7 Replies Latest reply on Aug 12, 2012 4:14 AM by antoine_h

    picketlink-idm

    mzorai

      Hello,

       

      I have a question about picketlink idm:

      I want to store users and groups in the LDAP server and conserve roles in the data base, knowing that the actual behavior stores only users in the LDAP server.

      i made this modicfication: modify this :

      <identity-store-id>HibernateStore</identity-store-id>  by this:

      <identity-store-id>PortalLDAPStore</identity-store-id>

      But it does not lead to the wanted result.

      Any suggestions?

       

      Cordially,

      Meriem.

        • 1. Re: picketlink-idm
          vrockai

          Hi,

           

          Did you see this doc?

          https://community.jboss.org/wiki/GateInWithLDAPAsADefaultUserAndGroupStore

           

          I believe it has contains resolution to your issue.

          • 2. Re: picketlink-idm
            mzorai

            Hello,

            Thanks for the reply.

            Yes we followed this documentaion but without results.

            I attach you my configuration file picketlink-idm-ldap-config.xml

            • 3. Re: picketlink-idm
              vrockai

              can you please also attach your WEB-INF/conf/organization/idm-configuration.xml ?

              • 4. Re: picketlink-idm
                mzorai

                Hello,

                file attached

                • 5. Re: picketlink-idm
                  vrockai

                  in idm-configuration.xml just uncomment part entitled with comment "<!-- Uncomment for sample LDAP configuration -->"

                  • 6. Re: picketlink-idm
                    hoang_to

                    @mzoral:

                     

                    If you could not manage to fix your problem, i suggest you to ask this guy https://community.jboss.org/people/bdaw

                    • 7. Re: picketlink-idm
                      antoine_h

                      Hi,

                       

                      I am not sure to understand :

                      I want to store users and groups in the LDAP server and conserve roles in the data base, knowing that the actual behavior stores only users in the LDAP server.

                      Groups and "roles" are the same... so what do you meand by "groups in LDAP" and "roles in data base ?

                       

                      Also : what do you mean by : "the actual behavior stores only users in the LDAP server" ?

                      which "actual behavior", ... do you mean the one you see in your system, the one that is supposed to be configured, as a customization, etc ???

                       

                      Could you, please, provide more specific and detailled description of what you want to do ?

                       

                      *************

                      There is a mechanism, yet programmed, in the Users and Groups manangement, in GateIn, relying on PicketLink, that allows to have the Users and Groups in the LDAP, but have the Users infos (the User Profile) that is store separately, in the database.

                       

                      There is also one, that stores the Users in the LDAP, and if they cannot, they are stored in the database (for the use case of a legacy LDAP, that would be in read only, and then allow to add some new user, using the database store).

                       

                      These are pre coded, and can be set with the configuration (in the files for setting the Organization Service, and relying on the Hibernate and LDAP provider services).

                      Look at the files, there are some comments on the properties that should be changed, to have these specific behaviours.

                       

                      So, you may look at how all this is working, to adapt your custom way for storing the Users and the Groups.

                       

                      *************

                      You will have to see, and adapt (code some new specific implementation), in the OrganizationService, and specifically in the UserHandler, and the GroupHandler.

                       

                      Look at the miscellaneous implementation of these interface, that are yet provided with GateIn.

                      They all give you peaces of code that you will need :

                      - to store in the LDAP, with the LDAP implementation

                      -  to store in the database, with the Hibernate or Jdbc implementation

                      - to dispatch the users in one store, and the group in the other, ... with the sample of code doing the "multi store for the User and User Profile".

                       

                      *************

                      More specific infos about how to do it :

                      • rewrite one OrganizationService implementation, using the piece of code from the one for LDAP, and the one from DataBase store.
                      • for this, look at the provided implementation (for LDAP, for Database, etc...) and take advantage of these pieces of code to build your implementation.
                      • make a mix inside your MyCustomOrganizationServiceImpl :

                            - the UserHandler is instanciated with the UserHandler implemenation with LDAP

                            - the GroupHandler is instanciated with the GroupHandler implemenation with DataSource

                      • Adapt the MyCustomOrganizationServiceImpl so it can receive both the configuration for the LDAP and the configuration for the DataSource
                      • Provide the proper configuration elements, to the UserHandler and GroupHandler

                       

                      The easy part : this is just some kind of rearranging the objects (pieces of code), with cooking a nice mix and setting your own configuration files, calling your own components.

                       

                      The not easy part :

                      • this cooking mix requires some time to code and make your configuration file. I would say 2 to 4 days, depending if you are quick with all these GateIn and PicketLink java api, and coding, and depending on how familiar you are with all this configuration stuff.
                      • this will require some tuning and testing, to make it run properly. This may take some time. I recommend a step by step approach,... making sure that things works at each step, before to go to the next.

                       

                      Globally, it could be done in 1 or 2 days, max, if everything goes directly fine.

                       

                      *************

                      Note : the User and Groups are not tightly related, so you can split the storage of each. I mean : there is no database relation between these to object.

                      Same : the UserHandler and GroupHandler API is nicely done, and allow to play with this kind of "storage mix". I mean : by experience of these User and Group integration with LDAP and GateIn, you should not come accross a blocking problem (nor a "cannot do it".

                       

                      Hope it helps,

                      Antoine

                      Consultant JBoss AS7, J2EE, JBoss Portal and GateIn (JSR-286), JSF, Richfaces, Drools, BRMS.