so you do not need to install its bundle.
To enable LDAP authentication, you need to create a new profile that redefines the default karaf realm to use the LDAP login module and deploy it to every container in the management console's fabric. Once this is done, all access to the management console Web console, and all of the fabric containers' command consoles, will be authenticated against your LDAP server.

Procedure

To enable the fabric containers to use LDAP for user authentication:
  1. Create a Maven project to package and deploy the LDAP JAAS realm to the fabric's Maven proxy as shown in the section called “Creating a Maven project for deploying a JAAS realm”.
  2. Create a JAAS realm that uses the LDAP login module:
    1. Open the blueprint XML file in src/main/resources/OSGI-INF/my-service.xml in a text editor.
    2. Delete the bean and service elements.
    3. Add a jaas:config element to the blueprint.
    4. Add a name attribute to the jaas:config element and set its value to karaf.
      Note
      This will override the default realm used by the container.
    5. Add a rank attribute to the jaas:config element and set its value to 5.
      Note
      This will insure that this realm is used by the container.
    6. Add a jaas:module element to the jaas:config element.
    7. Add a className attribute to the jaas:module element and set its value to org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.
      Example 7.4, “LDAP JAAS Login Module” shows the blueprint file.

      Example 7.4. LDAP JAAS Login Module

      <jaas:config ... >
  <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
               flags="required">
    ...
  </jaas:module>
</jaas:config>
    8. Provide values for the properties described in Table 6.2, “Properties for the Red Hat JBoss A-MQ LDAP Login Module”.
  3. Deploy the JAAS realm to the fabric's maven proxy using the mvn deploy command.
  4. In the management console create a new profile for deploying the LDAP realm.
    See Using the Management Console.
  5. Select the Bundles tab.
  6. Add the bundle you uploaded for the JAAS realm to the profile.
    Bundles are specified using Maven URLs. For example if your project's group ID is my.jaas.realm and the artifact ID is ldap, the Maven URL for the bundle will be mvn:my.jaas.realm/ldap/version.
    See Using the Management Console.
  7. Add the new profile to all of the containers in the fabric.
    See Using the Management Console.