[jboss-user] [JBoss Portal] - Re: JbossPortal and ldap
kahotep
do-not-reply at jboss.com
Thu Feb 21 17:03:36 EST 2008
I was able to get everything but add/remove users to work. I don't think adding or removing LDAP users/roles is supported in JBoss Portal yet, so this will have to be done some other way than through the user administration module currently in use (please correct me if I am wrong).
I learned this after reading:
http://lists.jboss.org/pipermail/jboss-dev-forums/2006-October/002831.html
btw: I would highly recommend phpLDAPadmin for modifying the LDAP setup. It made life much easier for me, since I am not very well versed in LDAP's command-line utilities.
http://phpldapadmin.sourceforge.net/
In my setup, I used OpenLDAP, which I installed into my Ubuntu Linux system with:
apt-get install slapd ldap-utils
Here is a simple LDIF that worked for me. It has three users and two roles:
version: 1
|
| # LDIF Export for: dc=cobracombat,dc=com
| # Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on February 21, 2008 4:49 pm
| # Server: My LDAP Server (localhost)
| # Search Scope: sub
| # Search Filter: (objectClass=*)
| # Total Entries: 8
| #
| # Review notes (not part of the export):
| # - The list archive rewrote "@" as " at " in every mail: value (compare the
| #   "do-not-reply at jboss.com" header); restore "@" before importing.
| # - All userPassword values below are in clear text, and uid=admin and
| #   uid=cbcase share the same value, which is also the rootpw in slapd.conf
| #   and the adminPassword in ldap_identity-config.xml. Storing a hash
| #   ({SSHA} via slappasswd) and using distinct per-account secrets is the
| #   usual practice; this export is fine as a lab example only.
|
| # Base entry of the directory (matches the 'suffix' in slapd.conf).
| dn: dc=cobracombat,dc=com
| objectClass: top
| objectClass: dcObject
| objectClass: organization
| dc: cobracombat
| o: cobracombat
|
| # Container searched by the portal's userCtxDN.
| dn: ou=People,dc=cobracombat,dc=com
| objectClass: top
| objectClass: organizationalUnit
| ou: People
|
| # This entry doubles as the slapd rootdn and as the portal's adminDN, so it
| # carries superuser rights on the directory.
| dn: uid=admin,ou=People,dc=cobracombat,dc=com
| objectClass: top
| objectClass: inetOrgPerson
| objectClass: person
| title: n/a
| uid: admin
| userPassword: lbjd7896
| cn: Administrator
| mail: cbcase at drs-tem.com
| sn: Administrator
|
| dn: uid=cbcase,ou=People,dc=cobracombat,dc=com
| objectClass: top
| objectClass: inetOrgPerson
| objectClass: person
| uid: cbcase
| cn: Chris Case
| mail: cbcase at drs-tem.com
| sn: Case
| userPassword: lbjd7896
|
| # Test account whose password equals its uid; do not carry it into a real
| # directory.
| dn: uid=user,ou=People,dc=cobracombat,dc=com
| cn: user
| mail: email at email.com
| objectClass: top
| objectClass: inetOrgPerson
| objectClass: person
| sn: Portal User
| uid: user
| userPassword: user
|
| # Container searched by the portal's roleCtxDN.
| dn: ou=Roles,dc=cobracombat,dc=com
| objectClass: top
| objectClass: organizationalUnit
| ou: Roles
|
| # Roles are groupOfNames entries; membership is the list of member: DNs.
| dn: cn=Admin,ou=Roles,dc=cobracombat,dc=com
| cn: Admin
| description: Portal admin role
| objectClass: top
| objectClass: groupOfNames
| member: uid=admin,ou=People,dc=cobracombat,dc=com
|
| dn: cn=User,ou=Roles,dc=cobracombat,dc=com
| cn: User
| description: Portal user role
| objectClass: top
| objectClass: groupOfNames
| member: uid=admin,ou=People,dc=cobracombat,dc=com
| member: uid=user,ou=People,dc=cobracombat,dc=com
| member: uid=cbcase,ou=People,dc=cobracombat,dc=com
|
Here is slapd.conf, the configuration file for my LDAP server.
