You can use the fully qualified Kerberos principal name for authorization instead of
using simple mapping or writing your own custom JAAS login module.
About this task
These steps are rarely needed. Follow them only if you specifically choose not to use
simple mapping, which is the default configuration, and also choose not to add a JAAS custom login module
that maps the fully qualified Kerberos principal name to a user in the Liberty server user registry. This task lets
you use the fully qualified Kerberos principal name itself for authorization.
Procedure
- Configure SPNEGO authentication to not trim the Kerberos realm name from the fully
  qualified Kerberos principal name by setting the trimKerberosRealmNameFromPrincipal
  attribute to false.
- Configure the Liberty server to use either stand-alone LDAP or federated repositories.
- Make sure that the Active Directory user exists in the LDAP user registry and that this user
  has a single userPrincipalName attribute associated with it.
- Update the LDAP filter in the server.xml file to search on the userPrincipalName
  attribute, as shown in the following example. Because the filter is an XML attribute
  value, the LDAP ampersand must be written as &amp; for the file to be well formed:

    <activedLdapFilterProperties id="myactivedfilters"
        userFilter="(&amp;(userPrincipalName=%v))"
        groupFilter="(&amp;(cn=%v))"
        userIdMap="*:userPrincipalName"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member">
    </activedLdapFilterProperties>
- Configure the application bindings for the corresponding application to use the fully
  qualified Kerberos principal name as the user name along with a properly configured
  access-id. For example:

    <application type="war" id="myApp" name="myApp" location="${server.config.dir}/apps/myApp.war">
        <application-bnd>
            <security-role name="Employee">
                <user name="kevin@MYDOMAIN.EXAMPLE.COM" access-id="CN=kevin,CN=Users,DC=MYDOMAIN,DC=EXAMPLE,DC=COM"/>
                ...
            </security-role>
            ...
        </application-bnd>
    </application>
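The following server.xml puts the five steps above together in one file. It is added here as an illustration and is not taken from the IBM documentation: the feature list, the canonicalHostName, the krb5.conf and keytab paths, the LDAP host, base DN, bind DN and bind password are assumed placeholders for a stand-alone Active Directory registry, while the filter properties and the application binding repeat the values shown in the steps.

```xml
<server description="SPNEGO with the fully qualified Kerberos principal used for authorization">

    <!-- Assumed feature set; keep whatever features your server.xml already enables. -->
    <featureManager>
        <feature>spnego-1.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- Step 1: keep the realm in the principal name, so the authenticated user is
         kevin@MYDOMAIN.EXAMPLE.COM rather than kevin. Host name and file paths are placeholders. -->
    <spnego id="mySpnego"
            canonicalHostName="liberty.mydomain.example.com"
            krb5Config="${server.config.dir}/resources/security/krb5.conf"
            krb5Keytab="${server.config.dir}/resources/security/krb5.keytab"
            trimKerberosRealmNameFromPrincipal="false" />

    <!-- Steps 2 and 3: stand-alone Active Directory registry. The AD user must carry exactly one
         userPrincipalName. Host, base DN and bind credentials are placeholders; store the real
         bind password encoded, not in clear text. -->
    <ldapRegistry id="ad" realm="MYDOMAIN.EXAMPLE.COM"
                  host="ad.mydomain.example.com" port="389"
                  ldapType="Microsoft Active Directory"
                  baseDN="DC=MYDOMAIN,DC=EXAMPLE,DC=COM"
                  bindDN="CN=libertybind,CN=Users,DC=MYDOMAIN,DC=EXAMPLE,DC=COM"
                  bindPassword="REPLACE_WITH_ENCODED_BIND_PASSWORD"
                  activedFilterRef="myactivedfilters" />

    <!-- Step 4: look users up by userPrincipalName; the LDAP ampersand is escaped for XML. -->
    <activedLdapFilterProperties id="myactivedfilters"
        userFilter="(&amp;(userPrincipalName=%v))"
        groupFilter="(&amp;(cn=%v))"
        userIdMap="*:userPrincipalName"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member" />

    <!-- Step 5: the role binding names the full principal and carries the user's DN as access-id. -->
    <application type="war" id="myApp" name="myApp" location="${server.config.dir}/apps/myApp.war">
        <application-bnd>
            <security-role name="Employee">
                <user name="kevin@MYDOMAIN.EXAMPLE.COM"
                      access-id="CN=kevin,CN=Users,DC=MYDOMAIN,DC=EXAMPLE,DC=COM"/>
            </security-role>
        </application-bnd>
    </application>

</server>
```

The three parts depend on each other: trimKerberosRealmNameFromPrincipal="false" is what makes the SPNEGO user name carry the @MYDOMAIN.EXAMPLE.COM suffix, the userPrincipalName filter is what lets the registry find that suffixed name, and the binding's user name must be spelled identically for the Employee role to be granted. If the attribute were left at its default, the name presented for authorization would be the trimmed kevin and the binding above would not match.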