0 Replies Latest reply on Nov 16, 2007 3:49 PM by Jeremiah Lopez

    Instructions for setting up OpenLDAP and JBoss Portal Server

    Jeremiah Lopez Newbie

      The following provides instructions on how to set up JBoss Portal server v. 2.6.2 to authenticate against OpenLDAP v. 2.4.6. This is a work in progress so please email me if you find any errors or issues with it.

      Thanks,
      Jeremiah


      Install OpenLDAP from http://www.openldap.org/software/download/
      slapd.conf in the LDAP installation should be configured according to your environment. At a minimum, make sure the following entries appear in slapd.conf:

      include /usr/local/etc/openldap/schema/core.schema
      include /usr/local/etc/openldap/schema/cosine.schema
      include /usr/local/etc/openldap/schema/inetorgperson.schema
      include /usr/local/etc/openldap/schema/misc.schema
      include /usr/local/etc/openldap/schema/nis.schema
      include /usr/local/etc/openldap/schema/openldap.schema


      At the bottom of the file, edit the file to your environment:
      database bdb
      suffix "o=portal,dc=mydomain,dc=com"
      rootdn "uid=admin,ou=People,o=portal,dc=mydomain,dc=com"
      # Cleartext passwords, especially for the rootdn, should
      # be avoid. See slappasswd(8) and slapd.conf(5) for details.
      # Use of strong authentication encouraged.
      rootpw {SSHA}ENCRYPTED PASSWORD HIDDEN
      # The database directory MUST exist prior to running slapd AND
      # should only be accessible by the slapd and slap tools.
      # Mode 700 recommended.
      directory /usr/local/var/openldap-data
      # Indices to maintain
      index objectClass eq
      

      Note that the root password is encrypted. This is achieved by running 'slappasswd -s <password we want to encrypt>'. In the LDAP schema file below, the encrypted passwords were produced in a similar manner.

      Once OpenLDAP is installed, the slapd daemon may be started by executing the following:
      sudo <path>/slapd

      "path" represents the directory that slapd is located in. On my machine is was installed at /usr/local/libexec, but your environment may be different.
      Install JBoss Portal server from http://labs.jboss.com/jbossportal/download/index.html
      Create an ldap schema definition file that we will use to authenticate against. Here is an example:

      [CODE]
      # Define the top-level object.
      dn: o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: organization
      o: portal

      # Define the organizational unit will contain any portal users.
      dn: ou=People,o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: organizationalUnit
      ou: People

      # Define an administrator for the system.
      dn: uid=admin,ou=People,o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: inetOrgPerson
      objectclass: person
      uid: admin
      cn: Portal Administrator
      sn: Administrator
      userPassword: HIDDEN
      mail: admin@mydomain.com

      # Define another user.
      dn: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: inetOrgPerson
      objectclass: person
      uid: jlopez
      cn: jlopez
      sn: Lopez
      userPassword: HIDDEN
      mail: jlopez@mydomain.com

      # .... other users can be added in a similar manner or through the user management portlet.

      # Define the 'Roles' organizational unit. This is required to be named 'Roles'.
      dn: ou=Roles,o=portal,dc=mydomain,dc=com
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles

      # Define an Admin role.
      dn: cn=Admin,ou=Roles,o=portal,dc=mydomain,dc=com
      objectClass: top
      objectClass: groupOfNames
      cn: Admin
      description: Portal admin role
      member: uid=admin,ou=People,o=portal,dc=mydomain,dc=com

      # Define a User role.
      dn: cn=User,ou=Roles,o=portal,dc=mydomain,dc=com
      objectClass: top
      objectClass: groupOfNames
      cn: User
      description: Portal user role
      member: uid=jlopez,ou=People,o=portal,dc=mydomain,dc=com

      [CODE]

      Save this file as schema.ldif.
      Verify that slapd is running (ps -ef | grep slapd) and load the schema we created into the server:
      ldapadd -x -D "cn=admin,dc=mydomain,dc=com" -W -f schema.ldif

