Jenkins : Delegate security to servlet container

About this document

This is more specific to Tomcat than to Hudson, but since I did this configuration for Hudson, I think it can help someone here.

Existing Realms

There are 5 existing realms for Tomcat 6:

  • JDBCRealm - Accesses authentication information stored in a relational database, accessed via a JDBC driver.
  • DataSourceRealm - Accesses authentication information stored in a relational database, accessed via a named JNDI JDBC DataSource.
  • JNDIRealm - Accesses authentication information stored in an LDAP based directory server, accessed via a JNDI provider.
  • MemoryRealm - Accesses authentication information stored in an in-memory object collection, which is initialized from an XML document (conf/tomcat-users.xml).
  • JAASRealm - Accesses authentication information through the Java Authentication & Authorization Service (JAAS) framework.

See Tomcat documentation here for more information.

Specific need

For my company I needed LDAP authentication combined with Hudson authorization management (roles maintained locally).
So I simply had to mix JNDIRealm and JDBCRealm.

The result is LdapJdbcRealm (LdapJdbcRealm.java, LdapJdbcRealm.class). It only involves overriding a few methods of the existing realms.
Its parameters are likewise a mix of both realms' parameters; see the server.xml template in the installation steps.

Installation steps (Tomcat 6.x)

  1. Copy the Mysql JDBC driver to your %CATALINA_HOME%/lib (get it here)
  2. Copy this .class file to %CATALINA_HOME%/lib/org/apache/catalina/realm folder
  3. Update the server.xml configuration file (%CATALINA_HOME%/conf). Use the following template for the LdapJdbcRealm configuration:
    <Realm className="org.apache.catalina.realm.LdapJdbcRealm" debug="99"
            connectionName="_your bind account DN_"
            connectionPassword="_your bind account password, if anonymous bind is not supported_"
            connectionURL="_LDAP server URL (like ldap://ldapserver:389)_"
            userPattern="_pattern to search your user_"
            roleBase="dummyValue"
            roleSubtree="true"
            roleName="groupMembership"
            roleSearch="cn=DummyValue"
            driverName="com.mysql.jdbc.Driver"
            dbConnectionURL="jdbc:mysql://localhost:3306/hudson_users?user=userForDatabase&amp;password=userpassword"
            dbConnectionName="userForDatabase"
            dbConnectionPassword="userpassword"
            userTable="users"
            userNameCol="user_name"
            userRoleTable="user_roles"
            roleNameCol="role_name"
          />

  4. Create your users database. See here for scripts to create it.
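To make the "override a few methods" idea and the template attributes concrete, here is an added illustration of such a mixed realm. It is not the LdapJdbcRealm.java attached to this page, and the class name LdapJdbcRealmExample is a placeholder. It assumes the Tomcat 6 API (JNDIRealm's protected getUser/checkCredentials/authenticate methods, the four-argument GenericPrincipal constructor and RealmBase's containerLog) and that the role table is the only database table needed, since the password is verified in LDAP; the attribute names are the ones from the server.xml template above.

```java
package org.apache.catalina.realm;

import java.security.Principal;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import javax.naming.NamingException;
import javax.naming.directory.DirContext;

/**
 * Illustrative LDAP-authentication / JDBC-authorization realm for Tomcat 6.
 * Added example, not the LdapJdbcRealm.java attached to the page.
 */
public class LdapJdbcRealmExample extends JNDIRealm {

    // Set by Tomcat's digester from the server.xml attributes of the same name
    protected String driverName;
    protected String dbConnectionURL;
    protected String dbConnectionName;
    protected String dbConnectionPassword;
    protected String userTable = "users";        // accepted for template compatibility, unused
    protected String userNameCol = "user_name";
    protected String userRoleTable = "user_roles";
    protected String roleNameCol = "role_name";

    public void setDriverName(String driverName) { this.driverName = driverName; }
    public void setDbConnectionURL(String url) { this.dbConnectionURL = url; }
    public void setDbConnectionName(String name) { this.dbConnectionName = name; }
    public void setDbConnectionPassword(String password) { this.dbConnectionPassword = password; }
    public void setUserTable(String table) { this.userTable = table; }
    public void setUserNameCol(String col) { this.userNameCol = col; }
    public void setUserRoleTable(String table) { this.userRoleTable = table; }
    public void setRoleNameCol(String col) { this.roleNameCol = col; }

    /**
     * JNDIRealm calls this with an open directory context. User lookup and the
     * password check stay in LDAP; only the role list comes from the database, so
     * roleBase/roleSearch from server.xml are never consulted (hence the dummy values).
     */
    @Override
    protected Principal authenticate(DirContext context, String username, String credentials)
            throws NamingException {
        if (username == null || credentials == null) {
            return null;
        }
        User user = getUser(context, username);
        if (user == null || !checkCredentials(context, user, credentials)) {
            return null;                       // unknown user or wrong password
        }
        List<String> roles = getDatabaseRoles(username);
        // Tomcat 6's GenericPrincipal takes the owning realm as its first argument
        return new GenericPrincipal(this, username, credentials, roles);
    }

    /** Reads the roles of one user from userRoleTable; empty list if none or on DB error. */
    protected List<String> getDatabaseRoles(String username) {
        List<String> roles = new ArrayList<String>();
        // Table and column names come from server.xml (administrator-controlled);
        // the username is bound as a parameter so it can never alter the query.
        String sql = "SELECT " + roleNameCol + " FROM " + userRoleTable
                   + " WHERE " + userNameCol + " = ?";
        Connection conn = null;
        try {
            Class.forName(driverName);
            conn = DriverManager.getConnection(dbConnectionURL, dbConnectionName, dbConnectionPassword);
            PreparedStatement ps = conn.prepareStatement(sql);
            try {
                ps.setString(1, username);
                ResultSet rs = ps.executeQuery();
                while (rs.next()) {
                    roles.add(rs.getString(1));
                }
                rs.close();
            } finally {
                ps.close();
            }
        } catch (ClassNotFoundException e) {
            containerLog.error("JDBC driver not found: " + driverName, e);
        } catch (SQLException e) {
            containerLog.error("Role lookup failed for user " + username, e);
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { }
            }
        }
        return roles;
    }
}
```

A database error yields a principal with no roles rather than a login failure, which fails closed for authorization while still surfacing the problem in the container log; if you prefer to refuse logins entirely in that case, return null from authenticate when getDatabaseRoles reports an error.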

Once you have done that, Hudson should authenticate users against the LDAP server and take their authorization (roles) from your local database.

Attachments:

LdapJdbcRealm.java (application/octet-stream)
LdapJdbcRealm.class (application/octet-stream)