securing glassfish admin console using ldap

Hi

I am new to GlassFish and this forum. I wanted to secure GlassFish using LDAP (so that we can assign a group of people to the admin role, another to the deployer role, etc.). How would I do it? I couldn't find any documentation. Any pointers are really appreciated.

Thanks
Jay

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=326015
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

Re: securing glassfish admin console using ldap

One product on the market is Sun's "Identity Management", http://developers.sun.com/identity/, which does just what you are asking for. (Full disclosure: I work for Sun. I worked in QA on it for several years. It is a mature and productive product.)

[Message sent by forum member 'rpetruzzelli' (rpetruzzelli)]
http://forums.java.net/jive/thread.jspa?messageID=326020

Re: securing glassfish admin console using ldap

Hi

Thanks for the reply. I am not looking for a directory server (we already have eDirectory and Oracle OID) that GlassFish can talk to. I am asking for GlassFish configurations to enable the admin console to talk to LDAP and authenticate console users against LDAP.

Thanks
Jay

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=326022

Re: securing glassfish admin console using ldap

You would have to create the realm named "admin-realm" in domain.xml as an LDAP-based realm as opposed to the default file realm:

    <auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="admin-realm">
      <property name="file" value="${com.sun.aas.instanceRoot}/config/admin-keyfile"/>
      <property name="jaas-context" value="fileRealm"/>
    </auth-realm>

For example, change the above to:

    <auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="admin-realm">
      <property name="directory" value="ldap://localhost:389"/>
      <property name="assign-groups" value="LDAPAuthorizedGroup"/>
      <property name="base-dn" value="dc=sun,dc=com"/>
      <property name="jaas-context" value="ldapRealm"/>
    </auth-realm>

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=326409

Re: securing glassfish admin console using ldap

Hi, thanks for the reply.

I went ahead and changed the admin-realm for the server-config and also changed the sun-web.xml and web.xml for the admintool app. Now I can log in using my LDAP credentials, but I am getting a 403 (unauthorized) error right after login. Anything else I missed?

Thanks for the help

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=327494

Re: securing glassfish admin console using ldap

What did you change in sun-web.xml and why? It would have been better to just change the admin-realm to use LDAP and leave the admin app untouched.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=327523

Re: securing glassfish admin console using ldap

I added an LDAP group in the admin role. Isn't that needed?

Thanks
Jay

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=327622

Re: securing glassfish admin console using ldap

OK, I removed all the modifications in sun-web.xml and web.xml.

I can authenticate but get a 403 error (resource is not authorizing). I guess somewhere we need to pass some attribute which will inform GlassFish that the user is in the admin role.

Thanks for your help
Jay

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=327958

Re: securing glassfish admin console using ldap

OK, I guess if you wanted to map an LDAP group to the admin role, then yes, you should modify sun-web.xml. But then the reason it may not be working is that the authorization policies for the admin app have not been regenerated after all your changes.

You would have to redeploy the admin app after your changes to force regeneration of the policies. The policy file will be located in:

    glassfish\domains\domain1\generated\policy\adminapp\adminapp\granted.policy

If you look, by default it has a grant statement only for the group named "asadmin", so if for some reason you are unable to force a redeploy of the adminapp, you can actually edit the granted.policy file and add a second grant ... { } for the LDAP group. The contents could be an identical copy of the contents for the "asadmin" group.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=328126

Re: securing glassfish admin console using ldap

That worked perfectly. Thanks for your help

Jay

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=328169

Re: securing glassfish admin console using ldap

Well, spoke too soon.

I am able to browse through the console, issue asadmin commands, etc. However, node agents are not starting up (saying admin user is not in the correct group). It's failing in the sync stage.

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=328530

Re: securing glassfish admin console using ldap

Let me know how we can help. I guess if you have done manual steps, not going via admin commands, then sync-up would be a problem. Can you do a manual sync-up?

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=328577

Re: securing glassfish admin console using ldap

Hi Kumarjayanti

It would really help if I could get the checklist (or things to do) for what I am trying to achieve. I wanted to secure the admin console using LDAP so that we can grant admin access to different people based on LDAP groups. Here are the steps I did:

1. Modify admin-realm in server-config with LDAP settings
2. Modify sun-web.xml for both the adminapp and admingui applications under $GF_HOME/lib/install/applications
3. Modify granted.policy for both these apps under $GF_HOME/domains/domain1/generated/policy

With these settings I can log in to the console, etc. However, node agents don't start. I have a feeling that either the DAS or the node agents are still looking at some keyfile or password file.

I upgraded to 2.1 today. Here, instead of modifying the admin-realm, I created a new LDAP realm and pointed the adminapp/admingui apps to this realm. Now, apparently, node agents are getting a 403 error from http://$hostname:4848/web1/remotejmx. I tried the JMX URL and it's prompting for the LDAP realm. When I start the node agent, which credentials does it pick up and send to the DAS (or is it the other way around)?

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=328856

Re: securing glassfish admin console using ldap

Hi Kumarjayanti

How do I force redeploy the adminapp application?

Thanks
Jay

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=329526

Re: securing glassfish admin console using ldap

Will try to get our Admin folks to see this thread and respond.

[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=331452

Re: securing glassfish admin console using ldap

We will need to reproduce this in order to ascertain. But it looks to me that if you are getting 403, somehow the node-agent startup is not sending the right user name and password (the same as the pair you are entering on the adminGUI console). I will look into this shortly. What LDAP do you use?

Thanks,
Kedar

[Message sent by forum member 'km' (km)]
http://forums.java.net/jive/thread.jspa?messageID=331457

Re: securing glassfish admin console using ldap

Hi Kumarjayanti & Kedar

Thanks for responding. The problem has been resolved. Basically, for group-search-filter, instead of uniquemember, we had to put member (we use Novell eDirectory).

The other thing I didn't know was the hard dependency on the asadmin group. I had added other group names in the admin-role (in sun-web.xml), but the JMX queries from node agents (while starting up) were failing. When I created an asadmin group, the problem went away.

Thanks
Jay

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=331549

Re: securing glassfish admin console using ldap

Jay,

Glad to know that it has worked for you. I am still unsure of why you had to modify the granted.policy and sun-web.xml. It should not be required. Both the admingui and adminapp sun-web.xml have asadmin as the group and the domain.xml has admin-realm mapped to LDAP, so my understanding was that if you would just change the admin-realm to point to LDAP (instead of the default FILE realm), it should have worked.

Yes, making the group configurable is something we are thinking of. Kumar -- we need to talk about it.

Now that the problem has been resolved for you, may I request an FAQ entry from you with exact instructions on how to do this?
http://wiki.glassfish.java.net/Wiki.jsp?page=GlassFishUserFAQ#section-GlassFishUserFAQ-Security

BTW, you didn't tell me which LDAP you are using. I want to try it out myself.

Regards,
Kedar

[Message sent by forum member 'km' (km)]
http://forums.java.net/jive/thread.jspa?messageID=331628

Re: securing glassfish admin console using ldap

Hi Kedar

We use Novell eDirectory for LDAP.

Modifying sun-web.xml is not required if we need to have the asadmin group in LDAP. I was trying a different group and not asadmin. In that case, we have to add that group in sun-web.xml for admin-role (unless you find a better way for a configurable admin group). However, that effort didn't work - looks like the JMX authorization is based on membership of the asadmin group. The admin console worked just fine without the asadmin group.

[Message sent by forum member 'jaymalya' (jaymalya)]
http://forums.java.net/jive/thread.jspa?messageID=331648
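
Added example, not part of the thread and not GlassFish code: a Python check of the admin-realm in a domain.xml fragment against the points the thread arrived at (LDAPRealm class, ldapRealm JAAS context, a group-search-filter that matches the directory's member attribute). The sample XML is constructed from the posted realm; the function name, the ldaps:// check and the assign-groups check are additions, the last because assign-groups gives its groups to every user the realm authenticates.

```python
import xml.etree.ElementTree as ET

LDAP_REALM = "com.sun.enterprise.security.auth.realm.ldap.LDAPRealm"

# Constructed sample: the LDAP admin-realm posted in the thread, with the
# group-search-filter the eDirectory setup finally needed.
SAMPLE = """<security-service>
  <auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="admin-realm">
    <property name="directory" value="ldap://localhost:389"/>
    <property name="assign-groups" value="LDAPAuthorizedGroup"/>
    <property name="base-dn" value="dc=sun,dc=com"/>
    <property name="jaas-context" value="ldapRealm"/>
    <property name="group-search-filter" value="member=%d"/>
  </auth-realm>
</security-service>"""


def audit_admin_realm(xml_text, member_attr="member", admin_group="asadmin"):
    """Return findings for the admin-realm of a domain.xml fragment."""
    # member_attr: attribute the directory stores group members in
    # (caller-supplied; "member" for the thread's eDirectory).
    root = ET.fromstring(xml_text)
    realm = next((r for r in root.iter("auth-realm")
                  if r.get("name") == "admin-realm"), None)
    if realm is None:
        return ["no auth-realm named admin-realm"]
    if realm.get("classname") != LDAP_REALM:
        return ["admin-realm is not an LDAPRealm"]
    props = {p.get("name"): p.get("value", "") for p in realm.findall("property")}
    findings = []
    if props.get("jaas-context") != "ldapRealm":
        findings.append("jaas-context is not ldapRealm")
    if not props.get("directory", "").lower().startswith("ldaps://"):
        findings.append("directory is not ldaps://, so binds are not encrypted")
    # LDAPRealm falls back to uniquemember=%d when the property is absent.
    group_filter = props.get("group-search-filter", "uniquemember=%d")
    if group_filter.split("=", 1)[0].strip("( ").lower() != member_attr.lower():
        findings.append("group-search-filter does not use " + member_attr)
    # assign-groups adds its groups to every user the realm authenticates.
    assigned = [g.strip() for g in props.get("assign-groups", "").split(",")]
    if admin_group in assigned:
        findings.append("assign-groups gives " + admin_group + " to all users")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_realm(SAMPLE):
        print(finding)
```

The check only reads configuration; whether a group named asadmin exists in the directory, which the thread found node agents depend on, still has to be confirmed against the LDAP server itself.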