Version 24

    JBoss AS Version 4.0.5 and Portal 2.4 with jems installer

     

    This configuration was tested against Sun's iPlanet Directory Server, but it should work the same way with any other LDAP server (OpenLDAP, Apache Directory Server, and others). It uses an anonymous bind for the user lookup and keeps the default jboss-portal login module, IdentityLoginModule, in the chain, so the shipped accounts (admin, user) still work after LDAP is configured. That is convenient for recovery, but it also means the built-in admin account with its default password stays valid: change that password as part of the setup.

     

    Example LDAP structure (the same tree as LDIF Example 1 above):

    o=company
      |
      |- ou=people
      |  |
      |   - c=country, e.g. us
      |     |
      |      - ou=internal
      |         |
      |          - uid=user
      |
      |
       - ou=groups
          |
           - cn=Authenticated
              |
               - member=uid=user,ou=internal,c=country,ou=people,o=company
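    The same tree as an LDIF file that can be loaded into a test directory (a constructed example added here, not the page's LDIF Example 1). The objectClasses, the cn/sn values and the placeholder password are assumptions; they are chosen so that the baseFilter (uid={0}) and roleFilter (member={1}) of the login-config.xml in step 1 resolve exactly as written:

```ldif
# Constructed test data: replace "company", the user entry and the password.
dn: o=company
objectClass: organization
o: company

dn: ou=People,o=company
objectClass: organizationalUnit
ou: People

dn: c=us,ou=People,o=company
objectClass: country
c: us

dn: ou=internal,c=us,ou=People,o=company
objectClass: organizationalUnit
ou: internal

# uid is what baseFilter (uid={0}) matches; inetOrgPerson requires cn and sn.
dn: uid=user,ou=internal,c=us,ou=People,o=company
objectClass: inetOrgPerson
uid: user
cn: Example User
sn: User
userPassword: changeme

dn: ou=Groups,o=company
objectClass: organizationalUnit
ou: Groups

# groupOfNames stores full DNs in member, which is why roleFilter uses {1}, the user DN.
dn: cn=Authenticated,ou=Groups,o=company
objectClass: groupOfNames
cn: Authenticated
member: uid=user,ou=internal,c=us,ou=People,o=company
```

    Load it with ldapadd as the directory administrator, then confirm that an anonymous search for (uid=user) under ou=People,o=company returns the single user entry; that is the lookup the login module performs before it binds as the user.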
    

     

    1. Update $JBOSS_HOME\server\default\deploy\jboss-portal.sar\conf\login-config.xml and replace the existing "portal" application-policy with:

    <application-policy name="portal">
        <authentication>
            <!-- The shipped portal login module, kept so that the built-in accounts still work.
                 "sufficient" means a failure here is ignored and the LDAP module below decides. -->
            <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
                <module-option name="unauthenticatedIdentity">guest</module-option>
                <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                <module-option name="additionalRole">Authenticated</module-option>
                <module-option name="password-stacking">useFirstPass</module-option>
            </login-module>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://ldap.company.com:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <!-- No bindDN/bindCredential: the user lookup is done with an anonymous bind. -->
                <!-- Where to look for the user; {0} is the login name. -->
                <module-option name="baseCtxDN">ou=People,o=company</module-option>
                <module-option name="baseFilter">(uid={0})</module-option>
                <!-- Where to look for roles; {1} is the user DN found by baseFilter. -->
                <module-option name="rolesCtxDN">ou=Groups,o=company</module-option>
                <module-option name="roleFilter">(member={1})</module-option>
                <module-option name="roleAttributeID">member</module-option>
                <module-option name="roleRecursion">-1</module-option>
                <module-option name="roleNameAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="searchTimeLimit">5000</module-option>
                <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            </login-module>
        </authentication>
    </application-policy>
    

    Be sure to set the flag of the IdentityLoginModule entry to "sufficient". With the shipped "required", every login would also have to succeed against the portal database, and users that exist only in LDAP could never log in; with "sufficient", a failure of that module is ignored and the LdapExtLoginModule decides.


    2. Modify baseCtxDN and rolesCtxDN to match your directory. If your server does not allow anonymous searches, add the module options bindDN and bindCredential; a read-only account is enough, because the module only uses it to find the user's DN and roles and then binds as the user with the supplied password to verify it. Since java.naming.security.authentication is "simple", both binds send the password in the clear over ldap://, so point java.naming.provider.url at ldaps://ldap.company.com:636/ (with the directory's CA certificate in the JVM truststore) unless the connection is confined to a trusted network.


    3. Create a group in LDAP named "Authenticated" (cn=Authenticated under rolesCtxDN) and add every user who should be able to log in as a member. This is necessary because the additionalRole option of the IdentityLoginModule only applies to users that module authenticates; LDAP users get their roles from the LdapExtLoginModule role search, so the role the portal's security-constraint requires must exist in LDAP. (You could also map the security-constraint in portal-server.war\WEB-INF\web.xml to any other existing role, but I've never tested that.)


    Troubleshooting:

     

    Check that roleAttributeID names the attribute your directory really uses. The configuration above expects groupOfNames entries with a member attribute; some directories keep the membership on the user entry instead, as memberOf, in which case the role search has to target the user entry (rolesCtxDN equal to baseCtxDN, roleFilter (uid={0}), roleAttributeID memberOf, roleAttributeIsDN true, roleNameAttributeID cn).

     

    Check that roleNameAttributeID is "cn", i.e. the attribute that carries the role name on the group entry.

     

    Check whether the group stores its members as DNs or as login names. The roleFilter placeholders are {0} for the login name and {1} for the DN that baseFilter found, so a group listing DNs needs (member={1}) while a group listing user names needs (member={0}); with the wrong one the search returns nothing and the user ends up without the Authenticated role.

     

    Check that a login with a valid user name and an empty password is refused. Directory servers treat a bind with a DN and no password as an anonymous bind and report success (RFC 4513, section 5.1.2), so any login module that passes the empty password through lets anyone in as any user; test this from the portal login page, not only with ldapsearch.

     

    To watch the module work, set the org.jboss.security category to TRACE in $JBOSS_HOME\server\default\conf\log4j.xml; the log then shows the DN found for the user and every role that was assigned. The same two searches can be reproduced by hand with ldapsearch: an anonymous search for (uid=<login>) under ou=People, which must return exactly one entry, then a search for (member=<the DN returned>) under ou=Groups, whose results must include cn=Authenticated.
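    To see what each option does before touching a live directory, here is a small in-memory model of the LdapExtLoginModule lookup flow (an added example, not JBoss code or anything from the portal project). It implements the documented semantics only: baseCtxDN/baseFilter locate the DN, a second bind checks the password, and rolesCtxDN/roleFilter together with roleAttributeID, roleAttributeIsDN, roleNameAttributeID and roleRecursion produce the role set. The directory entries (user jdoe with password s3cret, groups Staff, Authenticated and Developers) and the function names are constructed for the example; treating a negative roleRecursion as unlimited and refusing empty passwords inside the model are choices of the model, not verified behaviour of the 4.0.5 module; and the model does not try to reproduce the page's own combination of (member={1}) with roleAttributeIsDN=true, which the author reports as working on iPlanet. It covers the three troubleshooting cases above: member-style groups (including nesting), memberOf on the user entry, and groups that store login names instead of DNs.

```python
import re

# Constructed directory with the page's layout under o=company (attribute values are
# lists, LDAP attributes being multi-valued).  jdoe is a member of Staff, Staff is a
# member of Authenticated (nested group), Developers is a posixGroup keyed by memberUid.
DIRECTORY = {
    "uid=jdoe,ou=internal,c=us,ou=People,o=company": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "cn": ["John Doe"],
        "userPassword": ["s3cret"], "memberOf": ["cn=Staff,ou=Groups,o=company"],
    },
    "cn=Staff,ou=Groups,o=company": {
        "objectClass": ["groupOfNames"], "cn": ["Staff"],
        "member": ["uid=jdoe,ou=internal,c=us,ou=People,o=company"],
    },
    "cn=Authenticated,ou=Groups,o=company": {
        "objectClass": ["groupOfNames"], "cn": ["Authenticated"],
        "member": ["cn=Staff,ou=Groups,o=company"],
    },
    "cn=Developers,ou=Groups,o=company": {
        "objectClass": ["posixGroup"], "cn": ["Developers"], "memberUid": ["jdoe"],
    },
}

COMMON = {"baseCtxDN": "ou=People,o=company", "baseFilter": "(uid={0})",
          "searchScope": "SUBTREE_SCOPE"}
# groupOfNames style (the page's schema): groups list user DNs, so the filter takes {1}
# and the role name is the matched group's own cn.
MEMBER_OPTS = dict(COMMON, rolesCtxDN="ou=Groups,o=company", roleFilter="(member={1})",
                   roleAttributeID="cn", roleAttributeIsDN="false", roleRecursion="-1")
# memberOf style: the user entry carries group DNs, so the role search targets the user
# and every DN is dereferenced for its cn.
MEMBEROF_OPTS = dict(COMMON, rolesCtxDN="ou=People,o=company", roleFilter="(uid={0})",
                     roleAttributeID="memberOf", roleAttributeIsDN="true",
                     roleNameAttributeID="cn", roleRecursion="0")
# posixGroup style: membership is the login name, so {0}; (memberUid={1}) finds nothing.
POSIX_OPTS = dict(COMMON, rolesCtxDN="ou=Groups,o=company", roleFilter="(memberUid={0})",
                  roleAttributeID="cn", roleAttributeIsDN="false", roleRecursion="0")

def _norm(dn):
    """Case-insensitive comparison form; enough for this model, not full RFC 4517."""
    return dn.lower().replace(", ", ",")

def search(base_dn, ldap_filter, scope="SUBTREE_SCOPE"):
    """(dn, entry) pairs under base_dn matching one (attr=value) equality filter, the only
    filter shape the page's configuration uses."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.groups()
    base, hits = _norm(base_dn), []
    for dn, entry in DIRECTORY.items():
        ndn = _norm(dn)
        if not ndn.endswith("," + base):
            continue
        if scope == "ONELEVEL_SCOPE" and ndn.count(",") != base.count(",") + 1:
            continue
        if any(_norm(v) == _norm(value) for v in entry.get(attr, [])):
            hits.append((dn, entry))
    return hits

def find_user_dn(opts, login_name):
    """baseCtxDN + baseFilter: the login name must map to exactly one entry."""
    hits = search(opts["baseCtxDN"], opts["baseFilter"].replace("{0}", login_name),
                  opts["searchScope"])
    return hits[0][0] if len(hits) == 1 else None

def bind(dn, password):
    """Second bind, as the user.  Empty passwords are refused here on purpose: a real
    server treats DN + empty password as an anonymous bind that succeeds (RFC 4513,
    section 5.1.2), so a module that forwarded it would accept any existing user name."""
    if not password:
        return False
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])

def resolve_roles(opts, login_name, user_dn):
    """rolesCtxDN/roleFilter search, with roleRecursion re-running it for each matched
    entry's DN (negative = unlimited in this model); 'seen' stops cyclic nesting."""
    max_depth, roles, seen = int(opts.get("roleRecursion", 0)), set(), set()

    def walk(subject_dn, depth):
        filt = opts["roleFilter"].replace("{0}", login_name).replace("{1}", subject_dn)
        for dn, entry in search(opts["rolesCtxDN"], filt, opts["searchScope"]):
            if dn in seen:
                continue
            seen.add(dn)
            for value in entry.get(opts["roleAttributeID"], []):
                if opts.get("roleAttributeIsDN") == "true":   # value is a role entry DN
                    roles.update(DIRECTORY.get(value, {}).get(opts["roleNameAttributeID"], []))
                else:                                          # value is the role name
                    roles.add(value)
            if max_depth < 0 or depth < max_depth:
                walk(dn, depth + 1)

    walk(user_dn, 0)
    return roles

def login(opts, user, password):
    """Whole flow: locate the DN, bind as it, collect roles.  None means login refused."""
    dn = find_user_dn(opts, user)
    if dn is None or not bind(dn, password):
        return None
    return dn, resolve_roles(opts, user, dn)
```

    With MEMBER_OPTS, login("jdoe", "s3cret") yields the roles Staff and Authenticated (the second only because roleRecursion follows Staff into Authenticated; with roleRecursion 0 it stops at Staff). With POSIX_OPTS the same user gets Developers, and switching that filter to (memberUid={1}) returns no roles at all, which is the symptom of the DN-versus-login-name mismatch described above.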


    See LdapExtLoginModule for a detailed explanation of the module options.


    Configuration prior to Portal 2.4


    Note: Apparently these instructions are correct, but the code is not found anywhere... Hope the author will indicate to us all the location of the source code for the LdapConnectionModule, the LdapRoleModule and the LdapUserModule...

     

    Authenticating the portal against an LDAP datasource requires several pieces of configuration:

     

    • JAAS Authentication source

    • Portal User Module

    • Portal Role Module

     

    JAAS Authentication source

    The initial authentication to the portal (through the user portlet) is performed by the Java Authentication and Authorization Service (JAAS). JAAS lets you plug in different authentication mechanisms without recoding the application. It is configured through a file called login-config.xml, found in the source bundle at core/src/resources/portal-core-sar/conf/login-config.xml or, in the exploded deployment, at JBOSS_HOME/server/default/deploy/jboss-portal-exploded.sar/conf/login-config.xml. JBoss Portal currently uses a module called ModelLoginModule to control authentication. By default it validates a password by comparing the entered password with the expected password it retrieves. For authentication sources where the expected password cannot be retrieved, such as LDAP, an extra parameter tells ModelLoginModule to delegate password validation to the User Module, which then asks the directory. To enable this, add a line in login-config.xml under

                <module-option name="password-stacking">useFirstPass</module-option>

    which reads

                <module-option name="passwordValidation">remote</module-option>

     

    Portal User Module

    JBoss Portal uses two modules to track user and role information, strangely enough called the User Module and the Role Module. They are declared and configured in the file jboss-service.xml, found in the exploded deployment at JBOSS_HOME/server/default/deploy/jboss-portal-exploded.sar/META-INF/jboss-service.xml or in the source bundle at core/src/resources/portal-core-sar/META-INF/jboss-service.xml. NOTE: there are several jboss-service.xml files in the source bundle; only the one in the core module is relevant here.

     

    Both the LDAP User module and the LDAP Role module depend on a third module, the LDAP connection module, which holds the functionality they share (the server address, the bind account and the SSL setting). The User and Password attributes are the account the portal uses for every directory operation, so give it read access to the user and role containers only (plus write access to the container for new roles if you enable role creation in the Role module), and restrict who can read jboss-service.xml, since the password is stored there in the clear. To configure the module, add the following section to jboss-service.xml:

     

    <mbean
      code="org.jboss.portal.core.impl.conn.LDAPConnectionModule"
      name="portal:service=Module,type=Connection"
      xmbean-dd=""
      xmbean-code="org.jboss.portal.common.system.JBossServiceModelMBean">
      <xmbean></xmbean>
      <attribute name="JNDIName">java:portal/ConnectionModule</attribute>
      <!-- address of your ldap server -->
      <attribute name="LdapServer">__server address__</attribute>
      <!-- if your ldap runs on a non-standard port, use this attribute to specify it -->
      <!--attribute name="LdapPort">nonStandardPortNumber</attribute-->
      <!-- username of the admin user used to access the directory -->
      <attribute name="User">__admin dn__</attribute>
      <!-- password of the admin user used to access the directory -->
      <attribute name="Password">__admin password__</attribute>
      <!-- attribute to specify use of SSL for directory traffic -->
      <attribute name="LdapSecure">true</attribute>
    </mbean>

     

    To configure the LDAP User module itself, find the mbean section which has the name "portal:service=Module,type=User". Replace it with the following:

    <mbean
      code="org.jboss.portal.core.impl.user.LDAPUserModule"
      name="portal:service=Module,type=User"
      xmbean-dd=""
      xmbean-code="org.jboss.portal.common.system.JBossServiceModelMBean">
      <xmbean></xmbean>
      <depends optional-attribute-name="HibernateProvider" proxy-type="attribute">portal:service=Hibernate</depends>
      <attribute name="JNDIName">java:portal/UserModule</attribute>
      <attribute name="ConnectionModuleJNDIName">java:portal/ConnectionModule</attribute>
      <!-- attribute to use as the unique object ID. If this is omitted, the objects DN is used-->
      <!--attribute name="IDAttribute">cn</attribute-->
      <!-- LDAP attribute containing the username-->
      <attribute name="UserNameAttribute">cn</attribute>
      <!-- LDAP attribute containing the display name -->
      <attribute name="DisplayNameAttribute">fullName</attribute>
      <!-- LDAP attribute containing the email address -->
      <attribute name="MailAttribute">mail</attribute>
      <!-- LDAP attribute containing the group membership -->
      <attribute name="MembershipAttribute">groupMembership</attribute>
      <!-- container to find users in -->
      <attribute name="BaseDN">__user container__</attribute>
      <!-- LDAP object class of user objects -->
      <attribute name="ObjectClass">inetOrgPerson</attribute>
      <!-- additional filter parameters over and above specifying objectClass -->
      <!--attribute name="Filter">(objectClass=inetOrgPerson)</attribute-->
      <!-- attribute to order results by -->
      <attribute name="OrderBy">fullName</attribute>
    </mbean>
    

     

    This default configuration assumes that user objects are inetOrgPerson entries identified by cn, that fullName holds the display name, that the object DN serves as the ID, and that the list is ordered by fullName. Note that fullName and groupMembership are Novell eDirectory attribute names rather than part of the standard inetOrgPerson schema; on another directory substitute its equivalents (for example displayName, and memberOf where the server maintains that back-link).

     

    Portal Role Module

    The configuration for Role module is similar to the User module. Find the section in jboss-service.xml with name portal:service=Module,type=Role and replace it with:

    <mbean
      code="org.jboss.portal.core.impl.role.LDAPRoleModule"
      name="portal:service=Module,type=Role"
      xmbean-dd=""
      xmbean-code="org.jboss.portal.common.system.JBossServiceModelMBean">
      <xmbean></xmbean>
      <depends>portal:service=Hibernate</depends>
      <attribute name="JNDIName">java:portal/RoleModule</attribute>
      <attribute name="ConnectionModuleJNDIName">java:portal/ConnectionModule</attribute>
      <!-- if the IDAttribute is omitted, the object DN will be used as the IDAttribute -->
      <!--attribute name="IDAttribute">cn</attribute-->
      <!-- Attribute containing the role name -->
      <attribute name="NameAttribute">cn</attribute>
      <!-- Attribute containing the display name -->
      <attribute name="DisplayNameAttribute">description</attribute>
      <!-- LDAP object class of role objects -->
      <attribute name="ObjectClass">groupOfNames</attribute>
      <!-- additional filter parameters over and above specifying objectClass -->
      <!--attribute name="Filter"><![CDATA[(objectClass=groupOfNames)]]></attribute-->
      <!-- attribute to order results by -->
      <attribute name="OrderBy">cn</attribute>
      <!-- container to find roles in -->
      <attribute name="BaseDN">__roles container__</attribute>
      <!-- If the newRolesContainer attribute is omitted, then creation of new roles will be disabled -->
      <attribute name="NewRolesContainer">__new roles container__</attribute>
    </mbean>

    Again, these are defaults: role objects are groupOfNames entries identified by DN; their name is the cn attribute and their display name is the description attribute. Under the standard schema (RFC 4519) groupOfNames requires at least one member value, so a server that enforces the schema will reject the creation of a role with no members.