0 Replies Latest reply on Nov 16, 2007 3:49 PM by jl7791

    Instructions for setting up OpenLDAP and JBoss Portal Server

    jl7791

      The following provides instructions on how to set up JBoss Portal server v. 2.6.2 to authenticate against OpenLDAP v. 2.4.6. This is a work in progress so please email me if you find any errors or issues with it.

      Thanks,
      Jeremiah


      Install OpenLDAP from http://www.openldap.org/software/download/
      slapd.conf in the LDAP installation should be configured according to your environment. At a minimum, make sure the following entries appear in slapd.conf:

      [CODE]
      include /usr/local/etc/openldap/schema/core.schema
      include /usr/local/etc/openldap/schema/cosine.schema
      include /usr/local/etc/openldap/schema/inetorgperson.schema
      include /usr/local/etc/openldap/schema/misc.schema
      include /usr/local/etc/openldap/schema/nis.schema
      include /usr/local/etc/openldap/schema/openldap.schema
      [/CODE]


      At the bottom of the file, edit the following to your environment:

      [CODE]
      database bdb
      suffix "o=portal,dc=mydomain,dc=com"
      rootdn "uid=admin,ou=People,o=portal,dc=mydomain,dc=com"
      # Cleartext passwords, especially for the rootdn, should
      # be avoided. See slappasswd(8) and slapd.conf(5) for details.
      # Use of strong authentication encouraged.
      rootpw {SSHA}ENCRYPTED PASSWORD HIDDEN
      # The database directory MUST exist prior to running slapd AND
      # should only be accessible by the slapd and slap tools.
      # Mode 700 recommended.
      directory /usr/local/var/openldap-data
      # Indices to maintain
      index objectClass eq
      [/CODE]

      Note that the root password is encrypted. This is achieved by running 'slappasswd -s <password we want to encrypt>'. In the LDAP schema file below, the encrypted passwords were produced in a similar manner.

      Once OpenLDAP is installed, the slapd daemon may be started by executing the following:
      sudo <path>/slapd

      "path" represents the directory that slapd is located in. On my machine it was installed at /usr/local/libexec, but your environment may be different.
      Install JBoss Portal server from http://labs.jboss.com/jbossportal/download/index.html
      Create an ldap schema definition file that we will use to authenticate against. Here is an example:

      [CODE]
      # Define the top-level object.
      dn: o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: organization
      o: portal

      # Define the organizational unit that will contain any portal users.
      dn: ou=People,o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: organizationalUnit
      ou: People

      # Define an administrator for the system.
      dn: uid=admin,ou=People,o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: inetOrgPerson
      objectclass: person
      uid: admin
      cn: Portal Administrator
      sn: Administrator
      userPassword: HIDDEN
      mail: admin@mydomain.com

      # Define another user.
      dn: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: inetOrgPerson
      objectclass: person
      uid: jlopez
      cn: jlopez
      sn: Lopez
      userPassword: HIDDEN
      mail: jlopez@mydomain.com

      # .... other users can be added in a similar manner or through the user management portlet.

      # Define the 'Roles' organizational unit. This is required to be named 'Roles'.
      dn: ou=Roles,o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles

      # Define an Admin role.
      dn: cn=Admin,ou=Roles,o=portal,dc=mydomain,dc=com
      objectClass: top
      objectClass: groupOfNames
      cn: Admin
      description: Portal admin role
      member: uid=admin,ou=People,o=portal,dc=mydomain,dc=com

      # Define a User role.
      dn: cn=User,ou=Roles,o=portal,dc=mydomain,dc=com
      objectClass: top
      objectClass: groupOfNames
      cn: User
      description: Portal user role
      member: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com

      [/CODE]

      Save this file as schema.ldif.
      Verify that slapd is running (ps -ef | grep slapd) and load the schema we created into the server:
      ldapadd -x -D "uid=admin,ou=People,o=portal,dc=mydomain,dc=com" -W -f schema.ldif

      A file needs to be created on the JBoss server that specifies how LDAP lookups should be done. This file is not included in a binary install, so you will need to create the following file in the following directory ($JBOSS_HOME/server/default/deploy/jboss-portal.sar/conf/identity) and call it ldap_identity-config.xml. This file should be edited to your specific environment.
      [CODE]
      <?xml version="1.0" encoding="UTF-8"?>
      <!--<!DOCTYPE identity-configuration PUBLIC
       "-//JBoss Portal//DTD JBoss Identity Configuration 1.0//EN"
       "http://www.jboss.org/portal/dtd/identity-config_1_0.dtd">-->

      <identity-configuration>
        <datasources>
          <datasource>
            <name>LDAP</name>
            <config>
              <option>
                <name>host</name>
                <value>localhost</value>
              </option>
              <option>
                <name>port</name>
                <value>389</value>
              </option>
              <option>
                <name>adminDN</name>
                <value>uid=admin,ou=People,o=portal,dc=mydomain,dc=com</value>
              </option>
              <option>
                <name>adminPassword</name>
                <value>HIDDEN</value>
              </option>
              <!--<option>
                <name>protocol</name>
                <value>ssl</value>
              </option>-->
            </config>
          </datasource>
        </datasources>
        <modules>
          <module>
            <!--type used to correctly map in IdentityContext registry-->
            <type>User</type>
            <implementation>LDAP</implementation>
            <config/>
          </module>
          <module>
            <type>Role</type>
            <implementation>LDAP</implementation>
            <config/>
          </module>
          <module>
            <type>Membership</type>
            <implementation>LDAP</implementation>
            <config/>
          </module>
          <module>
            <type>UserProfile</type>
            <implementation>DELEGATING</implementation>
            <config>
              <option>
                <name>ldapModuleJNDIName</name>
                <value>java:/portal/LDAPUserProfileModule</value>
              </option>
            </config>
          </module>
          <module>
            <type>DBDelegateUserProfile</type>
            <implementation>DB</implementation>
            <config>
              <option>
                <name>randomSynchronizePassword</name>
                <value>true</value>
              </option>
            </config>
          </module>
          <module>
            <type>LDAPDelegateUserProfile</type>
            <implementation>LDAP</implementation>
            <config/>
          </module>
        </modules>

        <options>
          <option-group>
            <group-name>common</group-name>
            <option>
              <name>userCtxDN</name>
              <value>ou=People,o=portal,dc=mydomain,dc=com</value>
            </option>
            <option>
              <name>roleCtxDN</name>
              <value>ou=Roles,o=portal,dc=mydomain,dc=com</value>
            </option>
          </option-group>
          <option-group>
            <group-name>userCreateAttibutes</group-name>
            <option>
              <name>objectClass</name>
              <!--These objectclasses should work with Red Hat Directory-->
              <value>top</value>
              <value>person</value>
              <value>inetOrgPerson</value>
            </option>
            <!--Schema requires those to have initial value-->
            <option>
              <name>cn</name>
              <value>none</value>
            </option>
            <option>
              <name>sn</name>
              <value>none</value>
            </option>
          </option-group>
          <option-group>
            <group-name>roleCreateAttibutes</group-name>
            <!--Schema requires those to have initial value-->
            <option>
              <name>cn</name>
              <value>none</value>
            </option>
            <!--Some directory servers require this attribute to be valid DN-->
            <!--For safety reasons point to the admin user here-->
            <option>
              <name>member</name>
              <value>uid=admin,ou=People,o=portal,dc=mydomain,dc=com</value>
            </option>
          </option-group>
        </options>
      </identity-configuration>
      [/CODE]
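      Before running ldapadd and restarting the portal it is worth checking that schema.ldif and ldap_identity-config.xml agree with each other, because the portal binds as adminDN and then searches under userCtxDN and roleCtxDN. The Python below is an added example, not part of the original post or of JBoss Portal: it reads a constructed LDIF in the layout of the schema file above together with the three option names the portal relies on, and reports an adminDN that has no entry (which makes both the ldapadd bind and the portal's bind fail), a role context not named Roles, role entries that are not groupOfNames or whose member DNs do not resolve to user entries, and user entries whose userPassword is not a hashed {scheme} value. The LDIF reader is deliberately minimal (comments, folded lines and base64 values only), the sample entries and the dangling member are constructed, and config_options flattens every option in the file so it does not matter which group an option sits in.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the layout of schema.ldif (not the post's file). It
# contains two defects the checker should catch: a cleartext userPassword
# and a role 'member' that points at a user entry which does not exist.
SAMPLE_LDIF = """\
dn: o=portal,dc=mydomain,dc=com
objectclass: organization
o: portal

dn: ou=People,o=portal,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: People

dn: uid=admin,ou=People,o=portal,dc=mydomain,dc=com
objectclass: inetOrgPerson
uid: admin
cn: Portal Administrator
userPassword: {SSHA}CONSTRUCTED-PLACEHOLDER

dn: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com
objectclass: inetOrgPerson
uid: jlopez
userPassword: cleartext-oops

dn: ou=Roles,o=portal,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: Roles

dn: cn=Admin,ou=Roles,o=portal,dc=mydomain,dc=com
objectClass: groupOfNames
cn: Admin
member: uid=admin,ou=People,o=portal,dc=mydomain,dc=com
member: uid=ghost,ou=People,o=portal,dc=mydomain,dc=com
"""

# Constructed: only the options the checker reads, in the identity-config layout.
SAMPLE_CONFIG = """\
<identity-configuration><options><option-group><group-name>common</group-name>
  <option><name>adminDN</name><value>uid=admin,ou=People,o=portal,dc=mydomain,dc=com</value></option>
  <option><name>userCtxDN</name><value>ou=People,o=portal,dc=mydomain,dc=com</value></option>
  <option><name>roleCtxDN</name><value>ou=Roles,o=portal,dc=mydomain,dc=com</value></option>
</option-group></options></identity-configuration>
"""

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attribute (lower-case): [values]}}."""
    unfolded = []
    for line in text.splitlines():          # join folded continuation lines
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded + [""]:            # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": norm_dn(value), "attrs": {}}
        elif current:
            current["attrs"].setdefault(name, []).append(value)
    return entries

def config_options(xml_text):
    """Flatten every <option><name>/<value> pair of the identity config into a dict."""
    root = ET.fromstring(xml_text)
    return {o.findtext("name"): o.findtext("value") for o in root.iter("option")}

def check_consistency(entries, opts):
    """Return the problems that would break the ldapadd bind or the portal's lookups."""
    problems = []
    admin, users, roles = (norm_dn(opts[k]) for k in ("adminDN", "userCtxDN", "roleCtxDN"))
    if admin not in entries:
        problems.append(f"adminDN {admin} has no entry: the bind will fail")
    for ctx in (users, roles):
        if ctx not in entries:
            problems.append(f"context {ctx} has no entry")
    if not roles.startswith("ou=roles,"):
        problems.append("roleCtxDN must be the organizational unit named 'Roles'")
    for dn, attrs in entries.items():
        parent = dn.partition(",")[2]
        if parent == users:                 # a user entry: insist on a hashed password
            if not attrs.get("userpassword", [""])[0].startswith("{"):
                problems.append(f"{dn}: userPassword is not a hashed value ({{SSHA}} expected)")
        elif parent == roles:               # a role entry: groupOfNames with resolvable members
            if "groupofnames" not in [oc.lower() for oc in attrs.get("objectclass", [])]:
                problems.append(f"{dn}: role entries must be groupOfNames")
            for m in attrs.get("member", []):
                if norm_dn(m) not in entries or norm_dn(m).partition(",")[2] != users:
                    problems.append(f"{dn}: member {m} is not a user under userCtxDN")
    return problems

if __name__ == "__main__":
    for p in check_consistency(parse_ldif(SAMPLE_LDIF), config_options(SAMPLE_CONFIG)):
        print("PROBLEM:", p)
```

      To use it against a real deployment, replace SAMPLE_LDIF with the contents of schema.ldif and SAMPLE_CONFIG with ldap_identity-config.xml; the adminDN check is the one that catches a bind DN that does not match the rootdn configured in slapd.conf.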
      



      Finally, we need to edit the jboss-service.xml file in $JBOSS_HOME/server/default/deploy/jboss-portal.sar/META-INF to point to the ldap_identity-config.xml we just created. Change the following line:
      conf/identity/identity-config.xml

      to
      conf/identity/ldap_identity-config.xml


      Restart the JBoss server and attempt to log in using the usernames / passwords that we created in the LDAP schema file.