ConfigurePortalForMicrosoftActiveDirectory

This page describes how to configure the JBoss Portal to authenticate and authorise against Microsoft Active Directory LDAP server (AD). The non-AD specific part below is kept very brief, if you have problems with it, consult this blog entry for more details on how to install JBoss and build the portal from source.

 

This configuration uses LDAPExtUserModule, this means there is no write-back from to portal to your AD. The advantage is better filter support.

 

Basic installation:

  1. Install JBoss non-installer version and set JBOSS_HOME to where you installed it

  2. Check out the portal (adjust tag to latest version or head):

    svn co http://anonsvn.jboss.org/repos/portal/tags/JBoss_Portal_2_6_1/ jboss-portal-2.6

     

  3. compile the portal (this will take a while): build/build.sh

  4. deploy the portal: build/build.sh deploy (to just deploy the bare portal) or deploy-all (to deploy admin interface, examples, ...)

  5. build the datasource descriptor: core/build.sh datasource

  6. copy the datasource descriptor: cp core/output/resources/setup/portal-hsqldb-ds.xml $JBOSS_HOME/server/default/deploy/

 

Now for the AD-specific part:

  1. enable ldap configuration: in $JBOSS_HOME/server/default/deploy/jboss-portal.sar/META-INF/jboss-service.xml, change this line

 

     

<attribute name="ConfigFile">conf/identity/identity-config.xml</attribute>

 

  to

 

     

<attribute name="ConfigFile">conf/identity/ldap_identity-config.xml</attribute>

 

jboss-portal.sar is zipped, so you may need to open it with an appropriate program.

  • configure for your AD: in $JBOSS_HOME/server/default/deploy/jboss-portal.sar/conf/identity/ldap_identity-config.xml, adjust:

  1. host (hostname or IP of your AD server)

  2. port (389)

  3. adminDN (domain\user)

  4. adminPassword

  • Adjust the following entries in the modules section, leave the others as they are:

      <module>
         <!--type used to correctly map in IdentityContext registry-->
         <type>User</type>
         <implementation>LDAP</implementation>
         <class>org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl</class>
         <config></config>
      </module>
      <module>
         <type>Role</type>
         <implementation>LDAP</implementation>
         <class>org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl</class>
         <config></config>
      </module>
      <module>
         <type>Membership</type>
         <implementation>LDAP</implementation>
         <class>org.jboss.portal.identity.ldap.LDAPStaticGroupMembershipModuleImpl</class>
         <config></config>
      </module>
  • Delete the options section and add this instead, adjusting for your directory (where it says ou= and dc=):

   <options>
      <option-group>
         <group-name>common</group-name>
         <option>
            <name>userCtxDN</name>
           <value>ou=unit2,ou=unit1,dc=domain,dc=com</value>
         </option>
         <option>
            <name>uidAttributeID</name>
            <value>sAMAccountName</value>
         </option>
         <option>
            <name>userSearchFilter</name>
            <value><![CDATA[(&(sAMAccountName={0})(objectClass=User))\]\]\></value>
         </option>

         <option>
            <name>roleCtxDN</name>
            <value><![CDATA[ou=unit3,ou=unit1,dc=domain,dc=com\]\]\></value>
         </option>
         <option>
            <name>roleSearchFilter</name>
            <value><![CDATA[(&((CN={0})(objectClass=group)))\]\]\></value>
         </option>
         <option>
            <name>searchScope</name>
            <value>SUBTREE_SCOPE</value>
         </option>
      </option-group>
   </options>
  • To find out how to give admin privileges to one of your existing LDAP roles, see here

  • As of beginning of August 2007, if the DN of a user contains a comma (as in Lastname, Firstname), no roles for that user are found. This is investigated in JBPORTAL-1592. UPDATE: this issue has been resolved in JBoss_Portal_Branch_2_6_0.