0 Replies Latest reply on Jul 18, 2014 11:09 AM by juro kunec

    Mapping LDAP Groups with picketlink(GateIn 3.6)

    juro kunec Newbie

      Hey

      I am struggling with mapping between my OpenLDAP and picketlink in gatein 3.6. I checked all tutorials that I found on the internet

      GateIn with LDAP as a default user and group store

      http://docs.exoplatform.com/public/index.jsp?topic=%2FPLF41%2FPLFAdminGuide.LDAP.html

      LDAP integration - GateIn Portal 3.8 - Project Documentation Editor

       

      I can get working mapping users from ldap to platform(gatein) but if I map the groups from ldap to platform. I cant get access for the users, who are in these groups

      my output in browser

      screen.gif

      but if I uncomment these parts,where I map the groups in idm-configuration.xml and picketlink-idm-ldap-config.xml. excatly how it is done in tutorials

       

      idm-configuration.xml

       

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!--
      
      
          Copyright (C) 2009 eXo Platform SAS.
          
          This is free software; you can redistribute it and/or modify it
          under the terms of the GNU Lesser General Public License as
          published by the Free Software Foundation; either version 2.1 of
          the License, or (at your option) any later version.
          
          This software is distributed in the hope that it will be useful,
          but WITHOUT ANY WARRANTY; without even the implied warranty of
          MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
          Lesser General Public License for more details.
          
          You should have received a copy of the GNU Lesser General Public
          License along with this software; if not, write to the Free
          Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
          02110-1301 USA, or see the FSF site: http://www.fsf.org.
      
      
      -->
      
      
      <configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"
                     xmlns="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd">
      
      
      
      
        <component>
          <key>org.exoplatform.services.organization.idm.PicketLinkIDMCacheService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMCacheService</type>
        </component>
      
      
        <component>
          <key>org.gatein.common.transaction.JTAUserTransactionLifecycleService</key>
          <type>org.gatein.common.transaction.JTAUserTransactionLifecycleServiceImpl</type>
        </component>
      
      
        <component>
          <key>org.exoplatform.services.database.HibernateService</key>
          <jmx-name>database:type=HibernateService</jmx-name>
          <type>org.exoplatform.services.organization.idm.CustomHibernateServiceImpl</type>
          <init-params>
            <properties-param>
              <name>hibernate.properties</name>
              <description>Default Hibernate Service</description>
              <property name="hibernate.hbm2ddl.auto" value="update"/>
              <property name="hibernate.show_sql" value="false"/>
              <property name="hibernate.connection.datasource" value="${gatein.idm.datasource.name}${container.name.suffix}"/>
              <property name="hibernate.connection.autocommit" value="false"/>
      
      
              <!-- Non-JTA setup -->
              <property name="hibernate.current_session_context_class" value="thread"/>
      
      
              <!-- JTA setup -->
              <!--<property name="hibernate.current_session_context_class" value="jta"/>
           <property name="hibernate.transaction.factory_class" value="org.hibernate.transaction.JTATransactionFactory" />
           <property name="hibernate.transaction.jta.platform" value="org.exoplatform.services.organization.idm.UserTransactionJtaPlatform" />-->
      
      
              <property name="hibernate.cache.use_second_level_cache" value="false"/>
              <property name="hibernate.cache.use_query_cache" value="false"/>
              <!-- Uncomment for enable 2nd level cache based on Infinispan -->
              <!--<property name="hibernate.cache.region.factory_class" value="org.jboss.as.jpa.hibernate4.infinispan.InfinispanRegionFactory" />-->
              <!-- Uncomment to enable cache statistics for infinispan />-->
              <!--<property name="hibernate.cache.infinispan.statistics" value="true" />-->
              <!-- Uncomment to use custom infinispan configuration file instead of the default bundled in hibernate-infinispan jar -->
              <!--<property name="hibernate.cache.infinispan.cfg" value="/home/infinispan/cacheprovider-configs.xml"/>-->
      
      
              <!--
                Should be automatically detected. Force otherwise
                 <property name="hibernate.dialect" value="org.hibernate.dialect.XXXDialect"/>
              -->
              <property name="hibernate.listeners.envers.autoRegister" value="false"/>
            </properties-param>
          </init-params>
        </component>
      
      
        <component>
          <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
          <init-params>
            <value-param>
              <name>config</name>
      <!--         <value>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</value> -->
      
      
              <!--Sample LDAP config-->
              <value>file:${jboss.server.config.dir}/allianz/projectsuite/picketlink-idm-ldap-config.xml</value>
      
      
              <!--Read Only "ACME" LDAP Example-->
              <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml</value>-->
      
      
              <!--OpenLDAP LDAP config-->
              <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-config.xml</value>-->
      
      
              <!--OpenLDAP ReadOnly "ACME" LDAP Example-->
              <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-acme-config.xml</value>-->
      
      
              <!--MSAD LDAP Example-->
              <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml</value>-->
      
      
              <!--MSAD Read Only "ACME" LDAP Example-->
              <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml</value>-->
      
      
            </value-param>
      
      
            <!-- In default PicketLink IDM configuration hibernate store will namespace identity objects using this realm name
                 if you want to share DB between portal and also share the same identity data remove the "${container.name.suffix}" part-->
            <value-param>
              <name>portalRealm</name>
              <value>idm_realm${container.name.suffix}</value>
            </value-param>
      
      
            <value-param>
              <name>apiCacheConfig</name>
              <value>war:/conf/organization/picketlink-idm/infinispan.xml</value>
            </value-param>
      
      
            <value-param profiles="cluster">
              <name>apiCacheConfig</name>
              <value>war:/conf/organization/picketlink-idm/infinispan-cluster.xml</value>
            </value-param>
      
      
            <value-param>
              <name>storeCacheConfig</name>
              <value>war:/conf/organization/picketlink-idm/infinispan.xml</value>
            </value-param>
      
      
            <value-param profiles="cluster">
              <name>storeCacheConfig</name>
              <value>war:/conf/organization/picketlink-idm/infinispan-cluster.xml</value>
            </value-param>
      
      
            <value-param>
              <name>skipExpirationOfStructureCacheEntries</name>
              <value>true</value>
            </value-param>
      
      
            <value-param>
              <name>useSecureRandomService</name>
              <value>true</value>
            </value-param>
      
      
          </init-params>
        </component>
      
      
      
      
        <component>
          <key>org.exoplatform.services.organization.OrganizationService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
          <init-params>
            <object-param>
              <name>configuration</name>
              <object type="org.exoplatform.services.organization.idm.Config">
                <!-- For all ids not mapped with type in 'groupTypeMappings' use parent id path
                     as a group type to store group in PicketLink IDM. The effect of setting
                     this option to false and not providing any mappings under 'groupTypeMappings' option
                     is that there can be only one group with a given name in all GateIn group tree-->
                <field name="useParentIdAsGroupType">
                  <boolean>true</boolean>
                </field>
                <!-- Group stored in PicketLink IDM with a type mapped in 'groupTypeMappings' will
                     automatically be member under mapped parent. Normally groups are linked by
                     PicketLink IDM group association - such relationship won't be needed then. It can
                     be set to false if all groups are added via GateIn APIs
                     This option may be useful with LDAP config as it will make (if set to true) every entry
                     added to LDAP (not via GateIn management UI) appear in GateIn-->
                <field name="forceMembershipOfMappedTypes">
                  <boolean>true</boolean>
                </field>
                <!-- When 'userParentIdAsGroupType is set to true this value will be used to
                     replace all "/" chars in id. This is because "/" is not allowed to be
                     used in group type name in PicketLink IDM-->
                <field name="pathSeparator">
                  <string>.</string>
                </field>
                <!-- Name of a group stored in PicketLink IDM that acts as root group in GateIn - "/" -->
                <field name="rootGroupName">
                  <string>GTN_ROOT_GROUP</string>
                </field>
                <!-- Map groups added with GateIn API as a childs of a given group ID to be stored with a given
                     group type name in PicketLink IDM. If parent ID ends with "/*" then all child groups will
                     have the mapped group type. Otherwise only direct (first level) children will use this type.
      
      
                     This can be leveraged by LDAP setup. Given LDAP DN configured in PicketLink IDM to
                     store specific group type will then store one given branch in GateIn group tree while
                     all other groups will remain in DB. -->
                <field name="groupTypeMappings">
                  <map type="java.util.HashMap">
                    <entry>
                      <key>
                        <string>/groups/*</string>
                      </key>
                      <value>
         <string>group_type</string>
        </value>
                    </entry>
      
      
                    <!-- Uncomment for sample LDAP configuration -->
      
      
      <!--               <entry> -->
      <!--                 <key><string>/platform/*</string></key> -->
      <!--                 <value><string>platform_type</string></value> -->
      <!--               </entry> -->
      <!--               <entry> -->
      <!--                 <key><string>/organization/*</string></key> -->
      <!--                 <value><string>organization_type</string></value> -->
      <!--               </entry> -->
                    
      
      
      
      
                    <!-- Uncomment for ACME LDAP example -->
                    <!--
                    <entry>
                      <key><string>/acme/roles/*</string></key>
                      <value><string>acme_roles_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/acme/organization_units/*</string></key>
                      <value><string>acme_ou_type</string></value>
                    </entry>
                    -->
      
      
                    <!-- Uncomment for MSAD ReadOnly LDAP example -->
                    <!--
                    <entry>
                      <key><string>/acme/roles/*</string></key>
                      <value><string>msad_roles_type</string></value>
                    </entry>
                    -->
                  </map>
                </field>
                <!-- If this option is used then each Membership created with MembrshipType that is
                     equal to value specified here will be stored in PicketLink IDM as simple
                     Group-User association-->
                <field name="associationMembershipType">
                  <string>member</string>
                </field>
                <!-- if "associationMembershipType" option is used and this option is set to true
                      then Membership with MembershipType configured to be stored as PicketLink IDM association
                      will not be stored as PicketLink IDM Role in case that they are in groups from this parameter.
                      For RW LDAP setup, it's recommended to map all groups mapped to LDAP (all those from parameter groupTypeMappings)
                      However for DB only and/or Read-only LDAP, it's recommended to not map anything here -->
                <field name="ignoreMappedMembershipTypeGroupList">
                  <collection type="java.util.ArrayList" item-type="java.lang.String">
                    <!-- Uncomment for sample LDAP config -->
                    <value>
                      <string>/groups/*</string>
                    </value>
                  </collection>
                </field>
      
      
                <!-- If 'true' will use JTA UserTransaction. If 'false' will use IDM transaction API -->
                <field name="useJTA">
                  <boolean>false</boolean>
                </field>
      
      
                <!-- If PLIDM group will have name containing slash "/" char than it will be replace with following string.
                     Slashes are used in group paths and if present in names may cause unpredictable behaviour -->
                <field name="slashReplacement">
                  <string>@_@_@</string>
                </field>
      
      
                <!-- If groups should be displayed in a sorted order in the management UI-->
                <field name="sortGroups">
                  <boolean>true</boolean>
                </field>
      
      
                <!-- If memberships should be displayed in a sorted order in the management UI-->
                <field name="sortMemberships">
                  <boolean>true</boolean>
                </field>
      
      
                <!-- For some LDAP configurations where part of users can duplicate in both DB and LDAP
                     it is not possible to count user efficiently for paginated query. Only way is to download
                     whole content of LDAP server and exclude duplicates manually to return accurate user count.
                     When this option is set to false GateIn will rely on user count information returned from PLIDM
                     which can return greater number of users then in real non duplicated count for perf reasons..
                     Those users will be filtered before returning search page however to not return nulls last entry
                     can be duplicated in returned user list.
                     If this value is set to true GateIn will perform whole non paginated query and filter it after.
                     It will result in more accurate results and paginated list size info however can affect performance
                     If you have DB only setup, it's recommended to switch this option to false. This will help to have better performance.
                     If you have DB+LDAP setup, it's recommended to switch this option to true, otherwise you can have inaccurate results -->
                <field name="countPaginatedUsers">
                  <boolean>true</boolean>
                </field>
      
      
                <!-- For DB+LDAP it is not possible to efficiently perform paginated membership query. Only way is to download
                     all memberships from LDAP server and all memberships from DB and merge them together.
                     When this option is set to false GateIn will rely on membership count information returned from PLIDM
                     and it will use paginated membership queries based on this. This is better for performance but for DB+LDAP the
                     memberships pagination may not behave correctly.
                     If this value is set to true GateIn will perform whole non paginated query to obtain all memberships and filter it after.
                     It will result in more accurate results however can affect performance.
                     If you have DB only setup, it's recommended to switch this option to false. This will help to have better performance.
                     If you have DB+LDAP setup, it's recommended to switch this option to true, otherwise you can have inaccurate results -->
                <field name="skipPaginationInMembershipQuery">
                  <boolean>true</boolean>
                </field>
      
      
                <!-- If true, the property lastLoginTime of user will be updated after successful authentication of this user to portal.
                     If false, the property won't be updated, which could have performance improvement in systems with many concurrent user logins -->
                <field name="updateLastLoginTimeAfterAuthentication">
                  <boolean>false</boolean>
                </field>
      
      
              </object>
            </object-param>
          </init-params>
        </component>
      
      
        <external-component-plugins>
          <target-component>org.exoplatform.services.naming.InitialContextInitializer</target-component>
          <component-plugin>
            <name>bind.datasource</name>
            <set-method>addPlugin</set-method>
            <type>org.exoplatform.services.naming.BindReferencePlugin</type>
            <init-params>
              <value-param>
                <name>bind-name</name>
                <value>${gatein.idm.datasource.name}${container.name.suffix}</value>
              </value-param>
              <value-param>
                <name>class-name</name>
                <value>javax.sql.DataSource</value>
              </value-param>
              <value-param>
                <name>factory</name>
                <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
              </value-param>
              <properties-param>
                <name>ref-addresses</name>
                <description>ref-addresses</description>
                <property name="driverClassName" value="${portal.container.gatein.idm.datasource.driver}"/>
                <property name="url" value="${portal.container.gatein.idm.datasource.url}"/>
                <property name="username" value="${portal.container.gatein.idm.datasource.username}"/>
                <property name="password" value="${portal.container.gatein.idm.datasource.password}"/>
      
      
              </properties-param>
            </init-params>
          </component-plugin>
        </external-component-plugins>
      
      
        <external-component-plugins>
          <target-component>org.exoplatform.services.database.HibernateService</target-component>
          <component-plugin>
            <name>add.hibernate.mapping</name>
            <set-method>addPlugin</set-method>
            <type>org.exoplatform.services.database.impl.AddHibernateMappingPlugin</type>
            <init-params>
              <values-param>
                <name>hibernate.mapping</name>
                <value>picketlink-idm/mappings/HibernateRealm.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectCredentialBinaryValue.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectAttributeBinaryValue.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObject.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectCredential.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectCredentialType.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectAttribute.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectType.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectRelationship.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectRelationshipType.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectRelationshipName.hbm.xml</value>
              </values-param>
              <values-param profiles="sybase">
                <name>hibernate.mapping</name>
                <value>picketlink-idm/sybase-mappings/HibernateRealm.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectCredentialBinaryValue.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectAttributeBinaryValue.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObject.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectCredential.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectCredentialType.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectAttribute.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectType.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectRelationship.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectRelationshipType.hbm.xml</value>
                <value>picketlink-idm/sybase-mappings/HibernateIdentityObjectRelationshipName.hbm.xml</value>
              </values-param>
            </init-params>
          </component-plugin>
        </external-component-plugins>
      
      
      </configuration>
      

       

      picketlink-idm-ldap-config.xml

       

      <?xml version="1.0" encoding="UTF-8"?>
      <!-- Copyright (C) 2009 eXo Platform SAS. This is free software; you can redistribute it and/or modify it under the terms 
        of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, 
        or (at your option) any later version. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; 
        without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public 
        License for more details. You should have received a copy of the GNU Lesser General Public License along with this software; 
        if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF 
        site: http://www.fsf.org. -->
      
      
      <jboss-identity xmlns="urn:picketlink:idm:config:v1_0_0_ga" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:picketlink:idm:config:v1_0_0_ga identity-config.xsd">
        <realms>
        <realm>
        <id>idm_realm_sample-portal</id>
        <repository-id-ref>DefaultPortalRepository</repository-id-ref>
        <identity-type-mappings>
        <user-mapping>USER</user-mapping>
        </identity-type-mappings>
        <options>
        <option>
        <name>cache.providerRegistryName</name>
        <value>apiCacheProvider</value>
        </option>
        <option>
        <name>credentialEncoder.class</name>
        <value>org.picketlink.idm.impl.credential.DatabaseReadingSaltEncoder</value>
        </option>
        <option>
        <name>credentialEncoder.hashAlgorithm</name>
        <value>SHA-256</value>
        </option>
        </options>
        </realm>
        <realm>
        <id>idm_realm</id>
        <repository-id-ref>PortalRepository</repository-id-ref>
        <identity-type-mappings>
        <user-mapping>USER</user-mapping>
        </identity-type-mappings>
        <options>
        <option>
        <name>template</name>
        <value>true</value>
        </option>
        <option>
        <name>cache.providerRegistryName</name>
        <value>apiCacheProvider</value>
        </option>
        <option>
        <name>credentialEncoder.class</name>
        <value>org.picketlink.idm.impl.credential.DatabaseReadingSaltEncoder</value>
        </option>
        <option>
        <name>credentialEncoder.hashAlgorithm</name>
        <value>SHA-256</value>
        </option>
        <option>
        <name>credentialEncoder.secureRandomAlgorithm</name>
        <value>SHA1PRNG</value>
        </option>
        </options>
        </realm>
        </realms>
        <repositories>
        <repository>
        <id>PortalRepository</id>
        <class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
        <external-config />
        <default-identity-store-id>HibernateStore</default-identity-store-id>
        <default-attribute-store-id>HibernateStore</default-attribute-store-id>
        <identity-store-mappings>
        <identity-store-mapping>
        <identity-store-id>PortalLDAPStore</identity-store-id>
        <identity-object-types>
        <identity-object-type>USER</identity-object-type>
        <identity-store-type>group_type</identity-store-type>
        </identity-object-types>
        <options />
        </identity-store-mapping>
        </identity-store-mappings>
        <options>
        <option>
        <name>allowNotDefinedAttributes</name>
        <value>true</value>
        </option>
        </options>
        </repository>
        <repository>
        <id>DefaultPortalRepository</id>
        <class>org.picketlink.idm.impl.repository.WrapperIdentityStoreRepository</class>
        <external-config />
        <default-identity-store-id>HibernateStore</default-identity-store-id>
        <default-attribute-store-id>HibernateStore</default-attribute-store-id>
        <!-- <identity-store-mappings> -->
        <!-- <identity-store-mapping> -->
        <!-- <identity-store-id>HibernateStore</identity-store-id> -->
        <!-- <identity-object-types> -->
        <!-- <identity-object-type>platform_type</identity-object-type> -->
        <!-- <identity-object-type>organization_type</identity-object-type> -->
        <!-- </identity-object-types> -->
        <!-- <options /> -->
        <!-- </identity-store-mapping> -->
        <!-- </identity-store-mappings> -->
        </repository>
        </repositories>
        <stores>
        <attribute-stores />
        <identity-stores>
        <identity-store>
        <id>HibernateStore</id>
        <class>org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl</class>
        <external-config />
        <supported-relationship-types>
        <relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
        <relationship-type>JBOSS_IDENTITY_ROLE</relationship-type>
        </supported-relationship-types>
        <supported-identity-object-types>
        <identity-object-type>
        <name>USER</name>
        <relationships />
        <credentials>
        <credential-type>PASSWORD</credential-type>
        </credentials>
        <attributes />
        <options />
        </identity-object-type>
        </supported-identity-object-types>
        <options>
        <option>
        <name>hibernateSessionFactoryRegistryName</name>
        <value>hibernateSessionFactory</value>
        </option>
        <option>
        <name>populateRelationshipTypes</name>
        <value>true</value>
        </option>
        <option>
        <name>populateIdentityObjectTypes</name>
        <value>true</value>
        </option>
        <option>
        <name>allowNotDefinedIdentityObjectTypes</name>
        <value>true</value>
        </option>
        <option>
        <name>allowNotDefinedAttributes</name>
        <value>true</value>
        </option>
        <option>
        <name>allowNotCaseSensitiveSearch</name>
        <value>true</value>
        </option>
        <option>
        <name>isRealmAware</name>
        <value>true</value>
        </option>
        <option>
        <name>lazyStartOfHibernateTransaction</name>
        <value>true</value>
        </option>
        </options>
        </identity-store>
        <identity-store>
        <id>PortalLDAPStore</id>
        <class>org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl</class>
        <external-config />
        <supported-relationship-types>
        <relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
        </supported-relationship-types>
        <supported-identity-object-types>
        <identity-object-type>
        <name>USER</name>
        <relationships />
        <credentials>
        <credential-type>PASSWORD</credential-type>
        </credentials>
        <attributes>
        <attribute>
        <name>firstName</name>
        <mapping>cn</mapping>
        <type>text</type>
        <isRequired>false</isRequired>
        <isMultivalued>false</isMultivalued>
        <isReadOnly>false</isReadOnly>
        </attribute>
        <attribute>
        <name>lastName</name>
        <mapping>sn</mapping>
        <type>text</type>
        <isRequired>false</isRequired>
        <isMultivalued>false</isMultivalued>
        <isReadOnly>false</isReadOnly>
        </attribute>
        <attribute>
        <name>email</name>
        <mapping>mail</mapping>
        <type>text</type>
        <isRequired>false</isRequired>
        <isMultivalued>false</isMultivalued>
        <isReadOnly>false</isReadOnly>
        <isUnique>false</isUnique>
        </attribute>
        </attributes>
        <options>
        <option>
        <name>idAttributeName</name>
        <value>cn</value>
        </option>
        <option>
        <name>passwordAttributeName</name>
        <value>userPassword</value>
        </option>
        <option>
        <name>ctxDNs</name>
        <value>ou=People,dc=maxcrc,dc=com</value>
        </option>
        <option>
        <name>allowCreateEntry</name>
        <value>true</value>
        </option>
        <option> 
        <name>createEntryAttributeValues</name> 
        <value>objectClass=Top</value> 
        <value>objectClass=Person</value> 
        <value>objectClass=organizationalPerson</value> 
        <value>objectClass=inetOrgPerson</value> 
        <!--value>objectClass=alatWebPortal</value--> 
        <value>sn= </value> 
        <value>cn= </value> 
        </option>
        </options>
        </identity-object-type>
        <identity-object-type>
        <name>group_type</name>
        <relationships>
        <relationship>
        <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
        <identity-object-type-ref>USER</identity-object-type-ref>
        </relationship>
        <relationship>
        <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
        <identity-object-type-ref>group_type</identity-object-type-ref>
        </relationship>
        </relationships>
        <credentials/>
        <attributes/>
        <options>
        <option>
        <name>idAttributeName</name>
        <value>cn</value>
        </option>
        <option>
        <name>passwordAttributeName</name>
        <value>userPassword</value>
        </option>
        <option>
        <name>ctxDNs</name>
        <value>ou=Groups,dc=maxcrc,dc=com</value>
        </option>
        <option>
        <name>parentMembershipAttributeName</name>
        <value>member</value>
        </option>
        <option>
        <name>isParentMembershipAttributeDN</name>
        <value>true</value>
        </option>
        </options>
        </identity-object-type>
        </supported-identity-object-types>
        <options>
        <option>
        <name>providerURL</name>
        <value>ldap://127.0.0.1:389</value>
        </option>
        <option>
        <name>adminDN</name>
        <value>cn=Manager,dc=maxcrc,dc=com</value>
        </option>
        <!--option> <name>adminPath</name> <value>ou=WEB,o=CORE</value> </option -->
        <option>
        <name>adminPassword</name>
        <value>secret</value>
        </option>
        <option>
        <name>searchTimeLimit</name>
        <value>60000</value>
        </option>
        <option>
        <name>createMissingContexts</name>
        <value>false</value>
        </option>
        <option>
        <name>customJNDIConnectionParameters</name>
        <value>com.sun.jndi.ldap.connect.pool=true</value>
        </option>
        <option>
        <name>customSystemProperties</name>
        <value>com.sun.jndi.ldap.connect.pool.maxsize=300000</value>
        <value>com.sun.jndi.ldap.connect.pool.protocol=plain ssl</value>
        </option>
        <option>
        <name>cache.providerRegistryName</name>
        <value>storeCacheProvider</value>
        </option>
        <option>
        <name>allowNotCaseSensitiveSearch</name>
        <value>true</value>
        </option>
        </options>
        </identity-store>
        </identity-stores>
        </stores>
        <options>
        <option>
        <name>defaultTemplate</name>
        <value>idm_realm</value>
        </option>
        </options>
      </jboss-identity>
      

       

      My OpenLDAP entry

       

      version: 1
      
      
      dn: dc=maxcrc,dc=com
      objectClass: top
      objectClass: domain
      dc: maxcrc
      
      
      dn: ou=Groups,dc=maxcrc,dc=com
      objectClass: top
      objectClass: organizationalUnit
      ou: Groups
      
      
      dn: cn=Man,ou=Groups,dc=maxcrc,dc=com
      objectClass: top
      objectClass: groupOfNames
      cn: Man
      member: cn=user1
      
      
      dn: cn=Woman,ou=Groups,dc=maxcrc,dc=com
      objectClass: top
      objectClass: groupOfNames
      cn: Woman
      member: cn=user2
      
      
      dn: ou=People,dc=maxcrc,dc=com
      objectClass: organizationalUnit
      objectClass: top
      ou: People
      description: Container for user entries
      
      
      dn: cn=user1,ou=People,dc=maxcrc,dc=com
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      cn: user1
      sn: Mustemann
      mail: mustermann@gmail.com
      userPassword:: dGVzdA==
      
      
      dn: cn=user2,ou=People,dc=maxcrc,dc=com
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      cn: user2
      sn: Musterfrau
      mail: musterfrau@gmail.com
      userPassword:: dGVzdA==
      
      

       

      My goal is to read groups from ldap via API. I dont know how i can use Organization API. for example GroupHandler oder UserHandler with Picketlink IDM. I wanna to enable some portlets just for some groups of users.