Ldap Integration

Reference for below is this: Active Directory Integration#

What I did for Tomcat 6.0.18:#

Note: web-app means JSPWiki

1. Specify realm#

Under conf, create a sub directory <service>\<host>\<webappname>.xml
This would be generally <tomcat>\conf\Catalina\localhost\JSPWiki.xml
Put the realm information in like below.

You can place "realm" information also somewhere else, but specifying it this way, the context becomes web-app specific, which is necessary, because otherwise our realm will interfere with the realm used by tomcat in the server.xml ("UserDatabase", which is the conf/tomcat-users.xml).
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context>

    <!-- Default set of monitored resources -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
	
    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <Manager pathname="" />   

	<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
				connectionURL="ldap://<domain.server.com>:389"
				connectionName="<username@domain>"
				connectionPassword="<password>"
				referrals="follow"
				userBase="OU=Objects,DC=<domain>,DC=<server>,DC=<com>"
				userSearch="(sAMAccountName={0})"
				userSubtree="true"
				roleBase="OU=Objects,DC=<domain>,DC=<server>,DC=<com>"
				roleName="name"
				roleSubtree="true"
				roleSearch="(member={0})"
		  />	
	
    <!-- Uncomment this to enable Comet connection tacking (provides events
         on session expiration as well as webapp lifecycle) -->
    <!--
    <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
    -->

</Context>

2. Test your realm#

Reload your web-app with the tomcat manager.
By the way, editing the web-app specific context will make tomcat to reload the web-app also automatically.
You should see results in logs/localhost.YYYY-MM-DD.log
You may want to increase Tomcat logging level. Tomcat uses the java.util.logging by default, not log4j, so do not mix up the levels under conf/logging.properties.
Note: You can also increase the JSPWiki log4j logging level in jspwiki.properties.
It will not help you with authentication, but nevertheless... Uncomment the following and give a proper ".File" path (!) and name. 
log4j.appender.FileLog =org.apache.log4j.RollingFileAppender
log4j.appender.FileLog.MaxFileSize    =10MB
log4j.appender.FileLog.MaxBackupIndex =14
log4j.appender.FileLog.File =${catalina.home}/logs/jspwiki.log
log4j.appender.FileLog.layout =org.apache.log4j.PatternLayout
log4j.appender.FileLog.layout.ConversionPattern=%d [%t] %p %c %x - %m%n

log4j.rootCategory=INFO,FileLog

First search for something like "context could not be loaded" or "context is invalid", then something is wrong with your context set up.
If everything is fine, you should find nothing about LDAP and AD in the log.

To force some output, create some errors to get a feeling:

Try 1: Enter an invalid server as connectionURL, then you get something like this: 

08.09.2009 16:32:06 org.apache.catalina.realm.JNDIRealm open
WARNUNG: Exception performing authentication
javax.naming.CommunicationException: <domain.server.comXY>:389 [Root exception is java.net.UnknownHostException: <domain.server.comXY>]

Try 2: Enter an invalid connectionName or connectionPassword, then you get something like this: 

08.09.2009 16:35:40 org.apache.catalina.realm.JNDIRealm open
WARNUNG: Exception performing authentication
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

3. Edit webapps/JSPWiki/WEB-INF/web.xml#

Update settings as described in the link above
Disable 
<user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
or set 
<user-data-constraint>
   <transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
to disable SSL for now.

4. Adjust WEB-INF\jspwiki.policy#

If you use your AD specific groups you have to tell JSPWiki in WEB-INF\jspwiki.policy.
Generally only the group "Admin" can delete pages for example, simply add another entry for your groups
as described here: http://doc.jspwiki.org/2.4/wiki/WikiGroups

5. Nevertheless create a profile within Wiki#

No Copyright