realm支持LDAP

1.TW核心类

核心类com.tongweb.server.realm.JNDIRealm

2.LDAP

1.LDAP 安装

1)yum -y install openldap compat-openldap openldap-clients
openldap-servers openldap-servers-sql openldap-devel migrationtools

2)查看版本OpenLdap版本
slapd -VV
2.4.44
3)slappasswd -s 123456
xxxxxxxxxxxxxxxxxxx

4)vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
末尾添加一行
//xxxxxxxxxxxxxxxxxxx 是第三步的结果
olcRootPW: xxxxxxxxxxxxxxxxxxx
修改
olcSuffix: dc=mycompany,dc=com
olcRootDN: cn=Manager,dc=mycompany,dc=com
5)vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif

修改如下：
olcAccess: {0}to * by dn.base=“gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth” read by dn.base=“cn=Manager,dc=mycompany,dc=com” read by * none
6)验证配置是否正确
slaptest -u
7） 启动
systemctl enable slapd
systemctl start slapd
systemctl status slapd
8）查看端口
ss -lanp | grep 389
9）配置OpenLDAP数据库
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
ll /var/lib/ldap/
10)导入基本Schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
11)修改migrate_common.ph文件
vim /usr/share/migrationtools/migrate_common.ph
修改如下变量
$DEFAULT_MAIL_DOMAIN = “mycompany.com”;
$DEFAULT_BASE = “dc=mycompany,dc=com”;
$EXTENDED_SCHEMA = 1;

2.导入base
cat > /root/base.ldif << EOF
dn: dc=mycompany,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: mycompany
o: mycompany com

dn: cn=Manager,dc=mycompany,dc=com
cn: Manager
objectClass: organizationalRole
description: Directory Manager

dn: ou=people,dc=mycompany,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=jjones,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: jjones
sn: jones
cn: janet jones
mail: j.jones@mycompany.com
userPassword: janet

dn: uid=fbloggs,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: fbloggs
sn: bloggs
cn: fred bloggs
mail: f.bloggs@mycompany.com
userPassword: fred

dn: ou=groups,dc=mycompany,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=tomcat,ou=groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=jjones,ou=people,dc=mycompany,dc=com
uniqueMember: uid=fbloggs,ou=people,dc=mycompany,dc=com

dn: cn=role1,ou=groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: role1
uniqueMember: uid=fbloggs,ou=people,dc=mycompany,dc=com
EOF

3.执行命令 这里的123456是密码 记得修改
ldapadd -x -w “123456” -D “cn=Manager,dc=mycompany,dc=com” -f /root/base.ldif

ldapsearch -LLL -x -D ‘cn=Manager,dc=mycompany,dc=com’ -w “123456” -b ‘dc=mycompany,dc=com’ ‘cn=role1’
也可以不带 -D和-w 匿名查询

3.编写测试用例

1）编写web.xml

Archetype Created Web Application index.html index.htm index.jsp default.html default.htm default.jsp MyApp Config Security Constraint Protected Area /* tomcat BASIC

2)index.jsp

<%@ page language=“java” contentType=“text/html; charset=UTF-8”
pageEncoding=“UTF-8”%>

Hello World!

登陆用户：
<%=request.getRemoteUser() %>

---

用户IP：
<%=request.getRemoteAddr() %>

4.创建LDAP安全域

或者

第二种方式可以支持用户条目绑定角色，这里的，用户角色属性名称就是用户条目指定角色的属性名称，

dn: uid=jjones,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: jjones
sn: jones
cn: janet jones
mail: j.jones@mycompany.com
st:tomcat
userPassword: janet
这种形式，这里tomcat要与角色条目对应

5.部署3创建的应用
关联创建的安全域

6.访问应用输入用户名密码
jjones/janet