Posted to user@geronimo.apache.org by Kev D'Arcy <ke...@aib.ie> on 2007/02/08 13:34:35 UTC

Client certificates with LDAP

Hi all,

I'm in the process of setting up a Geronimo 1.1.1 server to use client certificates as the authentication mechanism and using an LDAP directory as the role store for authorisation purposes. I think I have the client certs working properly (all I had to do was add the truststore file to the SSL connector in tomcat and hey presto it works), however the subsequent connection to LDAP is a bit of a problem. I've created a security realm containing the relevant connection parameters, but the login process never seems to go to LDAP to retrieve the users' role list. I'm fairly sure the connection properties are correct (I did a test log in when I created the realm) and I've done a bit of digging to see what's going on under the covers.

It appears that the type of login handler being used (CertificateChainCallbackHandler) isn't compatible with the LDAPLoginModule: the ldap module tries to pass in a username/password callback which the CertificateChainCallbackHandler doesn't know how to handle.

So, I'm a bit stumped. Should the realm I've created have a reference to the fact that I'm trying to use client certs (it doesn't currently, this is only referenced in the SSL connector) or should I be looking somewhere else?

Any help would be greatly appreciated!

Kev

******************************************************
This document is strictly confidential and is intended for use by the addressee unless otherwise indicated.

This email has been scanned by an external email security system.

Allied Irish Banks
******************************************************

Re: Client certificates with LDAP

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
Hi Kev,

Geronimo currently does not support a security realm that uses digital
certificates and LDAP together.  (CertificatePropertiesFile security realm
lets you map distinguished names to usernames and then map usernames to
groups).  You will have to write a custom login module to combine digital
certificates and LDAP.

Vamsi

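Vamsi's reply says the two pieces have to be joined in a custom login module. The following is an added illustration of what that module looks like; it is not Geronimo's code and nothing in the thread supplies it. It is a JAAS LoginModule that takes its identity from the client certificate chain (the thing the CertificateChainCallbackHandler can supply) instead of asking for a username/password callback, and then queries LDAP for the groups whose membership attribute names the certificate subject. The callback class ClientCertCallback, the GroupPrincipal class and the option names (issuerDN, connectionURL, connectionUsername, connectionPassword, roleBase, roleSearchMatching, roleName) are assumptions made for the example; in a real Geronimo 1.1.1 realm you would substitute Geronimo's own certificate-chain callback and group principal types.

```java
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Hypothetical JAAS module: identity from the TLS client certificate, roles from LDAP groups. */
public class CertificateLdapLoginModule implements LoginModule {

    /** Assumed callback the realm's handler fills with the chain the SSL connector verified;
     *  Geronimo's own certificate-chain callback type would be used here in a real deployment. */
    public static class ClientCertCallback implements Callback {
        private X509Certificate[] chain;
        public void setChain(X509Certificate[] c) { chain = c; }
        public X509Certificate[] getChain() { return chain; }
    }

    /** Minimal group principal (assumed); Geronimo has its own group principal class. */
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof GroupPrincipal && name.equals(((GroupPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private X500Principal user;
    private final Set<Principal> roles = new HashSet<>();

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }

    public boolean login() throws LoginException {
        ClientCertCallback cb = new ClientCertCallback();
        try {
            handler.handle(new Callback[] { cb });        // ask for the chain, not a name/password
        } catch (Exception e) {
            throw new FailedLoginException("handler cannot supply a client certificate: " + e);
        }
        X509Certificate[] chain = cb.getChain();
        if (chain == null || chain.length == 0) throw new FailedLoginException("no client certificate presented");
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity();                          // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            throw new FailedLoginException("client certificate outside its validity period");
        }
        // Defence in depth: the connector's truststore already validated the chain, but pinning the
        // issuer here means a misconfigured connector cannot let a certificate from another CA log in.
        String issuer = (String) options.get("issuerDN");  // assumed option name
        if (issuer != null && !new X500Principal(issuer).equals(leaf.getIssuerX500Principal()))
            throw new FailedLoginException("client certificate not issued by the expected CA");
        user = leaf.getSubjectX500Principal();
        for (String r : lookupRoles(user.getName(X500Principal.RFC2253))) roles.add(new GroupPrincipal(r));
        return true;
    }

    /** Returns the names of groups whose membership attribute lists the subject DN. Option names assumed. */
    private List<String> lookupRoles(String subjectDn) throws LoginException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get("connectionURL"));       // use an ldaps:// URL
        env.put(Context.SECURITY_PRINCIPAL, (String) options.get("connectionUsername"));
        env.put(Context.SECURITY_CREDENTIALS, (String) options.get("connectionPassword"));
        String roleAttr = (String) options.get("roleName");                          // e.g. "cn"
        String filter = ((String) options.get("roleSearchMatching")).replace("{0}", escapeFilterValue(subjectDn));
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { roleAttr });
        List<String> found = new ArrayList<>();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            NamingEnumeration<SearchResult> results = ctx.search((String) options.get("roleBase"), filter, sc);
            while (results.hasMore()) {
                Attribute a = results.next().getAttributes().get(roleAttr);
                if (a != null) found.add((String) a.get());
            }
        } catch (NamingException e) {
            throw new LoginException("LDAP role lookup failed: " + e.getMessage());
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
        return found;
    }

    /** RFC 4515 escaping: the subject DN is external (CA-controlled) input, never splice it raw into a filter. */
    static String escapeFilterValue(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(user);
        subject.getPrincipals().addAll(roles);
        return true;
    }
    public boolean abort() { user = null; roles.clear(); return true; }
    public boolean logout() {
        subject.getPrincipals().remove(user);
        subject.getPrincipals().removeAll(roles);
        return abort();
    }
}
```

With roleSearchMatching set to something like (member={0}) the search relies on the directory applying DN-syntax matching to the member attribute, so differences in case and spacing between the certificate's RFC 2253 subject and the stored member value are tolerated; if the directory stores the subject in a plain string attribute instead, search for the user entry first and use the entry's own DN for the group search. The escaping step matters even though the DN comes from a certificate the CA issued: anyone able to obtain a certificate with parentheses or asterisks in a subject component could otherwise rewrite the filter. The service account named by connectionUsername should be able to read group membership and nothing else.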