
Monday, July 17, 2006

Managing Application Server 8.1 EE via LDAP authentication
Petr has a blog entry on setting up LDAP for the Sun Application Server for user authentication via an LDAP Realm. However, what if you want to enable the Application Server administrator (admin) to authenticate via LDAP as well?

There are a few steps you have to take to accomplish this. The first is to install the latest Application Server patch. For the Solaris x86 package install, this is patch ID 119167-16. If you check out the patch README, it should fix bug ID 6338508.

Update: additional patch IDs:

Package-based patches:
119166-16 (Solaris SPARC), 119167-16 (Solaris x86), 119168-16 (Linux)

File-based patches:
EE:
119169-08 (Solaris SPARC), 119170-08 (Solaris x86), 119171-08 (Linux),
119172-08 (Windows)

PE:
119173-08 (Solaris SPARC), 119174-08 (Solaris x86), 119175-08 (Linux),
119176-08 (Windows)

Here are the high-level steps:
Since I am interested in automating the task, as opposed to using the GUI, here are the steps via the CLI. First up are the asadmin commands for configuring the admin server itself (server-config). Note that my settings are particular to my laptop. Also note that setting a property with no value (for example, property.file=) is intentional: it removes the given property, so the realm no longer falls back to the file-based keyfile. Modify the directory and base-dn properties to your values accordingly:

asadmin set server-config.security-service.auth-realm.admin-realm.classname=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm

asadmin set server-config.security-service.auth-realm.admin-realm.property.file=

asadmin set server-config.security-service.auth-realm.admin-realm.property.directory=ldap://das:389

asadmin set server-config.security-service.auth-realm.admin-realm.property.base-dn=dc=West,dc=Sun,dc=COM

asadmin set server-config.security-service.auth-realm.admin-realm.property.jaas-context=ldapRealm

As noted in the high-level steps, restart the DAS. Via SMF, that's "svcadm restart das". When SMF shows a status of running (check via "svcs das"), run the following:

asadmin set default-config.security-service.auth-realm.admin-realm.classname=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm

asadmin set default-config.security-service.auth-realm.admin-realm.property.file=

asadmin set default-config.security-service.auth-realm.admin-realm.property.directory=ldap://das:389

asadmin set default-config.security-service.auth-realm.admin-realm.property.base-dn=dc=West,dc=Sun,dc=COM

asadmin set default-config.security-service.auth-realm.admin-realm.property.jaas-context=ldapRealm
Run the following for each node agent. Note that my node agent name below is app1-node-agent. I doubt yours is ( :) ), so modify accordingly:

asadmin set domain.node-agent.app1-node-agent.auth-realm.classname=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm

asadmin set domain.node-agent.app1-node-agent.auth-realm.property.file=

asadmin set domain.node-agent.app1-node-agent.auth-realm.property.jaas-context=ldapRealm

asadmin set domain.node-agent.app1-node-agent.auth-realm.property.directory=ldap://das:389

asadmin set domain.node-agent.app1-node-agent.auth-realm.property.base-dn=dc=West,dc=Sun,dc=COM

Last, if you have any clusters configured, you will want to run the following commands on the cluster-configs. In the example below, my cluster config happens to be zone-cluster-config. Modify accordingly:

asadmin set zone-cluster-config.security-service.auth-realm.admin-realm.classname=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm

asadmin set zone-cluster-config.security-service.auth-realm.admin-realm.property.file=

asadmin set zone-cluster-config.security-service.auth-realm.admin-realm.property.directory=ldap://das:389

asadmin set zone-cluster-config.security-service.auth-realm.admin-realm.property.base-dn=dc=West,dc=Sun,dc=COM

asadmin set zone-cluster-config.security-service.auth-realm.admin-realm.property.jaas-context=ldapRealm
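The four blocks above (server-config, default-config, each node agent, each cluster config) are the same five "asadmin set" calls with a different path prefix. The script below is an added example, not part of the original post: it generates those commands for a given scope so the directory URL and base DN are set in exactly one place, can print them for review before anything is changed, and only then runs them. The scope names, the optional ldapsearch reachability check, and the LDAP_URL/BASE_DN defaults (taken from the post) are assumptions; substitute your own directory and base DN, and remember that the post restarts the DAS after the server-config step and before touching default-config.

```shell
#!/bin/sh
# Added example (not from the original post). Generates and optionally runs the
# asadmin "set" commands that point an admin-realm at LDAPRealm.
# Assumed values: override LDAP_URL and BASE_DN in the environment.
LDAP_URL="${LDAP_URL:-ldap://das:389}"             # directory from the post; assumption
BASE_DN="${BASE_DN:-dc=West,dc=Sun,dc=COM}"        # base DN from the post; assumption
LDAP_REALM_CLASS=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm

# realm_prefix SCOPE: map a scope to the dotted path of its auth-realm.
#   config:<name>      -> <name>.security-service.auth-realm.admin-realm
#                         (server-config, default-config, <cluster>-config)
#   node-agent:<name>  -> domain.node-agent.<name>.auth-realm
realm_prefix() {
  case "$1" in
    config:*)     printf '%s.security-service.auth-realm.admin-realm' "${1#config:}" ;;
    node-agent:*) printf 'domain.node-agent.%s.auth-realm' "${1#node-agent:}" ;;
    *)            echo "unknown scope: $1" >&2; return 1 ;;
  esac
}

# ldap_realm_commands SCOPE: print the five asadmin set commands, one per line,
# in the same order the post uses for each config.
ldap_realm_commands() {
  p=$(realm_prefix "$1") || return 1
  printf 'asadmin set %s.classname=%s\n' "$p" "$LDAP_REALM_CLASS"
  # An empty value removes the property, dropping the file-realm keyfile fallback.
  printf 'asadmin set %s.property.file=\n' "$p"
  printf 'asadmin set %s.property.directory=%s\n' "$p" "$LDAP_URL"
  printf 'asadmin set %s.property.base-dn=%s\n' "$p" "$BASE_DN"
  printf 'asadmin set %s.property.jaas-context=ldapRealm\n' "$p"
}

# ldap_preflight: confirm the directory answers at LDAP_URL before the realm is
# switched, since a wrong URL or base DN here locks the admin out. Uses an
# anonymous base-scope search with OpenLDAP's ldapsearch if it is installed
# (assumption: ldapsearch on PATH; returns 2 when it is not).
ldap_preflight() {
  command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not found; skipping check" >&2; return 2; }
  ldapsearch -x -H "$LDAP_URL" -b "$BASE_DN" -s base -LLL dn >/dev/null
}

# apply_ldap_realm SCOPE [--dry-run]: run the commands for SCOPE, or just print
# them when --dry-run is given. Stops at the first failing command.
apply_ldap_realm() {
  scope=$1; mode=${2:-run}
  ldap_realm_commands "$scope" | while IFS= read -r cmd; do
    if [ "$mode" = "--dry-run" ]; then
      echo "$cmd"
    else
      sh -c "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    fi
  done
}

# Demo, only when RUN_DEMO=1: print the whole sequence from the post without
# executing anything. The restart between the first two scopes is manual.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  apply_ldap_realm config:server-config --dry-run
  echo "# svcadm restart das ; wait for 'svcs das' to show online"
  for s in config:default-config node-agent:app1-node-agent config:zone-cluster-config; do
    apply_ldap_realm "$s" --dry-run
  done
fi
```

Run it with RUN_DEMO=1 to see every command it would issue; drop --dry-run in your own call only once the preflight search succeeds against the same LDAP_URL and BASE_DN the realm will be given.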

That pretty much sums it up. Hopefully you see the pattern. If, after you run these commands, you find yourself locked out, uummm, crap. Can't help you :) FYI, when figuring out how to do this, I utilized ZFS snapshots just in case I screwed it up. Which I did :) I'll blog later this week (tomorrow?) on how I sped up the trial-and-error testing with ZFS snapshots.
(2006-07-17 10:54:28.0)
