GateIn with LDAP as a default user and group store

This tutorial describes how to configure LDAP as the default store for users and groups. All default accounts and some of the groups that come with GateIn will be created in LDAP. LDAP will be configured to store part of the GateIn group tree: groups under the specified part of the tree will be stored in the directory server, while all others will be stored in the database.

 

GateIn Portal comes with several example configuration files, which can be found in portal.war/WEB-INF/conf/organization/picketlink-idm/examples.


Quick Setup using OpenDS

 

  • Prepare an LDAP server following the instructions in "LDAP setup for local testing". It doesn't need to be populated: a present root DN is enough, as PicketLink IDM will create all missing entries in LDAP.
    • Download and unzip OpenDS
    • Run OpenDS/setup (setup --cli for commandline)
    • Use following values in the configuration:
      • root user DN: cn=Directory Manager
      • password: password
      • port: 1389
      • admin port: 4444
      • base DN: dc=example,dc=com
      • "Only create the base entry"
      • no SSO, no TLS
    • Start server: OpenDS/bin/start-ds
  • Download GateIn and unzip portal.war
    • For Tomcat, tomcat/webapps/portal.war should become the expanded directory tomcat/webapps/portal
    • For JBoss, jboss/server/default/deploy/gatein.ear/02portal.war should become an expanded archive
  • In portal.war edit WEB-INF/conf/organization/idm-configuration.xml and uncomment:
    • war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-config.xml (file attached)

      <component>
        <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
        <init-params>
          <value-param>
            <name>config</name>
            <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-config.xml</value>
          </value-param>
        </init-params>
      </component>

    • Following groupTypeMappings:

      <component>
          <key>org.exoplatform.services.organization.OrganizationService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
          <init-params>
            <object-param>
              <name>configuration</name>
              <object type="org.exoplatform.services.organization.idm.Config">
                ...
                <field name="groupTypeMappings">
                  <map type="java.util.HashMap">
                    <entry>
                      <key><string>/</string></key>
                      <value><string>root_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/platform/*</string></key>
                      <value><string>platform_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/organization/*</string></key>
                      <value><string>organization_type</string></value>
                    </entry>

                   ...

  • Start the server
  • Log into portal (http://localhost:8080/portal) user: root password: gtn

 

In LDAP you can see that:

  • ou=People,o=portal,o=gatein,dc=example,dc=com contains all portal users
  • ou=Platform,o=portal,o=gatein,dc=example,dc=com contains the portal groups stored under /platform. Those groups reference users through the "member" attribute.
  • ou=Organization,o=portal,o=gatein,dc=example,dc=com contains the portal groups stored under /organization. Those groups carry membership information (member attribute) that represents the GateIn group tree.

 

To use a different LDAP server setup or directory layout, edit the file /WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-config.xml and change the following values:

 

  • ctxDNs options values:
    • ou=People,o=portal,o=gatein,dc=example,dc=com
    • ou=Platform,o=portal,o=gatein,dc=example,dc=com
    • ou=Organization,o=portal,o=gatein,dc=example,dc=com
  • providerURL option value
    • ldap://localhost:1389
  • adminDN option value
    • cn=Directory Manager
  • adminPassword
    • password

 

For additional customizations, please read the PicketLink IDM Reference Guide and the dedicated chapter of the GateIn Reference Guide.

 

How does it work

 

  • The groupTypeMappings option defines that all groups under /platform are stored in PicketLink IDM with the group type name platform_type, and all groups under /organization with the group type name organization_type.
  • In the PicketLink IDM configuration file, the repository maps users and those two group types to the LDAP store; everything else falls back to the default store (HibernateStore, i.e. the database).

    <repository>
      <id>PortalRepository</id>
      <class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
      <external-config/>
      <default-identity-store-id>HibernateStore</default-identity-store-id>
      <default-attribute-store-id>HibernateStore</default-attribute-store-id>
      <identity-store-mappings>
        <identity-store-mapping>
          <identity-store-id>PortalLDAPStore</identity-store-id>
          <identity-object-types>
            <identity-object-type>USER</identity-object-type>
            <identity-object-type>platform_type</identity-object-type>
            <identity-object-type>organization_type</identity-object-type>
          </identity-object-types>
          <options>
          </options>
        </identity-store-mapping>
      </identity-store-mappings>
      <options>
        <option>
          <name>allowNotDefinedAttributes</name>
          <value>true</value>
        </option>
      </options>
    </repository>
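To see how the two mappings interact, here is an added example (not GateIn or PicketLink IDM code) that applies the groupTypeMappings from idm-configuration.xml and the identity-store-mappings from the repository element above to a handful of group paths, reporting which PicketLink IDM group type each group gets and whether it ends up in PortalLDAPStore or in the default HibernateStore. Knowing which branch of the group tree lives in which store is what you need when auditing where a given membership decision is actually backed. Assumptions: "/platform/*" matches every descendant of /platform (the tutorial's "all groups under /platform") but not the /platform group itself, and groups matching no key receive a default type named GTN_GROUP_TYPE here purely for illustration.

```python
"""Resolve, for each GateIn group path, the PicketLink IDM group type assigned by
groupTypeMappings and the identity store the repository routes that type to.

Added example, not GateIn or PicketLink IDM code. Assumed semantics: a '/x/*'
key matches every descendant of /x (not /x itself); unmatched paths get
DEFAULT_GROUP_TYPE, a name chosen here for illustration only.
"""
import xml.etree.ElementTree as ET

# The groupTypeMappings map from idm-configuration.xml, as a dict.
GROUP_TYPE_MAPPINGS = {
    "/": "root_type",
    "/platform/*": "platform_type",
    "/organization/*": "organization_type",
}
DEFAULT_GROUP_TYPE = "GTN_GROUP_TYPE"  # assumed name for groups matching no key

# The <repository> element of picketlink-idm-ldap-config.xml, constructed from
# the fragment shown in the tutorial (repository-level options trimmed).
REPOSITORY_XML = """\
<repository>
  <id>PortalRepository</id>
  <class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
  <external-config/>
  <default-identity-store-id>HibernateStore</default-identity-store-id>
  <default-attribute-store-id>HibernateStore</default-attribute-store-id>
  <identity-store-mappings>
    <identity-store-mapping>
      <identity-store-id>PortalLDAPStore</identity-store-id>
      <identity-object-types>
        <identity-object-type>USER</identity-object-type>
        <identity-object-type>platform_type</identity-object-type>
        <identity-object-type>organization_type</identity-object-type>
      </identity-object-types>
      <options/>
    </identity-store-mapping>
  </identity-store-mappings>
</repository>
"""


def group_type(path, mappings=GROUP_TYPE_MAPPINGS, default=DEFAULT_GROUP_TYPE):
    """Map a GateIn group path (e.g. /platform/administrators) to its group type.

    An exact key wins; otherwise the longest '/x/*' key whose prefix '/x/'
    starts the path wins; otherwise the default type applies.
    """
    if path in mappings:
        return mappings[path]
    best_prefix, best_type = "", default
    for key, gtype in mappings.items():
        if not key.endswith("/*"):
            continue
        prefix = key[:-1]  # '/platform/*' -> '/platform/'
        if path.startswith(prefix) and len(prefix) > len(best_prefix):
            best_prefix, best_type = prefix, gtype
    return best_type


def parse_store_routing(xml_text):
    """Return ({identity_object_type: store_id}, default_store_id) from a
    <repository> element of a PicketLink IDM configuration."""
    root = ET.fromstring(xml_text)
    default_store = root.findtext("default-identity-store-id")
    routing = {}
    for mapping in root.iter("identity-store-mapping"):
        store = mapping.findtext("identity-store-id")
        for obj_type in mapping.iter("identity-object-type"):
            routing[obj_type.text.strip()] = store
    return routing, default_store


def place_groups(paths, xml_text=REPOSITORY_XML):
    """Return {path: (group type, identity store)}; types with no explicit
    store mapping fall back to the repository's default store."""
    routing, default_store = parse_store_routing(xml_text)
    placed = {}
    for path in paths:
        gtype = group_type(path)
        placed[path] = (gtype, routing.get(gtype, default_store))
    return placed


if __name__ == "__main__":
    sample = ["/", "/platform/administrators",
              "/organization/management/executive-board", "/customers/acme"]
    for path, (gtype, store) in place_groups(sample).items():
        print(f"{path:45} {gtype:20} {store}")
```

Running the script shows that only the /platform and /organization branches land in PortalLDAPStore; the root group and any branch you add later (such as a hypothetical /customers tree) stay in the database unless you extend both groupTypeMappings and the identity-store-mapping.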


Active Directory configuration

 

The sample config file found in portal.war/WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml (or attached here) configures PicketLink IDM to use Active Directory to store GateIn users and groups. It uses an additional DN so that it does not conflict with existing directory content: o=gatein,dc=test,dc=domain

 

  • Prepare Active Directory server.
  • Download GateIn and unzip portal.war
    • For Tomcat, tomcat/webapps/portal.war should become the expanded directory tomcat/webapps/portal
    • For JBoss, jboss/server/default/deploy/gatein.ear/02portal.war should become an expanded archive
  • In portal.war edit WEB-INF/conf/organization/idm-configuration.xml and uncomment:
    • war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml (file attached)

      <component>
        <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
        <init-params>
          <value-param>
            <name>config</name>
            <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml</value>
          </value-param>
        </init-params>
      </component>

    • Following groupTypeMappings:

      <component>
          <key>org.exoplatform.services.organization.OrganizationService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
          <init-params>
            <object-param>
              <name>configuration</name>
              <object type="org.exoplatform.services.organization.idm.Config">
                ...
                <field name="groupTypeMappings">
                  <map type="java.util.HashMap">
                    <entry>
                      <key><string>/</string></key>
                      <value><string>root_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/platform/*</string></key>
                      <value><string>platform_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/organization/*</string></key>
                      <value><string>organization_type</string></value>
                    </entry>

                   ...

  • Prepare truststore file containing valid certificate for MSAD
    • keytool -import -file ldapcert.der -keystore ldap.truststore
  • Edit file portal.war/WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml and update the following values to the proper ones for your MSAD configuration:
    • ctxDNs option values, to carry the proper DN:
      • .......,DC=test,DC=domain (in three places)
    • providerURL option value
      • Must use an SSL connection (ldaps://xxx:636); otherwise password updates and entry creation will not work
    • customSystemProperties option, pointing to the file with the proper MSAD certificate (needed for the SSL connection to work). These are simply properties set at JVM level and can also be set in the server configuration with -D switches.
      • <value>javax.net.ssl.trustStore=/some/path/to/file/msad.truststore</value>
        <value>javax.net.ssl.trustStorePassword=password</value>
    • adminDN option value
      • TEST\Administrator
    • adminPassword
      • password
  • The default password used for GateIn users ("gtn") won't be accepted by the MSAD password policy, and initial data population will fail. Edit file portal.war/WEB-INF/conf/organization/organization-configuration.xml and change every occurrence of "<field  name="password"><string>gtn</string></field>" to something valid for the MSAD password policy. This one should work:
    • <field  name="password"><string>Password2000</string></field>
  • Start the server
  • Log into portal (http://localhost:8080/portal) user: root password: Password2000

 

At this point MSAD should be populated with the default GateIn users and with the groups from the /platform and /organization parts of the group tree.

 

How does it work

 

Exactly as in the OpenDS example above.


OpenLDAP

 

  • This tutorial assumes that OpenLDAP is installed and available with the connection details listed below.
    • rootDN: dc=my-domain,dc=com
    • admin user: cn=Manager,dc=my-domain,dc=com
    • admin password: secret
    • host: localhost
    • port: 1389
  • Populate the server with the "initial-openldap.ldif" file attached to this document. Modify the LDIF file if you have a different root suffix.
  • Download GateIn and unzip
  • With GateIn 3.0 Final attached file "picketlink-idm-openldap-config.xml" needs to be placed under "(gatein.ear)/portal.war/WEB-INF/conf/organization/picketlink-idm/examples/"
  • In portal.war (in JBoss under gatein.ear) edit WEB-INF/conf/organization/idm-configuration.xml and uncomment:
    • war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-config.xml (file attached)

      (for GateIn 3.0 you will need to create this value entry)
      <component>
        <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
        <init-params>
          <value-param>
            <name>config</name>
            <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-config.xml</value>
          </value-param>
        </init-params>
      </component>

    • Following groupTypeMappings:

      <component>
          <key>org.exoplatform.services.organization.OrganizationService</key>
          <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
          <init-params>
            <object-param>
              <name>configuration</name>
              <object type="org.exoplatform.services.organization.idm.Config">
                ...
                <field name="groupTypeMappings">
                  <map type="java.util.HashMap">
                    <entry>
                      <key><string>/</string></key>
                      <value><string>root_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/platform/*</string></key>
                      <value><string>platform_type</string></value>
                    </entry>
                    <entry>
                      <key><string>/organization/*</string></key>
                      <value><string>organization_type</string></value>
                    </entry>

                   ...

  • Start the server
  • Log into portal (http://localhost:8080/portal) user: root password: gtn

 

In LDAP you can see that:

  • ou=People,o=portal,o=gatein,dc=my-domain,dc=com contains all portal users
  • ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com contains the portal groups stored under /platform. Those groups reference users through the "member" attribute.
  • ou=Organization,o=portal,o=gatein,dc=my-domain,dc=com contains the portal groups stored under /organization. Those groups carry membership information (member attribute) that represents the GateIn group tree.

 

To use a different LDAP server setup or directory layout, edit the file /WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-config.xml and change the following values:

 

  • ctxDNs options values:
    • ou=People,o=portal,o=gatein,dc=my-domain,dc=com
    • ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
    • ou=Organization,o=portal,o=gatein,dc=my-domain,dc=com
  • providerURL option value
    • ldap://localhost:1389
  • adminDN option value
    • cn=Manager,dc=my-domain,dc=com
  • adminPassword
    • secret

 

For additional customizations, please read the PicketLink IDM Reference Guide and the dedicated chapter of the GateIn Reference Guide.

 

How does it work

 

In the same way as explained for OpenDS and MSAD. There are a few special configuration tweaks for OpenLDAP:

  • A special option disables use of the LDAP Sort control, as it is not supported by OpenLDAP:

    <option>
      <name>sortExtensionSupported</name>
      <value>false</value>
    </option>

  • OpenLDAP uses a strict, RFC-compliant schema in which the 'member' attribute is required by the 'groupOfNames' object class. This means that every entry of that objectClass needs at least one member assigned. PicketLink IDM works around this by adding a special "placeholder" entry that is ignored during relationship resolution:

 

    <option>
      <name>parentMembershipAttributePlaceholder</name>
      <value>ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com</value>
    </option>

    <option>
      <name>createEntryAttributeValues</name>
      <value>objectClass=top</value>
      <value>objectClass=groupOfNames</value>
      <value>member=ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com</value>
    </option>
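The following is an added example, not part of this tutorial or of PicketLink IDM, that ties together the directory layout described in the "In LDAP you can see that" sections and the OpenLDAP placeholder workaround above. It parses a constructed LDIF export of the o=portal,o=gatein subtree (uid=ghost and the group names other than administrators are invented, and child groups are placed flat under ou=Organization with the parent's member attribute expressing the tree), filters the placeholder DN out of member values the way relationship resolution does, resolves a group transitively to its users, and audits the groups for the things that go wrong in practice: a groupOfNames without any member (rejected by OpenLDAP's strict schema), a group whose only member is the placeholder (effectively empty), and member values that point at entries which no longer exist.

```python
"""Parse an LDIF export of the GateIn subtree and resolve group membership with the
OpenLDAP placeholder ignored. Added example; the LDIF is constructed (uid=ghost and
the group names are invented; child groups sit flat under ou=Organization)."""
from collections import defaultdict

PLACEHOLDER_DN = "ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com"
MANAGEMENT_DN = "cn=management,ou=Organization,o=portal,o=gatein,dc=my-domain,dc=com"
BOARD_DN = "cn=executive-board,ou=Organization,o=portal,o=gatein,dc=my-domain,dc=com"

SAMPLE_LDIF = """\
dn: uid=root,ou=People,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: inetOrgPerson
uid: root

dn: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: placeholder

dn: cn=administrators,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: groupOfNames
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
member: uid=root,ou=People,o=portal,o=gatein,dc=my-domain,dc=com

dn: cn=guests,ou=Platform,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: groupOfNames
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com

dn: cn=management,ou=Organization,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: groupOfNames
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
member: cn=executive-board,ou=Organization,o=portal,o=gatein,
 dc=my-domain,dc=com

dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=my-domain,dc=com
objectClass: groupOfNames
member: ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com
member: uid=root,ou=People,o=portal,o=gatein,dc=my-domain,dc=com
member: uid=ghost,ou=People,o=portal,o=gatein,dc=my-domain,dc=com
"""


def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}}; folds LDIF continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(attrs)
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def is_group(attrs):
    return "groupofnames" in {c.lower() for c in attrs.get("objectclass", [])}


def real_members(entries, group_dn, placeholder=PLACEHOLDER_DN):
    """'member' values minus the placeholder, as relationship resolution sees them."""
    return [m for m in entries[group_dn].get("member", []) if m.lower() != placeholder.lower()]


def users_of(entries, group_dn, placeholder=PLACEHOLDER_DN):
    """User DNs of a group, following member references into child groups."""
    users, seen, stack = [], set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen or dn not in entries:
            continue
        seen.add(dn)
        for m in real_members(entries, dn, placeholder):
            target = entries.get(m)
            if target is None:
                continue                  # dangling reference; audit_groups reports it
            (stack if is_group(target) else users).append(m)
    return sorted(set(users))


def audit_groups(entries, placeholder=PLACEHOLDER_DN):
    """Findings to review before relying on the directory for authorization."""
    findings = []
    for dn, attrs in entries.items():
        if not is_group(attrs):
            continue
        members = attrs.get("member", [])
        if not members:                   # OpenLDAP's strict schema rejects this
            findings.append(f"{dn}: groupOfNames without member (schema violation)")
        elif not real_members(entries, dn, placeholder):
            findings.append(f"{dn}: only the placeholder member (empty group)")
        findings += [f"{dn}: dangling member {m}" for m in members if m not in entries]
    return findings
```

Run it against a real export (ldapsearch -LLL output of the o=portal,o=gatein subtree, with the placeholder DN adjusted to your suffix) to spot empty groups and dangling memberships left behind by deleted users before they surprise you in the portal's permission checks.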