Dear Wiki user, You have subscribed to a wiki page or wiki category on "Portals Wiki" for change notification.
The "Jetspeed2/LDAP-howto" page has been changed by Dupont: http://wiki.apache.org/portals/Jetspeed2/LDAP-howto?action=diff&rev1=5&rev2=6 1. Create a simple ldap configuration from the demo 1. Setup a ldap server (using apacheDS) - ---------------------------------------------------------- + + 1. Create a simple ldap configuration from the demo + + ---------- STEP 1: Setup a LDAP server. - - Install Apache Directory Studio. (Play around with this to get to know the + - Install Apache Directory Studio. (Play around with this to get to know the user interface) Once you know. - user interface) - Once you know. + - Create any LDAP server - prefer 1.5.5+. right click & open configuration on the newly create LDAP server. click on partition tab -> click add. ID: (must be same as you saw in jetspeed.properties) sevenSeas Suffix: o=sevenSeas. (CTRL-S to save) Start up the server. - - Create any LDAP server - prefer 1.5.5+. - right click & open configuration on the newly create LDAP server. - click on partition tab -> click add. - ID: (must be same as you saw in jetspeed.properties) sevenSeas - Suffix: o=sevenSeas. (CTRL-S to save) Start up the server. + - Make connection with LDAP server using (connection Tab in Apache Directory Studio) hostname: localhost port:10389 click on next: Bind DN: uid=admin,ou=system bindpassword: secret. (finish) open connection. - - Make connection with LDAP server using (connection Tab in Apache Directory - Studio) - hostname: localhost - port:10389 - click on next: Bind DN: uid=admin,ou=system - bindpassword: secret. (finish) - open connection. - ---------------------------------------------------------- + ---------- STEP 2: Installing Jetspeed demo + Jetspeed-2.2.2 (Demo or Minimal) either one. Apache Directory Studio 2.0 (this allow you to have apacheDS 1.5.3 up to 2.0) which is good for different test setup. + + ---------- - Jetspeed-2.2.2 (Demo or Minimal) either one. 
- Apache Directory Studio 2.0 (this allow you to have apacheDS 1.5.3 up to - 2.0) which is good for different test setup. - ---------------------------------------------------------- STEP 3: Setup jetspeed ldap mode + To configure Jetspeed-2.2.2 to work with LDAP - open spring-filter-key.properties (webapps/jetspeed/WEB-INF/conf) and change: spring.filter.key=portal to spring.filter.key=portal.ldap. (this will make jetspeed connect to LDAP). + + ---------- - To configure Jetspeed-2.2.2 to work with LDAP - - open spring-filter-key.properties (webapps/jetspeed/WEB-INF/conf) and - change: - spring.filter.key=portal to spring.filter.key=portal.ldap. (this will make - jetspeed connect to LDAP). - ---------------------------------------------------------- STEP 4: Setup jetspeed properties file + To verify the connection between jetspeed and LDAP: open jetspeed.properties in (webapps/jetspeed/WEB-INF/conf) - Default connection for jetspeed to LDAP is should be the same as already configured in this section. Make sure you understand what is here. LDAP require: (1 organism, 3 organization unit) o=sevenSeas (change this if you want to name something else, make sure it is same when configured in LDAP). ou=Users ou=Roles ou=Group - To verify the connection between jetspeed and LDAP: - open jetspeed.properties in (webapps/jetspeed/WEB-INF/conf) - - Default connection for jetspeed to LDAP is should be the same as already - configured in this section. - Make sure you understand what is here. - LDAP require: (1 organism, 3 organization unit) - o=sevenSeas (change this if you want to name something else, make sure it is - same when configured in LDAP). - ou=Users - ou=Roles - ou=Group - Good. You are now done with setup jetspeed-2.2.2 to connect to LDAP + Good. You are now done with setup jetspeed-2.2.2 to connect to LDAP ApacheDS. - ApacheDS. 
- ---------------------------------------------------------- + ---------- STEP 5: Populating Ldap with sample users - Creating partition for sevenSeas on LDAP Server. + This must be done in order to load any sevenSeas.ldif file you have successful or create your own without loading ldif file. - This must be done in order to load any sevenSeas.ldif file you have - successful or create your own without loading ldif file. - Go to LDAP Browser Manually - + Go to LDAP Browser Manually - - Right click on Root DSE - select new Entry. - create from scratch - add object class: organization - RDN = o=sevenSeas + Right click on Root DSE - select new Entry. create from scratch - add object class: organization - RDN = o=sevenSeas + right click on o=sevenSeas - add object class: OrganizationUnit - RDN = ou=Groups Repeat and create for RDN=ou=Roles, RDN=ou=Users. - right click on o=sevenSeas - add object class: OrganizationUnit - RDN = - ou=Groups - Repeat and create for RDN=ou=Roles, RDN=ou=Users. + To get you started to login into Jetspeed. right click on ou=Users in the LDAP Browser and create new entry - objectclass is inetOrgPerson, sn=admin, cn=admin,uid=admin,userPassword=password; Note: Right click on the editor page to create "new attribute" for userPassword and uid. - To get you started to login into Jetspeed. - right click on ou=Users in the LDAP Browser and create new entry - - objectclass is inetOrgPerson, sn=admin, - cn=admin,uid=admin,userPassword=password; - Note: Right click on the editor page to create "new attribute" for - userPassword and uid. Good you are now ready to do a test run. - Start up Jetspeed. - Login with user: admin/password + Start up Jetspeed. Login with user: admin/password + If you login successful, you good to go. If you have problem, make sure LDAP setup is matching with what configured in jetspeed.properties LDAP section. - If you login successful, you good to go. 
- If you have problem, make sure LDAP setup is matching with what configured - in jetspeed.properties LDAP section. + Other thought on adding a new user. simply just create new user in jetspeed and you will able see it display on LDAP Server when you refresh. - Other thought on adding a new user. simply just create new user in jetspeed - and you will able see it display on LDAP Server when you refresh. + This new user won't be admin. To make this user become admin, - This new user won't be admin. - To make this user become admin, + Go to LDAP Browser - right click on Roles - new entry - select object class: extensibleObject & groupofNames. cn=admin member - cn=admin,ou=Roles,o=sevenSeas member- uid=(newlycreateusername),ou=Users,o=sevenSeas - Go to LDAP Browser - right click on Roles - new entry - select object class: - extensibleObject & groupofNames. - cn=admin - member - cn=admin,ou=Roles,o=sevenSeas - member- uid=(newlycreateusername),ou=Users,o=sevenSeas + ------ + . Adapting jetspeed to an existing schema + . This paragraphs shows how to configure Jestspeed to adapt it to a specific ldap model. + . + + == Adding user attributes == + You can add user attribute in your Ldap configuration file: '''WEB-INF/assembly/security-ldap.xml''' and configure '''UserDaoConfiguration''' bean + + In the example below, two main changes have been done to adapt to ldap model: + + Changing id attribute and user class: + + {{{#!xml + <property name="ldapIdAttribute" value="BnFIdentifiant" /> + <property name="objectClasses" value="BNFUser"/> + }}} + In the Ldap, the attribute used to identify an entry is BnFIdentifiant, and the user object belongs to BNFUser class. + + After that, we have defined 3 attributes defined in each ldap user entities, that we want to use during authentification process. 
+ + This is an example of an attribute definition:: + + {{{ + <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl"> + <constructor-arg index="0" value="BnFMemberOf" /> + <constructor-arg index="1" value="true" /> + <constructor-arg index="2" value="false" /> + <property name="required" value="false"/> + <property name="idAttribute" value="false"/> + </bean> + }}} + {{{constructor-arg index="0"}}} defines the name of the attribute. + + {{{constructor-arg index="1"}}} defines if the attribute is multivalued + + {{{constructor-arg index="2"}}} defines if the attribute is mapped in jetspeed database. + + This is the coplete example of UserDaoConfiguration bean: + + {{{#!xml + <bean id="UserDaoConfiguration" class="org.apache.jetspeed.security.mapping.ldap.dao.LDAPEntityDAOConfiguration" init-method="initialize"> + <meta key="j2:cat" value="ldapSecurity" /> + <property name="ldapBase" value="${ldap.base}" /> + <property name="searchBase" value="${ldap.user.searchBase}" /> + <property name="searchFilter"> + <bean class="org.apache.jetspeed.security.mapping.ldap.filter.SimpleFilter"> + <constructor-arg index="0" value="${ldap.user.filter}" /> + </bean> + </property> + <property name="ldapIdAttribute" value="BnFIdentifiant" /> + <property name="objectClasses" value="BNFUser"/> + <property name="attributeDefinitions"> + <set> + <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl"> + <constructor-arg index="0" value="BnFIdentifiant" /> + <constructor-arg index="1" value="false" /> + <constructor-arg index="2" value="false" /> + <property name="required" value="true"/> + <property name="idAttribute" value="true"/> + </bean> + <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl"> + <constructor-arg index="0" value="cn" /> + <constructor-arg index="1" value="false" /> + <constructor-arg index="2" value="false" /> + <property name="required" value="true"/> + <property name="idAttribute" value="true"/> 
+ </bean> + <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl"> + <constructor-arg index="0" value="BnFMemberOf" /> + <constructor-arg index="1" value="true" /> + <constructor-arg index="2" value="false" /> + <property name="required" value="false"/> + <property name="idAttribute" value="false"/> + </bean> + </set> + </property> + <property name="entityType" value="user" /> + </bean> + }}} + == Changing relationship with user and role, name and direction == + If you want to change the attribute used to describe the relationship between User and Role, you can do it, in the Ldap configuration file: '''WEB-INF/assembly/security-ldap.xml'''. In our example, we want to use BnFMemberOf relation, in the user to role direction. + + * First, you have to declare it in the ''UserDaoConfiguration'', like shown in the above example + * Second, you have to change the ''UserRoleRelationDAO'''' ''the ''relationAttribute''; property permits to define the attribute used to store the relation. + * Moreover, it's possible to define the direction Jetspeed uses t find roles have a user (2 possibities: the default one which is searching in all roles which ones are related to the authentificating user, the second way is to look from User entities which roles he has) Depending how your ldap is configured, the two methods can be used, or only one. In our case, the method chosen is the second one: for performance reasons, the attributes are stored in the User entities. To handle that, the ''useFromEntityAttribute'' was set to true. 
+ + This is an example configuration: + + {{{#!xml + <bean id="UserRoleRelationDAO" class="org.apache.jetspeed.security.mapping.ldap.dao.impl.AttributeBasedRelationDAO"> + <meta key="j2:cat" value="ldapSecurity" /> + <property name="relationAttribute" value="BnFMemberOf" /> + <property name="attributeContainsInternalId" value="true" /> + <property name="useFromEntityAttribute" value="true" /> + <property name="relationType"> + <bean class="org.apache.jetspeed.security.mapping.impl.SecurityEntityRelationTypeImpl"> + <constructor-arg index="0" value="isMemberOf" /> + <constructor-arg index="1" value="user" /> + <constructor-arg index="2" value="role" /> + </bean> + </property> + </bean> + }}} +
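Review bot: the organizational unit names in the STEP 4 and STEP 5 regions disagree: STEP 4 tells the reader the directory must contain `ou=Users`, `ou=Roles` and `ou=Group`, while STEP 5 has them create `ou=Groups` (and the demo partition is `sevenSeas`, whose ID "must be same as you saw in jetspeed.properties"). Since the text itself says the names in jetspeed.properties and the directory must match exactly, one of the two spellings should be corrected, or a login against the LDAP-backed portal will fail on group lookups. In the same STEP 5 region, "add object class: OrganizationUnit" should read `organizationalUnit`, which is the object class name ApacheDS and Directory Studio will actually offer, and "1 organism, 3 organization unit" in STEP 4 should read "1 organization, 3 organizational units".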
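Review bot: the STEP 1 and STEP 5 regions hard-code credentials without saying they are test-only: the connection uses ApacheDS's shipped directory-manager account `uid=admin,ou=system` with password `secret` over plain LDAP on port 10389, and the Jetspeed administrator is created with `userPassword=password`. Both values are the first thing anyone will try against an exposed ApacheDS or Jetspeed instance, and a plain port 10389 bind sends the manager password in clear text. Suggest adding a sentence after "Login with user: admin/password" stating that these are demo defaults to be changed (and that the bind account used in the jetspeed.properties LDAP section should be a least-privilege service account rather than the system manager) before the setup leaves localhost.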
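Review bot: the role entry created in the "make this user become admin" region lists `member - cn=admin,ou=Roles,o=sevenSeas`, i.e. the role entry is recorded as a member of itself, alongside `member- uid=(newlycreateusername),ou=Users,o=sevenSeas`. `groupOfNames` requires at least one `member` value, which looks like the reason for the self-reference, but the page should say so (or drop it once a real user DN is present) so readers do not copy an unexplained self-membership into production roles. Likewise, mixing in `extensibleObject` turns off schema checking for that entry (any attribute may then be added); the text should state why it is needed here rather than leave it as an unexplained object class.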
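Review bot: in the new "Adapting jetspeed to an existing schema" section, the complete `UserDaoConfiguration` example marks two attribute definitions (`BnFIdentifiant` and `cn`) with `idAttribute=true` while `ldapIdAttribute` names only `BnFIdentifiant`; the text should say whether two id attributes are intended or whether `cn` should have `idAttribute=false` like `BnFMemberOf`. The `UserRoleRelationDAO` example then sets `attributeContainsInternalId="true"` but the surrounding prose only explains `useFromEntityAttribute` and `relationAttribute`; a sentence on what the internal-id flag means (whether `BnFMemberOf` holds the role's id value or a full DN) is missing, and a reader cannot tell from the visible lines which one their directory must store. Minor spelling in the same region: "coplete", "authentification", "possibities", "Jestspeed", "uses t find roles have a user".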
