Enabling Authentication Through LDAP
Tcat Server can use an LDAP server to manage users and roles. To configure Tcat Server to use LDAP, you take the following steps:
The rest of this page describes these steps in detail.
Set up Tcat Server Roles
If a user has a role (also called a "group") on the LDAP server, and you want to use that same role to manage permissions in Tcat Server, you must also create that role inside Tcat Server and set the appropriate permissions. For instance, if you add the "Developers" role to the LDAP server, you must also create a role with that name in the Tcat Server Administration panel and configure the appropriate permissions.
You can do this in one of two ways:
1. Create a role called Administrators on the LDAP server. Tcat Server comes with a set of default permissions for users with the Administrators role. Ensure that your user name has the Administrators role, and then log into Tcat Server. You can then create other roles, assign the appropriate permissions, and remove the original Administrators role from the LDAP server.
2. Start a Tcat Server instance without LDAP enabled. Create roles in the Tcat Server instance that correspond to your roles on the LDAP server, and then follow the instructions below to enable LDAP.
Add the LDAP JAR to Your Classpath
The Tcat Server LDAP support JAR file contains the necessary classes for Tcat Server to authenticate against an LDAP server. You can download this file here. Download the file to the /WEB-INF/lib directory under the Tcat Server console web application (<TCatHome>/webapps/console/WEB-INF/lib).
Create the LDAP Configuration File
You must create an LDAP configuration file called ldap.xml and place it in /WEB-INF/classes. Following is an example template for this file, followed by a description of its properties:
Following are the properties you set in this file:
- The `managerDn` property of the `initialDirContextFactory` bean. This is the distinguished name (DN) of the user you will use to log in to the LDAP server.
- The `managerPassword` property of the `initialDirContextFactory` bean. This is the password of the user you will use to log in to the LDAP server.
- The first `<constructor-arg>` of the `userSearch` bean. This is the base context in which Tcat Server will search for users.
- The second `<constructor-arg>` of the `userSearch` bean. This is a filter expression used to find entries that match a particular user name. For example, `(uid={0})` would look for an entry where the `uid` attribute matches the user name.
- The `userSearchBase` property of the `userManagerTarget` bean. This is the base context in which Tcat Server will search for users.
- The `userSearchAttributes` property of the `userManagerTarget` bean. These attributes are used to search for users in the LDAP server.
- The second `<constructor-arg>` of the `ldapAuthoritiesPopulator` bean. This is the DN of the context you will use to search for roles to which the user belongs.
- The `groupSearchFilter` property of the `ldapAuthoritiesPopulator` bean. This is an expression that finds roles. For instance, `(uniqueMember={0})` searches for roles inside of the `groupSearchBase` that have an attribute `uniqueMember` where one of the values is the user name.
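The following is an added illustration of how these beans and properties fit together in an `ldap.xml`; it is not the Tcat Server template. It assumes the Spring Security 2.x LDAP classes that these bean names correspond to, and the `userManagerTarget` class name, the directory host and the DNs are placeholders you replace with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not the Tcat Server template. Class names for the
     standard beans are assumed to be the Spring Security 2.x LDAP classes;
     the userManagerTarget class is a placeholder. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <!-- Connection to the directory. Prefer ldaps:// so the manager password
       and the users' passwords do not cross the network in clear text. -->
  <bean id="initialDirContextFactory"
        class="org.springframework.security.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldaps://ldap.example.com:636/dc=example,dc=com"/>
    <!-- managerDn: a dedicated read-only bind account, not a directory admin -->
    <property name="managerDn" value="cn=tcat-bind,ou=services,dc=example,dc=com"/>
    <!-- managerPassword: placeholder; keep the real value out of version control -->
    <property name="managerPassword" value="REPLACE_WITH_BIND_PASSWORD"/>
  </bean>

  <!-- First arg: base context for the user search. Second arg: filter,
       where {0} is replaced by the login name the user typed. -->
  <bean id="userSearch"
        class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="ou=people"/>
    <constructor-arg index="1" value="(uid={0})"/>
    <constructor-arg index="2" ref="initialDirContextFactory"/>
  </bean>

  <!-- Tcat-specific bean; the class name is a placeholder, take the real one
       from the template shipped with the LDAP support JAR. -->
  <bean id="userManagerTarget" class="PLACEHOLDER_TCAT_LDAP_USER_MANAGER_CLASS">
    <property name="userSearchBase" value="ou=people"/>
    <!-- Assumed to be a list of attribute names used to look up users -->
    <property name="userSearchAttributes">
      <list><value>uid</value><value>cn</value><value>mail</value></list>
    </property>
  </bean>

  <!-- Second arg: base context for the role search. groupSearchFilter
       selects the role entries that list the user as a member. -->
  <bean id="ldapAuthoritiesPopulator"
        class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
    <constructor-arg index="0" ref="initialDirContextFactory"/>
    <constructor-arg index="1" value="ou=groups"/>
    <property name="groupSearchFilter" value="(uniqueMember={0})"/>
  </bean>
</beans>
```

The user and group bases here are relative to the base DN given in the provider URL, so `ou=people` resolves to `ou=people,dc=example,dc=com`.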