Saturday, September 27, 2008

OpenDS LDAP and GlassFish Configuration


A question was posted to our JUG mailing list on how to lock a directory which contained an Adobe™ PDF file. In this example I want to cover a couple of really cool technologies, and how to implement them.

OpenDS is a project hosted on It is an open source directory server which is based on the Sun™ SunOne™ Directory server and its predecessors (Netscape™ iPlanet™). It has a binary, or a Java™ Webstart deployment mechanism. It has a simple quick start setup including SSL based LDAP, and directory replication.

This is a simple to install, easy to use and configure, no-nosense LDAP server. It is a great server for prototyping.

Project Glassfish is an open source Java EE application server. It is simple to install and configure, and easy to use. The chances are pretty good that if you are reading this blog, you are familiar with its enormous benefits.


The developer has a pdf file that is located inside a web project on the web server. The file can be bookmarked by users, but the developer wants to make sure that the user authenticates with the server before the file is displayed.

Software and Files Required


1. Download and install Glassfish

Note: When Glassfish is installed it creates its own self-signed SSL certificates. We will use this certificate later.
2. Start the installation of OpenDS

3. Create a new instance.

4. Accept the default installation directory. Set the password for the cn=Directory Manager to test.

5. Press the Configure button to configure the secure LDAP connection.
  • Set the Key Store Type to Java Key Store (JKS).
  • Set the key store path to point to the keystore.jks file located in the GLASSFISH_HOME/domains/domain1/config directory.
  • Set the Key Store Pin to changeit.

Note: "changeit" is the default password to the keystore. You will need to "change it" for a production system.

6. Select the default for topology options and continue to Directory Data Next.

  • Directory Data should have the default Directory Base DN: dc=example,dc=com
  • Select Import Data from LDIF file and use this example.ldif file. Next.

Note: I have created a pre-generated list of users previously. In this example, I have created a group and assigned it members. So to simplify the example, please use the example.ldif file.

7. Review the selections and Finish.

8. Authenticate with the server using cn=Directory Manager and password "test".

Note: A message will pop-up asking if you want to accept the certificate for the LDAP server. Use the this session only option.

Congrats. You now have a running LDAP server.

If you want to explore the contents of the directory use a tool like JXplorer, or Apache Directory Studio.

Now we need to configure our LDAP Security Realm in Glassfish. You may have multiple realms in Glassfish to accommodate application requirements.

1. Start Glassfish and login on http://localhost:4848. The default user is admin and password is adminadmin.

2. Go to Configuration --> Security --> Realms. Create a new Realm

  • Name: OpenDS
  • Class:
  • JAAS context: ldapRealm
  • Directory: ldaps://localhost:1636
  • Base DN: dc=example, dc=com
  • Assign Group: ou=Groups,dc=example,dc=com
3. Add a property called group-target.
  • group-search-filter: member=%d

Note: The group-search-filter defines the attribute to look at when determining members of the groups. It may be member, memberurl, etc. depending on how you define your groups. In the example.ldif file, I have define the group as a groupOfNames which contains member [0...] attributes. The %d format expands to match the Relative Distinguished Name (RDN).

4. Save and you are done.

You have now configured Glassfish to use OpenDS.

Note: Since we configured it to use secure LDAP, remember to configure your server to use SSL to authenticate users. Otherwise the secure LDAP portion is a waste if the users are transmitting their usernames and passwords in cleartext over the network
I have created a sample Netbeans project which takes advantage of the new LDAP authentication. The project creates a page with a link to a PDF file located in a secured directory. The directory requires the user to authenticate using basic authentication implemented in the browser. If you fail to authenticate, it will produce a 403 error. The project is located here.

Once you successfully authenticate, you will see a list of popular software that runs on Glassfish.


Popular Posts