Hi Kev,

Geronimo currently does not support a security realm that uses digital certificates and LDAP together. (CertificatePropertiesFile security realm lets you map distinguished names to usernames and then map usernames to groups). You will have to write a custom login module to combine digital certificates and LDAP.

Vamsi
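The custom login module Vamsi describes would have to do two things that the stock LDAPLoginModule does not: take its identity from the certificate chain the SSL connector already verified (via the CertificateChainCallbackHandler mentioned below) instead of asking for a name and password, and then use the certificate's subject DN to look up group membership in LDAP. The sketch below is an added example, not code from this thread or from the Geronimo project. It assumes a Geronimo callback class `org.apache.geronimo.security.jaas.CertificateChainCallback` with a `getCertificateChain()` accessor, the principal classes `GeronimoUserPrincipal` and `GeronimoGroupPrincipal` from `org.apache.geronimo.security.realm.providers`, and realm option names (`connectionURL`, `connectionUsername`, `connectionPassword`, `roleBase`, `roleName`, `roleSearchMatching`) chosen to mirror the LDAPLoginModule's; all of these should be checked against the Geronimo version in use.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Assumed Geronimo classes; verify the package and method names against your release.
import org.apache.geronimo.security.jaas.CertificateChainCallback;
import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;

public class CertificateLdapLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map options;
    private String subjectDn;                     // DN of the verified client certificate
    private final Set roles = new HashSet();      // group names resolved from LDAP
    private final Set principals = new HashSet(); // principals added in commit(), removed in logout()

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
        this.options = options;
    }

    public boolean login() throws LoginException {
        // Ask the handler for the chain; CertificateChainCallbackHandler can answer this
        // callback, whereas it cannot answer the Name/PasswordCallback LDAPLoginModule sends.
        CertificateChainCallback chainCallback = new CertificateChainCallback();
        try {
            handler.handle(new Callback[] { chainCallback });
        } catch (Exception e) {
            throw new LoginException("No certificate chain available: " + e);
        }
        Certificate[] chain = chainCallback.getCertificateChain();
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new FailedLoginException("Client did not present an X.509 certificate");
        }
        // chain[0] is the end-entity certificate. Its DN is only trustworthy because the
        // SSL connector validated the chain against its truststore before we got here.
        subjectDn = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();

        DirContext ctx = null;
        try {
            ctx = connect();
            lookupRoles(ctx);
        } catch (NamingException e) {
            throw new LoginException("LDAP role lookup failed: " + e);
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
        return true;
    }

    // Bind with the realm's own service account; nothing from the client is used as a credential.
    private DirContext connect() throws NamingException {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get("connectionURL"));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, (String) options.get("connectionUsername"));
        env.put(Context.SECURITY_CREDENTIALS, (String) options.get("connectionPassword"));
        return new InitialDirContext(env);
    }

    // Find group entries whose member attribute names the certificate's subject DN,
    // e.g. roleBase=ou=groups,dc=example,dc=com  roleName=cn  roleSearchMatching=(member={0})
    private void lookupRoles(DirContext ctx) throws NamingException {
        String roleName = (String) options.get("roleName");
        String template = (String) options.get("roleSearchMatching");
        // Escape the DN so a certificate with an unusual subject cannot reshape the filter.
        String escaped = escapeFilterValue(subjectDn);
        int at = template.indexOf("{0}");
        String filter = at < 0 ? template : template.substring(0, at) + escaped + template.substring(at + 3);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { roleName });
        NamingEnumeration results = ctx.search((String) options.get("roleBase"), filter, sc);
        while (results.hasMore()) {
            Attribute a = ((SearchResult) results.next()).getAttributes().get(roleName);
            if (a != null) roles.add(a.get().toString());
        }
    }

    // RFC 4515 escaping for a value substituted into an LDAP search filter.
    static String escapeFilterValue(String v) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c == '\\') sb.append("\\5c");
            else if (c == '*') sb.append("\\2a");
            else if (c == '(') sb.append("\\28");
            else if (c == ')') sb.append("\\29");
            else if (c == '\0') sb.append("\\00");
            else sb.append(c);
        }
        return sb.toString();
    }

    public boolean commit() throws LoginException {
        principals.add(new GeronimoUserPrincipal(subjectDn));
        for (Iterator it = roles.iterator(); it.hasNext();) {
            principals.add(new GeronimoGroupPrincipal((String) it.next()));
        }
        subject.getPrincipals().addAll(principals);
        return true;
    }

    public boolean abort() throws LoginException { subjectDn = null; roles.clear(); principals.clear(); return true; }

    public boolean logout() throws LoginException {
        subject.getPrincipals().removeAll(principals);
        return abort();
    }
}
```

Two points matter more than the code itself. The module never authenticates anything: it trusts the DN only because the connector was configured to require and verify client certificates (clientAuth on the SSL connector with the truststore Kev describes), so a realm that uses this module must not be reachable over a connector that merely requests a certificate. And the LDAP search binds with a fixed service account and escapes the DN before putting it in the filter; without the escaping, a DN containing `*` or parentheses would change which groups the search returns.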

On 2/8/07, Kev D'Arcy <[EMAIL PROTECTED]> wrote:

Hi all,

I'm in the process of setting up a Geronimo 1.1.1 server to use client certificates as the authentication mechanism and using an LDAP directory as the role store for authorisation purposes. I think I have the client certs working properly (all I had to do was add the truststore file to the SSL connector in tomcat and hey presto it works), however the subsequent connection to LDAP is a bit of a problem. I've created a security realm containing the relevant connection parameters, but the login process never seems to go to LDAP to retrieve the user's role list. I'm fairly sure the connection properties are correct (I did a test log in when I created the realm) and I've done a bit of digging to see what's going on under the covers.

It appears that the type of login handler being used (CertificateChainCallbackHandler) isn't compatible with the LDAPLoginModule: the ldap module tries to pass in a username/password callback which the CertificateChainCallbackHandler doesn't know how to handle.

So, I'm a bit stumped. Should the realm I've created have a reference to the fact that I'm trying to use client certs (it doesn't currently, this is only referenced in the SSL connector) or should I be looking somewhere else?

Any help would be greatly appreciated!

Kev

Allied Irish Banks
