Instructions for setting up OpenLDAP and JBoss Portal Server
jl7791 Nov 16, 2007 3:49 PM
The following provides instructions on how to set up JBoss Portal server v. 2.6.2 to authenticate against OpenLDAP v. 2.4.6. This is a work in progress, so please email me if you find any errors or issues with it.
Thanks,
Jeremiah
Install OpenLDAP from http://www.openldap.org/software/download/
slapd.conf in the LDAP installation should be configured according to your environment. At a minimum, make sure the following entries appear in slapd.conf:
[CODE]
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
[/CODE]
At the bottom of the file, adapt the database section to your environment:
[CODE]
database bdb
suffix "o=portal,dc=mydomain,dc=com"
rootdn "uid=admin,ou=People,o=portal,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}ENCRYPTED PASSWORD HIDDEN
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
[/CODE]
Note that the root password is stored as a salted hash, not encrypted: the {SSHA} prefix marks slappasswd's default scheme, and slapd only ever compares a bind password against it, it never needs the cleartext back. Produce the value with slappasswd; prefer running it with no arguments so that it prompts for the password, because 'slappasswd -s <password>' leaves the cleartext in your shell history and in the process list while it runs. The userPassword values in the LDIF file below were produced the same way.
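As an added example (not part of the original post), here is what slappasswd's default {SSHA} value actually is and how slapd checks a simple bind against it, in Python. It lets you verify a hash you pasted into slapd.conf or the LDIF without a running directory. The layout, base64(SHA1(password || salt) || salt) with a 4-byte salt, is OpenLDAP's documented {SSHA} format; the password strings and salts in the code are made up for illustration.

```python
"""Generate and verify OpenLDAP {SSHA} userPassword values offline.

Added example, not from the original post. {SSHA} is what slappasswd emits
by default: base64( SHA1(password || salt) || salt ), with a 4-byte random
salt appended after the 20-byte digest. It is a salted hash, not encryption:
nothing here can recover the password, which is why it is safe to keep in
slapd.conf and in the LDIF.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 4       # slappasswd's default salt length
DIGEST_LEN = 20    # SHA-1 output size


def ssha_hash(password, salt=None):
    """Return a {SSHA} value in the same format as `slappasswd -h {SSHA}`.

    A fixed salt may be supplied for reproducible tests; normally the salt is
    random so that two users with the same password get different values.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value.

    Mirrors what slapd does on a simple bind: pull the salt out of the stored
    value, hash the candidate with that salt, and compare the digests.
    """
    if stored[:6].upper() != "{SSHA}":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("truncated {SSHA} value")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a mismatch does not leak its position.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # 'correct horse' is a made-up password for the demonstration.
    value = ssha_hash("correct horse")
    print(value)
    print("good password:", ssha_verify("correct horse", value))
    print("bad password: ", ssha_verify("wrong", value))
```

The same routine verifies a userPassword value pulled out of the directory with ldapsearch, which is a quick way to confirm that a user's hash really corresponds to the password you think it does before blaming the portal for a failed login.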
Once OpenLDAP is installed, the slapd daemon may be started by executing the following:
sudo <path>/slapd
"path" represents the directory that slapd is located in. On my machine it was installed at /usr/local/libexec, but your environment may be different.
Install JBoss Portal server from http://labs.jboss.com/jbossportal/download/index.html
Create an LDIF file containing the directory entries (organization, users and roles) that the portal will authenticate against. Here is an example:
[CODE]
# Define the top-level object.
dn: o=portal,dc=mydomain,dc=com
objectclass: top
objectclass: organization
o: portal

# Define the organizational unit that will contain the portal users.
dn: ou=People,o=portal,dc=mydomain,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People

# Define an administrator for the system.
dn: uid=admin,ou=People,o=portal,dc=mydomain,dc=com
objectclass: top
objectclass: inetOrgPerson
objectclass: person
uid: admin
cn: Portal Administrator
sn: Administrator
userPassword: HIDDEN
mail: admin@mydomain.com

# Define another user.
dn: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com
objectclass: top
objectclass: inetOrgPerson
objectclass: person
uid: jlopez
cn: jlopez
sn: Lopez
userPassword: HIDDEN
mail: jlopez@mydomain.com

# .... other users can be added in a similar manner or through the user management portlet.

# Define the 'Roles' organizational unit. This is required to be named 'Roles'.
dn: ou=Roles,o=portal,dc=mydomain,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Roles

# Define an Admin role.
dn: cn=Admin,ou=Roles,o=portal,dc=mydomain,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: Portal admin role
member: uid=admin,ou=People,o=portal,dc=mydomain,dc=com

# Define a User role.
dn: cn=User,ou=Roles,o=portal,dc=mydomain,dc=com
objectClass: top
objectClass: groupOfNames
cn: User
description: Portal user role
member: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com
[/CODE]
Entries in LDIF must be separated by a blank line (comment lines do not count as separators), so keep the blank lines above when you paste this in; ldapadd rejects a file that runs one entry straight into the next dn.
Save this file as schema.ldif.
Verify that slapd is running (ps -ef | grep slapd) and load the entries we created into the server, binding as the rootdn configured in slapd.conf (the database is still empty, so the rootdn/rootpw pair is the only identity that can bind and add entries at this point; -W prompts for the password you hashed with slappasswd):
ldapadd -x -D "uid=admin,ou=People,o=portal,dc=mydomain,dc=com" -W -f schema.ldif
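Before handing a hand-written LDIF to ldapadd it is worth checking it offline for the mistakes that otherwise only show up as a terse ldapadd error, or as a portal login that fails for no visible reason. The following Python is an added example, not from the original post: it parses an LDIF (a constructed sample that mirrors the layout of schema.ldif but deliberately contains a cleartext password and a role member that is never defined) and reports missing parents, dangling group members, person entries without the cn/sn that the schema requires, and userPassword values that are not hashed. The suffix and entry names follow the post; the sample data is made up.

```python
"""Offline sanity check of a portal LDIF before it is handed to ldapadd.

Added example, not from the original post. It parses an LDIF and reports what
ldapadd or the portal would otherwise reveal late: entries whose parent is
missing, group members that name no entry, person entries lacking the cn/sn
their objectClasses require, and cleartext userPassword values.
"""
import base64

SUFFIX = "o=portal,dc=mydomain,dc=com"   # the suffix from slapd.conf
HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")

# Constructed sample (not the post's file): jlopez has a cleartext password and
# the User role lists a member that is never defined. The {SSHA} value is a
# placeholder standing in for real slappasswd output.
SAMPLE_LDIF = """\
dn: o=portal,dc=mydomain,dc=com
objectclass: organization
o: portal

dn: ou=People,o=portal,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: People

dn: uid=admin,ou=People,o=portal,dc=mydomain,dc=com
objectclass: inetOrgPerson
uid: admin
cn: Portal Administrator
sn: Administrator
userPassword: {SSHA}placeholderProducedBySlappasswd

dn: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com
objectclass: inetOrgPerson
uid: jlopez
cn: jlopez
sn: Lopez
userPassword: secret123

dn: ou=Roles,o=portal,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: Roles

dn: cn=User,ou=Roles,o=portal,dc=mydomain,dc=com
objectClass: groupOfNames
cn: User
member: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com
member: uid=ghost,ou=People,o=portal,dc=mydomain,dc=com
"""


def normalize_dn(dn):
    """Lowercase and strip spaces around commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {normalized dn: {attr (lowercased): [values]}} in file order.

    Handles '#' comments, LDIF line folding (continuation lines start with a
    space), base64 '::' values, and the rule that entries are separated by a
    blank line; a second 'dn:' without one is an error, as it is for ldapadd.
    """
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold a continuation line
        else:
            logical.append(line)
    entries, current = {}, None
    for line in logical + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries[current[0]] = current[1]
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                 if value.startswith(":") else value.strip())
        name = name.strip().lower()
        if name == "dn":
            if current:
                raise ValueError("entry %s is not separated from the next dn by a blank line" % current[0])
            current = (normalize_dn(value), {})
        elif current is None:
            raise ValueError("attribute before any dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def check_ldif(text, suffix=SUFFIX):
    """Return a list of human-readable findings; an empty list means the file looks sane."""
    try:
        entries = parse_ldif(text)
    except ValueError as err:
        return ["unparseable LDIF: %s" % err]
    findings, suffix_n = [], normalize_dn(suffix)
    for dn, attrs in entries.items():
        parent = dn.partition(",")[2]
        if dn != suffix_n and parent and parent not in entries:
            findings.append("%s: parent %s is not defined" % (dn, parent))
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if classes & {"person", "organizationalperson", "inetorgperson"}:
            for req in ("cn", "sn"):             # MUST attributes of 'person'
                if req not in attrs:
                    findings.append("%s: missing required attribute %s" % (dn, req))
        for pw in attrs.get("userpassword", []):
            if not pw.upper().startswith(HASH_SCHEMES):
                findings.append("%s: userPassword is cleartext; hash it with slappasswd" % dn)
        if "groupofnames" in classes:
            if "member" not in attrs:
                findings.append("%s: groupOfNames needs at least one member" % dn)
            for member in attrs.get("member", []):
                if normalize_dn(member) not in entries:
                    findings.append("%s: member %s does not exist" % (dn, member))
    return findings


if __name__ == "__main__":
    for finding in check_ldif(SAMPLE_LDIF):
        print(finding)
```

Run it against your own schema.ldif by reading the file into check_ldif; a clean run does not prove slapd will accept the file (the server's schema is the final word), but each finding it does produce is something ldapadd or the portal would have tripped over.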
A file needs to be created on the JBoss server that specifies how LDAP lookups should be done. It is not included in a binary install, so create the following file as $JBOSS_HOME/server/default/deploy/jboss-portal.sar/conf/identity/ldap_identity-config.xml and edit it to your specific environment. Two things to watch in it: adminDN/adminPassword is the account the portal binds with, and as written it is the same DN as slapd's rootdn, so the portal operates as the directory superuser, which slapd exempts from access control; a dedicated bind account granted only the rights the portal needs is the safer choice. The bind password also sits in this file in cleartext, so restrict the file's permissions to the account that runs JBoss, and if the directory is not on localhost, enable the commented-out protocol/ssl option rather than sending the bind credentials over the network in the clear.
[CODE]
<?xml version="1.0" encoding="UTF-8"?>
<!--<!DOCTYPE identity-configuration PUBLIC "-//JBoss Portal//DTD JBoss Identity Configuration 1.0//EN" "http://www.jboss.org/portal/dtd/identity-config_1_0.dtd">-->
<identity-configuration>
   <datasources>
      <datasource>
         <name>LDAP</name>
         <config>
            <option>
               <name>host</name>
               <value>localhost</value>
            </option>
            <option>
               <name>port</name>
               <value>389</value>
            </option>
            <option>
               <name>adminDN</name>
               <value>uid=admin,ou=People,o=portal,dc=mydomain,dc=com</value>
            </option>
            <option>
               <name>adminPassword</name>
               <value>HIDDEN</value>
            </option>
            <!--<option>
               <name>protocol</name>
               <value>ssl</value>
            </option>-->
         </config>
      </datasource>
   </datasources>
   <modules>
      <module>
         <!--type used to correctly map in IdentityContext registry-->
         <type>User</type>
         <implementation>LDAP</implementation>
         <config/>
      </module>
      <module>
         <type>Role</type>
         <implementation>LDAP</implementation>
         <config/>
      </module>
      <module>
         <type>Membership</type>
         <implementation>LDAP</implementation>
         <config/>
      </module>
      <module>
         <type>UserProfile</type>
         <implementation>DELEGATING</implementation>
         <config>
            <option>
               <name>ldapModuleJNDIName</name>
               <value>java:/portal/LDAPUserProfileModule</value>
            </option>
         </config>
      </module>
      <module>
         <type>DBDelegateUserProfile</type>
         <implementation>DB</implementation>
         <config>
            <option>
               <name>randomSynchronizePassword</name>
               <value>true</value>
            </option>
         </config>
      </module>
      <module>
         <type>LDAPDelegateUserProfile</type>
         <implementation>LDAP</implementation>
         <config/>
      </module>
   </modules>
   <options>
      <option-group>
         <group-name>common</group-name>
         <option>
            <name>userCtxDN</name>
            <value>ou=People,o=portal,dc=mydomain,dc=com</value>
         </option>
         <option>
            <name>roleCtxDN</name>
            <value>ou=Roles,o=portal,dc=mydomain,dc=com</value>
         </option>
      </option-group>
      <option-group>
         <group-name>userCreateAttibutes</group-name>
         <option>
            <name>objectClass</name>
            <!--These objectclasses should work with Red Hat Directory-->
            <value>top</value>
            <value>person</value>
            <value>inetOrgPerson</value>
         </option>
         <!--Schema requires these to have an initial value-->
         <option>
            <name>cn</name>
            <value>none</value>
         </option>
         <option>
            <name>sn</name>
            <value>none</value>
         </option>
      </option-group>
      <option-group>
         <group-name>roleCreateAttibutes</group-name>
         <!--Schema requires these to have an initial value-->
         <option>
            <name>cn</name>
            <value>none</value>
         </option>
         <!--Some directory servers require this attribute to be a valid DN-->
         <!--For safety reasons point to the admin user here-->
         <option>
            <name>member</name>
            <value>uid=admin,ou=People,o=portal,dc=mydomain,dc=com</value>
         </option>
      </option-group>
   </options>
</identity-configuration>
[/CODE]
Finally, we need to edit the jboss-service.xml file in $JBOSS_HOME/server/default/deploy/jboss-portal.sar/META-INF to point to the ldap_identity-config.xml we just created. Change the following line:
conf/identity/identity-config.xml
to
conf/identity/ldap_identity-config.xml
Restart the JBoss server and attempt to log in with the usernames and passwords we created in the LDIF file.