The LDAP integration with RHQ is not complicated but there are a few permutations to configuring the integration that can be slightly confusing. See here for an overview including configuration screenshots. The most difficult portion of configuring your own setup is configuring your own external LDAP server.
These instructions work for developers with Linux boxes.
Installing your own (instructions from Fedora Core 11):
- sudo su -
- yum install 389-ds
- Option (2) Typical (this and the following answers are for the setup-ds-admin.pl prompts)
- Fully qualified host name. Ex. test.yourserver.com. It might also work with an IP address.
- System User (nobody)
- System Group (nobody)
- Do you want to register this software with an existing configuration directory server? (no)
- Administrator ID (admin)
- Password x 2 (something you pick)
- Administrator Domain (yourserver.com)
- Directory server network port (389)
- Directory server identifier (test)
- Suffix (dc=yourserver,dc=com)
- Directory manager DN (cn=Directory Manager)
- Password x 2 (something you pick)
- Administrator port (9830)
- The admin server and directory server should now be running; if not, start them with:
  - /etc/init.d/dirsrv start
  - /etc/init.d/dirsrv-admin start
- On Fedora 15 and later, if the admin server fails to start due to a segmentation fault, the following workaround should fix things: http://lists.fedoraproject.org/pipermail/389-users/2012-January/013960.html
- /usr/bin/389-console # start up admin console GUI
- User ID: admin
- Password : from above
- Administration URL: http://localhost:9830/
- Expand 'Server and Applications'-> your domain -> your server -> Server Group -> Directory Server and hit (Open).
- If you get an error similar to "Failed to install a local copy of 389-ds-1.2.3.jar or one of its supporting files. Please ensure that the appropriate console package is installed on the Administration Server. 389-ds-1.2.3.jar not found at http://localhost:9830/" here, then you have probably upgraded Fedora one or more times since you set up your 389 instance. The fix is to blow away your instance config by running "sudo /usr/sbin/remove-ds-admin.pl -y" and then recreate it by running "sudo setup-ds-admin.pl" again.
- In the Directory Server window, expand 'your server' -> 'your domain' -> Groups.
- Create a new test user 'testuser1' in 'People'.
You should now have enough to test your integration with RHQ.
- Log into RHQ with rhqadmin rights. Navigate to 'System' -> 'Settings' and populate the fields as in the 'Correct Configuration' screenshot, using your test user credentials. The settings are slightly different for Active Directory. You should now be able to follow along with 'How LDAP Group Authorization Works' from the LDAP overview, and finally test LDAP authorization by attempting to log into RHQ using your test user credentials (Ex. u: testuser1 p: pass1).
Apache Directory Studio is an Eclipse RCP application for LDAP browsing. But it can also easily create an ApacheDS server for you.
- First download Apache Directory Studio
- Start it
- In the "LDAP Servers" view right click to create a new server and choose ApacheDS 2.0.0 server type
- Start the server and right click on the server line to create an associated connection
- You should see new entries in the "LDAP Navigator" view and should be able to browse your LDAP content
- Click the server line to open the config view
- You can see that ApacheDS listens for LDAP requests on port 10389.
For further information, please read the Apache Directory Studio documentation.
There are also plenty of tutorials on the web on how to create an LDAP structure.
LDAP is all about attributes. Getting the right attributes that work with your server can be initially confusing if you're not familiar with it. If you're having difficulty getting the right configuration settings, download and run the executable jar 'TestLdapSettings.jar' to interactively mimic the LDAP calls to your external server.
- Requires JDK 1.6 or better.
- java -jar TestLdapSettings.jar
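The check below is an added example, not the TestLdapSettings.jar tool or RHQ's own code: it walks the same three LDAP calls a login has to get right against the 389-ds instance set up above (search for the user with a service account, bind as the user to prove the password, then list the groups the user belongs to). The connection values, the login attribute, and the group object class and member attribute are assumptions for a default 389-ds tree; Active Directory uses different ones.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.InitialLdapContext;

public class LdapSettingsCheck {
    // Assumed values: substitute those entered at the setup prompts above; prefer ldaps:// outside a dev box.
    static final String URL          = "ldap://test.yourserver.com:389";
    static final String BIND_DN      = "cn=Directory Manager";   // account used only for the searches
    static final String BIND_PW      = "<directory-manager-password>";
    static final String BASE_DN      = "dc=yourserver,dc=com";
    static final String LOGIN_ATTR   = "uid";                    // sAMAccountName on Active Directory
    static final String GROUP_FILTER = "(objectClass=groupOfUniqueNames)";
    static final String MEMBER_ATTR  = "uniqueMember";           // "member" on Active Directory
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }
    // Escape RFC 4515 filter metacharacters so a typed login name cannot rewrite the search filter.
    static String escapeFilter(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray())
            out.append("\\*()\0".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return out.toString();
    }

    public static void main(String[] args) throws NamingException {
        String login = args[0], password = args[1];            // e.g. testuser1 pass1
        // Step 1: find the user's DN with the service account (the search the RHQ settings drive).
        DirContext svc = bind(BIND_DN, BIND_PW);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        NamingEnumeration<SearchResult> hits =
                svc.search(BASE_DN, "(" + LOGIN_ATTR + "=" + escapeFilter(login) + ")", sc);
        if (!hits.hasMore()) { System.out.println("user not found under " + BASE_DN); return; }
        String userDn = hits.next().getNameInNamespace();
        // Step 2: bind as that DN. Refuse an empty password first: a DN with no password is treated
        // as an anonymous bind by LDAP servers and would "succeed" for any user.
        if (password.isEmpty()) throw new IllegalArgumentException("empty password");
        bind(userDn, password).close();
        // Step 3: list the groups naming this DN; group authorization maps these to RHQ roles.
        hits = svc.search(BASE_DN, "(&" + GROUP_FILTER + "(" + MEMBER_ATTR + "=" + escapeFilter(userDn) + "))", sc);
        while (hits.hasMore()) System.out.println("member of " + hits.next().getNameInNamespace());
        svc.close();
    }
}
```

If step 1 finds nothing, the base DN or login attribute is wrong; if step 2 fails, the password or user DN is; if step 3 prints no groups, the group filter or member attribute does not match how your server stores membership.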