How to Turn on Server-side AD Authentication for Lucee

Here are the instructions I use whenever I need to remember how to set up server-side Active Directory authentication on a Lucee server. They are really instructions for Apache Tomcat, the servlet container Lucee runs on, so the same steps work for any Tomcat-hosted application.

Step 1)

Define a global "Realm" that holds the LDAP connection details.

We will need to edit the server.xml file. This file is located here for me:
c:\Lucee-express\conf\server.xml
But it might also be located here: /data/lucee/tomcat/conf/server.xml
The server.xml file may be in a slightly different place for you, but it's always in the conf directory.

Add the following XML inside the "<Engine>" section. A container holds exactly one Realm, so if there is already a <Realm> directly under <Engine> (Tomcat's stock server.xml ships with a LockOutRealm wrapping the UserDatabaseRealm used by the manager app), replace it or nest both inside a CombinedRealm; if you simply add a second one, only the last Realm declared is used.

<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://YOURSERVERNAME:PORT"
    userSearch="(samAccountName={0})"
    userSubtree="true"
    userBase="YOURPARAMSGOHERE"
    connectionName="USERNAME"
    connectionPassword="PASSWORD"
/>

What the attributes do: connectionURL is the domain controller (389 is plain LDAP, 636 is LDAPS); userSearch is the filter Tomcat runs with {0} replaced by the name typed into the browser; userBase is the DN the search starts from, and userSubtree="true" makes it recurse into child OUs; connectionName and connectionPassword are the account Tomcat binds with to run that search. Tomcat then verifies the user's password by binding to AD as the DN it found.

Your own AD credentials will work for testing, but for production set up a dedicated service account that can only read the directory: its password sits in server.xml in plaintext, so restrict who can read that file. Use ldaps:// (port 636) rather than ldap:// for the connectionURL; otherwise the service-account password, and every user's password that Tomcat binds with to verify a login, crosses the network unencrypted.

Step 2)

Now that we have an LDAP Realm defined, we need to tell the web application to require HTTP Basic authentication for every URL. Basic authentication sends the username and password base64-encoded on every request, so the site must be served over HTTPS; adding a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the security constraint makes Tomcat enforce that.

Create a WEB-INF/web.xml file below your web root and put all of the following XML in there (if the file already exists, add just the security-constraint, login-config and security-role elements to it rather than overwriting it):

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>test</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.cfm</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.cfm</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>All pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
</web-app>

Step 3)

Restart Lucee

Finished!

Users are now prompted for their AD credentials before they reach any page, and Tomcat has already checked the password against AD before Lucee sees the request, so no CFML code ever handles a password. The role name "*" together with the matching <security-role> is how Tomcat expresses "any authenticated user"; Servlet 3.1, which this web.xml declares, also accepts the role name "**" with the same meaning and no <security-role> needed. If the application needs to know who logged in, the login name is in cgi.remote_user.
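As an added example that is not part of the original post, here is a small Python script that checks the Step 1 Realm and Step 2 web.xml fragments for the settings a security review would flag (plaintext LDAP, a literal bind password, Basic auth without forced HTTPS, the debug attribute from the logging section further down, which Tomcat 8 does not recognise) and carries a corrected copy of each fragment beside the original. The hostname, OU paths, service-account name and password in the samples are made up, and the web.xml copies have the welcome-file list trimmed; the `${ldap.bind.password}` reference relies on Tomcat's `${...}` substitution of system properties in server.xml.

```python
"""Lint the Realm and web.xml fragments from this how-to (added example).

All four XML strings are constructed samples, not files read from a server.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

JEE = "{http://xmlns.jcp.org/xml/ns/javaee}"  # default namespace of web.xml

# Constructed sample: the Step 1 Realm with placeholders filled in and the
# debug="99" attribute from the logging section appended.
REALM_AS_POSTED = """<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://dc01.corp.example:389"
  userSearch="(samAccountName={0})"
  userSubtree="true"
  userBase="OU=Users,DC=corp,DC=example"
  connectionName="CN=svc-lucee-ldap,OU=Service Accounts,DC=corp,DC=example"
  connectionPassword="hunter2"
  debug="99"/>"""

# Corrected form: LDAPS to the domain controller, the bind password taken
# from a system property (set in catalina.properties or with -D) instead of
# a literal, and no debug attribute.
REALM_HARDENED = """<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldaps://dc01.corp.example:636"
  userSearch="(sAMAccountName={0})"
  userSubtree="true"
  userBase="OU=Users,DC=corp,DC=example"
  connectionName="CN=svc-lucee-ldap,OU=Service Accounts,DC=corp,DC=example"
  connectionPassword="${ldap.bind.password}"/>"""

# Constructed sample: the Step 2 web.xml with the welcome-file list trimmed.
WEB_XML_AS_POSTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name></web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>*</role-name></security-role>
</web-app>"""

# Corrected form: HTTPS forced for the protected URLs and the Servlet 3.1
# "any authenticated user" role (**), which needs no <security-role>.
WEB_XML_HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def lint_realm(realm_xml):
    """Return a list of findings for a JNDIRealm element; an empty list means clean."""
    realm = ET.fromstring(realm_xml)
    if realm.get("className") != "org.apache.catalina.realm.JNDIRealm":
        return ["not a JNDIRealm, nothing checked"]
    findings = []
    if urlparse(realm.get("connectionURL", "")).scheme != "ldaps":
        findings.append("plaintext LDAP: the bind password and every user's "
                        "password cross the network unencrypted; use ldaps://")
    password = realm.get("connectionPassword", "")
    if password and not password.startswith("${"):
        findings.append("literal connectionPassword in server.xml; move it to a "
                        "system property and restrict read access to the file")
    if realm.get("debug") is not None:
        findings.append("debug is not a JNDIRealm attribute on Tomcat 8 and is "
                        "ignored; configure conf/logging.properties instead")
    if "{0}" not in realm.get("userSearch", ""):
        findings.append("userSearch has no {0} placeholder for the login name")
    return findings


def lint_web_xml(web_xml):
    """Return a list of findings for the security-constraint setup of a web.xml."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter(JEE + "security-constraint"):
        name = sc.findtext(JEE + "web-resource-collection/" + JEE + "web-resource-name") or ""
        if not name.strip():
            findings.append("empty web-resource-name; give the constraint a name")
        guarantee = sc.findtext(JEE + "user-data-constraint/" + JEE + "transport-guarantee")
        if guarantee != "CONFIDENTIAL":
            findings.append("no CONFIDENTIAL transport-guarantee: BASIC sends "
                            "base64 credentials on every request, so force HTTPS")
        roles = [r.text for r in sc.iter(JEE + "role-name")]
        if "*" in roles:
            findings.append("role '*' depends on Tomcat honouring a declared '*' "
                            "security-role; Servlet 3.1 spells this '**'")
    return findings


if __name__ == "__main__":
    for label, xml_text, lint in (("Realm as posted", REALM_AS_POSTED, lint_realm),
                                  ("Realm hardened", REALM_HARDENED, lint_realm),
                                  ("web.xml as posted", WEB_XML_AS_POSTED, lint_web_xml),
                                  ("web.xml hardened", WEB_XML_HARDENED, lint_web_xml)):
        print(label, "->", lint(xml_text) or "no findings")
```

Running it prints three findings for each fragment as posted and none for the corrected copies; the corrected Realm still needs the bind password placed in catalina.properties (or passed with -D) with permissions as tight as server.xml itself, since substitution only moves the secret, it does not remove it.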

If you need to turn on LDAP logging (the output goes to Tomcat's catalina log; turn it back off when you are done, since at this level the realm logs the user DNs and search filters for every login):

Step 1)

Add
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

to /data/lucee/tomcat/conf/logging.properties

Step 2)

Older write-ups, including the one in the Sources below, also add debug="99" to the end of the Realm like this. On Tomcat 6 and later the Realm has no debug property (it is not listed in the Tomcat 8 JNDIRealm reference in the Sources), so Tomcat logs a warning that it did not find a matching property and ignores the attribute; the logging.properties change in Step 1 is what actually produces the output:

<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://YOURSERVERNAME:PORT"
userSearch="(samAccountName={0})"
userSubtree="true"
userBase="YOURPARAMSGOHERE"
connectionName="USERNAME"
connectionPassword="PASSWORD"
debug="99"
/>

Sources

https://tomcat.apache.org/tomcat-8.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#JNDIRealm
http://dev-answers.blogspot.com/2010/03/enable-debugtrace-level-logging-for.html
