Using multiple authentication providers (LDAP, flat file, Database) to authenticate login in WASCE

Technote (FAQ)


Question

How do you set up multiple realm binding in IBM WebSphere ILOG Rule Team Server for .NET?

Cause

At different stages of a project it may be more convenient to log in with the default accounts (rstUser, rtsAdmin, ...), but as the project evolves you also need to integrate more users who are probably already identified in a different system (LDAP, database).

Answer

WAS CE allows you to check a login/password against up to 5 login modules (for instance an LDAP directory, a flat file and a database) from a single security realm.

To set up multiple realm binding, create a new realm (type: Other) and then, as shown in the attached image, define each Login Module as you would for a single realm. Note that the order of the Login Modules matters: it defines the order in which the credentials are validated.

As long as you do not provide your own security mechanism, you do not need to supply a JAR containing your implementation (Login Module JAR).

The available Login Module classes are:
org.apache.geronimo.security.realm.providers.LDAPLoginModule
org.apache.geronimo.security.realm.providers.FileAuditLoginModule (records authentication attempts to a file; it does not authenticate anyone by itself, so it cannot be the only module in the chain)
org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule
org.apache.geronimo.security.realm.providers.SQLLoginModule

The Control Flag (REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL) on each module implements cascading authentication logic with the standard JAAS meaning: a REQUIRED module must succeed, but the remaining modules are still consulted; a REQUISITE module must succeed, and a failure stops the chain immediately; a SUFFICIENT module that succeeds ends the chain with success unless an earlier REQUIRED or REQUISITE module failed; an OPTIONAL module's result only matters when no REQUIRED or REQUISITE module is configured. A common setup is therefore SUFFICIENT on the flat-file module (so the default accounts such as rtsAdmin are accepted locally) followed by REQUIRED on the LDAP module; putting the LDAP module first with REQUIRED would instead make every login, including rtsAdmin, depend on the directory. (See the URL section for more information.)

The Configuration Options depend on the module used; a link is available in the URL section.
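As an added worked example (not from this technote and not an IBM-supplied file), this is what such a chained realm looks like as a WAS CE 2.1 / Geronimo 2.1 security-realm deployment plan, which is what the console wizard generates for a realm of type Other. The realm name customRealm matches the name used in the deployment plan below; the properties-file paths, LDAP host, bind DN, bind password and search bases are assumptions that must be replaced with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed example realm plan for WAS CE 2.1 (Geronimo 2.1); not an IBM-supplied file. -->
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>console.realm</groupId>
      <artifactId>customRealm</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>org.apache.geronimo.framework</groupId>
        <artifactId>j2ee-security</artifactId>
        <type>car</type>
      </dependency>
    </dependencies>
  </environment>

  <!-- realmName must be the same string as <security-realm-name> in prod_rtswar_plan.xml -->
  <gbean name="customRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">customRealm</attribute>
    <reference name="ServerInfo"><name>ServerInfo</name></reference>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">

        <!-- 1. Local flat file first, SUFFICIENT: a valid default account
             (rtsAdmin, ...) is accepted here and LDAP is never consulted;
             a user unknown to the file falls through to the next module.
             File paths are assumptions, relative to the server home. -->
        <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
          <log:login-domain-name>customRealm-file</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
          <log:option name="usersURI">var/security/rts_users.properties</log:option>
          <log:option name="groupsURI">var/security/rts_groups.properties</log:option>
        </log:login-module>

        <!-- 2. Corporate directory, REQUIRED: anyone not in the file must
             bind successfully against LDAP. Host, bind DN, password and
             search bases are placeholders. -->
        <log:login-module control-flag="REQUIRED" wrap-principals="false">
          <log:login-domain-name>customRealm-ldap</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.LDAPLoginModule</log:login-module-class>
          <log:option name="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</log:option>
          <log:option name="connectionURL">ldap://ldap.example.com:389</log:option>
          <log:option name="connectionUsername">cn=rts-bind,ou=service,dc=example,dc=com</log:option>
          <log:option name="connectionPassword">changeit</log:option>
          <log:option name="authentication">simple</log:option>
          <log:option name="userBase">ou=people,dc=example,dc=com</log:option>
          <log:option name="userSearchMatching">uid={0}</log:option>
          <log:option name="userSearchSubtree">true</log:option>
          <log:option name="roleBase">ou=groups,dc=example,dc=com</log:option>
          <log:option name="roleName">cn</log:option>
          <log:option name="roleSearchMatching">(uniqueMember={0})</log:option>
          <log:option name="roleSearchSubtree">true</log:option>
        </log:login-module>

      </log:login-config>
    </xml-reference>
  </gbean>
</module>
```

Two practical points. First, the bind password (connectionPassword) sits in clear text in this plan and in the server's repository once deployed, so use a read-only service account, restrict the file permissions, and prefer an ldaps:// connectionURL so neither the bind password nor the users' passwords cross the network in the clear. Second, the group names returned by roleName are what you map in the <principal> entries of prod_rtswar_plan.xml; for Active Directory the user filter is typically sAMAccountName={0} and the group membership filter (member={0}) rather than the uid/uniqueMember pair shown here.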



To make Rule Team Server use the new providers, change the deployment plan C:\Program Files\IBM\WebSphere\ILOG Rule Team Server\Config\prod_rtswar_plan.xml and declare the new realm in it:

<security-realm-name>customRealm</security-realm-name> <!-- change the name to the new realm just defined -->

<role role-name="rtsAdministrator">
    <realm realm-name="ldap-realm"><!-- Add your administrator security roles here if needed -->
        <principal name="ScottTiger" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" designated-run-as="true"/>
        <principal name="jrules-user-group" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true"/>
        <principal name="jrules-expert-group" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true"/>
        <principal name="rules-editors" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true"/>
        <principal name="rules-dotnet-developer" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true"/>
        <principal name="rules-support" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true"/>
        <principal name="rtsAdministrator" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
    </realm>
</role>

.... repeat the same process for each role.

In the example above, the principals come from three different sources, which the original distinguishes by typeface:

  • bold for the customFileRealm (the default),
  • underlined for the IBM Tivoli realm, and
  • italic for another LDAP (Active Directory).

The class attribute of each principal also states whether the name is a user (GeronimoUserPrincipal) or a group (GeronimoGroupPrincipal) in that realm.

Once you have changed the deployment plan, apply it by running the following command from the Config directory:

..\tools\ant\bin\ant -f build_wizard.xml update.config.teamserver.prod

This updates C:\Program Files\IBM\WebSphere\ILOG Rule Team Server\applicationservers\WebSphereCE21\teamserver.war with the new definition. Then, from the Administration console, redeploy this file, and Rule Team Server will use the new realm.

Related information

Control flag definition
Configuration Options


Document information


More support for:

WebSphere ILOG Rule Team Server

Software version:

7.0, 7.1

Operating system(s):

Windows

Reference #:

1577455

Modified date:

2014-02-26