# This is the main slapd configuration file. See slapd.conf(5) for more
| # info on the configuration options.
|
| #######################################################################
| # Global Directives:
|
| # Features to permit
| #allow bind_v2
|
| # Schema and objectClass definitions
| include /etc/ldap/schema/core.schema
| include /etc/ldap/schema/cosine.schema
| include /etc/ldap/schema/nis.schema
| include /etc/ldap/schema/inetorgperson.schema
|
| # Where the pid file is put. The init.d script
| # will not stop the server if you change this.
| pidfile /var/run/slapd/slapd.pid
|
| # List of arguments that were passed to the server
| argsfile /var/run/slapd/slapd.args
|
| # Read slapd.conf(5) for possible values
| # NOTE(review): 0 disables logging entirely, so neither failed nor
| # successful binds leave a trace; 'stats' (connections, operations,
| # results) is the usual minimum when the directory is used for login.
| loglevel 0
|
| # Where the dynamically loaded modules are stored
| modulepath /usr/lib/ldap
| moduleload back_bdb
|
| # The maximum number of entries that is returned for a search operation
| sizelimit 500
|
| # The tool-threads parameter sets the actual amount of cpu's that is used
| # for indexing.
| tool-threads 1
|
| #######################################################################
| # Specific Backend Directives for bdb:
| # Backend specific directives apply to this backend until another
| # 'backend' directive occurs
| backend bdb
| checkpoint 512 30
|
| #######################################################################
| # Specific Backend Directives for 'other':
| # Backend specific directives apply to this backend until another
| # 'backend' directive occurs
| #backend <other>
|
| #######################################################################
| # Specific Directives for database #1, of type bdb:
| # Database specific directives apply to this databasse until another
| # 'database' directive occurs
| database bdb
|
| # The base of your directory in database #1
| suffix "dc=cobracombat,dc=com"
|
| # rootdn directive for specifying a superuser on the database. This is needed
| # for syncrepl.
| #rootdn "cn=Manager,dc=cobracombat,dc=com"
| # NOTE(review): the rootdn bypasses every 'access' rule below. This is the
| # same DN the portal binds with (adminDN in ldap_identity-config.xml), so the
| # portal operates with unrestricted directory rights; a dedicated service
| # entry whose rights come from the ACLs would be least privilege. rootpw is
| # stored in clear text and equals this entry's userPassword in the LDIF;
| # slappasswd produces a {SSHA} hash usable here, and this file must not be
| # readable by anyone but the slapd service account.
| rootdn "uid=admin,ou=People,dc=cobracombat,dc=com"
| rootpw lbjd7896
|
| # Where the database file are physically stored for database #1
| directory "/var/lib/ldap"
|
| # For the Debian package we use 2MB as default but be sure to update this
| # value if you have plenty of RAM
| dbconfig set_cachesize 0 2097152 0
|
| # Sven Hartge reported that he had to set this value incredibly high
| # to get slapd running at all. See http://bugs.debian.org/303057
| # for more information.
|
| # Number of objects that can be locked at the same time.
| dbconfig set_lk_max_objects 1500
| # Number of locks (both requested and granted)
| dbconfig set_lk_max_locks 1500
| # Number of lockers
| dbconfig set_lk_max_lockers 1500
|
| # Indexing options for database #1
| index objectClass eq
|
| # Save the time that the entry gets modified, for database #1
| lastmod on
|
| # Where to store the replica logs for database #1
| # replogfile /var/lib/ldap/replog
|
| # The userPassword by default can be changed
| # by the entry owning it if they are authenticated.
