Diffstat (limited to 'pki/base/kra/shared/conf/server.xml')
-rw-r--r-- | pki/base/kra/shared/conf/server.xml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index fcd849ef2..58121d448 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -229,8 +229,58 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. -->
+ 
+ <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
+ -->
+ 
+ <!-- Custom PKIJNDI realm
+ 
+ Example:
+ 
+ <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" : classpath to realm
+ connectionURL="ldap://localhost:389" : standard JNDI connection URL
+ userBase="ou=people,dc=localhost-pki-kra" : standard JNDI userBase property
+ userSearch="(description={0})" : Attribute to search for user of incoming client auth certificate
+ : Use userSearch="(UID={0})" if wanting to search isolate user based on UID
+ : Also set the following: certUIDLabel="UID" or whatever the field containing
+ : the user's UID happens to be. This will cause the incoming's cert dn to be
+ : be searched for <certUIDLabel>=<uid value>
+ 
+ certAttrName="userCertificate" : Attribute containing user's client auth certificate
+ roleBase="ou=groups,dc=localhost-pki-kra" : Standard JNDI search base for roles or groups
+ roleName="cn" : Standard attribute name containg roles or groups
+ roleSubtree="true" : Standard JNDI roleSubtree property
+ roleSearch="(uniqueMember={0})" : How to search for a user in a specific role or group
+ connectionName="cn=Directory Manager" : Connection name, needs elevated privileges
+ connectionPassword="secret123" : Password for elevated user
+ aclBase ="cn=aclResources,dc=localhost-pki-kra" : Custom base location of PKI ACL's in directory
+ aclAttrName="resourceACLS" : Name of attribute containing PKI ACL's
+ />
+ 
+ Uncomment and customize below to activate Realm.
+ Also umcomment Security Constraints and login config values
+ in WEB-INF/web.xml as well.
+ -->
+ 
+ <!--
+ <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm"
+ connectionURL="ldap://localhost:389"
+ userBase="ou=people,dc=localhost-pki-kra"
+ userSearch="(description={0})"
+ certAttrName="userCertificate"
+ roleBase="ou=groups,dc=localhost-pki-kra"
+ roleName="cn"
+ roleSubtree="true"
+ roleSearch="(uniqueMember={0})"
+ connectionName="cn=Directory Manager"
+ connectionPassword="netscape"
+ aclBase ="cn=aclResources,dc=localhost-pki-kra"
+ aclAttrName="resourceACLS"
+ />
+ 
+ -->
 <!-- Define the default virtual host Note: XML Schema validation will not work with Xerces 2.2. |
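Review bot: The ready-to-uncomment PKIJNDIRealm block at the end of the hunk ships a concrete directory-administrator credential, `connectionName="cn=Directory Manager"` with `connectionPassword="netscape"`, and the annotated example above it uses a different value, `secret123`; an administrator who follows the "Uncomment and customize below" instruction ends up with a cleartext Directory Manager password in server.xml unless they notice and change it. Replace both values with an obviously-placeholder token in the file's existing bracket style, e.g. `connectionPassword="[PKI_LDAP_BIND_PASSWORD]"` (a placeholder, not an existing substitution token), and extend the `: Connection name, needs elevated privileges` annotation to say that a dedicated bind DN with read access limited to userBase, roleBase and aclBase should be used instead of Directory Manager, and that server.xml must stay readable only by the PKI service account once a real password is entered. The same comment should note that `ldap://localhost:389` is a non-TLS URL, so the bind password crosses the wire in cleartext unless the directory is on the same host or the URL is changed to ldaps. Minor wording in the added comment: `umcomment` → `uncomment`, `containg` → `containing`, and `aclBase =` carries a stray space before `=` in both samples. The container element that encloses these Realm entries begins and ends outside the hunk.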