DS 7.1.7

Install a DSML Gateway

The DSML gateway web application translates each HTTP request into one or more LDAP requests. The translation depends on the DSML protocol. For authentication, you must configure how HTTP user IDs map to LDAP identities.

Figure 1. Requests Through a DSML Gateway

The DSML gateway functions as a web application in a web application container.

The DSML gateway runs independently of the directory service.

You configure the gateway to access a directory service by editing parameters in the gateway configuration file, WEB-INF/web.xml:

  1. Prepare for installation.

  2. Deploy the .war file according to the instructions for your web application container.

  3. Edit WEB-INF/web.xml to ensure the parameters are correct.

    For details, see Configure DSML Access.

  4. Configure your web application container to use HTTPS for secure connections to the gateway.

    See your web application container documentation for details.

  5. Restart the web application according to the instructions for your web application container.

Configure DSML Access

Directory Services Markup Language (DSML) client access is implemented as a servlet web application. You edit the WEB-INF/web.xml file after deploying the web application.

The DSML configuration parameters are the following:

ldap.host

The hostname of the underlying directory service.

Default: localhost

ldap.port

The LDAP port number of the underlying directory service.

Default: 389

ldap.userdn

Optional parameter specifying the DN to bind to the underlying directory service.

Default: anonymous bind

ldap.userpassword

Optional parameter specifying the password to bind to the underlying directory service.

Default: anonymous bind

ldap.authzidtypeisid

Use this parameter to set up the DSML gateway to do HTTP Basic Access Authentication, given an appropriate mapping between the user ID and the user's entry in the directory.

This is a boolean parameter specifying whether the Basic credentials in the request's HTTP Authorization header field hold a plain ID rather than a DN.

If set to true, the gateway performs an LDAP SASL bind using SASL PLAIN (enabled by default in DS servers), looking for an exact match between a uid value in the server and the plain ID from the header.

For example, if the plain ID is bjensen, then the bind DN is uid=bjensen,ou=people,dc=example,dc=com.

Configure DS identity mappers as necessary to use a different attribute than uid. For background information, see Identity Mappers.

Default: false

ldap.usessl

Whether ldap.port uses LDAPS.

Default: false

ldap.usestarttls

Whether to use StartTLS when connecting to ldap.port.

Default: false

ldap.trustall

Whether to blindly trust all server certificates when using LDAPS or StartTLS.

Default: false

ldap.truststore.path

The truststore used to verify server certificates when using LDAPS or StartTLS.

Required when using LDAPS or StartTLS and ldap.trustall is false.

ldap.truststore.password

The password to read the truststore.

Required when using a truststore with a password.
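The parameters above interact: TLS to the directory is off unless ldap.usessl or ldap.usestarttls is set, ldap.trustall=true silently disables certificate verification, and a TLS connection without ldap.trustall needs ldap.truststore.path. The following is an added example, not ForgeRock code, that reads the ldap.* parameters out of a WEB-INF/web.xml and reports such weak or inconsistent settings. It assumes the gateway reads its parameters as servlet init-param entries in web.xml (the servlet-class value, the host ds.example.com, the truststore path and the password are placeholders, and the two parameter sets are constructed, one weak and one hardened).

```python
"""Audit a DSML gateway WEB-INF/web.xml for weak ldap.* connection settings.

Added example, not part of the DS documentation or product. The servlet
init-param layout is an assumption; compare it with the deployed web.xml.
"""
import xml.etree.ElementTree as ET

# Documented defaults for the ldap.* parameters.
DEFAULTS = {
    "ldap.host": "localhost",
    "ldap.port": "389",
    "ldap.authzidtypeisid": "false",
    "ldap.usessl": "false",
    "ldap.usestarttls": "false",
    "ldap.trustall": "false",
}

# Constructed web.xml skeleton; the servlet-class value is a placeholder.
WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>DSMLServlet</servlet-name>
    <servlet-class>REPLACE_WITH_GATEWAY_SERVLET_CLASS</servlet-class>
{params}
  </servlet>
  <servlet-mapping>
    <servlet-name>DSMLServlet</servlet-name>
    <url-pattern>/DSMLServlet</url-pattern>
  </servlet-mapping>
</web-app>
"""


def render_web_xml(params):
    """Build a constructed web.xml from a dict of ldap.* parameters."""
    entries = "\n".join(
        "    <init-param><param-name>{}</param-name>"
        "<param-value>{}</param-value></init-param>".format(name, value)
        for name, value in params.items())
    return WEB_XML_TEMPLATE.format(params=entries)


def parse_params(xml_text):
    """Collect every <init-param> name/value pair, ignoring XML namespaces."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "init-param":
            continue
        name = value = None
        for child in elem:
            local = child.tag.split("}")[-1]
            if local == "param-name":
                name = (child.text or "").strip()
            elif local == "param-value":
                value = (child.text or "").strip()
        if name:
            found[name] = value
    return found


def audit(params):
    """Return (severity, message) findings; severity is ERROR, WARN or INFO."""
    cfg = {**DEFAULTS, **params}

    def enabled(key):
        return (cfg.get(key) or "false").lower() == "true"

    use_ssl, use_starttls = enabled("ldap.usessl"), enabled("ldap.usestarttls")
    trust_all = enabled("ldap.trustall")
    findings = []
    if trust_all:
        findings.append(("ERROR", "ldap.trustall=true: any server certificate is "
                         "accepted, so an impersonated directory is not detected"))
    if not use_ssl and not use_starttls:
        findings.append(("WARN", "neither ldap.usessl nor ldap.usestarttls is set: "
                         "bind credentials and DSML traffic cross the network in cleartext"))
    if use_ssl and use_starttls:
        findings.append(("WARN", "ldap.usessl and ldap.usestarttls are both true; enable only one"))
    if (use_ssl or use_starttls) and not trust_all and not cfg.get("ldap.truststore.path"):
        findings.append(("ERROR", "TLS is enabled and ldap.trustall is false, "
                         "but ldap.truststore.path is missing"))
    if cfg.get("ldap.userdn") and not cfg.get("ldap.userpassword"):
        findings.append(("WARN", "ldap.userdn is set without ldap.userpassword"))
    if enabled("ldap.authzidtypeisid"):
        findings.append(("INFO", "HTTP Basic IDs are matched against uid via SASL PLAIN; "
                         "configure an identity mapper to use another attribute"))
    return findings


def audit_web_xml(xml_text):
    """Parse a web.xml document and audit its ldap.* parameters."""
    return audit(parse_params(xml_text))


# Constructed settings: a weak configuration and its hardened counterpart.
WEAK_PARAMS = {
    "ldap.host": "ds.example.com", "ldap.port": "636",
    "ldap.usessl": "true",
    "ldap.trustall": "true",              # accepts any certificate
    "ldap.authzidtypeisid": "true",
}
HARDENED_PARAMS = {
    "ldap.host": "ds.example.com", "ldap.port": "636",
    "ldap.usessl": "true",
    "ldap.trustall": "false",
    "ldap.truststore.path": "/path/to/truststore",  # placeholder path
    "ldap.truststore.password": "REPLACE_ME",       # placeholder
    "ldap.authzidtypeisid": "true",
}

if __name__ == "__main__":
    for label, params in (("weak", WEAK_PARAMS), ("hardened", HARDENED_PARAMS)):
        print(label)
        for severity, message in audit_web_xml(render_web_xml(params)):
            print("  [{}] {}".format(severity, message))
```

Run it against a deployed file with audit_web_xml(open("WEB-INF/web.xml").read()); the weak sample reports the ldap.trustall problem and the hardened sample only the informational note about uid matching.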

For initial testing purposes, try JXplorer, where the DSML service path is /webapp-dir/DSMLServlet, and webapp-dir is the name of the directory holding the DSML .war.

Copyright © 2010-2023 ForgeRock, all rights reserved.