如果您使用了 Jazz™ Team Server 设置向导来创建 Tomcat 配置文件,那么会自动完成此过程,您不需要配置 Web 容器。
关于此任务
如果您更愿意在 Apache Tomcat 中为 LDAP 手动配置 Web 容器,请遵循下列步骤:
过程
- 打开 JazzInstallDir/server/tomcat/conf/server.xml 文件以进行编辑,并在注释中放置以下标记:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"
digest="SHA-1"
digestEncoding="UTF-8"/>
- 根据您使用的目录,添加下列其中一个标记:
对 Oracle Internet Directory (OID) 添加以下标记,并更改信息以与您的配置相匹配:
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://ldap.company.com:389"
roleBase="cn=Groups,dc=company,dc=com"
roleSearch="(uniquemember={0})"
roleName="cn"
userBase="cn=Users,dc=company,dc=com"
userSearch="(uid={0})"/>
对 Microsoft Active Directory 添加以下标记,并更改信息以与您的配置相匹配:
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://ldap.company.com:3268"
authentication="simple"
referrals="follow"
connectionName="cn=LDAPUser,ou=Service Accounts,dc=company,dc=com"
connectionPassword="VerySecretPassword"
userSearch="(sAMAccountName={0})"
userBase="dc=company,dc=com"
userSubtree="true"
roleSearch="(member={0})"
roleName="cn"
roleSubtree="true"
roleBase="dc=company,dc=com"/>
对 Tivoli® Directory Server 添加以下标记,并更改信息以与您的配置相匹配:
<RealmclassName="org.apache.catalina.realm.JNDIRealm"
debug="9"
connectionURL="ldap://Machine where TDS is installed>:389"
userBase="o=company.com"
userSearch="(mail={0})"
userSubtree="true"
roleBase="o=company.com"
roleSubtree="true"
roleSearch="(member={0})"
roleName="cn"/>
- 打开 JazzInstallDir/server/tomcat/webapps/app name/WEB-INF/web.xml 以进行编辑,其中 app name 是已安装的应用程序,例如 jts、ccm、qm 或 rm。
- 在您已打开的文件中,链接和映射对于安全角色的安全角色引用:
<web-app id="WebApp">
<servlet id="bridge">
<servlet-name>equinoxbridgeservlet</servlet-name>
<display-name>Equinox Bridge Servlet</display-name>
<description>Equinox Bridge Servlet</description>
<servlet-class>org.eclipse.equinox.servletbridge.BridgeServlet</servlet-class>
<init-param><!-- ... --></init-param>
<!-- ... -->
<load-on-startup>1</load-on-startup>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<security-role-ref>
<role-name>JazzAdmins</role-name>
<role-link>[LDAP Group for Jazz admins]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzDWAdmins</role-name>
<role-link>[LDAP Group for Jazz data warehouse admins]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzGuests</role-name>
<role-link>[LDAP Group for Jazz guests]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzUsers</role-name>
<role-link>[LDAP Group for Jazz users]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzProjectAdmins</role-name>
<role-link>[LDAP Group for Jazz project admins]</role-link>
</security-role-ref>
</servlet>
<!-- ... -->
</web-app>
使用下列标记将 LDAP 组声明为安全角色:
<web-app id="WebApp">
<servlet id="bridge">
<!-- ... -->
<security-role>
<role-name>JazzAdmins</role-name>
<role-name>JazzDWAdmins</role-name>
<role-name>JazzGuests</role-name>
<role-name>JazzUsers</role-name>
<role-name>JazzProjectAdmins</role-name>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<role-name>[LDAP Group for Jazz Admins]</role-name>
<role-name>[LDAP Group for Jazz Data Warehouse Admins]</role-name>
<role-name>[LDAP Group for Jazz Guests]</role-name>
<role-name>[LDAP Group for Jazz Users]</role-name>
<role-name>[LDAP Group for Jazz Project Admins]</role-name>
<!-- End Addendum -->
</security-role>
<!-- ... -->
</web-app>
使用下列标记来更新 security-constraint 部分:
<web-app id="WebApp">
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JazzUsers</role-name>
<role-name>JazzAdmins</role-name>
<role-name>JazzGuests</role-name>
<role-name>JazzDWAdmins</role-name>
<role-name>JazzProjectAdmins</role-name>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<role-name>[LDAP Group for Jazz Admins]</role-name>
<role-name>[LDAP Group for Jazz Data Warehouse Admins]</role-name>
<role-name>[LDAP Group for Jazz Guests]</role-name>
<role-name>[LDAP Group for Jazz Users]</role-name>
<role-name>[LDAP Group for Jazz Project Admins]</role-name>
<!-- End Addendum -->
</auth-constraint>
<user-data-constarint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- ... -->
</web-app>
通过引用 Jazz 组对每个 security-constraint 重复相同的添加内容:
<web-app id="WebApp">
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>adminsecure</web-resource-name>
<url-pattern>/admin/cmd/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JazzAdmins</role-name>
<!-- Addendum -->
<role-name>[LDAP Group for Jazz Admins]</role-name>
<!-- End addendum -->
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- ... -->
</web-app>