Author: bdaw
Date: 2007-03-15 12:23:28 -0400 (Thu, 15 Mar 2007)
New Revision: 6690
Modified:
docs/trunk/referenceGuide/en/modules/ldap.xml
Log:
doco update
Modified: docs/trunk/referenceGuide/en/modules/ldap.xml
===================================================================
--- docs/trunk/referenceGuide/en/modules/ldap.xml 2007-03-15 14:36:24 UTC (rev 6689)
+++ docs/trunk/referenceGuide/en/modules/ldap.xml 2007-03-15 16:23:28 UTC (rev 6690)
@@ -679,24 +679,26 @@
</para>
<sect2>
<title>Keeping users membership in role entries</title>
- <para>TODO></para>
- <para>Tree:
+ <para>TODO:</para>
+ <para>Example tree shape in LDAP browser
<mediaobject>
<imageobject>
<imagedata align="center" valign="middle"
fileref="images/ldap/tree1-1.png"/>
</imageobject>
</mediaobject>
</para>
- <para>Tree:
+ <para>
<mediaobject>
<imageobject>
<imagedata align="center" valign="middle"
fileref="images/ldap/tree1-2.png"/>
</imageobject>
</mediaobject>
</para>
- <para>Example LDIF:
- <programlisting>
- <![CDATA[
+ <sect3>
+ <title>Example LDIF</title>
+ <para>
+ <programlisting>
+ <![CDATA[
dn: dc=example,dc=com
objectclass: top
objectclass: dcObject
@@ -719,6 +721,16 @@
userPassword: user
mail: email(a)email.com
+dn: uid=admin,ou=People,dc=example,dc=com
+objectclass: top
+objectclass: inetOrgPerson
+objectclass: person
+uid: admin
+cn: JBoss Portal admin
+sn: admin
+userPassword: admin
+mail: email(a)email.com
+
dn: ou=Roles,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
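Review bot: The added `uid=admin` entry carries `userPassword: admin`, a cleartext value identical to the uid, and the following hunk makes this account the only member of the `cn=Admin` role. Reference LDIF tends to be imported as-is, so I would mark the value as a sample, for example with an LDIF comment line `# sample password - replace before importing` above `userPassword: admin`. The existing `userPassword: user` context line has the same issue. The LDIF listing starts and ends outside this hunk.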
@@ -730,16 +742,118 @@
cn: User
description: the JBoss Portal user group
member: uid=user,ou=People,dc=example,dc=com
+
+dn: cn=Admin,ou=Roles,dc=example,dc=com
+objectClass: top
+objectClass: groupOfNames
+cn: Echo
+description: the JBoss Portal admin group
+member: uid=admin,ou=People,dc=example,dc=com
]]>
- </programlisting>
- </para>
- <para>Example identity configuration:
- <programlisting>
- <![CDATA[
+ </programlisting>
+ </para>
+ </sect3>
+ <sect3>
+ <title>Example identity configuration</title>
+ <para>
+ <programlisting>
+ <![CDATA[
+ <modules>
+ <module>
+ <!--type used to correctly map in IdentityContext registry-->
+ <type>User</type>
+ <implementation>LDAP</implementation>
+ <config/>
+ </module>
+ <module>
+ <type>Role</type>
+ <implementation>LDAP</implementation>
+ <config/>
+ </module>
+ <module>
+ <type>Membership</type>
+ <implementation>LDAP</implementation>
+ <config/>
+ </module>
+ <module>
+ <type>UserProfile</type>
+ <implementation>DELEGATING</implementation>
+ <config>
+ <option>
+ <name>ldapModuleJNDIName</name>
+ <value>java:/portal/LDAPUserProfileModule</value>
+ </option>
+ </config>
+ </module>
+ <module>
+ <type>DBDelegateUserProfile</type>
+ <implementation>DB</implementation>
+ <config>
+ <option>
+ <name>randomSynchronizePassword</name>
+ <value>true</value>
+ </option>
+ </config>
+ </module>
+ <module>
+ <type>LDAPDelegateUserProfile</type>
+ <implementation>LDAP</implementation>
+ <config/>
+ </module>
+ </modules>
+ <options>
+ <option-group>
+ <group-name>common</group-name>
+ <option>
+ <name>userCtxDN</name>
+ <value>ou=People,dc=example,dc=com</value>
+ </option>
+ <option>
+ <name>roleCtxDN</name>
+ <value>ou=Roles,dc=example,dc=com</value>
+ </option>
+ </option-group>
+ <option-group>
+ <group-name>userCreateAttibutes</group-name>
+ <option>
+ <name>objectClass</name>
+ <!--This objectclasses should work with Red Hat Directory-->
+ <value>top</value>
+ <value>person</value>
+ <value>inetOrgPerson</value>
+ </option>
+ <!--Schema requires those to have initial value-->
+ <option>
+ <name>cn</name>
+ <value>none</value>
+ </option>
+ <option>
+ <name>sn</name>
+ <value>none</value>
+ </option>
+ </option-group>
+ <option-group>
+ <group-name>roleCreateAttibutes</group-name>
+ <!--Schema requires those to have initial value-->
+ <option>
+ <name>cn</name>
+ <value>none</value>
+ </option>
+ <!--Some directory servers require this attribute to be valid DN-->
+ <!--For safety reasons point to the admin user here-->
+ <option>
+ <name>member</name>
+ <value>uid=admin,ou=People,dc=example,dc=com</value>
+ </option>
+ </option-group>
+ </options>
+
]]>
- </programlisting>
- </para>
+ </programlisting>
+ </para>
+ </sect3>
+
</sect2>
<sect2>
<title>Keeping users membership in user entries</title>
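Review bot: In the added `cn=Admin,ou=Roles,dc=example,dc=com` entry the naming attribute does not match the DN: the entry has `cn: Echo` and no `cn: Admin`. Directory servers commonly require the RDN value to be present in the entry, so this LDIF may be rejected on import or yield a role whose `cn` is not the name the reader expects; `cn: Admin` looks like the intended line. The `cn: Echo` context line in the second example (under `o=example2`) has the same mismatch. Separately, the comment `For safety reasons point to the admin user here` in `roleCreateAttibutes` would be clearer if it said that every newly created role then presumably starts with `uid=admin` as a member.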
@@ -750,23 +864,25 @@
</imageobject>
</mediaobject>
</para>-->
- <para>Tree:
+ <para>Example tree shape in LDAP browser
<mediaobject>
<imageobject>
<imagedata align="center" valign="middle"
fileref="images/ldap/tree2-3.png"/>
</imageobject>
</mediaobject>
</para>
- <para>Tree:
+ <para>
<mediaobject>
<imageobject>
<imagedata align="center" valign="middle"
fileref="images/ldap/tree2-4.png"/>
</imageobject>
</mediaobject>
</para>
- <para>Example LDIF:
- <programlisting>
- <![CDATA[
+ <sect3>
+ <title>Example LDIF</title>
+ <para>
+ <programlisting>
+ <![CDATA[
dn: dc=example,dc=com
objectclass: top
objectclass: dcObject
@@ -795,29 +911,152 @@
mail: email(a)email.com
memberOf: cn=Admin,ou=Roles,o=example2,dc=example,dc=com
+dn: uid=user,ou=People,o=example2,dc=example,dc=com
+objectclass: top
+objectclass: inetOrgPerson
+objectclass: inetUser
+uid: user
+cn: JBoss Portal user
+sn: user
+userPassword: user
+mail: email(a)email.com
+memberOf: cn=User,ou=Roles,o=example2,dc=example,dc=com
+
dn: ou=Roles,o=example2,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Roles
+dn: cn=User,ou=Roles,o=example2,dc=example,dc=com
+objectClass: top
+objectClass: organizationalRole
+cn: User
+description: the JBoss Portal user group
+
dn: cn=Admin,ou=Roles,o=example2,dc=example,dc=com
objectClass: top
objectClass: organizationalRole
cn: Echo
-description: the JBossAdmin group
+description: the JBoss Portal admin group
]]>
- </programlisting>
- </para>
- <para>Example identity configuration:
- <programlisting>
- <![CDATA[
+ </programlisting>
+ </para>
+ </sect3>
+ <sect3>
+ <title>Example identity configuration</title>
+ <para>
+ <programlisting>
+ <![CDATA[
+ <modules>
+ <module>
+ <!--type used to correctly map in IdentityContext registry-->
+ <type>User</type>
+ <implementation>LDAP</implementation>
+ <config/>
+ </module>
+ <module>
+ <type>Role</type>
+ <implementation>LDAP</implementation>
+ <config/>
+ </module>
+ <module>
+ <type>Membership</type>
+ <implementation>LDAP</implementation>
+
<class>org.jboss.portal.identity.ldap.LDAPStaticRoleMembershipModuleImpl</class>
+ <config/>
+ </module>
+ <module>
+ <type>UserProfile</type>
+ <implementation>DELEGATING</implementation>
+ <config>
+ <option>
+ <name>ldapModuleJNDIName</name>
+ <value>java:/portal/LDAPUserProfileModule</value>
+ </option>
+ </config>
+ </module>
+ <module>
+ <type>DBDelegateUserProfile</type>
+ <implementation>DB</implementation>
+ <config>
+ <option>
+ <name>randomSynchronizePassword</name>
+ <value>true</value>
+ </option>
+ </config>
+ </module>
+ <module>
+ <type>LDAPDelegateUserProfile</type>
+ <implementation>LDAP</implementation>
+ <config/>
+ </module>
+ </modules>
+ <options>
+ <option-group>
+ <group-name>common</group-name>
+ <option>
+ <name>userCtxDN</name>
+ <value>ou=People,dc=example,dc=com</value>
+ </option>
+ <option>
+ <name>roleCtxDN</name>
+ <value>ou=Roles,dc=example,dc=com</value>
+ </option>
+ <option>
+ <name>membershipAttributeID</name>
+ <value>memberOf</value>
+ </option>
+ </option-group>
+ <option-group>
+ <group-name>userCreateAttibutes</group-name>
+ <option>
+ <name>objectClass</name>
+ <!--This objectclasses should work with Red Hat Directory-->
+ <value>top</value>
+ <value>person</value>
+ <value>inetOrgPerson</value>
+ </option>
+ <!--Schema requires those to have initial value-->
+ <option>
+ <name>cn</name>
+ <value>none</value>
+ </option>
+ <option>
+ <name>sn</name>
+ <value>none</value>
+ </option>
+ </option-group>
+ <option-group>
+ <group-name>roleCreateAttibutes</group-name>
+ <!--Schema requires those to have initial value-->
+ <option>
+ <name>cn</name>
+ <value>none</value>
+ </option>
+ <!--Some directory servers require this attribute to be valid DN-->
+ <!--For safety reasons point to the admin user here-->
+ <option>
+ <name>member</name>
+ <value>uid=admin,ou=People,dc=example,dc=com</value>
+ </option>
+ </option-group>
+ </options>
]]>
- </programlisting>
- </para>
+ </programlisting>
+ </para>
+ </sect3>
+
+
</sect2>
</sect1>
<sect1>
+ <title>Synchronizing LDAP configuration</title>
+ <para>
+ TODO:
+ </para>
+ </sect1>
+ <sect1>
<title>Supported LDAP servers</title>
<para>LDAP servers support depends on few conditions. In most cases thy
differ in schema support - various objectClass
objects are not present by default in server schema. Sometimes it can be
workarounded by manually
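Review bot: The identity configuration added for the "user entries" example still sets `userCtxDN` to `ou=People,dc=example,dc=com` and `roleCtxDN` to `ou=Roles,dc=example,dc=com`, while the LDIF in the same section places both containers under `o=example2` (for example `ou=People,o=example2,dc=example,dc=com`). The configured contexts are not ancestors of the sample entries, so the example as written would not resolve them; the values should probably be `ou=People,o=example2,dc=example,dc=com` and `ou=Roles,o=example2,dc=example,dc=com`. The `member` option under `roleCreateAttibutes` also looks carried over from the first example, since the roles here are `organizationalRole` entries and membership is read from `memberOf`; worth confirming it applies. The enclosing `<sect1>` continues past the end of this hunk.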