      A file needs to be created on the JBoss server that specifies how LDAP lookups should be done. This file is not included in a binary install, so you will need to create the following file in the following directory ($JBOSS_HOME/server/default/deploy/jboss-portal.sar/conf/identity) and call it ldap_identity-config.xml. This file should edited to your specific environment.
      <?xml version="1.0" encoding="UTF-8"?>
       <!--<!DOCTYPE identity-configuration PUBLIC
       "-//JBoss Portal//DTD JBoss Identity Configuration 1.0//EN"
       "http://www.jboss.org/portal/dtd/identity-config_1_0.dtd">-->
      
      <identity-configuration>
       <datasources>
       <datasource>
       <name>LDAP</name>
       <config>
       <option>
       <name>host</name>
       <value>localhost</value>
       </option>
       <option>
       <name>port</name>
       <value>389</value>
       </option>
       <option>
       <name>adminDN</name>
       <value>uid=admin,ou=People,o=portal,dc=mydomain,dc=com</value>
       </option>
       <option>
       <name>adminPassword</name>
       <value>HIDDEN</value>
       </option>
       <!--<option>
       <name>protocol</name>
       <value>ssl</value>
       </option>-->
       </config>
       </datasource>
       </datasources>
       <modules>
       <module>
       <!--type used to correctly map in IdentityContext registry-->
       <type>User</type>
       <implementation>LDAP</implementation>
       <config/>
       </module>
       <module>
       <type>Role</type>
       <implementation>LDAP</implementation>
       <config/>
       </module>
       <module>
       <type>Membership</type>
       <implementation>LDAP</implementation>
       <config/>
       </module>
       <module>
       <type>UserProfile</type>
       <implementation>DELEGATING</implementation>
       <config>
       <option>
       <name>ldapModuleJNDIName</name>
       <value>java:/portal/LDAPUserProfileModule</value>
       </option>
       </config>
       </module>
       <module>
       <type>DBDelegateUserProfile</type>
       <implementation>DB</implementation>
       <config>
       <option>
       <name>randomSynchronizePassword</name>
       <value>true</value>
       </option>
       </config>
       </module>
       <module>
       <type>LDAPDelegateUserProfile</type>
       <implementation>LDAP</implementation>
       <config/>
       </module>
       </modules>
      
       <options>
       <option-group>
       <group-name>common</group-name>
       <option>
       <name>userCtxDN</name>
       <value>ou=People,o=portal,dc=mydomain,dc=com</value>
       </option>
       <option>
       <name>roleCtxDN</name>
       <value>ou=Roles,o=portal,dc=mydomain,dc=com</value>
       </option>
       </option-group>
       <option-group>
       <group-name>userCreateAttibutes</group-name>
       <option>
       <name>objectClass</name>
       <!--This objectclasses should work with Red Hat Directory-->
       <value>top</value>
       <value>person</value>
       <value>inetOrgPerson</value>
       </option>
       <!--Schema requires those to have initial value-->
       <option>
       <name>cn</name>
       <value>none</value>
       </option>
       <option>
       <name>sn</name>
       <value>none</value>
       </option>
       </option-group>
       <option-group>
       <group-name>roleCreateAttibutes</group-name>
       <!--Schema requires those to have initial value-->
       <option>
       <name>cn</name>
       <value>none</value>
       </option>
       <!--Some directory servers require this attribute to be valid DN-->
       <!--For safety reasons point to the admin user here-->
       <option>
       <name>member</name>
       <value>uid=admin,ou=People,o=portal,dc=mydomain,dc=com</value>
       </option>
       </option-group>
       </options>
      </identity-configuration>
      



      Finally, we need to edit the jboss-service.xml file in $JBOSS_HOME/server/default/deploy/jboss-portal.sar/META-INF to point to the ldap_identity-config.xml we just created. Change the following line:
      conf/identity/identity-config.xml

      to
      conf/identity/ldap_identity-config.xml


      Restart the JBoss server and attempt to login using the username / passwords that we created in the LDAP schema file.