From do-not-reply at jboss.org Wed Apr 27 02:25:30 2011 Content-Type: multipart/mixed; boundary="===============4781577450717059447==" MIME-Version: 1.0 From: do-not-reply at jboss.org To: gatein-commits at lists.jboss.org Subject: [gatein-commits] gatein SVN: r6353 - epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity. Date: Wed, 27 Apr 2011 02:25:29 -0400 Message-ID: <201104270625.p3R6PTAm008403@svn01.web.mwc.hst.phx2.redhat.com> --===============4781577450717059447== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: smumford Date: 2011-04-27 02:25:29 -0400 (Wed, 27 Apr 2011) New Revision: 6353 Modified: epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIde= ntity/LDAP.xml Log: JBEPP-727: Finalized LDAP Integration section Modified: epp/docs/branches/5.1/Reference_Guide/en-US/modules/Authenticatio= nAndIdentity/LDAP.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndId= entity/LDAP.xml 2011-04-27 06:01:09 UTC (rev 6352) +++ epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndId= entity/LDAP.xml 2011-04-27 06:25:29 UTC (rev 6353) @@ -108,7 +108,7 @@ - Install your LDAP= server. + Install your LDAP= server by following the installation instructions provided for the product= you are using. If you are installing the Red H= at Directory Server (RHDS), you should refer to the Installat= ion Guide at . @@ -267,14 +267,14 @@ = -
- LDAP in Readonly Mode +
+ LDAP in Read-only Mode - This section will show you how to add LDAP in readonly mode= . This means that user data entries (both pre-existing, and newly added thr= ough the JBoss Enterprise Portal Platform User Interface) will be consumed = though the Directory Server and LDAP services, but written to the underlyin= g database. The only exception is that passwords updated via the UI will al= so be propagated into the appropriate LDAP entry. + This section will show you how to add LDAP in read-only mod= e. This means that user data entries (both pre-existing, and newly added th= rough the JBoss Enterprise Portal Platform User Interface) will be consumed= though the Directory Server and LDAP services, but written to the underlyi= ng database. The only exception is that passwords updated via the UI will a= lso be propagated into the appropriate LDAP entry. = - - Set up LDAP readonly Mode + + Set up LDAP read-only Mode Open the ID_HOME/idm-configuration.xml file. = @@ -295,22 +295,22 @@ - + + - + = - + Red Hat Directory Server or OpenDS @@ -335,17 +335,17 @@ ]]> - Refer to for more information = about how these groupTypeMappings operate. + Refer to for more in= formation about how these groupTypeMappings operate. - Continue to . = + Continue to . = = - + Microsoft Active Directory @@ -365,20 +365,25 @@ ]]> - Refer to for more information = about how these groupTypeMappings operate. + Refer to for more in= formation about how these groupTypeMappings operate. = - Continue to . = + Continue to . = = = - + OpenLDAP + If you have not done so already, install = your LDAP server. Refer to for some assistance. + + + + Uncomment the line under "OpenL= DAP ReadOnly "ACME" LDAP Example": 
@@ -399,18 +404,18 @@ ]]> - Refer to for more information = about how these groupTypeMappings operate. + Refer to for more in= formation about how these groupTypeMappings operate. - Continue to . = + Continue to . = = - + To use a different LDAP server or directory data, = edit the DS-specific .xml file you uncommented in Substep 3a above and change the values to su= it your requirements. @@ -467,7 +472,7 @@ = - Users defined in LDAP should be visable in "Users= and groups management" and groups from LDAP should be present a= s children of /acme/roles and /acme/organiza= tion_units. + Users defined in LDAP should be visible in "Users= and groups management" and groups from LDAP should be present a= s children of /acme/roles and /acme/organiza= tion_units. More information about configuration can be found in and in the Pi= cketLink project Reference Guide. @@ -477,12 +482,20 @@
LDAP as Default Store - The procedure to set LDAP up as the default identity sto= re for JBoss Enterprise Portal Platform. + Follow the procedure below to set LDAP up as the default= identity store for JBoss Enterprise Portal Platform. All default accounts = and some of groups that comes with JBoss Enterprise Portal Platform will be= created in the LDAP store. + + The LDAP server will be configured to store part of the = JBoss Enterprise Portal Platform group tree. This means that groups under s= pecified part of the tree will be stored in directory server while all othe= rs will be stored in database. + Set up LDAP as Default Indentity Store + If you have not done so already, install your LDAP= server. Refer to for some assistance. + + + + Open the ID_HOME/idm-configuration.xml file. = 
@@ -496,129 +509,101 @@ - Uncomment the appropriate sample configuration val= ues as described below, depending on which Directory Server you are impleme= nting: + Uncomment the appropriate LDAP configuration entry= depending on your LDAP server: - - - - - - - - - - - - - - - - - - - - Red Hat Directory Server or OpenDS + + For RHDS and OpenDS - Uncomment the line under "Read = Only "ACME" LDAP Example": - - -war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-= acme-config.xml + Expose the entry under "Sample LDA= P config": + + +war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-= config.xml ]]> - = - Uncomment the groupTypeMapping= s under "Uncomment for ACME LDAP example": + Continue to - - /acme/roles/* - acme_roles_type - - - /acme/organization_units/* - acme_ou_type - -]]> - - Refer to for more information = about how these groupTypeMappings operate. - - - - Continue to . = - - - = - - Microsoft Active Directory - - - Uncomment the line under "MSAD = Read Only "ACME" LDAP Example": - - -war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-= readonly-config.xml + + For MSAD + + + Expose the entry under "MSAD LDAP = Example": + + +war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-= config.xml ]]> + + To use SSL encryption with MSAD:</tit= le> + <step> + <para> + Open the <filename><replaceable>ID_= HOME</replaceable>/picketlink-idm/examples/picketlink-idm-msad-config.xml</= filename>. 
+ </para> + </step> + <step> + <para> + Ensure the following entries are un= commented and that the path to the <filename>truststore</filename> file and= password are correct: + </para> +<programlisting><option> + <name>customSystemProperties</name> + <value>javax.net.ssl.trustStore=3D<replaceable>/path/to/truststore= </replaceable></value> + <value>javax.net.ssl.trustStorePassword=3D<replaceable>password</r= eplaceable></value> +</option> +</programlisting> + <para> + You can import a custom certificate = by replacing the <replaceable>certificate</replaceable> and <replaceable>tr= uststore</replaceable> details in the following command: + </para> +<programlisting><command>keytool -import -file <filename><replaceable>cert= ificate</replaceable></filename> -keystore <filename><replaceable>truststor= e</replaceable></filename></command> +</programlisting> + </step> + </procedure> </step> <step> <para> - Uncomment the <parameter>groupTypeMapping= s</parameter> under "<emphasis>Uncomment for MSAD ReadOnly LDAP example</em= phasis>": + Continue to <xref linkend=3D"step-Referen= ce_Guide-LDAP_Integration-LDAP_as_Default_Store-Set_up_LDAP_as_Default_Inde= ntity_Store-Step-5"/> </para> -<programlisting language=3D"XML" role=3D"XML"><![CDATA[<entry> - <key><string>/acme/roles/*</string></key> - <value><string>msad_roles_type</string></value> -</entry> -]]></programlisting> - <para> - Refer to <xref linkend=3D"exam-Reference= _Guide-LDAP_Integration-Examples-groupTypeMappings"/> for more information = about how these <parameter>groupTypeMappings</parameter> operate. - </para> - </step> = + </step> + </procedure> + <procedure> + <title>For OpenLDAP - Continue to . 
= + Expose the entry under "OpenLDA= P LDAP config": - = - - - - OpenLDAP - - - Uncomment the line under "OpenL= DAP ReadOnly "ACME" LDAP Example": - - -war:/conf/organization/picketlink-idm/examples/picketlink-idm-openl= dap-acme-config.xml + +war:/conf/organization/picketlink-idm/examples/picketlink-idm-openl= dap-config.xml ]]> - Uncomment the groupTypeMapping= s under "Uncomment for ACME LDAP example": + Continue to + + + + + + Uncomment the groupTypeMappings under "Uncomment for sample LDAP configuration": + - /acme/roles/* - acme_roles_type + /platform/* + platform_type - /acme/organization_units/* - acme_ou_type + /organization/* + organization_type ]]> - - Refer to for more information = about how these groupTypeMappings operate. - - - - - Continue to . = - - - + + Refer to for more information a= bout how these groupTypeMappings operate. + - = - + - To use a different LDAP server or directory data, = edit the DS-specific .xml file you uncommented in Substep 3a above and change the values to su= it your requirements. + To use a different LDAP server or directory data, = edit the DS-specific .xml file you uncommented in Step 4 above and change the values to suit y= our requirements. Refer to the list in for some e= xamples or refer to the product-specific documentation for more information. @@ -634,42 +619,6 @@ Navigate to the portal homepage () and log in as an adminis= trator. - - - Navigate to - Group - Organization - Users and groups management - . - - - - - Create a new group called acme under the root node. - - - - - - - For RHDS, Open= DS and OpenLDAP: - - - Create two sub-groups called roles and organization_units. - - - - - For MSAD: - - - Create a subgroup called rol= es. - - - - - -
= @@ -691,7 +640,7 @@ - One of the three example configuration file= s discussed in : + One of the three example configuration file= s discussed in : picketlink-idm-ldap-acme-= config.xml @@ -734,7 +683,7 @@ - MSAD: CN=3DUsers,DC=3Dtest,DC=3Ddomain (in two places) + MSAD: CN=3DUsers,DC=3Dtest,DC=3Ddomain (in two places). @@ -747,7 +696,7 @@ The LDAP server connection URL. Format= ted as "ldap://localhost:<PORT>". The defa= ult setting is: ldap://localhost:1389.
- MSAD: Should use SSL connection (ldaps://xxx:636) if password update or entry = creation is expected to work. + MSAD: Should use SSL connection (ldaps://xxx:636) for password update or creat= ion to work. @@ -793,11 +742,6 @@ This option defines the values needed = to use SSL encryption with LDAP. - - To use it, ensure that it is is uncomm= ented and that the path to the .truststore file and pa= ssward are correct. - -DOCS NOTE: I didn't include the keytool comma= nd or the code snippet here, as = - @@ -807,32 +751,32 @@ Author [w/email]: Boles=C5=82aw Dawidowicz (bdawidow(a)redhat.com), Jeff Y= u = License: ?? --> - - groupTypeMappings + + Read Only groupTypeMappings - The groupTypeMappings expos= ed in the idm-configuration.xml file correspond to identity-object-type values defined in the DS-specific = configuration file referenced in Sub-step 3a of the DS= -specific procedure. + The groupTypeMappings expos= ed in the idm-configuration.xml file correspond to identity-object-type values defined in the DS-specific = configuration file (referenced in Sub-step 3a of the D= S-specific procedure above). For RHDS, OpenDS and OpenLDAP the picket= link-idm-ldap-acme-config.xml and picketlink-idm-openl= dap-acme-config.xml files contain the following values: - - - + + + - + - + The PicketLink IDM configuration file dic= tates that users and those two group types be stored in LDAP. - + An additional option defines that nothing= else (except password updates) should be written there. 
@@ -851,5 +795,35 @@ The difference is that this configuration maps only= one group type and points to the same container in LDAP for both users and= mapped groups. + = + + Default groupTypeMappings + + The groupTypeMappings expos= ed in the idm-configuration.xml file correspond to identity-object-type values defined in the DS-specific = configuration file (referenced in Sub-step 3a of the D= S-specific procedure above). + + + All of the supported LDAP configurations use the f= ollowing values when implemented as the default identity store: + + + + + + + + + + + + + + The groupTypeMappings define that all groups under /platform should b= e stored in PicketLink IDM with the platform_type gr= oup type name and groups under /organization should = be stored in PicketLink IDM with organization_type g= roup type name. + + + The PicketLink IDM configuration file rep= ository maps users and those two group types as stored in LDAP. = + + + + +
\ No newline at end of file --===============4781577450717059447==--
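Review bot: the rewritten "LDAP in Read-only Mode" paragraph (hunk @@ -267,14 +267,14 @@) carries the typo "consumed though the Directory Server" over from the removed line; it should read "consumed through the Directory Server and LDAP services". Since this paragraph is the one statement of the read-only contract (reads served from LDAP, writes going to the database, password updates as the sole exception), a wording fix here is worth a follow-up.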
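Review bot: the new "If you have not done so already, install your LDAP server" step (hunk @@ -365,20 +365,25 @@) is inserted only into the OpenLDAP sub-procedure of the read-only section, not into the RHDS/OpenDS or MSAD sub-procedures, so the three branches no longer have the same sub-step numbering, and the unchanged "edit the DS-specific .xml file you uncommented in Substep 3a above" in hunk @@ -399,18 +404,18 @@ now points at the install step for OpenLDAP readers. Either move the install step to the top of the parent procedure, as the Default Store procedure does in hunk @@ -477,12 +482,20 @@, or update the "Substep 3a" reference.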
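Review bot: the procedure title "Set up LDAP as Default Indentity Store" (hunk @@ -477,12 +482,20 @@) misspells "Identity", and the same misspelling is baked into the linkend `step-Reference_Guide-LDAP_Integration-LDAP_as_Default_Store-Set_up_LDAP_as_Default_Indentity_Store-Step-5` used in hunk @@ -496,129 +509,101 @@, so correcting the title id later means updating every xref as well. The introductory sentences in the same hunk also need "some of the groups that come with" and "groups under the specified part of the tree".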
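Review bot: the "To use SSL encryption with MSAD" sub-procedure (hunk @@ -496,129 +509,101 @@) gives `keytool -import -file certificate -keystore truststore` with no `-alias`, so the certificate is stored under keytool's default alias `mykey` and a second import into the same truststore fails with an "alias already exists" error; suggest `keytool -import -alias <name> -file <certificate> -keystore <truststore>` and a sentence that the password keytool prompts for must match `javax.net.ssl.trustStorePassword`. Two caveats worth adding to the step: `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` set through `customSystemProperties` are JVM-wide system properties, so they replace the default truststore for every TLS connection the portal JVM makes, not only the LDAP one; and because the truststore password sits in plaintext in the configuration file, the file's permissions should be restricted accordingly. The step also never says the connection URL must change to `ldaps://`, which appears only in the table entry in hunk @@ -747,7 +696,7 @@, so a cross-reference would help.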
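Review bot: hunk @@ -496,129 +509,101 @@ changes the Default Store cross-reference to "the DS-specific .xml file you uncommented in Step 4 above", but the "Read Only groupTypeMappings" paragraph in hunk @@ -807,32 +751,32 @@ and the new "Default groupTypeMappings" paragraph in hunk @@ -851,5 +795,35 @@ both still say "referenced in Sub-step 3a of the DS-specific procedure above". For the default store the file is now uncommented in a numbered step, not a sub-step, so the two groupTypeMappings paragraphs should each name the step of the procedure they belong to. In the same @@ -851 hunk, "The PicketLink IDM configuration file repository maps users and those two group types as stored in LDAP" reads awkwardly; "The PicketLink IDM configuration file maps users and those two group types to the LDAP store" says the same thing.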
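Review bot: "One of the three example configuration files discussed in" (hunk @@ -691,7 +640,7 @@) no longer matches the procedures above it: the read-only section still uses `picketlink-idm-ldap-acme-config.xml`, `picketlink-idm-msad-readonly-config.xml` and `picketlink-idm-openldap-acme-config.xml`, while the rewritten Default Store section now references `picketlink-idm-ldap-config.xml`, `picketlink-idm-msad-config.xml` and `picketlink-idm-openldap-config.xml`, so six files are in play. Either list both sets here or say "one of the example configuration files" without the count.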
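Review bot: the new table text "MSAD: Should use SSL connection (ldaps://xxx:636) for password update or creation to work" (hunk @@ -747,7 +696,7 @@) is correct in substance, since Active Directory rejects `unicodePwd` writes over an unencrypted LDAP connection, but `xxx` should be marked up as a replaceable host name like the other placeholders in the file, and the sentence would be clearer as "MSAD: must use an SSL connection (ldaps://<host>:636); password updates and entry creation fail over plain ldap://", with a pointer to the truststore sub-procedure that makes the `ldaps://` connection trust the directory's certificate.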