Try Free

Payara Server LDAP Integration – Part 1: Configuring the LDAP Server

Uncategorized
Fabio Turizo
Published: 04 Nov 2016
Updated: 04 Aug 2025

If you work in an organization with a robust IT department, it’s very likely that you are using a LDAP server to handle your user directory information. You probably have to follow some general guidelines dictating that all web applications deployed within the organization’s infrastructure must access this user directory; and must authenticate and authorize the users that will interact with them. This is a very common scenario nowadays.

 

In this three-parts article series I will illustrate the implementation of the LDAP integration using a sample scenario: integrate Payara Server with a LDAP user directory and manage the authentication and authorization of a sample web application.

 

Starting the LDAP Server

There are many different LDAP server implementations in the market today (in both commercial and open source models). For our scenario, we will quickly start an OpenDJ instance using a Docker container and set up a directory domain with some test users and groups.

 

First, we start with a new Docker image that will download the OpenDJ binaries and run them in a container. This is a Java based image, since OpenDJ needs the JDK to run:

FROM java:8
MAINTAINER Fabio Turizo <fabio.turizo@payara.fish>
WORKDIR /opt
ENV JAVA_HOME /usr/lib/jvm/java-8-openjdk-amd64/
ENV MVN_REPO=https://maven.forgerock.org/repo/repo/org/forgerock/opendj
ENV OPENDJ_VERSION=3.0.0
ENV SERVER_PATH opendj-server-legacy
RUN curl $MVN_REPO/$SERVER_PATH/$OPENDJ_VERSION/$SERVER_PATH $OPENDJ_VERSION.zip 
         -o /tmp/opendj.zip && 
    unzip /tmp/opendj.zip -d /opt && 
    rm /tmp/opendj.zip
ADD run.sh /opt/opendj/run.sh
ADD users.ldif /opt/opendj/initial.ldif
EXPOSE 1389 4444
WORKDIR /opt/opendj
CMD ["./run.sh"]

 

 

You will notice that we are using 2 external files in this image: run.sh and users.ldif. Let’s start with the users.ldif file, which we are using to create a starting set of users and groups:

dn: dc=payara,dc=fish
objectClass: top
objectClass: domain
dc: payara

dn: cn=Alfa Michael,dc=payara,dc=fish
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: malfa
mail: malfa@payara.fish
givenName: Michael
sn: Alfa
cn: Alfa Michael
userPassword: {SSHA}nirDyc9/XKLXqUqlR3sqD1De3qhybUqZQeU8pg==
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

dn: cn=Beta Carol,dc=payara,dc=fish
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: cbeta
mail: cbeta@payara.fish
givenName: Carol
sn: Beta
cn: Beta Carol
userPassword: {SSHA}ALhq+r+G3znVsPH70FkzyhHRZiN092w1GXiAZw==

dn: cn=Omega John,dc=payara,dc=fish
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jomega
mail: jomega@payara.fish
givenName: John
sn: Omega
cn: Omega John
userPassword: {SSHA}KVj0XDak6E+IRecFkkCveTzsmW014IlGN2LlWg==

dn: cn=Admins,dc=payara,dc=fish
objectClass: groupOfNames
objectClass: top
member: cn=Alfa Michael,dc=payara,dc=fish
description: Administrators
cn: Admins
entryUUID: b7f3af29-3834-4765-9978-33e419073a65
createTimestamp: 20161019012425Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

dn: cn=Common,dc=payara,dc=fish
objectClass: groupOfNames
objectClass: top
member: cn=Beta Carol,dc=payara,dc=fish
member: cn=Omega John,dc=payara,dc=fish
description: Common Users
cn: Common
entryUUID: 8bc4ac5c-3313-4f9d-a111-6c933191fb2d
createTimestamp: 20161019012453Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

 

The contents of this file will allow us to create an initial set of 3 users (Michal Alfa, Carol Beta and John Omega) and 2 groups (Admin and Common). These objects are under the dc=payara, dc=fish base domain name.

 

Finally, we have the run.sh file. This file handles the OpenDJ installation and initialization using bash scripting:

#!/usr/bin/env bash
cd /opt/opendj/

if [ ! -d ./data/config ] ; then
  echo "Executing OpenDJ first setup"

  MANAGER_USER=${MANAGER:-"cn=Directory Manager"}
  BASE_DN=${BASE_DN:-"dc=payara,dc=fish"}
  PASSWORD=${PW:-admin}

  ./setup --cli --hostname localhost --ldapPort 1389 --rootUserDN "${MANAGER_USER}" 
          --rootUserPassword "${PASSWORD}" --backendType pdb --baseDN "${BASE_DN}" 
          --ldifFile "/opt/opendj/initial.ldif" --acceptLicense --no-prompt 
   --noPropertiesFile
else
  echo "Starting OpenDJ"
  ./bin/start-ds
fi

if (bin/status -n -w "${PASSWORD}" | grep Started); then
   echo "OpenDJ is running"
   while true; do sleep 100000; done
fi

 

This bash script will detect if there’s a previous OpenDJ installation (by checking out if the local data directory ./data/config exists). If not, it will setup OpenDJ using the command line interface option of the setup binary utility. The script provides the values for the installation options (root user, root password, LDAP port, etc.), but some of them can be changed with environment variables (${MANAGER}, ${PASSWORD}, etc.). If OpenDJ is already installed, then the script will simply start the server.

 

Finally, we let the script run the container indefinitely by starting an infinite loop that sleeps the input at frequent intervals.

 

Now, we proceed to build this image:

docker build -t fturizo/opendj .

And then start a new container with it:

docker run -d -p 1389:1389 -v ~/opendj-data:/opt/opendj/data –-name=opendj fturizo/opendj

You can now connect to this LDAP server using port 1389. Using an LDAP Browser tool, we can check that our schema was imported correctly and the OpenDJ server is running:

 

1- ldap-browser-check.jpg

Click here for Part 2, where we look at configuring LDAP Realm and creating a web application.

Click here for Part 3, where we go through the process of extracting user information. 

Share:

Contents
Download Payara Platform Community

Comments (2)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

  1. Andreas Gottardi

    Hi,
    great tutorial! Thanks for that, but are you going to cover a LDAP integration for the administration console in one of the later parts? I don’t know if it is possible but it would be very useful if I can define a group of administrators who have access to the administration console so that I don’t have to store a password and everyone is using the same password.
    Thanks! Bye.

    Reply
    1. Fabio Turizo

      Hi Andreas,

      Thank you for your kind comments! In the following part that will be published today we will tackle the domain configuration and the asadmin commands to integrate the server with the user directory. Feel free to keep asking questions if something’s not clear enough.

      Reply

Related Posts

kubernetes docker 7 minutes
Cloud & Microservices
Luqman Saeed
17 Jul 2025

Multi-stage Docker Builds for Efficient Jakarta EE Deployments with Payara

Enterprise Jakarta EE applications require extensive tooling during development – Maven for dependency management, full JDKs for compilation, and […]

Read More
5 minutes
Cloud & Microservices
Chiara Civardi
19 May 2025

Mitigating Kubernetes Misconfigurations: How To Secure Your Deployments

Almost any developer looking to leverage containers turns to Kubernetes (K8s) for orchestration. However, with its complexity comes security risks, particularly […]

Read More
6 minutes
Uncategorized
Chiara Civardi
12 Mar 2025

Conf42 IoT 2024: At the Edge of Robotic Applications

At the latest Conf42 Internet of Things (IoT) 2024 conference, our Payarans deliver a keynote, titled “At the Edge […]

Read More