<!--Read Only "ACME" LDAP Example--> <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-LDAP-acme-config.xml</value>
For ease of readability the following section uses the notational device ID_HOME to represent the file path GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/organization/, as this directory is the root of all GateIn Portal's identity-related configuration.
LDAP (Lightweight Directory Access Protocol) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource-intensive.
Using a client/server architecture, LDAP provides a reliable means to create a central information directory accessible from the network. When a client attempts to modify information within this directory, the server verifies the user has permission to make the change, and then adds or updates the entry as requested. To ensure the communication is secure, the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) cryptographic protocols can be used to prevent an attacker from intercepting the transmission.
LDAP provides the protocols required to manage the data stored in a Directory Server. A Directory Server contains information about resources available (user accounts and printers for example) and their location on the network.
The following table is a list of Directory Servers that are supported and certified in GateIn Portal.
|
Directory Server |
Version |
|
OpenDS |
1.2 and 2.0 |
|
OpenLDAP |
2.4 |
|
Red Hat Directory Server |
7.1 |
|
Sun Java System Directory Server |
6.1 |
|
Microsoft Active Directory |
Windows Server 2008 |
GateIn Portal includes several example LDAP configuration .xml files and .ldif (LDAP Data Interchange Format) data files.
These examples are in the ID_HOME/picketlink-idm/examples directory and can be deployed in a testing environment to assist in configuring LDAP.
Install your LDAP server by following the installation instructions provided for the product you are using.
If you are installing the Red Hat Directory Server, you should refer to the Installation Guide at http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/index.html.
If you are using a third party directory server (OpenDS, OpenLDAP or Microsoft Active Directory), refer the appropriate documentation for that product.
The following values provide an example of working configuration settings for the different Directory Servers:
|
Directory Server |
root user Distinguished Name (DN) |
Password |
Port |
Admin Port |
Base DN |
Database Population |
SSO/TLS |
|
RHDS and OpenDS |
cn=Directory Manager |
password |
1389 |
4444 |
dc=example,dc=com |
"Only create the base entry" |
no SSO, no TLS |
|
MSAD |
CN=Users |
|
|
|
|
|
|
|
OpenLDAP |
cn=Manager,dc=example,dc=com |
secret |
1389 |
|
dc=example,dc=com |
|
|
These, and other appropriate settings, should be adjusted to suit your circumstances.
Optional: Import an ldif file and populate the Directory Server.
Start the Directory Server.
This section will show you how to add LDAP in read-only mode. This means that user data entries (both pre-existing, and newly added through the GateIn Portal User Interface) will be consumed though the Directory Server and LDAP services, but written to the underlying database. The only exception is that passwords updated via the UI will also be propagated into the appropriate LDAP entry.
Open the ID_HOME/idm-configuration.xml file.
GateIn Portal uses the PicketLink IDM framework as the underlying identity storage system, hence all the configurations use dedicated Picketlink settings.
Comment out the default Picketlink config value: <value>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</value>
Uncomment the appropriate sample configuration values as described below, depending on which Directory Server you are implementing:
Red Hat Directory Server or OpenDS
Uncomment the line under Read Only "ACME" LDAP Example:
<!--Read Only "ACME" LDAP Example--> <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-LDAP-acme-config.xml</value>
Uncomment the groupTypeMappings under Uncomment for ACME LDAP example:
<!-- Uncomment for ACME LDAP example --> <entry> <key><string>/acme/roles/*</string></key> <value><string>acme_roles_type</string></value> </entry> <entry> <key><string>/acme/organization_units/*</string></key> <value><string>acme_ou_type</string></value> </entry>
Refer to Read Only groupTypeMappings for more information about how these groupTypeMappings operate.
Microsoft Active Directory
Uncomment the line under MSAD Read Only "ACME" LDAP Example:
<!--MSAD Read Only "ACME" LDAP Example--> <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml</value>
Uncomment the groupTypeMappings under Uncomment for MSAD ReadOnly LDAP example:
<!-- Uncomment for MSAD ReadOnly LDAP example --> <entry> <key><string>/acme/roles/*</string></key> <value><string>msad_roles_type</string></value> </entry>
Refer to Read Only groupTypeMappings for more information about how these groupTypeMappings operate.
OpenLDAP
If you have not done so already, install your LDAP server. Refer to LDAP Set Up for some assistance.
Uncomment the line under OpenLDAP ReadOnly "ACME" LDAP Example:
<!--OpenLDAP ReadOnly "ACME" LDAP Example--> <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openLDAP-acme-config.xml</value>
Uncomment the groupTypeMappings under Uncomment for ACME LDAP example:
<!-- Uncomment for ACME LDAP example --> <entry> <key><string>/acme/roles/*</string></key> <value><string>acme_roles_type</string></value> </entry> <entry> <key><string>/acme/organization_units/*</string></key> <value><string>acme_ou_type</string></value> </entry>
Refer to Read Only groupTypeMappings for more information about how these groupTypeMappings operate.
