Author: smumford
Date: 2011-04-07 19:50:42 -0400 (Thu, 07 Apr 2011)
New Revision: 6178
Removed:
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-openldap.xml
Modified:
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-msad.xml
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/LDAP.xml
Log:
Refined new LDAP content
Modified:
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-msad.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-msad.xml 2011-04-07
19:57:54 UTC (rev 6177)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-msad.xml 2011-04-07
23:50:42 UTC (rev 6178)
@@ -1,28 +1,5 @@
- <repository>
- <id>PortalRepository</id>
-
<class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
- <external-config/>
- <default-identity-store-id>HibernateStore</default-identity-store-id>
- <default-attribute-store-id>HibernateStore</default-attribute-store-id>
- <identity-store-mappings>
- <identity-store-mapping>
- <identity-store-id>PortalLDAPStore</identity-store-id>
- <identity-object-types>
- <identity-object-type>USER</identity-object-type>
- <identity-object-type>msad_roles_type</identity-object-type>
- </identity-object-types>
- <options>
- <option>
- <name>readOnly</name>
- <value>true</value>
- </option>
- </options>
- </identity-store-mapping>
- </identity-store-mappings>
- <options>
- <option>
- <name>allowNotDefinedAttributes</name>
- <value>true</value>
- </option>
- </options>
- </repository>
\ No newline at end of file
+ <identity-store-id>PortalLDAPStore</identity-store-id>
+ <identity-object-types>
+ <identity-object-type>USER</identity-object-type>
+ <identity-object-type>msad_roles_type</identity-object-type>
+ </identity-object-types>
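Review bot: cutting readonly-msad.xml down to the `<identity-store-id>` and `<identity-object-types>` lines removes the `readOnly` option from the MSAD listing, yet LDAP.xml still explains that listing with "nothing else (except password updates) should be written there", and the sentence that follows the include in LDAP.xml ("points to the same container in LDAP for both users and mapped groups") cannot be checked against these five lines, which show no container DN at all. Keep the whole `<identity-store-mapping>` element including the `readOnly` option, or add the lines that show the shared container, so the prose and the listing describe the same thing. The file is no longer a well-formed XML document (no root element), so it must only ever be pulled in with parse="text", as the XInclude in LDAP.xml does.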
Deleted:
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-openldap.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-openldap.xml 2011-04-07
19:57:54 UTC (rev 6177)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-openldap.xml 2011-04-07
23:50:42 UTC (rev 6178)
@@ -1,29 +0,0 @@
-<repository>
- <id>PortalRepository</id>
-
<class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
- <external-config/>
- <default-identity-store-id>HibernateStore</default-identity-store-id>
- <default-attribute-store-id>HibernateStore</default-attribute-store-id>
- <identity-store-mappings>
- <identity-store-mapping>
- <identity-store-id>PortalLDAPStore</identity-store-id>
- <identity-object-types>
- <identity-object-type>USER</identity-object-type>
- <identity-object-type>acme_roles_type</identity-object-type>
- <identity-object-type>acme_ou_type</identity-object-type>
- </identity-object-types>
- <options>
- <option>
- <name>readOnly</name>
- <value>true</value>
- </option>
- </options>
- </identity-store-mapping>
- </identity-store-mappings>
- <options>
- <option>
- <name>allowNotDefinedAttributes</name>
- <value>true</value>
- </option>
- </options>
- </repository>
\ No newline at end of file
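Review bot: the deletion is consistent with the OpenLDAP xi:include in LDAP.xml being repointed to readonly-opends.xml in this same revision, and the removed content (USER, acme_roles_type and acme_ou_type with readOnly=true) matches what the new Examples section says both the RHDS/OpenDS and OpenLDAP files contain, so consolidating on one listing is reasonable. Before committing, search the branch for any remaining href="...readonly-openldap.xml" so no dangling include is left behind.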
Modified:
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/LDAP.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/LDAP.xml 2011-04-07
19:57:54 UTC (rev 6177)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/LDAP.xml 2011-04-07
23:50:42 UTC (rev 6178)
@@ -30,8 +30,6 @@
The following table is a list of Directory Servers that are supported and
certified in &PRODUCT;.
</para>
-<remark>DOCS NOTE: Are these still the correct versions of the various Directory
Servers supported in EPP? And how can I find that info out for myself?</remark>
-
<table>
<title>Supported and Certified directory servers</title>
<tgroup cols="2">
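Review bot: the DOCS NOTE asking whether the listed directory server versions are still correct is dropped, but nothing in this hunk touches the table itself, so either the versions were checked against the tested-configurations URL recorded as Source Metadata in the next hunk, or the open question has simply been lost. If they were verified, saying so in the log message would save the next editor from asking again.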
@@ -90,6 +88,11 @@
</tbody>
</tgroup>
</table>
+<!-- Source Metadata
+URL:
http://www.jboss.com/products/platforms/portals/testedconfigurations/
+Author [w/email]: Red Hat Inc
+License:
+-->
<note>
<title>Examples</title>
<para>
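Review bot: the License field of the new Source Metadata comment is left blank. Fill it in, or mark it unknown the way the other metadata comment in this file does with "??", so the provenance of the table content is actually recorded rather than implied.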
@@ -103,38 +106,26 @@
<section id="sect-Reference_Guide-LDAP-LDAP_in_Readonly_Mode">
<title>LDAP in Readonly Mode</title>
<para>
- This section describes how to add LDAP users and organizations to
&PRODUCT;.
+ This section will show you how to add LDAP in readonly mode. This means
that user data entries (both pre-existing, and newly added through the &PRODUCT; User
Interface) will be consumed though the Directory Server and LDAP services, but written to
the underlying database. The only exception is that passwords updated via the UI will also
be propagated into the appropriate LDAP entry.
</para>
- <para>
- This section will show you how to add LDAP in readonly mode. This means
that user data entries (both pre-existing, and newly added through the &PRODUCT; User
Interface) will be consumed though the Directory Server and LDAP services, but written to
the underlying database.
- </para>
-
-<remark>DOCS NOTE: Is the above paragraph an accurate description of LDAP in
Readonly mode? The Wiki original was a little unclear on this.
-</remark>
-<!-- Original draft content. Can be removed if current para gets approval.
- <para>
- All default accounts and groups that are already configured in
&PRODUCT; will be created in the underlying database and the LDAP service will be
configured in <emphasis>readonly</emphasis> mode. This means that, while users
and groups will be consumed from the directory server, all new entries created using
&PRODUCT;'s User Interface will be stored in the database.
- </para> -->
<procedure
id="Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up">
<title>LDAP Set Up</title>
<step>
- <para>
- Install and populate your LDAP server.
- </para>
- <para>
- If you are installing the Red Hat Directory Server, you should
refer to the Installation Guide at <ulink type="http"
url="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/inde...;.
- </para>
- <para>
- If you are using a third party directory server (OpenDS, OpenLDAP
or MSAD), refer the appropriate documentation for that product.
- </para>
<substeps>
<step>
<para>
+ Install your <application>LDAP</application>
server.
+ </para>
+ <para>
+ If you are installing the <application>Red Hat
Directory Server</application> (RHDS), you should refer to the Installation Guide at
<ulink type="http"
url="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/inde...;.
+ </para>
+ <para>
+ If you are using a third party directory server
(<application>OpenDS</application>,
<application>OpenLDAP</application> or <application>Miscrosoft Active
Directory</application> (MSAD)), refer the appropriate documentation for that
product.
+ </para>
+ <para>
The following values provide an example of working
configuration settings for the different Directory Servers:
</para>
-<remark>DOCS NOTE: This table is a little light, using the info in the wiki
article. Where can I find more settings (I've looked into documentation for the
products). Alternatively, if this is straightforward for administrators, can this part be
removed?
-</remark>
<table>
<title></title>
<tgroup cols="8">
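Review bot: three typos in the added text: "consumed though the Directory Server" should be "consumed through", "Miscrosoft Active Directory" should be "Microsoft Active Directory", and "refer the appropriate documentation" needs "refer to". The readonly description is also hard to parse as written, "consumed though the Directory Server and LDAP services, but written to the underlying database"; the commented-out draft below it is clearer ("while users and groups will be consumed from the directory server, all new entries created using the User Interface will be stored in the database"), so consider lifting that wording. The password exception deserves a plainer statement, since it is the one case where readonly mode does write to the directory: an administrator needs to know that the account the portal binds with must still be allowed to modify password attributes, and that this write happens even though the store is marked readOnly. Finally, the table that follows has an empty `<title></title>`; give it a title or remove the element.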
@@ -265,12 +256,20 @@
</tbody>
</tgroup>
</table>
+ <para>
+ These, and other appropriate settings, should be adjusted
to suit your circumstances.
+ </para>
</step>
<step>
<para>
- Start the Directory Server and, if desired, import an
<filename>ldif</filename> file.
+ <emphasis
role="bold">Optional</emphasis>: Import an
<filename>ldif</filename> file and populate the Directory Server.
</para>
</step>
+ <step>
+ <para>
+ Start the Directory Server.
+ </para>
+ </step>
</substeps>
</step>
<step>
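Review bot: splitting "Start the Directory Server and, if desired, import an ldif file" into two steps reverses the order, so the optional LDIF import now comes before the server is started. That only works for an offline import tool; an import done with ldapadd or ldapmodify over the LDAP protocol needs a running server. Either restore the original order or state which kind of import is meant.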
@@ -280,7 +279,7 @@
</step>
<step>
<para>
- Open the
<filename><replaceable>LDAP_HOME</replaceable>/WEB-INF/conf/organization/idm-configuration.xml</filename>
file and choose a procedure below depending on which Directory Server you are
implementing.
+ Open the
<filename><replaceable>LDAP_HOME</replaceable>/WEB-INF/conf/organization/idm-configuration.xml</filename>
file and edit it as described below (depending on which Directory Server you are
implementing):
</para>
<itemizedlist>
<listitem>
@@ -299,23 +298,29 @@
</para>
</listitem>
</itemizedlist>
-
-<remark>DOCS NOTE: Rather than re-write the same steps in theree procedures, I
tried forking the one procedure in three directions. This is an EXPERIMENT! Let me know
how you think it works.
-</remark>
<procedure
id="proc-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-RHDS_or_OpenDS">
<title>Red Hat Directory Server or OpenDS</title>
<step>
<para>
- Uncomment the line under "<emphasis
role="bold">Read Only "ACME" LDAP Example</emphasis>":
+ Uncomment the line under "<emphasis>Read Only
"ACME" LDAP Example</emphasis>":
</para>
<programlisting language="XML"
role="XML"><![CDATA[<!--Read Only "ACME" LDAP Example-->
<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml</value>
]]></programlisting>
+<remark>DOCS NOTE: Once a 'value' line has been uncommented, does the
current/previous 'value' line need to be commented?</remark>
+<para>
+</para>
+<remark>Currently the <parameter>config</parameter> value-param has
<parameter>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</parameter>
uncommented.
+</remark>
+<para>
+</para>
+<remark>Can the <filename>idm-configuration.xml</filename> file have
two unobscured <parameter>value</parameter> entries under
<parameter>config</parameter>?
+</remark>
</step>
<step>
<para>
- Uncomment the
<emphasis>groupTypeMappings</emphasis> under "<emphasis
role="bold">Uncomment for ACME LDAP example</emphasis>":
+ Uncomment the
<parameter>groupTypeMappings</parameter> under "<emphasis>Uncomment
for ACME LDAP example</emphasis>":
</para>
<programlisting language="XML"
role="XML"><![CDATA[<entry>
<key><string>/acme/roles/*</string></key>
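Review bot: the three new remarks are separated by empty `<para></para>` elements, which render as blank paragraphs; merge them into a single remark, which can hold several sentences. The questions themselves need an answer before publication rather than a note: the Examples section added later in this revision describes the `config` value-param as nominating one Picketlink configuration file, so the likely answer is that the previously active `<value>` line has to be commented out when another is uncommented, but that should be confirmed against the product rather than guessed in the text. Also, the listing shows the `<value>` line already uncommented while the step says "Uncomment the line under", so "so that it reads:" would make clear this is the target state.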
@@ -326,36 +331,8 @@
<value><string>acme_ou_type</string></value>
</entry>
]]></programlisting>
- <para >
- These <emphasis>groupTypeMappings</emphasis>
correspond to <emphasis>identity-object-type</emphasis> options defined in the
<filename>picketlink-idm-ldap-acme-config.xml</filename> file (referenced
above in <emphasis role="bold">Sub-step a</emphasis>):
- </para>
-
- <programlistingco>
- <areaspec>
- <areaset
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-opends"
coords="">
- <area coords="10 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-users-opends" />
- <area coords="14 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-groups-opends" />
- </areaset>
- <area coords="17 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-opends"
/>
- </areaspec>
-<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-opends.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
- <calloutlist>
- <!--#1-->
- <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-opends">
- <para>
- The PicketLink IDM configuration file dictates
that users and those two group types be stored in LDAP.
- </para>
- </callout>
- <!--#2-->
- <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-opends">
- <para>
- An additional option defines that nothing else
(except password updates) should be written there.
- </para>
- </callout>
- </calloutlist>
- </programlistingco>
<para>
- All groups under <emphasis
role="bold">/acme/roles</emphasis> will be stored in PicketLink IDM
with the <emphasis role="bold">acme_roles_type</emphasis> group type
name and groups under <emphasis
role="bold">/acme/organization_units</emphasis> will be stored in
PicketLink IDM with <emphasis role="bold">acme_ou_type
group</emphasis> type name.
+ Refer to <xref
linkend="exam-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-groupTypeMappings"/>
for more information about how these <parameter>groupTypeMappings</parameter>
operate.
</para>
</step>
<step>
@@ -369,15 +346,15 @@
<title>Microsoft Active Directory</title>
<step>
<para>
- Uncomment the line under "<emphasis
role="bold">MSAD Read Only "ACME" LDAP
Example</emphasis>":
+ Uncomment the line under "<emphasis>MSAD Read
Only "ACME" LDAP Example</emphasis>":
</para>
<programlisting language="XML"
role="XML"><![CDATA[<!--MSAD Read Only "ACME" LDAP
Example-->
-<!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml</value>-->
+<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml</value>
]]></programlisting>
</step>
<step>
<para>
- Uncomment the
<emphasis>groupTypeMappings</emphasis> under "<emphasis
role="bold">Uncomment for MSAD ReadOnly LDAP example</emphasis>":
+ Uncomment the
<parameter>groupTypeMappings</parameter> under "<emphasis>Uncomment
for MSAD ReadOnly LDAP example</emphasis>":
</para>
<programlisting language="XML"
role="XML"><![CDATA[<entry>
<key><string>/acme/roles/*</string></key>
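Review bot: changing the listing to show the `<value>` line already uncommented brings it in line with the RHDS/OpenDS listing, but the step text still says "Uncomment the line under", so a reader may think the file already looks like this. Add "so that it reads:" or show the commented form, consistently across the three procedures.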
@@ -385,9 +362,13 @@
</entry>
]]></programlisting>
<para>
- These <emphasis>groupTypeMappings</emphasis>
correspond to <emphasis>identity-object-type</emphasis> options defined in the
<filename>picketlink-idm-msad-readonly-config.xml</filename> file (referenced
above in <emphasis role="bold">Sub-step a</emphasis>):
+ Refer to <xref
linkend="exam-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-groupTypeMappings"/>
for more information about how these <parameter>groupTypeMappings</parameter>
operate.
</para>
+<!-- <para>
+ These
<parameter>groupTypeMappings</parameter> correspond to
<emphasis>identity-object-type</emphasis>s defined in the
<filename>picketlink-idm-msad-readonly-config.xml</filename> file (referenced
in <emphasis role="bold">Sub-step a</emphasis>):
+ </para>
+
<programlistingco>
<areaspec>
<areaset
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-MSAD"
coords="">
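Review bot: the `<!-- <para>` opened here is only closed in a later hunk (`</para> -->`), so the whole MSAD programlistingco is being kept as a commented-out block rather than deleted. Subversion keeps the history, and the RHDS/OpenDS procedure in this same revision simply removes its copy, so deleting this one too is cleaner than carrying dead markup that will drift from the live example. If it stays, note that its first sentence ("These groupTypeMappings correspond to identity-object-types defined in ...") duplicates the xref paragraph directly above it.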
@@ -398,13 +379,11 @@
</areaspec>
<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-msad.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
<calloutlist>
- <!--#1-->
<callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-MSAD">
<para>
The PicketLink IDM configuration file dictates
that users and those two group types be stored in LDAP.
</para>
</callout>
- <!--#2-->
<callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-MSAD">
<para>
An additional option defines that nothing else
(except password updates) should be written there.
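Review bot: removing the `<!--#1-->` and `<!--#2-->` markers is required rather than cosmetic: XML comments cannot nest, so leaving them inside the block commented out in the previous hunk would make LDAP.xml ill-formed. Worth a word in the log message, since on its own the change looks gratuitous.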
@@ -414,28 +393,28 @@
</programlistingco>
<para>
All groups under <emphasis
role="bold">/acme/roles</emphasis> will be stored in PicketLink IDM
with the <emphasis role="bold">acme_roles_type</emphasis> group type
name and groups under <emphasis
role="bold">/acme/organization_units</emphasis> will be stored in
PicketLink IDM with <emphasis role="bold">acme_ou_type
group</emphasis> type name.
- </para>
- </step>
+ </para> -->
+ </step>
<step>
<para>
Continue to <xref
linkend="step-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up-Step-4"/>.
</para>
- </step>
+ </step>
</procedure>
<procedure
id="proc-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-OpenLDAP">
<title>OpenLDAP</title>
<step>
<para>
- Uncomment the line under "<emphasis
role="bold">OpenLDAP ReadOnly "ACME" LDAP
Example</emphasis>":
+ Uncomment the line under "<emphasis>OpenLDAP
ReadOnly "ACME" LDAP Example</emphasis>":
</para>
<programlisting language="XML"
role="XML"><![CDATA[<!--OpenLDAP ReadOnly "ACME" LDAP
Example-->
-<!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-acme-config.xml</value>-->
+<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-acme-config.xml</value>
]]></programlisting>
</step>
<step>
<para>
- Uncomment the
<emphasis>groupTypeMappings</emphasis> under "<emphasis
role="bold">Uncomment for ACME LDAP example</emphasis>":
+ Uncomment the
<parameter>groupTypeMappings</parameter> under "<emphasis>Uncomment
for ACME LDAP example</emphasis>":
</para>
<programlisting language="XML"
role="XML"><![CDATA[<entry>
<key><string>/acme/roles/*</string></key>
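Review bot: the `</para> -->` closes the comment opened two hunks earlier, so the MSAD step now contains only the xref paragraph, which is fine. The two `</step>` lines in this hunk change only in indentation and add noise to the diff; and the OpenLDAP `<value>` listing has the same presentation issue as the MSAD one, showing the already-uncommented line under a step that says "Uncomment", so the wording fix should be applied to all three procedures together.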
@@ -447,9 +426,13 @@
</entry>
]]></programlisting>
<para>
- These <emphasis>groupTypeMappings</emphasis>
correspond to <emphasis>identity-object-type</emphasis> options defined in the
<filename>picketlink-idm-ldap-acme-config.xml</filename> file (referenced
above in <emphasis role="bold">Sub-step a</emphasis>):
+ Refer to <xref
linkend="exam-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-groupTypeMappings"/>
for more information about how these <parameter>groupTypeMappings</parameter>
operate.
</para>
+<!-- <para>
+ These
<parameter>groupTypeMappings</parameter> correspond to
<emphasis>identity-object-type</emphasis>s defined in the
<filename>picketlink-idm-ldap-acme-config.xml</filename> file (referenced in
<emphasis role="bold">Sub-step a</emphasis>):
+ </para>
+
<programlistingco>
<areaspec>
<areaset
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-OpenLDAP"
coords="">
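Review bot: same pattern as the MSAD procedure: `<!-- <para>` starts a comment that runs into the following hunks and keeps the OpenLDAP programlistingco as dead markup duplicating the xref paragraph above it. Delete the block instead of commenting it out; otherwise every change to the live example in the Examples section has to be mirrored into a block nobody renders.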
@@ -458,15 +441,13 @@
</areaset>
<area coords="17 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-OpenLDAP"
/>
</areaspec>
-<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-openldap.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
+<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-opends.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
<calloutlist>
- <!--#1-->
<callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-OpenLDAP">
<para>
The PicketLink IDM configuration file dictates
that users and those two group types be stored in LDAP.
</para>
</callout>
- <!--#2-->
<callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-OpenLDAP">
<para>
An additional option defines that nothing
else (except password updates) should be written there.
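Review bot: repointing the xi:include to readonly-opends.xml and dropping the `#1`/`#2` markers happens inside the block the previous hunk commented out, so the change has no rendered effect and only matters if the block is ever revived. The areaspec still carries the `-config-OpenLDAP` ids with coords "10 40", "14 40" and "17 40" that were tuned to the deleted file; if the two files were identical the coords still hold, otherwise they need rechecking. One more reason to delete the block rather than keep it commented.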
@@ -476,7 +457,7 @@
</programlistingco>
<para>
All groups under <emphasis
role="bold">/acme/roles</emphasis> will be stored in PicketLink IDM
with the <emphasis role="bold">acme_roles_type</emphasis> group type
name and groups under <emphasis
role="bold">/acme/organization_units</emphasis> will be stored in
PicketLink IDM with <emphasis role="bold">acme_ou_type
group</emphasis> type name.
- </para>
+ </para> -->
</step>
<step>
<para>
@@ -488,6 +469,14 @@
<step
id="step-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up-Step-4">
<para>
+ To use a different LDAP server or directory data, edit the
DS-specific <filename>.xml</filename> file you uncommented in <emphasis
role="bold">Substep 3a</emphasis> above and change the values to suit
your requirements.
+ </para>
+ <para>
+ Refer to the list in <xref
linkend="exam-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-LDAP_configuration_options"/>
for some examples or refer to the product-specific documentation for more information.
+ </para>
+ </step>
+ <step>
+ <para>
Start the server.
</para>
</step>
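Review bot: the new paragraph refers to "Substep 3a" by number, while the Examples section added in this same revision writes "Sub-step 3a"; pick one spelling. More importantly, hard-coded step numbers break whenever steps are added or reordered, which this very commit does (the LDIF import and "Start the Directory Server" were just split into separate substeps). Give the target substep an id and use `<xref linkend=.../>`, as is already done for "Step-4".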
@@ -534,115 +523,190 @@
</step>
</procedure>
-
<para>
Users defined in LDAP should be visable in "<emphasis>Users and
groups management</emphasis>" and groups from LDAP should be present as
children of <emphasis>/acme/roles</emphasis> and
<emphasis>/acme/organization_units</emphasis>.
</para>
<para>
- To use a different LDAP server or directory data, edit the
<filename><replaceable>LDAP_HOME</replaceable>/WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml</filename>
file and change the following values to suit your requirements:
+ More information about configuration can be found in <xref
linkend="sect-Reference_Guide-PicketLink_IDM_integration"/> and in the
PicketLink project <ulink type="http"
url="http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1....
Guide</ulink>.
</para>
- <variablelist>
- <title>LDAP configuration options:</title>
-
-<remark>DOCS NOTE: Again, I tried collapsing content into one place, as opposed to
three. Is this confusing?
-</remark>
-
- <varlistentry>
- <term>ctxDNs</term>
- <listitem>
+ <section>
+ <title>Examples</title>
+ <example
id="exam-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-LDAP_configuration_options">
+ <title>LDAP configuration</title>
<para>
- This is the DN that will be used as context for
<emphasis>IdentityObject</emphasis> searches. More than one value can be
specified.
+ The following settings are stored in the Picketlink
configuration file that is nominated in the
<filename>idm-configuration.xml</filename> file of your deployment (under the
<parameter>config</parameter> parameter of the
<parameter>PicketLinkIDMService</parameter> component):
</para>
<para>
- Some examples are:
+ This file could be:
</para>
<itemizedlist>
- <listitem>
- <para>
- ou=People,o=acme,dc=example,dc=com
- </para>
- </listitem>
- <listitem>
- <para>
- ou=Roles,o=acme,dc=example,dc=com
- </para>
- </listitem>
- <listitem>
- <para>
- ou=OrganizationUnits,o=acme,dc=example,dc=com
- </para>
- </listitem>
- <listitem>
- <para>
- <emphasis
role="bold">MSAD</emphasis>: CN=Users,DC=test,DC=domain (in two
places)
- </para>
- </listitem>
+ <listitem>
+ <para>
+ The default
<filename>picketlink-idm-config.xml</filename>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ One of the three example configuration files discussed
in <xref
linkend="Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up"/>:
+ </para>
+ <simplelist>
+
<member><filename>picketlink-idm-ldap-acme-config.xml</filename></member>
+
<member><filename>picketlink-idm-msad-readonly-config.xml</filename></member>
+
<member><filename>picketlink-idm-openldap-acme-config.xml</filename></member>
+ </simplelist>
+ </listitem>
+ <listitem>
+ <para>
+ A custom file created by modifying one of the above
files.
+ </para>
+ </listitem>
</itemizedlist>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>providerURL</term>
- <listitem>
+ <variablelist>
+ <title>Configuration options</title>
+ <varlistentry>
+ <term>ctxDNs</term>
+ <listitem>
+ <para>
+ This is the DN that will be used as context for
<emphasis>IdentityObject</emphasis> searches. More than one value can be
specified.
+ </para>
+ <para>
+ Some examples are:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ ou=People,o=acme,dc=example,dc=com
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ou=Roles,o=acme,dc=example,dc=com
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+
ou=OrganizationUnits,o=acme,dc=example,dc=com
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis
role="bold">MSAD</emphasis>: CN=Users,DC=test,DC=domain (in two
places)
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>providerURL</term>
+ <listitem>
+ <para>
+ The LDAP server connection URL. Formatted as
"ldap://localhost:<replaceable><PORT></replaceable>".
The default setting is: <emphasis>ldap://localhost:1389</emphasis>.
+ </para>
+ <para>
+ <emphasis
role="bold">MSAD</emphasis>: Should use SSL connection
(ldaps://xxx:636) if password update or entry creation is expected to work.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>adminDN</term>
+ <listitem>
+ <para>
+ The LDAP entry used to connect to the server.
+ </para>
+ <para>
+ Some possible values are:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <emphasis role="bold">RHDS
or OpenDS</emphasis>: cn=Directory Manager
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis
role="bold">OpenLDAP</emphasis>: cn=Manager,dc=my-domain,dc=com
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis
role="bold">MSAD</emphasis>: TEST\Administrator
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>adminPassword</term>
+ <listitem>
+ <para>
+ The password associated with the <emphasis
role="bold">adminDN</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>customSystemProperties</term>
+ <listitem>
+ <para>
+ This option defines the values needed to use SSL
encryption with LDAP.
+ </para>
+ <para>
+ To use it, ensure that it is is uncommented and
that the path to the <filename>.truststore</filename> file and passward are
correct.
+ </para>
+<remark>DOCS NOTE: I didn't include the
<emphasis>keytool</emphasis> command or the code snippet here, as
+</remark>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </example>
+<!-- Source Metadata
+URL:
http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1.0.0.GA/Ref...
+Author [w/email]: Bolesław Dawidowicz (bdawidow(a)redhat.com), Jeff Yu
+License: ??
+-->
+ <example
id="exam-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-groupTypeMappings">
+ <title>groupTypeMappings</title>
<para>
- The LDAP server connection URL. Formatted as
"ldap://localhost:<replaceable><PORT></replaceable>".
The default setting is: <emphasis>ldap://localhost:1389</emphasis>.
+ The <parameter>groupTypeMappings</parameter>
exposed in the <filename>idm-configuration.xml</filename> file correspond to
<parameter>identity-object-type</parameter> values defined in the DS-specific
configuration file referenced in <emphasis>Sub-step 3a</emphasis> of the
DS-specific procedure.
</para>
<para>
- <emphasis role="bold">MSAD</emphasis>:
Should use SSL connection (ldaps://xxx:636) if password update or entry creation is
expected to work.
+ For RHDS, OpenDS and OpenLDAP the
<filename>picketlink-idm-ldap-acme-config.xml</filename> and
<filename>picketlink-idm-openldap-acme-config.xml</filename> files contain the
following values:
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>adminDN</term>
- <listitem>
+ <programlistingco>
+ <areaspec>
+ <areaset
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-config-opends"
coords="">
+ <area coords="10 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-config-users-opends"
/>
+ <area coords="14 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-config-groups-opends"
/>
+ </areaset>
+ <area coords="17 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-config-readonly-opends"
/>
+ </areaspec>
+<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-opends.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
+ <calloutlist>
+ <!--#1-->
+ <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-config-opends">
+ <para>
+ The PicketLink IDM configuration file dictates that
users and those two group types be stored in LDAP.
+ </para>
+ </callout>
+ <!--#2-->
+ <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-Examples-config-readonly-opends">
+ <para>
+ An additional option defines that nothing else
(except password updates) should be written there.
+ </para>
+ </callout>
+ </calloutlist>
+ </programlistingco>
+
<para>
- The LDAP entry used to connect to the server.
+ All groups under <emphasis
role="bold">/acme/roles</emphasis> will be stored in PicketLink IDM
with the <emphasis role="bold">acme_roles_type</emphasis> group type
name and groups under <emphasis
role="bold">/acme/organization_units</emphasis> will be stored in
PicketLink IDM with <emphasis role="bold">acme_ou_type
group</emphasis> type name.
</para>
<para>
- Some possible values are:
+ For MSAD, the
<parameter>identity-object-types</parameter> values in
<filename>picketlink-idm-msad-readonly-config.xml</filename> change to:
</para>
- <itemizedlist>
- <listitem>
- <para>
- <emphasis role="bold">RHDS or
OpenDS</emphasis>: cn=Directory Manager
- </para>
- </listitem>
- <listitem>
- <para>
- <emphasis
role="bold">OpenLDAP</emphasis>: cn=Manager,dc=my-domain,dc=com
- </para>
- </listitem>
- <listitem>
- <para>
- <emphasis
role="bold">MSAD</emphasis>: TEST\Administrator
- </para>
- </listitem>
- </itemizedlist>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>adminPassword</term>
- <listitem>
+<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-msad.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
<para>
- The password associated with the <emphasis
role="bold">adminDN</emphasis>.
+ The difference is that this configuration maps only one group
type and points to the same container in LDAP for both users and mapped groups.
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>customSystemProperties</term>
- <listitem>
- <para>
- <emphasis role="bold">MSAD</emphasis>:
option if SSL connection is configured.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
-<!-- Source Metadata
-URL:
http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1.0.0.GA/Ref...
-Author [w/email]: Bolesław Dawidowicz (bdawidow(a)redhat.com), Jeff Yu
-License: ??
--->
- <para>
- More information about configuration can be found in <xref
linkend="sect-Reference_Guide-PicketLink_IDM_integration"/> and in the
PicketLink project <ulink type="http"
url="http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1....
Guide</ulink>.
- </para>
+ </example>
+ </section>
</section>
</section>
\ No newline at end of file
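Review bot: the remark under customSystemProperties ends mid-sentence ("I didn't include the keytool command or the code snippet here, as") and must be completed or removed before this ships. Typos in the added text: "ensure that it is is uncommented" has a doubled "is", "passward" should be "password", and the unchanged context line "Users defined in LDAP should be visable" should read "visible"; the License field in the metadata comment is still "??". Two points an administrator reading the adminDN and adminPassword entries will want made explicit: the adminPassword value sits in the same Picketlink configuration file as the rest of these settings, and since the section introduction says readonly mode still propagates password updates to LDAP, that account holds write access to password attributes, so the document should recommend restricting file permissions on the configuration file and using a dedicated least-privilege service account rather than the domain administrator shown in the example value `TEST\Administrator`. The SSL advice is currently given only for MSAD (ldaps://xxx:636 "if password update or entry creation is expected to work"), while the documented default providerURL is plain ldap://localhost:1389; the bind credentials and any propagated password cross the wire in the clear over ldap://, so the recommendation to use ldaps:// applies to all four directory servers, not only to MSAD. Finally, "(in two places)" after the MSAD ctxDNs example needs to say which two places.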