Author: smumford
Date: 2011-04-05 03:19:12 -0400 (Tue, 05 Apr 2011)
New Revision: 6161
Added:
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-msad.xml
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-opends.xml
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-openldap.xml
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/LDAP.xml
Modified:
epp/docs/branches/5.1/Reference_Guide/en-US/Author_Group.xml
epp/docs/branches/5.1/Reference_Guide/en-US/Book_Info.xml
epp/docs/branches/5.1/Reference_Guide/en-US/Reference_Guide.xml
epp/docs/branches/5.1/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity.xml
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
epp/docs/branches/5.1/Reference_Guide/en-US/modules/WSRP.xml
epp/docs/branches/5.1/Reference_Guide/publican.cfg
Log:
JBEPP-727: Adding new content for LDAP section.
Modified: epp/docs/branches/5.1/Reference_Guide/en-US/Author_Group.xml
===================================================================
--- epp/docs/branches/5.1/Reference_Guide/en-US/Author_Group.xml 2011-04-01 02:40:05 UTC
(rev 6160)
+++ epp/docs/branches/5.1/Reference_Guide/en-US/Author_Group.xml 2011-04-05 07:19:12 UTC
(rev 6161)
@@ -11,7 +11,6 @@
<shortaffil>Red Hat</shortaffil>
<orgdiv>JBoss Engineering</orgdiv>
</affiliation>
- <email>ltexier(a)redhat.com</email>
</editor>
<editor>
<firstname>Thomas</firstname>
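Review bot: Dropping the `<email>` element from all four editor entries is consistent within this file, but the Revision_History.xml hunk in the same commit adds a new `<author>` block that still carries `<email>smumford(a)redhat.com</email>`; if the aim is to keep contact addresses out of the rendered book, the revision authors need the same treatment, otherwise say in the log why editors and revision authors differ.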
@@ -20,16 +19,14 @@
<shortaffil>Red Hat</shortaffil>
<orgdiv>JBoss Engineering</orgdiv>
</affiliation>
- <email>theute(a)redhat.com</email>
</editor>
<editor>
<firstname>Wesley</firstname>
<surname>Hales</surname>
<affiliation>
<shortaffil>Red Hat</shortaffil>
- <orgdiv></orgdiv>
+ <orgdiv>JBoss Engineering</orgdiv>
</affiliation>
- <email>whales(a)redhat.com</email>
</editor>
<editor>
<firstname>Scott</firstname>
@@ -38,7 +35,6 @@
<shortaffil>Red Hat</shortaffil>
<orgdiv>Engineering Content Services</orgdiv>
</affiliation>
- <email>smumford(a)redhat.com</email>
</editor>
<othercredit>
<affiliation>
Modified: epp/docs/branches/5.1/Reference_Guide/en-US/Book_Info.xml
===================================================================
--- epp/docs/branches/5.1/Reference_Guide/en-US/Book_Info.xml 2011-04-01 02:40:05 UTC (rev
6160)
+++ epp/docs/branches/5.1/Reference_Guide/en-US/Book_Info.xml 2011-04-05 07:19:12 UTC (rev
6161)
@@ -9,7 +9,7 @@
<productname>JBoss Enterprise Portal Platform</productname>
<productnumber>5.1</productnumber>
<edition>1</edition>
- <pubsnumber>5.2</pubsnumber>
+ <pubsnumber>5.3</pubsnumber>
<abstract>
<para>
This Reference Guide is a high-level usage document. It deals with more advanced
topics than the Installation and User Guides, adding new content or taking concepts
discussed in the earlier documents further. It aims to provide supporting documentation
for advanced users of the &PRODUCT; product. Its primary focus is on advanced use of
the product and it assumes an intermediate or advanced knowledge of the technology and
terms.
Modified: epp/docs/branches/5.1/Reference_Guide/en-US/Reference_Guide.xml
===================================================================
--- epp/docs/branches/5.1/Reference_Guide/en-US/Reference_Guide.xml 2011-04-01 02:40:05
UTC (rev 6160)
+++ epp/docs/branches/5.1/Reference_Guide/en-US/Reference_Guide.xml 2011-04-05 07:19:12
UTC (rev 6161)
@@ -3,7 +3,7 @@
<!ENTITY % BOOK_ENTITIES SYSTEM "Reference_Guide.ent">
%BOOK_ENTITIES;
]>
-<book>
+<book status="draft">
<xi:include href="Book_Info.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Preface.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="modules/Introduction.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
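Review bot: `<book status="draft">` is fine for a review build, but together with `show_remarks: 1` in publican.cfg (same commit) it means the draft watermark and every DOCS NOTE `<remark>` ship in the output unless both are reverted before the 5.3 pubsnumber build is published; worth a tracking item or a line in the log so it is not forgotten.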
Modified: epp/docs/branches/5.1/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/5.1/Reference_Guide/en-US/Revision_History.xml 2011-04-01 02:40:05
UTC (rev 6160)
+++ epp/docs/branches/5.1/Reference_Guide/en-US/Revision_History.xml 2011-04-05 07:19:12
UTC (rev 6161)
@@ -8,6 +8,20 @@
<simpara>
<revhistory>
<revision>
+ <revnumber>1-5.3</revnumber>
+ <date>Tue Apr 5 2011</date>
+ <author>
+ <firstname>Scott</firstname>
+ <surname>Mumford</surname>
+ <email>smumford(a)redhat.com</email>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>Completed first draft of new LDAP
section.</member>
+ </simplelist>
+ </revdescription>
+ </revision>
+ <revision>
<revnumber>1-5.2</revnumber>
<date>Wed Mar 23 2011</date>
<author>
Added:
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-msad.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-msad.xml
(rev 0)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-msad.xml 2011-04-05
07:19:12 UTC (rev 6161)
@@ -0,0 +1,28 @@
+ <repository>
+ <id>PortalRepository</id>
+
<class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
+ <external-config/>
+ <default-identity-store-id>HibernateStore</default-identity-store-id>
+ <default-attribute-store-id>HibernateStore</default-attribute-store-id>
+ <identity-store-mappings>
+ <identity-store-mapping>
+ <identity-store-id>PortalLDAPStore</identity-store-id>
+ <identity-object-types>
+ <identity-object-type>USER</identity-object-type>
+ <identity-object-type>msad_roles_type</identity-object-type>
+ </identity-object-types>
+ <options>
+ <option>
+ <name>readOnly</name>
+ <value>true</value>
+ </option>
+ </options>
+ </identity-store-mapping>
+ </identity-store-mappings>
+ <options>
+ <option>
+ <name>allowNotDefinedAttributes</name>
+ <value>true</value>
+ </option>
+ </options>
+ </repository>
\ No newline at end of file
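Review bot: The opening `<repository>` line is indented one level while the two sibling extras (readonly-opends.xml, readonly-openldap.xml) start at column 0; since LDAP.xml pulls this file in with `parse="text"` into a `<programlisting>`, the stray indent appears verbatim in the rendered listing. The callout areas for this listing in LDAP.xml use coords 10, 13 and 16: counting lines here, 10 is `<identity-object-types>`, 13 is `</identity-object-types>` and 16 is `<name>readOnly</name>`, so if the "users" and "groups" markers are meant to sit on the `USER` and `msad_roles_type` entries, those are lines 11 and 12. Also add the missing trailing newline flagged by `\ No newline at end of file`.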
Added:
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-opends.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-opends.xml
(rev 0)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-opends.xml 2011-04-05
07:19:12 UTC (rev 6161)
@@ -0,0 +1,29 @@
+<repository>
+ <id>PortalRepository</id>
+
<class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
+ <external-config/>
+ <default-identity-store-id>HibernateStore</default-identity-store-id>
+ <default-attribute-store-id>HibernateStore</default-attribute-store-id>
+ <identity-store-mappings>
+ <identity-store-mapping>
+ <identity-store-id>PortalLDAPStore</identity-store-id>
+ <identity-object-types>
+ <identity-object-type>USER</identity-object-type>
+ <identity-object-type>acme_roles_type</identity-object-type>
+ <identity-object-type>acme_ou_type</identity-object-type>
+ </identity-object-types>
+ <options>
+ <option>
+ <name>readOnly</name>
+ <value>true</value>
+ </option>
+ </options>
+ </identity-store-mapping>
+ </identity-store-mappings>
+ <options>
+ <option>
+ <name>allowNotDefinedAttributes</name>
+ <value>true</value>
+ </option>
+ </options>
+ </repository>
\ No newline at end of file
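Review bot: The callout coords in LDAP.xml for this listing (10, 14, 17) land on `<identity-object-types>`, `</identity-object-types>` and `<name>readOnly</name>` respectively; if the "users" and "groups" areas are meant to mark the `USER`, `acme_roles_type` and `acme_ou_type` entries, those are lines 11 to 13. The file also lacks a trailing newline.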
Added:
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-openldap.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-openldap.xml
(rev 0)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/extras/Authentication_Identity_LDAP/readonly-openldap.xml 2011-04-05
07:19:12 UTC (rev 6161)
@@ -0,0 +1,29 @@
+<repository>
+ <id>PortalRepository</id>
+
<class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
+ <external-config/>
+ <default-identity-store-id>HibernateStore</default-identity-store-id>
+ <default-attribute-store-id>HibernateStore</default-attribute-store-id>
+ <identity-store-mappings>
+ <identity-store-mapping>
+ <identity-store-id>PortalLDAPStore</identity-store-id>
+ <identity-object-types>
+ <identity-object-type>USER</identity-object-type>
+ <identity-object-type>acme_roles_type</identity-object-type>
+ <identity-object-type>acme_ou_type</identity-object-type>
+ </identity-object-types>
+ <options>
+ <option>
+ <name>readOnly</name>
+ <value>true</value>
+ </option>
+ </options>
+ </identity-store-mapping>
+ </identity-store-mappings>
+ <options>
+ <option>
+ <name>allowNotDefinedAttributes</name>
+ <value>true</value>
+ </option>
+ </options>
+ </repository>
\ No newline at end of file
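Review bot: This file is byte-for-byte identical to readonly-opends.xml (same repository id, store ids, object types and options), so the two copies will drift the first time one is edited; either have LDAP.xml `xi:include` the same extra from both procedures or document what is expected to differ for OpenLDAP. Trailing newline missing here as well.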
Modified:
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2011-04-01
02:40:05 UTC (rev 6160)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2011-04-05
07:19:12 UTC (rev 6161)
@@ -19,9 +19,6 @@
<para>
The identity models represented in the
<literal>org.exoplatform.services.organization</literal> interfaces and the
one used in <emphasis role="bold">PicketLink IDM</emphasis> have
some major differences.
</para>
- <!-- <para>
-TODO: tell more about org.exoplatform.services.organization
-</para> -->
<para>
For example; <literal>PicketLink IDM</literal> provides greater
abstraction. It is possible for groups in the <emphasis
role="bold">IDM</emphasis> framework to form memberships with many
parents (which requires recursive ID translation), while the
<literal>org.exoplatform.services.organization</literal> model allows only
pure tree-like membership structures.
</para>
Added:
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/LDAP.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/LDAP.xml
(rev 0)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/LDAP.xml 2011-04-05
07:19:12 UTC (rev 6161)
@@ -0,0 +1,648 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+%BOOK_ENTITIES;
+<!ENTITY % BOOK_ENTITIES SYSTEM "Reference_Guide.ent">
+]>
+
+<section id="sect-Reference_Guide-LDAP">
+ <title>LDAP Integration - PLEASE REVIEW</title>
+ <note>
+ <title>Notational Device</title>
+ <para>
+ For ease of readability the following section uses the notational device
<replaceable>LDAP_HOME</replaceable> to represent the file path
<filename><replaceable>JBOSS_HOME</replaceable>/server/<replaceable><PROFILE></replaceable>/deploy/gatein.ear/02portal.war/</filename>.
+ </para>
+ </note>
+ <para>
+ <emphasis role="bold">LDAP</emphasis> (Lightweight
Directory Access Protocol) is a set of open protocols used to access centrally stored
information over a network. It is based on the X.500 standard for directory sharing, but
is less complex and resource-intensive
+ </para>
+ <para>
+ Using a client/server architecture, LDAP provides a reliable means to create a
central information directory accessible from the network. When a client attempts to
modify information within this directory, the server verifies the user has permission to
make the change, and then adds or updates the entry as requested. To ensure the
communication is secure, the Secure Sockets Layer (<emphasis>SSL</emphasis>)
or Transport Layer Security (<emphasis>TLS</emphasis>) cryptographic protocols
can be used to prevent an attacker from intercepting the transmission.
+ </para>
+<!-- Source Metadata
+URL:
http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_L...
+Author [email]: Red Hat ECS Platform Team
+License: Copyright © 2010, 2011 Red Hat, Inc.
+-->
+ <para>
+ LDAP provides the protocols required to manage the data stored in a Directory
Server. A Directory Server contains information about resources available (user accounts
and printers for example) and their location on the network.
+ </para>
+ <para>
+ The following table is a list of Directory Servers that are supported and
certified in &PRODUCT;.
+ </para>
+
+<remark>DOCS NOTE: Are these still the correct versions of the various Directory
Servers supported in EPP? And how can I find that info out for myself?</remark>
+
+ <table>
+ <title>Supported and Certified directory servers</title>
+ <tgroup cols="2">
+ <colspec colnum="1" colname="LDAP"
colwidth="1*"></colspec>
+ <thead>
+ <row>
+ <entry>
+ <emphasis>Directory Server</emphasis>
+ </entry>
+ <entry>
+ <emphasis>Version</emphasis>
+ </entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>
+ OpenDS
+ </entry>
+ <entry>
+ 1.2
+ </entry>
+ </row>
+ <row>
+ <entry>
+ OpenDS
+ </entry>
+ <entry>
+ 2.0
+ </entry>
+ </row>
+ <row>
+ <entry>
+ OpenLDAP
+ </entry>
+ <entry>
+ 2.4
+ </entry>
+ </row>
+ <row>
+ <entry>
+ Red Hat Directory Server (RHDS)
+ </entry>
+ <entry>
+ 7.1
+ </entry>
+ </row>
+ <row>
+ <entry>
+ Microsoft Active Directory (MSAD)
+ </entry>
+ <entry>
+ Windows Server 2008
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <note>
+ <title>Examples</title>
+ <para>
+ &PRODUCT; includes several example LDAP configuration
<filename>.xml</filename> files and <filename>.ldif</filename>
(LDAP Data Interchange Format) data files.
+ </para>
+ <para>
+ These examples are in the
<filename><replaceable>LDAP_HOME</replaceable>/WEB-INF/conf/organization/picketlink-idm/examples</filename>
directory and can be deployed in a testing environment to assist in configuring LDAP.
+ </para>
+ </note>
+
+ <section id="sect-Reference_Guide-LDAP-LDAP_in_Readonly_Mode">
+ <title>LDAP in Readonly Mode</title>
+ <para>
+ This section describes how to add LDAP users and organizations to
&PRODUCT;.
+ </para>
+ <para>
+ This section will show you how to add LDAP in readonly mode. This means
that user data entries (both pre-existing, and newly added through the &PRODUCT; User
Interface) will be consumed though the Directory Server and LDAP services, but written to
the underlying database.
+ </para>
+
+<remark>DOCS NOTE: Is the above paragraph an accurate description of LDAP in
Readonly mode? The Wiki original was a little unclear on this.
+</remark>
+
+<!-- Original draft content. Can be removed if current para gets approval.
+ <para>
+ All default accounts and groups that are already configured in
&PRODUCT; will be created in the underlying database and the LDAP service will be
configured in <emphasis>readonly</emphasis> mode. This means that, while users
and groups will be consumed from the directory server, all new entries created using
&PRODUCT;'s User Interface will be stored in the database.
+ </para> -->
+ <procedure
id="Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up">
+ <title>LDAP Set Up</title>
+ <step>
+ <para>
+ Install and populate your LDAP server.
+ </para>
+ <para>
+ If you are installing the Red Hat Directory Server, you should
refer to the Installation Guide at <ulink type="http"
url="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/inde...;.
+ </para>
+ <para>
+ If you are using a third party directory server (OpenDS, OpenLDAP
or MSAD), refer the appropriate documentation for that product.
+ </para>
+ <substeps>
+ <step>
+ <para>
+ The following values provide an example of working
configuration settings for the different Directory Servers:
+ </para>
+<remark>DOCS NOTE: This table is a little light, using the info in the wiki
article. Where can I find more settings (I've looked into documentation for the
products). Alternatively, if this is straightforward for administrators, can this part be
removed?
+</remark>
+ <table>
+ <title></title>
+ <tgroup cols="8">
+ <colspec
colname="1"></colspec>
+ <colspec
colname="2"></colspec>
+ <colspec
colname="3"></colspec>
+ <colspec
colname="4"></colspec>
+ <colspec
colname="5"></colspec>
+ <colspec
colname="6"></colspec>
+ <colspec
colname="7"></colspec>
+ <colspec
colname="8"></colspec>
+ <spanspec spanname="vspan"
namest="2" nameend="8"></spanspec>
+ <thead>
+ <row>
+ <entry>
+ Directory Server
+ </entry>
+ <entry spanname="vspan">
+ Value
+ </entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>
+
+ </entry>
+ <entry>
+ <emphasis role="bold">root
user DN</emphasis>
+ </entry>
+ <entry>
+ <emphasis
role="bold">Password</emphasis>
+ </entry>
+ <entry>
+ <emphasis
role="bold">Port</emphasis>
+ </entry>
+ <entry>
+ <emphasis role="bold">Admin
Port</emphasis>
+ </entry>
+ <entry>
+ <emphasis role="bold">Base
DN</emphasis>
+ </entry>
+ <entry>
+ <emphasis
role="bold">Database Population</emphasis>
+ </entry>
+ <entry>
+ <emphasis
role="bold">SSO/TLS</emphasis>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <emphasis role="bold">RHDS
and OpenDS</emphasis>
+ </entry>
+ <entry>
+ cn=Directory Manager
+ </entry>
+ <entry>
+ password
+ </entry>
+ <entry>
+ 1389
+ </entry>
+ <entry>
+ 4444
+ </entry>
+ <entry>
+ dc=example,dc=com
+ </entry>
+ <entry>
+ "Only create the base entry"
+ </entry>
+ <entry>
+ no SSO, no TLS
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <emphasis
role="bold">MSAD</emphasis>
+ </entry>
+ <entry>
+ CN=Users
+ </entry>
+ <entry>
+
+ </entry>
+ <entry>
+
+ </entry>
+ <entry>
+
+ </entry>
+ <entry>
+
+ </entry>
+ <entry>
+
+ </entry>
+ <entry>
+
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <emphasis
role="bold">OpenLDAP</emphasis>
+ </entry>
+ <entry>
+ cn=Manager,dc=example,dc=com
+ </entry>
+ <entry>
+ secret
+ </entry>
+ <entry>
+ 1389
+ </entry>
+ <entry>
+
+ </entry>
+ <entry>
+ dc=example,dc=com
+ </entry>
+ <entry>
+
+ </entry>
+ <entry>
+
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </step>
+ <step>
+ <para>
+ Start the Directory Server and, if desired, import an
<filename>ldif</filename> file.
+ </para>
+ </step>
+ </substeps>
+ </step>
+ <step>
+ <para>
+ Ensure that
<filename><replaceable>LDAP_HOME</replaceable></filename> is fully
expanded in your &PRODUCT; installation.
+ </para>
+ </step>
+ <step>
+ <para>
+ Open the
<filename><replaceable>LDAP_HOME</replaceable>/WEB-INF/conf/organization/idm-configuration.xml</filename>
file and choose a procedure below depending on which Directory Server you are
implementing.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <xref
linkend="proc-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-RHDS_or_OpenDS"/>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
linkend="proc-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-MSAD"/>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
linkend="proc-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-OpenLDAP"/>
+ </para>
+ </listitem>
+ </itemizedlist>
+
+<remark>DOCS NOTE: Rather than re-write the same steps in theree procedures, I
tried forking the one procedure in three directions. This is an EXPERIMENT! Let me know
how you think it works.
+</remark>
+
+ <procedure
id="proc-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-RHDS_or_OpenDS">
+ <title>Red Hat Directory Server or OpenDS</title>
+ <step>
+ <para>
+ Uncomment the line under "<emphasis
role="bold">Read Only "ACME" LDAP Example</emphasis>":
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<!--Read Only "ACME" LDAP Example-->
+<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml</value>
+]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Uncomment the
<emphasis>groupTypeMappings</emphasis> under "<emphasis
role="bold">Uncomment for ACME LDAP example</emphasis>":
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<entry>
+ <key><string>/acme/roles/*</string></key>
+ <value><string>acme_roles_type</string></value>
+</entry>
+<entry>
+ <key><string>/acme/organization_units/*</string></key>
+ <value><string>acme_ou_type</string></value>
+</entry>
+]]></programlisting>
+ <para >
+ These <emphasis>groupTypeMappings</emphasis>
correspond to <emphasis>identity-object-type</emphasis> options defined in the
<filename>picketlink-idm-ldap-acme-config.xml</filename> file (referenced
above in <emphasis role="bold">Sub-step a</emphasis>):
+ </para>
+
+ <programlistingco>
+ <areaspec>
+ <areaset
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-opends"
coords="">
+ <area coords="10 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-users-opends" />
+ <area coords="14 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-groups-opends" />
+ </areaset>
+ <area coords="17 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-opends"
/>
+ </areaspec>
+<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-opends.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
+ <calloutlist>
+ <!--#1-->
+ <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-opends">
+ <para>
+ The PicketLink IDM configuration file dictates
that users and those two group types be stored in LDAP.
+ </para>
+ </callout>
+ <!--#2-->
+ <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-opends">
+ <para>
+ An additional option defines that nothing else
(except password updates) should be written there.
+ </para>
+ </callout>
+ </calloutlist>
+ </programlistingco>
+ <para>
+ All groups under <emphasis
role="bold">/acme/roles</emphasis> will be stored in PicketLink IDM
with the <emphasis role="bold">acme_roles_type</emphasis> group type
name and groups under <emphasis
role="bold">/acme/organization_units</emphasis> will be stored in
PicketLink IDM with <emphasis role="bold">acme_ou_type
group</emphasis> type name.
+ </para>
+ </step>
+ <step>
+ <para>
+ Continue to <xref
linkend="step-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up-Step-4"/>.
+ </para>
+ </step>
+ </procedure>
+
+ <procedure
id="proc-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-MSAD">
+ <title>Microsoft Active Directory</title>
+ <step>
+ <para>
+ Uncomment the line under "<emphasis
role="bold">MSAD Read Only "ACME" LDAP
Example</emphasis>":
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<!--MSAD Read Only "ACME" LDAP
Example-->
+<!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml</value>-->
+]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Uncomment the
<emphasis>groupTypeMappings</emphasis> under "<emphasis
role="bold">Uncomment for MSAD ReadOnly LDAP example</emphasis>":
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<entry>
+ <key><string>/acme/roles/*</string></key>
+ <value><string>msad_roles_type</string></value>
+</entry>
+]]></programlisting>
+ <para>
+ These <emphasis>groupTypeMappings</emphasis>
correspond to <emphasis>identity-object-type</emphasis> options defined in the
<filename>picketlink-idm-msad-readonly-config.xml</filename> file (referenced
above in <emphasis role="bold">Sub-step a</emphasis>):
+ </para>
+
+ <programlistingco>
+ <areaspec>
+ <areaset
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-MSAD"
coords="">
+ <area coords="10 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-users-MSAD" />
+ <area coords="13 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-groups-MSAD" />
+ </areaset>
+ <area coords="16 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-MSAD" />
+ </areaspec>
+<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-msad.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
+ <calloutlist>
+ <!--#1-->
+ <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-MSAD">
+ <para>
+ The PicketLink IDM configuration file dictates
that users and those two group types be stored in LDAP.
+ </para>
+ </callout>
+ <!--#2-->
+ <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-MSAD">
+ <para>
+ An additional option defines that nothing else
(except password updates) should be written there.
+ </para>
+ </callout>
+ </calloutlist>
+ </programlistingco>
+ <para>
+ All groups under <emphasis
role="bold">/acme/roles</emphasis> will be stored in PicketLink IDM
with the <emphasis role="bold">acme_roles_type</emphasis> group type
name and groups under <emphasis
role="bold">/acme/organization_units</emphasis> will be stored in
PicketLink IDM with <emphasis role="bold">acme_ou_type
group</emphasis> type name.
+ </para>
+ </step>
+ <step>
+ <para>
+ Continue to <xref
linkend="step-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up-Step-4"/>.
+ </para>
+ </step>
+ </procedure>
+
+ <procedure
id="proc-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-OpenLDAP">
+ <title>OpenLDAP</title>
+ <step>
+ <para>
+ Uncomment the line under "<emphasis
role="bold">OpenLDAP ReadOnly "ACME" LDAP
Example</emphasis>":
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<!--OpenLDAP ReadOnly "ACME" LDAP
Example-->
+<!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-openldap-acme-config.xml</value>-->
+]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Uncomment the
<emphasis>groupTypeMappings</emphasis> under "<emphasis
role="bold">Uncomment for ACME LDAP example</emphasis>":
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<entry>
+ <key><string>/acme/roles/*</string></key>
+ <value><string>acme_roles_type</string></value>
+</entry>
+<entry>
+ <key><string>/acme/organization_units/*</string></key>
+ <value><string>acme_ou_type</string></value>
+</entry>
+]]></programlisting>
+ <para>
+ These <emphasis>groupTypeMappings</emphasis>
correspond to <emphasis>identity-object-type</emphasis> options defined in the
<filename>picketlink-idm-ldap-acme-config.xml</filename> file (referenced
above in <emphasis role="bold">Sub-step a</emphasis>):
+ </para>
+
+ <programlistingco>
+ <areaspec>
+ <areaset
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-OpenLDAP"
coords="">
+ <area coords="10 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-users-OpenLDAP"
/>
+ <area coords="14 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-groups-OpenLDAP"
/>
+ </areaset>
+ <area coords="17 40"
id="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-OpenLDAP"
/>
+ </areaspec>
+<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_LDAP/readonly-openldap.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
+ <calloutlist>
+ <!--#1-->
+ <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-OpenLDAP">
+ <para>
+ The PicketLink IDM configuration file dictates
that users and those two group types be stored in LDAP.
+ </para>
+ </callout>
+ <!--#2-->
+ <callout
arearefs="area-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-config-readonly-OpenLDAP">
+ <para>
+ An additional option defines that nothing
else (except password updates) should be written there.
+ </para>
+ </callout>
+ </calloutlist>
+ </programlistingco>
+ <para>
+ All groups under <emphasis
role="bold">/acme/roles</emphasis> will be stored in PicketLink IDM
with the <emphasis role="bold">acme_roles_type</emphasis> group type
name and groups under <emphasis
role="bold">/acme/organization_units</emphasis> will be stored in
PicketLink IDM with <emphasis role="bold">acme_ou_type
group</emphasis> type name.
+ </para>
+ </step>
+ <step>
+ <para>
+ Continue to <xref
linkend="step-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up-Step-4"/>.
+ </para>
+ </step>
+ </procedure>
+ </step>
+
+ <step
id="step-Reference_Guide-LDAP-LDAP_in_Readonly_Mode-LDAP_Set_Up-Step-4">
+ <para>
+ Start the server.
+ </para>
+ </step>
+ <step>
+ <para>
+ Navigate to the portal homepage (<ulink type="http"
url="http://localhost:8080/portal"></ulink>) and log in as an
administrator.
+ </para>
+ </step>
+ <step>
+ <para>
+ Navigate to <menuchoice>
+ <guimenu>Group</guimenu>
+ <guimenuitem>Organization</guimenuitem>
+ <guimenuitem>Users and groups
management</guimenuitem>
+ </menuchoice>.
+ </para>
+ <substeps>
+ <step>
+ <para>
+ Create a new group called
<emphasis>acme</emphasis> under the root node.
+ </para>
+ </step>
+ <step>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <emphasis role="bold">For RHDS,
OpenDS and OpenLDAP</emphasis>:
+ </para>
+ <para>
+ Create two sub-groups called
<emphasis>roles</emphasis> and
<emphasis>organization_units</emphasis>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis role="bold">For
MSAD:</emphasis>
+ </para>
+ <para>
+ Create a subgroup called
<emphasis>roles</emphasis>.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
+ </substeps>
+ </step>
+ </procedure>
+
+
+ <para>
+ Users defined in LDAP should be visable in "<emphasis>Users and
groups management</emphasis>" and groups from LDAP should be present as
children of <emphasis>/acme/roles</emphasis> and
<emphasis>/acme/organization_units</emphasis>.
+ </para>
+ <para>
+ To use a different LDAP server or directory data, edit the
<filename><replaceable>LDAP_HOME</replaceable>/WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml</filename>
file and change the following values to suit your requirements:
+ </para>
+ <variablelist>
+ <title>LDAP configuration options:</title>
+
+<remark>DOCS NOTE: Again, I tried collapsing content into one place, as opposed to
three. Is this confusing?
+</remark>
+
+ <varlistentry>
+ <term>ctxDNs</term>
+ <listitem>
+ <para>
+ This is the DN that will be used as context for
<emphasis>IdentityObject</emphasis> searches. More than one value can be
specified.
+ </para>
+ <para>
+ Some examples are:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ ou=People,o=acme,dc=example,dc=com
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ou=Roles,o=acme,dc=example,dc=com
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ou=OrganizationUnits,o=acme,dc=example,dc=com
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis
role="bold">MSAD</emphasis>: CN=Users,DC=test,DC=domain (in two
places)
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>providerURL</term>
+ <listitem>
+ <para>
+ The LDAP server connection URL. Formatted as
"ldap://localhost:<replaceable><PORT></replaceable>".
The default setting is: <emphasis>ldap://localhost:1389</emphasis>.
+ </para>
+ <para>
+ <emphasis role="bold">MSAD</emphasis>:
Should use SSL connection (ldaps://xxx:636) if password update or entry creation is
expected to work.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>adminDN</term>
+ <listitem>
+ <para>
+ The LDAP entry used to connect to the server.
+ </para>
+ <para>
+ Some possible values are:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <emphasis role="bold">RHDS or
OpenDS</emphasis>: cn=Directory Manager
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis
role="bold">OpenLDAP</emphasis>: cn=Manager,dc=my-domain,dc=com
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis
role="bold">MSAD</emphasis>: TEST\Administrator
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>adminPassword</term>
+ <listitem>
+ <para>
+ The password associated with the <emphasis
role="bold">adminDN</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>customSystemProperties</term>
+ <listitem>
+ <para>
+ <emphasis role="bold">MSAD</emphasis>:
option if SSL connection is configured.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+<!-- Source Metadata
+URL:
http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1.0.0.GA/Ref...
+Author [w/email]: Bolesław Dawidowicz (bdawidow(a)redhat.com), Jeff Yu
+License: ??
+-->
+ <para>
+ More information about configuration can be found in <xref
linkend="sect-Reference_Guide-PicketLink_IDM_integration"/> and in the
PicketLink project <ulink type="http"
url="http://anonsvn.jboss.org/repos/picketlink/idm/downloads/docs/1....
Guide</ulink>.
+ </para>
+ </section>
+</section>
\ No newline at end of file
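Review bot: The internal DTD subset references the parameter entity before declaring it: `%BOOK_ENTITIES;` sits on the line above `<!ENTITY % BOOK_ENTITIES SYSTEM "Reference_Guide.ent">`, so the reference resolves to nothing and `&PRODUCT;` will not expand; swap the two lines to the order Reference_Guide.xml uses (declaration first, then `%BOOK_ENTITIES;`). In the Microsoft Active Directory procedure the closing paragraph ("All groups under /acme/roles will be stored in PicketLink IDM with the acme_roles_type group type name and groups under /acme/organization_units ...") is copied from the OpenDS procedure, but the MSAD mapping shown just above it maps only `/acme/roles/*` to `msad_roles_type`, and its callout says "those two group types" where there is one. The settings table's last column is headed "SSO/TLS" with the value "no SSO, no TLS"; given the SSL/TLS discussion in the introduction and the `ldaps://` advice under providerURL, this should presumably read SSL/TLS. The readonly-mode paragraph ("consumed though the Directory Server and LDAP services, but written to the underlying database") reads as if directory data is copied into the database; the commented-out draft directly below it (existing users and groups are read from the directory, entries created through the UI go to the database) matches the `readOnly` option and the callout text, so consider restoring that wording. The MSAD and OpenLDAP listings still show the `<value>` wrapped in `<!-- -->` under a step that says "Uncomment the line", while the RHDS/OpenDS listing shows the uncommented form; pick one convention. The "password" and "secret" cells in the settings table are the example defaults of those directory servers and deserve a sentence saying they must be replaced on a real deployment. Typos: "resource-intensive" lacks its full stop, "refer the appropriate documentation" wants "refer to", "consumed though", "visable", and "theree" in the remark. The Source Metadata comment above the configuration-options list has "License: ??"; that needs resolving before the section ships.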
Modified:
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2011-04-01
02:40:05 UTC (rev 6160)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2011-04-05
07:19:12 UTC (rev 6161)
@@ -832,8 +832,7 @@
<para>
Start the &PRODUCT;;
</para>
- <!-- <programlisting language="Java"
role="Java"><xi:include parse="text"
href="../../extras/Authentication_Identity_SSO/default130.java"
xmlns:xi="http://www.w3.org/2001/XInclude" /></programlisting> -->
-<programlisting><command>sudo ./run.sh
-Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c
<replaceable>PROFILE</replaceable> -b
server.local.network</command></programlisting>
+<programlisting language="Java" role="Java"><xi:include
parse="text"
href="../../extras/Authentication_Identity_SSO/default130.java"
xmlns:xi="http://www.w3.org/2001/XInclude" /></programlisting>
<para>
The <replaceable>PROFILE</replaceable> parameter in the above command
should be replaced with the server profile modified with the above configuration.
</para>
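Review bot: The unchanged paragraph after the listing still says "The PROFILE parameter in the above command should be replaced with the server profile ...", but this hunk removes the `sudo ./run.sh -Djava.security.krb5.realm=... -c PROFILE -b server.local.network` command and puts the `default130.java` include in its place, so there is no longer a command or a PROFILE placeholder above it; either keep the command listing alongside the Java include or drop/reword that paragraph. Also check that default130.java actually contains Java rather than the run.sh invocation, since the include is tagged `language="Java" role="Java"`.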
Modified:
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity.xml
===================================================================
---
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity.xml 2011-04-01
02:40:05 UTC (rev 6160)
+++
epp/docs/branches/5.1/Reference_Guide/en-US/modules/AuthenticationAndIdentity.xml 2011-04-05
07:19:12 UTC (rev 6161)
@@ -11,4 +11,5 @@
<xi:include href="AuthenticationAndIdentity/OrganizationAPI.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="AuthenticationAndIdentity/AccessingUserProfile.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="AuthenticationAndIdentity/SSO.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="AuthenticationAndIdentity/LDAP.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
</chapter>
Modified: epp/docs/branches/5.1/Reference_Guide/en-US/modules/WSRP.xml
===================================================================
--- epp/docs/branches/5.1/Reference_Guide/en-US/modules/WSRP.xml 2011-04-01 02:40:05 UTC
(rev 6160)
+++ epp/docs/branches/5.1/Reference_Guide/en-US/modules/WSRP.xml 2011-04-05 07:19:12 UTC
(rev 6161)
@@ -1305,7 +1305,7 @@
</section>
<section
id="sect-Reference_Guide-Web_Services_for_Remote_Portlets_WSRP-Removing_WSRP">
- <title>Removing WSRP</title>
+ <title>Removing WSRP - PLEASE REVIEW</title>
<para>
If you are not going to use WSRP in your &PRODUCT; instance, your
installation will not be adversely affected should you leave the WSRP files in place.
</para>
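Review bot: Putting "PLEASE REVIEW" inside `<title>` makes it part of the rendered heading, the table of contents and any generated index; since this commit turns on `show_remarks`, a `<remark>` placed right after the title carries the same reviewer signal without altering the heading text. The same applies to the "LDAP Integration - PLEASE REVIEW" title in LDAP.xml.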
Modified: epp/docs/branches/5.1/Reference_Guide/publican.cfg
===================================================================
--- epp/docs/branches/5.1/Reference_Guide/publican.cfg 2011-04-01 02:40:05 UTC (rev 6160)
+++ epp/docs/branches/5.1/Reference_Guide/publican.cfg 2011-04-05 07:19:12 UTC (rev 6161)
@@ -5,4 +5,4 @@
type: Book
brand: JBoss
debug:1
-
+show_remarks: 1
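Review bot: `show_remarks: 1` renders every `<remark>` in the built output, including the DOCS NOTE questions in LDAP.xml; that is right for a review build but must be set back to 0 (and `status="draft"` removed from `<book>`) before release. Adjacent style point: the unchanged `debug:1` line lacks the space after the colon that the other keys use.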