To use a different LDAP server or directory data, edit the DS-specific .xml file you uncommented in Substep 3a above and change the values to suit your requirements.
Refer to the list in LDAP configuration for some examples or refer to the product-specific documentation for more information.
Start the server.
Navigate to the portal homepage (http://localhost:8080/portal) and log in as an administrator.
Navigate to Group → Organization → Users and groups management.
Create a new group called acme under the root node.
For RHDS, OpenDS and OpenLDAP:
Create two sub-groups called roles and organization_units.
For MSAD:
Create a subgroup called roles.
By default, users mapped from LDAP will be just members of LDAP groups, but they won't be members of group /platform/users . This results in the fact, that those users won't be treated as full-fledged portal users. To fix this, you will need either:
Add your LDAP users manually to /platform/users group
Configure CustomMembershipLoginModule in JAAS login modules stack. This is special login module, which will add every logged user into group /platform/users after successful login of this user. Actually you will need to add also two additional login modules InitSharedStateLoginModule and SharedStateLoginModule. Details are described in Login modules section .
Users defined in LDAP should be visible in "Users and groups management" and groups from LDAP should be present as children of /acme/roles and /acme/organization_units.
More information about configuration can be found in PicketLink IDM integration and in the PicketLink project Reference Guide.
Follow the procedure below to set LDAP up as the default identity store for GateIn Portal. All default accounts and some of groups that comes with GateIn Portal will be created in the LDAP store.
The LDAP server will be configured to store part of the GateIn Portal group tree. This means that groups under specified part of the tree will be stored in directory server while all others will be stored in database.
If you have not done so already, install your LDAP server. Refer to LDAP Set Up for some assistance.
Open the ID_HOME/idm-configuration.xml file.
GateIn Portal uses the PicketLink IDM framework as the underlying identity storage system, hence all the configurations use dedicated Picketlink settings.
Comment out the default Picketlink config value: war:/conf/organization/picketlink-idm/picketlink-idm-config.xml
Uncomment the appropriate LDAP configuration entry depending on your LDAP server:
For RHDS and OpenDS
Expose the entry under Sample LDAP config:
<!--Sample LDAP config--> <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-config.xml</value>
For MSAD
Expose the entry under MSAD LDAP Example:
<!--MSAD LDAP Example--> <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml</value>
To use SSL encryption with MSAD:
Open the ID_HOME/picketlink-idm/examples/picketlink-idm-msad-config.xml
Ensure the following entries are uncommented and that the path to the truststore file and password are correct:
<option> <name>customSystemProperties</name> <value>javax.net.ssl.trustStore=/path/to/truststore</value> <value>javax.net.ssl.trustStorePassword=password</value> </option>
You can import a custom certificate by replacing the certificate and truststore details in the following command:
keytool -import -file certificate -keystore truststore
For OpenLDAP
Expose the entry under OpenLDAP LDAP config:
<!--OpenLDAP LDAP config--> <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openLDAP-config.xml</value>
Uncomment the groupTypeMappings under Uncomment for sample LDAP configuration:
<entry> <key><string>/platform/*</string></key> <value><string>platform_type</string></value> </entry> <entry> <key><string>/organization/*</string></key> <value><string>organization_type</string></value> </entry>
Refer to Default groupTypeMappings for more information about how these groupTypeMappings operate.
Uncomment ignoreMappedMembershipTypeGroupList under Uncomment for sample LDAP config
<value> <string>/platform/*</string> </value> <value> <string>/organization/*</string> </value>
Usually you need to uncomment same roles, which you are using for LDAP mapping. The point is that user memberships under those groups will be created in Picketlink IDM only as relationships and not as roles. Without uncommenting, memberships will be used as both relationships and roles, which could cause that you may see some duplicated records in UI.
To use a different LDAP server or directory data, edit the DS-specific .xml file you uncommented in Step 4 above and change the values to suit your requirements.
Refer to the list in LDAP configuration for some examples or refer to the product-specific documentation for more information.
Now after server startup, all GateIn Portal groups under /platform and under /organization groups (for example /platform/users , /platform/administrators , /organization/management/executive-board etc.) will be mapped to LDAP tree. The location of groups in LDAP tree is configurable via parameter ctxDNs in Picketlink IDM configuration file as described below.
The following settings are stored in the Picketlink configuration file that is nominated in the idm-configuration.xml file of your deployment (under the config parameter of the PicketLinkIDMService component):
This file could be:
The default picketlink-idm-config.xml.
One of the three example configuration files discussed in LDAP Set Up :
picketlink-idm-LDAP-acme-config.xml
picketlink-idm-msad-readonly-config.xml
picketlink-idm-openLDAP-acme-config.xml
A custom file created by modifying one of the above files.
ctxDNs - This is the DN that will be used as context for IdentityObject searches. More than one value can be specified.Some examples are:
ou=People,o=acme,dc=example,dc=com
ou=Roles,o=acme,dc=example,dc=com
ou=OrganizationUnits,o=acme,dc=example,dc=com
MSAD: CN=Users,DC=test,DC=domain (in two places)
providerURL - The LDAP server connection URL. Formatted as "LDAP://localhost:<PORT>". The default setting is:LDAP://localhost:1389.
MSAD: Should use SSL connection (LDAPs://xxx:636) for password update or creation to work.
adminDN - The LDAP entry used to connect to the server. Some possible values are:
RHDS or OpenDS: cn=Directory Manager
OpenLDAP: cn=Manager,dc=my-domain,dc=com
MSAD: TEST\Administrator
adminPassword - The password associated with the adminDN.
customSystemProperties - This option defines the values needed to use SSL encryption with LDAP.
The groupTypeMappings exposed in the idm-configuration.xml file correspond to identity-object-type values defined in the DS-specific configuration file (referenced in Sub-step 3a of the DS-specific procedure above).
For RHDS, OpenDS and OpenLDAP the picketlink-idm-LDAP-acme-config.xml and picketlink-idm-openLDAP-acme-config.xml files contain the following values:
<repository>
<id>PortalRepository</id>
<class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
<external-config/>
<default-identity-store-id>HibernateStore</default-identity-store-id>
<default-attribute-store-id>HibernateStore</default-attribute-store-id>
<identity-store-mappings>
<identity-store-mapping>
<identity-store-id>PortalLDAPStore</identity-store-id>
<!-- Comment #1 -->
<identity-object-types>
<identity-object-type>USER</identity-object-type>
<identity-object-type>acme_roles_type</identity-object-type>
<identity-object-type>acme_ou_type</identity-object-type>
</identity-object-types>
<!-- Comment #2 -->
<options>
<option>
<name>readOnly</name>
<value>true</value>
</option>
</options>
</identity-store-mapping>
</identity-store-mappings>
<options>
<option>
<name>allowNotDefinedAttributes</name>
<value>true</value>
</option>
</options>
</repository>
Comment 1: The PicketLink IDM configuration file dictates that users and those two group types be stored in LDAP.
Comment 2: An additional option defines that nothing else (except password updates) should be written there.
All groups under /acme/roles will be stored in PicketLink IDM with the acme_roles_type group type name and groups under /acme/organization_units will be stored in PicketLink IDM with acme_ou_type group type name.
For MSAD, the identity-object-types values in picketlink-idm-msad-readonly-config.xml change to:
<identity-store-id>PortalLDAPStore</identity-store-id> <identity-object-types> <identity-object-type>USER</identity-object-type> <identity-object-type>msad_roles_type</identity-object-type> </identity-object-types>
The difference is that this configuration maps only one group type and points to the same container in LDAP for both users and mapped groups.
The groupTypeMappings exposed in the idm-configuration.xml file correspond to identity-object-type values defined in the DS-specific configuration file (referenced in Sub-step 3a of the DS-specific procedure above).
All of the supported LDAP configurations use the following values when implemented as the default identity store:
<repository>
<id>PortalRepository</id>
<class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
<external-config/>
<default-identity-store-id>HibernateStore</default-identity-store-id>
<default-attribute-store-id>HibernateStore</default-attribute-store-id>
<identity-store-mappings>
<identity-store-mapping>
<identity-store-id>PortalLDAPStore</identity-store-id>
<!-- Comment #1 -->
<identity-object-types>
<identity-object-type>USER</identity-object-type>
<identity-object-type>platform_type</identity-object-type>
<identity-object-type>organization_type</identity-object-type>
</identity-object-types>
<options/>
</identity-store-mapping>
</identity-store-mappings>
<options>
<option>
<name>allowNotDefinedAttributes</name>
<value>true</value>
</option>
</options>
</repository>
<repository>
<id>DefaultPortalRepository</id>
<class>org.picketlink.idm.impl.repository.WrapperIdentityStoreRepository</class>
<external-config/>
<default-identity-store-id>HibernateStore</default-identity-store-id>
<default-attribute-store-id>HibernateStore</default-attribute-store-id>
</repository>
Comment 1: The groupTypeMappings define that all groups under /platform should be stored in PicketLink IDM with the platform_type group type name and groups under /organization should be stored in PicketLink IDM with organization_type group type name.
The PicketLink IDM configuration file repository maps users and those two group types as stored in LDAP.