Friday, October 09, 2009

GlassFish + OpenDS = No Pain

You want LDAP and appserver work with it. But you also remember all the voodoo bloody massacre you've experienced, once you've tried to setup OpenLDAP and now looking to shoot its developers. Calm down, go an elegant and easy way instead.

My config is pretty much simple OpenDS on an OpenSolaris zone. Nothing special for OpenSolaris zone — just setup it as usual and configure OpenDS as you would do on a global zone. That's my scenario:

  1. Login to your OpenSolaris global zone and install OpenDS from IPS:

    pfexec pkg install opends

  2. Now, login to your zone where OpenDS is supposed to run and add an user, who will use it. In my case it is "opends" user (and a same group) and I've decided to put it separately, where entire OpenDS instance is:

    pfexec useradd -md /opt/opends/home opends

  3. I've also decided that OpenDS instance is running in /opt/opends/instance folder. So run configuration against "opends" user and that folder like this:

    pfexec /usr/opends/configure \
         --instancePath /opt/opends/instance \
         --userName opends \
         --groupName opends

  4. Great. Now is a time to finish it. :-) Login as "opends" user and run "setup" command. Please note, it will try run Swing GUI for you, so either SSH into your box with X11 forwarding or use command line mode ("--cli" option) and follow these few simple instructions (setup DN, admin password, port etc):

    /usr/opends/setup --cli

  5. There is no fifth step — your LDAP is up and running. Need more info about details and such? Here: — depending on your version...

OK, we have LDAP done in four steps. Now we want GlassFish use it as realm. That's also elegant:

  1. Login into your GlassFish admin console (by default on 4848 port).
  2. Go to Configuration → Security → Realms and add one just straight-forward as it is:
    1. Set name to "OpenDS", let's say.
    2. Use class:
    3. Set JAAS context as "ldapRealm"
    4. Set Directory to "ldap://". If you're using SSL to make things thrice slower while no much change to security itself (because it is an internal network), then use scheme "ldaps://...". :-)
    5. Use your base DN that you've put to your LDAP, e.g.: dc=your,dc=host,dc=com or something like this.
    6. And then use your group whenever it is: ou=groups,dc=your,dc=host,dc=com etc.
  3. There is no third step.

Easy, is it? :-)

No comments: