
    Automatically put users from LDAP into /plateform/users?

    philippelr

      Hello,

       

      I've read a lot of material on getting rid of the 403 error after successfully logging in to GateIn, but since I don't have roles in my LDAP directory, I can't use that approach.

       

      I would like to add all LDAP users to the "/platform/users" group so that they are automatically granted the right to access everything.

       

      How could I do that? (I am using GateIn 3.0)

       

       

      Here is my current idm-configuration.xml file:

       

       

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!--
       
          Copyright (C) 2009 eXo Platform SAS.
          
          This is free software; you can redistribute it and/or modify it
          under the terms of the GNU Lesser General Public License as
          published by the Free Software Foundation; either version 2.1 of
          the License, or (at your option) any later version.
          
          This software is distributed in the hope that it will be useful,
          but WITHOUT ANY WARRANTY; without even the implied warranty of
          MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
          Lesser General Public License for more details.
          
          You should have received a copy of the GNU Lesser General Public
          License along with this software; if not, write to the Free
          Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
          02110-1301 USA, or see the FSF site: http://www.fsf.org.
       
      -->
       
      <!-- eXo kernel configuration wiring GateIn's OrganizationService to PicketLink IDM:
           the Hibernate service and the datasource it uses, the PicketLink IDM identity-store
           configuration file to load, and the mapping of GateIn group paths onto PicketLink IDM
           group types. -->
      <configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_1.xsd http://www.exoplaform.org/xml/ns/kernel_1_1.xsd"
                     xmlns="http://www.exoplaform.org/xml/ns/kernel_1_1.xsd">
       
       
        <!-- PicketLink IDM cache service, registered under its own class name as key. -->
        <component>
          <key>org.exoplatform.services.organization.idm.PicketLinkIDMCacheService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMCacheService</type>
        </component>
       
        <!-- Hibernate service backing the PicketLink IDM database store. The connection comes from
             the datasource named by gatein.idm.datasource.name (bound to the naming context by the
             BindReferencePlugin further down), so no database credentials appear in this section. -->
        <component>
          <key>org.exoplatform.services.database.HibernateService</key>
          <jmx-name>database:type=HibernateService</jmx-name>
          <type>org.exoplatform.services.database.impl.HibernateServiceImpl</type>
          <init-params>
            <properties-param>
              <name>hibernate.properties</name>
              <description>Default Hibernate Service</description>
              <property name="hibernate.show_sql" value="false"/>
              <property name="hibernate.current_session_context_class" value="thread"/>
              <property name="hibernate.cache.use_second_level_cache" value="true"/>
              <property name="hibernate.cache.use_query_cache" value="true"/>
              <!--CHANGEME HashtableCacheProvider shold not be used in production env-->
              <property name="hibernate.cache.provider_class" value="org.hibernate.cache.HashtableCacheProvider"/>
              <property name="hibernate.connection.datasource" value="${gatein.idm.datasource.name}${container.name.suffix}"/>
              <property name="hibernate.connection.autocommit" value="true"/>
              <!--
                   Should be automatically detected. Force otherwise 
              <property name="hibernate.dialect" value="org.hibernate.dialect.XXXDialect"/>
               -->
            </properties-param>
          </init-params>
        </component>
       
        <!-- Loads the PicketLink IDM identity-store configuration. Exactly one 'config' value is
             active (the MSAD read-only LDAP example); the other candidates are kept commented out
             as alternatives. -->
        <component>
          <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
          <init-params>
            <value-param>
              <name>config</name>
              <!--<value>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</value>-->
       
              <!--Sample LDAP config-->
              <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-config.xml</value>-->
       
              <!--ACME LDAP Example-->
              <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml</value>-->
       
              <!--MSAD LDAP Example-->
              <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml</value>-->
       
              <!--MSAD Read Only LDAP Example-->
             <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml</value>
              
            </value-param>
       
            <!-- In default PicketLink IDM configuration hibernate store will namespace identity objects using this realm name
                 if you want to share DB between portal and also share the same identity data remove the "${container.name.suffix}" part-->
            <value-param>
              <name>portalRealm</name>
              <value>idm_realm${container.name.suffix}</value>
            </value-param>
       
            <!-- Cache configuration; the 'cluster' profile overrides it with the clustered variant below. -->
            <value-param>
              <name>cacheConfig</name>
              <value>war:/conf/organization/picketlink-idm/jboss-cache.xml</value>
            </value-param>
            
            <value-param profiles="cluster">
              <name>cacheConfig</name>
              <value>war:/conf/organization/picketlink-idm/jboss-cache-cluster.xml</value>
            </value-param>
       
          </init-params>
        </component>
       
       
        <!-- GateIn OrganizationService implemented on top of PicketLink IDM. The 'configuration'
             object below controls how GateIn group paths are mapped to PicketLink IDM group types
             and how memberships are stored. -->
        <component>
          <key>org.exoplatform.services.organization.OrganizationService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
          <init-params>
            <object-param>
              <name>configuration</name>
              <object type="org.exoplatform.services.organization.idm.Config">
                <!-- For all ids not mapped with type in 'groupTypeMappings' use parent id path
                     as a group type to store group in PicketLink IDM. The effect of setting
                     this option to false and not providing any mappings under 'groupTypeMappings' option
                     is that there can be only one group with a given name in all GateIn group tree-->
                <field name="useParentIdAsGroupType">
                  <boolean>true</boolean>
                </field>
                <!-- Group stored in PicketLink IDM with a type mapped in 'groupTypeMappings' will
                     automatically be member under mapped parent. Normally groups are linked by
                     PicketLink IDM group association - such relationship won't be needed then. It can
                     be set to false if all groups are added via GateIn APIs
                     This option may be useful with LDAP config as it will make (if set to true) every entry
                     added to LDAP (not via GateIn management UI) appear in GateIn-->
                <field name="forceMembershipOfMappedTypes">
                  <boolean>true</boolean>
                </field>
                <!-- When 'userParentIdAsGroupType is set to true this value will be used to
                     replace all "/" chars in id. This is because "/" is not allowed to be
                     used in group type name in PicketLink IDM-->
                <field name="pathSeparator">
                  <string>.</string>
                </field>
                <!-- Name of a group stored in PicketLink IDM that acts as root group in GateIn - "/" -->
                <field name="rootGroupName">
                  <string>GTN_ROOT_GROUP</string>
                </field>
                <!-- Map groups added with GateIn API as a childs of a given group ID to be stored with a given
                     group type name in PicketLink IDM. If parent ID ends with "/*" then all child groups will
                     have the mapped group type. Otherwise only direct (first level) children will use this type.
       
                     This can be leveraged by LDAP setup. Given LDAP DN configured in PicketLink IDM to
                     store specific group type will then store one given branch in GateIn group tree while
                     all other groups will remain in DB. -->
                <field name="groupTypeMappings">
                  <map type="java.util.HashMap">
                    <entry>
                      <key><string>/</string></key>
                      <value><string>root_type</string></value>
                    </entry>
       
                    <!-- Uncomment for sample LDAP configuration -->
                    <!--
                    <entry>
                      <key><string>/platform/*</string></key>
                      <value><string>platform_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/organization/*</string></key>
                      <value><string>organization_type</string></value>
                    </entry>
                    -->
       
       
                    <!-- Uncomment for ACME LDAP example -->
                    <!--
                    <entry>
                      <key><string>/acme/roles/*</string></key>
                      <value><string>acme_roles_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/acme/organization_units/*</string></key>
                      <value><string>acme_ou_type</string></value>
                    </entry>
                    -->
       
                    <!-- Uncomment for MSAD ReadOnly LDAP example -->
                    
                    <!-- Active mapping: every group under /platform is stored with group type "users",
                         matching the MSAD read-only example selected as 'config' above. -->
                    <entry>
                      <key><string>/platform/*</string></key>
                      <value><string>users</string></value>
                    </entry>
                    
                  </map>
                </field>
                <!-- If this option is used then each Membership created with MembrshipType that is
                     equal to value specified here will be stored in PicketLink IDM as simple
                     Group-User association-->
                <field name="associationMembershipType">
                  <string>member</string>
                </field>
                <!-- if "associationMembershipType" option is used and this option is set to true
                      then Membership with MembershipType configured to be stored as PicketLink IDM association
                      will not be stored as PicketLink IDM Role -->
                <field name="ignoreMappedMembershipType">
                  <boolean>false</boolean>
                </field>
                <!-- If 'true' will use JTA UserTransaction. If 'false' will use IDM transaction API -->
                <field name="useJTA">
                  <boolean>false</boolean>
                </field>
              </object>
            </object-param>
          </init-params>
        </component>
       
        <!-- Binds the IDM datasource into the naming context under the same name the Hibernate
             service above looks up. Driver, URL, username and password are injected from
             container properties rather than written here; the property source that supplies
             them (outside this file) holds the database password and should be protected
             accordingly. -->
        <external-component-plugins>
          <target-component>org.exoplatform.services.naming.InitialContextInitializer</target-component>
          <component-plugin>
            <name>bind.datasource</name>
            <set-method>addPlugin</set-method>
            <type>org.exoplatform.services.naming.BindReferencePlugin</type>
            <init-params>
              <value-param>
                <name>bind-name</name>
                <value>${gatein.idm.datasource.name}${container.name.suffix}</value>
              </value-param>
              <value-param>
                <name>class-name</name>
                <value>javax.sql.DataSource</value>
              </value-param>
              <value-param>
                <name>factory</name>
                <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
              </value-param>
              <properties-param>
                <name>ref-addresses</name>
                <description>ref-addresses</description>
                <property name="driverClassName" value="${portal.container.gatein.idm.datasource.driver}"/>
                <property name="url" value="${portal.container.gatein.idm.datasource.url}"/>
                <property name="username" value="${portal.container.gatein.idm.datasource.username}"/>
                <property name="password" value="${portal.container.gatein.idm.datasource.password}"/>
       
              </properties-param>
            </init-params>
          </component-plugin>
        </external-component-plugins>
       
        <!-- Registers the PicketLink IDM Hibernate mapping files with the Hibernate service above. -->
        <external-component-plugins>
          <target-component>org.exoplatform.services.database.HibernateService</target-component>
          <component-plugin>
            <name>add.hibernate.mapping</name>
            <set-method>addPlugin</set-method>
            <type>org.exoplatform.services.database.impl.AddHibernateMappingPlugin</type>
            <init-params>
              <values-param>
                <name>hibernate.mapping</name>
                <value>picketlink-idm/mappings/HibernateRealm.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectCredentialBinaryValue.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectAttributeBinaryValue.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObject.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectCredential.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectCredentialType.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectAttribute.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectType.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectRelationship.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectRelationshipType.hbm.xml</value>
                <value>picketlink-idm/mappings/HibernateIdentityObjectRelationshipName.hbm.xml</value>
              </values-param>
            </init-params>
          </component-plugin>
        </external-component-plugins>
       
      </configuration>
       
      
      
      

       

       

      Thank you in advance... GateIn currently works with my "strangely" designed LDAP directory, so I want to keep using it...
