GateIn with LDAP in readonly mode

This tutorial describes how to add LDAP users and organizations to the GateIn portal. All default accounts and groups that come with GateIn will be created in the database. LDAP will be configured in read-only mode: users and groups are consumed from the directory server, while any new entries created through the portal UI are stored in the database.
GateIn Portal comes with several example configuration files that can be found in portal.war/WEB-INF/conf/organization/picketlink-idm/examples.


Quick Setup using OpenDS
  • Install and populate an LDAP server following the instructions in "LDAP setup for local testing" (and the ldif file attached there)
    • Download and unzip OpenDS
    • Run OpenDS/setup (setup --cli for commandline)
    • Use following values in the configuration:
      • root user DN: cn=Directory Manager
      • password: password
      • port: 1389
      • admin port: 4444
      • base DN: dc=example,dc=com
      • "Only create the base entry"
      • no SSO, no TLS
    • Start server: OpenDS/bin/start-ds
    • Import attached ldif: ./OpenDS/bin/ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password -a -f gatein-sample.ldif
  • Download GateIn and unzip portal.war
    • For Tomcat, tomcat/webapps/portal.war should become the expanded directory tomcat/webapps/portal
    • For JBoss, jboss/server/default/deploy/gatein.ear/02portal.war should become an expanded archive
  • In portal.war edit WEB-INF/conf/organization/idm-configuration.xml and uncomment:
    • war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml (file attached)

      <component>
        <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
        <init-params>
          <value-param>
            <name>config</name>
            <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml</value>

    • Following groupTypeMappings:

      <component>
        <key>org.exoplatform.services.organization.OrganizationService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
        <init-params>
          <object-param>
            <name>configuration</name>
            <object type="org.exoplatform.services.organization.idm.Config">
              ...
              <field name="groupTypeMappings">
                <map type="java.util.HashMap">
                  <entry>
                    <key><string>/</string></key>
                    <value><string>root_type</string></value>
                  </entry>
                  <entry>
                    <key><string>/acme/roles/*</string></key>
                    <value><string>acme_roles_type</string></value>
                  </entry>
                  <entry>
                    <key><string>/acme/organization_units/*</string></key>
                    <value><string>acme_ou_type</string></value>
                  </entry>

                  ...

  • Start the server
  • Log into portal (http://localhost:8080/portal) user: root password: gtn
  • Go into "Users and groups management" (http://localhost:8080/portal/private/classic/organization/management)
    • Under root create group "acme"
    • Create two subgroups under "acme" - "roles" and "organization_units"

At this point users defined in LDAP should be visible in "Users and groups management", and groups from LDAP should be present as children of /acme/roles and /acme/organization_units.

To use a different LDAP server setup or directory data, edit the file /WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml and change the following values:
  • ctxDNs option values:
    • ou=People,o=acme,dc=example,dc=com
    • ou=Roles,o=acme,dc=example,dc=com
    • ou=OrganizationUnits,o=acme,dc=example,dc=com
  • providerURL option value
    • ldap://localhost:1389
  • adminDN option value
    • cn=Directory Manager
  • adminPassword option value
    • password
For additional customizations, read the PicketLink IDM Reference Guide and the dedicated chapter of the GateIn Reference Guide.
How does it work
  • The groupTypeMappings option defines that all groups under /acme/roles are stored in PicketLink IDM with the group type name acme_roles_type, and groups under /acme/organization_units are stored in PicketLink IDM with the group type name acme_ou_type.
  • In the PicketLink IDM configuration file, the repository maps users and those two group types to be stored in LDAP. An additional option defines that nothing should be written there (except password updates).
    <repository>
      <id>PortalRepository</id>
      <class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
      <external-config/>
      <default-identity-store-id>HibernateStore</default-identity-store-id>
      <default-attribute-store-id>HibernateStore</default-attribute-store-id>
      <identity-store-mappings>
        <identity-store-mapping>
          <identity-store-id>PortalLDAPStore</identity-store-id>
          <identity-object-types>
            <identity-object-type>USER</identity-object-type>
            <identity-object-type>acme_roles_type</identity-object-type>
            <identity-object-type>acme_ou_type</identity-object-type>
          </identity-object-types>
          <options>
            <option>
              <name>readOnly</name>
              <value>true</value>
            </option>
          </options>
        </identity-store-mapping>
      </identity-store-mappings>
      <options>
        <option>
          <name>allowNotDefinedAttributes</name>
          <value>true</value>
        </option>
      </options>
    </repository>
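The two files edited above have to agree with each other: a group type named in groupTypeMappings that is not listed under the LDAP store's identity-object-types silently falls back to the default Hibernate (database) store, and a store mapping without readOnly=true lets the portal write into the directory. The following Python script, added here as an example and not GateIn or PicketLink IDM code, reads both fragments and reports which mapped group types LDAP serves, which stay in the database, and whether the LDAP store is read-only. The same check applies to the MSAD and OpenLDAP variants further down, which differ only in the mapped types and the store contents. Both XML strings are constructed fragments modelled on the snippets on this page; the extra /acme/teams/* mapping (deliberately left out of the LDAP store so the check has something to report) and the xmlns URI are assumptions made for this example.

```python
"""Cross-check GateIn's groupTypeMappings against the PicketLink IDM repository
configuration of a read-only LDAP store (added example, not GateIn/PicketLink code).
The two XML strings are constructed fragments modelled on the tutorial's snippets."""
import xml.etree.ElementTree as ET

# Constructed fragment of idm-configuration.xml. The "/acme/teams/*" mapping is
# deliberately absent from the LDAP store below, to show what the check reports.
IDM_CONFIGURATION = """<component>
  <key>org.exoplatform.services.organization.OrganizationService</key>
  <init-params>
    <object-param>
      <name>configuration</name>
      <object type="org.exoplatform.services.organization.idm.Config">
        <field name="groupTypeMappings">
          <map type="java.util.HashMap">
            <entry><key><string>/</string></key><value><string>root_type</string></value></entry>
            <entry><key><string>/acme/roles/*</string></key><value><string>acme_roles_type</string></value></entry>
            <entry><key><string>/acme/organization_units/*</string></key><value><string>acme_ou_type</string></value></entry>
            <entry><key><string>/acme/teams/*</string></key><value><string>acme_team_type</string></value></entry>
          </map>
        </field>
      </object>
    </object-param>
  </init-params>
</component>"""

# Constructed: the tutorial's <repository> element, carrying a default namespace
# like the PicketLink IDM config files do (the URI is an assumption).
PICKETLINK_CONFIG = """<repository xmlns="urn:picketlink:idm:config:v1_0_0">
  <id>PortalRepository</id>
  <default-identity-store-id>HibernateStore</default-identity-store-id>
  <identity-store-mappings>
    <identity-store-mapping>
      <identity-store-id>PortalLDAPStore</identity-store-id>
      <identity-object-types>
        <identity-object-type>USER</identity-object-type>
        <identity-object-type>acme_roles_type</identity-object-type>
        <identity-object-type>acme_ou_type</identity-object-type>
      </identity-object-types>
      <options>
        <option><name>readOnly</name><value>true</value></option>
      </options>
    </identity-store-mapping>
  </identity-store-mappings>
</repository>"""


def _local(tag):
    """Strip any '{namespace}' prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _find_all(elem, name):
    return [e for e in elem.iter() if e is not elem and _local(e.tag) == name]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def _string_value(entry, part):
    # <entry><key><string>..</string></key>...: text of the inner <string>
    return _find_all(_find_all(entry, part)[0], "string")[0].text.strip()

def group_type_mappings(idm_xml):
    """Return {group path pattern: group type} from the groupTypeMappings field."""
    mappings = {}
    for field in _find_all(ET.fromstring(idm_xml), "field"):
        if field.get("name") == "groupTypeMappings":
            for entry in _find_all(field, "entry"):
                mappings[_string_value(entry, "key")] = _string_value(entry, "value")
    return mappings

def store_mapping(picketlink_xml, store_id):
    """Return (identity object types, options) of one identity-store-mapping."""
    for mapping in _find_all(ET.fromstring(picketlink_xml), "identity-store-mapping"):
        if _child_text(mapping, "identity-store-id") == store_id:
            types = {t.text.strip() for t in _find_all(mapping, "identity-object-type")}
            options = {_child_text(o, "name"): _child_text(o, "value")
                       for o in _find_all(mapping, "option")}
            return types, options
    raise ValueError(f"no identity-store-mapping with id {store_id!r}")

def check_readonly_ldap(idm_xml, picketlink_xml, store_id="PortalLDAPStore"):
    """Split the mapped group types into those LDAP serves and those that fall
    back to the default (database) store, and confirm the LDAP store is read-only."""
    types, options = store_mapping(picketlink_xml, store_id)
    served, fallback = {}, {}
    for path, group_type in group_type_mappings(idm_xml).items():
        (served if group_type in types else fallback)[path] = group_type
    return {
        "users_in_ldap": "USER" in types,
        "read_only": options.get("readOnly") == "true",
        "served_by_ldap": served,
        "stored_in_database": fallback,
    }

if __name__ == "__main__":
    for key, value in check_readonly_ldap(IDM_CONFIGURATION, PICKETLINK_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the real files by replacing the two constants with the contents of idm-configuration.xml and the chosen picketlink-idm-*-config.xml; the root_type entry landing in "stored_in_database" is expected (that is where the "acme" group created through the UI lives), whereas any other mapping listed there means groups under that path will be created in the database rather than read from the directory.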


Active Directory configuration
The sample config file found in portal.war/WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml (or attached here) configures PicketLink IDM to use the default Active Directory shape. The portal should be able to consume users and groups present in MSAD on a clean installation of Windows 2008 Server (both stored under the DN CN=Users,...). With some customization it can be adapted to different organization structures.
  • Prepare Active Directory server.
  • Download GateIn and unzip portal.war
    • For Tomcat, tomcat/webapps/portal.war should become the expanded directory tomcat/webapps/portal
    • For JBoss, jboss/server/default/deploy/gatein.ear/02portal.war should become an expanded archive
  • In portal.war edit WEB-INF/conf/organization/idm-configuration.xml and uncomment:
    • war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml (file attached)

      <component>
        <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
        <init-params>
          <value-param>
            <name>config</name>
            <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml</value>

    • Following groupTypeMappings:

      <component>
        <key>org.exoplatform.services.organization.OrganizationService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
        <init-params>
          <object-param>
            <name>configuration</name>
            <object type="org.exoplatform.services.organization.idm.Config">
              ...
              <field name="groupTypeMappings">
                <map type="java.util.HashMap">
                  <entry>
                    <key><string>/</string></key>
                    <value><string>root_type</string></value>
                  </entry>
                  <entry>
                    <key><string>/acme/roles/*</string></key>
                    <value><string>msad_roles_type</string></value>
                  </entry>

                  ...

  • Edit the file portal.war/WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml and update the following values to the proper ones for your MSAD configuration:
    • ctxDNs option value:
      • CN=Users,DC=test,DC=domain (in two places)
    • providerURL option value
      • Should use an SSL connection (ldaps://xxx:636) if password update or entry creation is expected to work
    • adminDN option value
      • TEST\Administrator
    • customSystemProperties option, if an SSL connection is configured
    • adminPassword option value
      • password
  • Start the server
  • Log into portal (http://localhost:8080/portal) user: root password: gtn
  • Go into "Users and groups management" (http://localhost:8080/portal/private/classic/organization/management)
    • Under root create group "acme"
    • Create subgroup under "acme" - "roles"

At this point users defined in MSAD should be visible in "Users and groups management", and groups from LDAP should be present as children of /acme/roles and /acme/organization_units.

How does it work
Exactly the same as in the OpenDS example above. The only difference is that the configuration maps only one group type and points to the same place (container) in LDAP for both users and the mapped group type.
OpenLDAP

  • This tutorial assumes that OpenLDAP is installed and available with the connection details listed below.
    • rootDN: dc=my-domain,dc=com
    • admin user: cn=Manager,dc=my-domain,dc=com
    • admin password: secret
    • host: localhost
    • port: 1389
  • Populate the server with the "initial-openldap.ldif" file attached to this document. Modify the ldif file if your root suffix differs.
  • Download GateIn and unzip it
  • With GateIn 3.0 Final, the attached file "picketlink-idm-openldap-acme-config.xml" needs to be placed under "(gatein.ear)/portal.war/WEB-INF/conf/organization/picketlink-idm/examples/"
  • In portal.war edit WEB-INF/conf/organization/idm-configuration.xml and uncomment:
    • war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-acme-config.xml (file attached)
      (for GateIn 3.0 you will need to create this value entry)
      <component>
        <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
        <init-params>
          <value-param>
            <name>config</name>
            <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-acme-config.xml</value>

    • Following groupTypeMappings:

      <component>
        <key>org.exoplatform.services.organization.OrganizationService</key>
        <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
        <init-params>
          <object-param>
            <name>configuration</name>
            <object type="org.exoplatform.services.organization.idm.Config">
              ...
              <field name="groupTypeMappings">
                <map type="java.util.HashMap">
                  <entry>
                    <key><string>/</string></key>
                    <value><string>root_type</string></value>
                  </entry>
                  <entry>
                    <key><string>/acme/roles/*</string></key>
                    <value><string>acme_roles_type</string></value>
                  </entry>
                  <entry>
                    <key><string>/acme/organization_units/*</string></key>
                    <value><string>acme_ou_type</string></value>
                  </entry>

                  ...

  • Start the server
  • Log into portal (http://localhost:8080/portal) user: root password: gtn
  • Go into "Users and groups management" (http://localhost:8080/portal/private/classic/organization/management)
    • Under root create group "acme"
    • Create two subgroups under "acme" - "roles" and "organization_units"

At this point users defined in LDAP should be visible in "Users and groups management", and groups from LDAP should be present as children of /acme/roles and /acme/organization_units.

To use a different LDAP server setup or directory data, edit the file /WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-acme-config.xml and change the following values:
  • ctxDNs option values:
    • ou=People,o=acme,dc=my-domain,dc=com
    • ou=Roles,o=acme,dc=my-domain,dc=com
    • ou=OrganizationUnits,o=acme,dc=my-domain,dc=com
  • providerURL option value
    • ldap://localhost:1389
  • adminDN option value
    • cn=Manager,dc=my-domain,dc=com
  • adminPassword option value
    • secret
For additional customizations, read the PicketLink IDM Reference Guide and the dedicated chapter of the GateIn Reference Guide.
How does it work
In the same way as explained for OpenDS and MSAD. There are a few special configuration tweaks for OpenLDAP:
  • A special option disables the use of the LDAP Sort control, as it is not supported by OpenLDAP:

    <option>
      <name>sortExtensionSupported</name>
      <value>false</value>
    </option>

  • OpenLDAP uses a strict, RFC-compliant schema in which the 'member' attribute is required by the 'groupOfNames' object class. This means that every entry of that objectClass needs to have at least one member assigned. PicketLink IDM works around this by adding a special "placeholder" entry that is ignored during relationship resolution. These options are only needed if the configuration is changed to not use read-only mode:
    <option>
      <name>parentMembershipAttributePlaceholder</name>
      <value>ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com</value>
    </option>

    <option>
      <name>createEntryAttributeValues</name>
      <value>objectClass=top</value>
      <value>objectClass=groupOfNames</value>
      <value>member=ou=placeholder,o=portal,o=gatein,dc=my-domain,dc=com</value>
    </option>


Authentication
Even though users from LDAP are visible in the portal UI, additional steps are needed to enable them to sign in to the portal. The easiest way is to make them members of the "/platform/users" group. Enabling authentication of users belonging to different groups is discussed in the GateIn Identity and Security FAQ (Question 3).