| # Others should not be able to see it, except the
| # admin entry below
| # These access lines apply to database #1 only
| # NOTE(review): no entry "cn=admin,dc=cobracombat" exists in the LDIF, and
| # that DN is not even under the suffix "dc=cobracombat,dc=com"; the clause
| # looks like a leftover from the Debian template and grants nothing. The
| # rootdn needs no ACL clause. The same DN recurs in the 'access to *' rule
| # further down.
| access to attrs=userPassword,shadowLastChange
| by dn="cn=admin,dc=cobracombat" write
| by anonymous auth
| by self write
| by * none
|
| # Ensure read access to the base for things like
| # supportedSASLMechanisms. Without this you may
| # have problems with SASL not knowing what
| # mechanisms are available and the like.
| # Note that this is covered by the 'access to *'
| # ACL below too but if you change that as people
| # are wont to do you'll still need this if you
| # want SASL (and possible other things) to work
| # happily.
| access to dn.base="" by * read
|
| # The admin dn has full write access, everyone else
| # can read everything.
| # NOTE(review): 'by * read' lets anonymous binds read the entire tree,
| # including role membership and mail addresses. The portal binds with
| # adminDN before searching, so anonymous read is presumably not required;
| # 'by users read' (anonymous then falls to the implicit 'by * none') is
| # the tighter choice. Confirm against the portal's search behaviour first.
| access to *
| by dn="cn=admin,dc=cobracombat" write
| by * read
|
| # For Netscape Roaming support, each user gets a roaming
| # profile for which they have write access to
| #access to dn=".*,ou=Roaming,o=morsnet"
| # by dn="cn=admin,dc=nodomain" write
| # by dnattr=owner write
|
| #######################################################################
| # Specific Directives for database #2, of type 'other' (can be bdb too):
| # Database specific directives apply to this databasse until another
| # 'database' directive occurs
| #database <other>
|
| # The base of your directory for database #2
| #suffix "dc=debian,dc=org"
|
Here is my ldap_identity-config.xml
<?xml version="1.0" encoding="UTF-8"?>
| <!--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| ~ JBoss, a division of Red Hat ~
| ~ Copyright 2006, Red Hat Middleware, LLC, and individual ~
| ~ contributors as indicated by the @authors tag. See the ~
| ~ copyright.txt in the distribution for a full listing of ~
| ~ individual contributors. ~
| ~ ~
| ~ This is free software; you can redistribute it and/or modify it ~
| ~ under the terms of the GNU Lesser General Public License as ~
| ~ published by the Free Software Foundation; either version 2.1 of ~
| ~ the License, or (at your option) any later version. ~
| ~ ~
| ~ This software is distributed in the hope that it will be useful, ~
| ~ but WITHOUT ANY WARRANTY; without even the implied warranty of ~
| ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ~
| ~ Lesser General Public License for more details. ~
| ~ ~
| ~ You should have received a copy of the GNU Lesser General Public ~
| ~ License along with this software; if not, write to the Free ~
| ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA ~
| ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. ~
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~-->
|
| <!--<!DOCTYPE identity-configuration PUBLIC
| "-//JBoss Portal//DTD JBoss Identity Configuration 1.0//EN"
| "http://www.jboss.org/portal/dtd/identity-config_1_0.dtd">-->
|
| <identity-configuration>
| <datasources>
| <!-- Connection settings for the OpenLDAP server described in slapd.conf. -->
| <datasource>
| <name>LDAP</name>
| <config>
| <option>
| <name>host</name>
| <value>192.168.1.102</value>
| </option>
| <option>
| <name>port</name>
| <value>389</value>
| </option>
| <!-- NOTE(review): this DN is also the slapd rootdn, so the portal binds as
|      the directory superuser and every ACL in slapd.conf is bypassed. A
|      dedicated service entry with ACL-limited rights would be least
|      privilege. -->
| <option>
| <name>adminDN</name>
| <value>uid=admin,ou=People,dc=cobracombat,dc=com</value>
| </option>
| <!-- Clear-text credential: the same value is the rootpw in slapd.conf and
|      the userPassword of uid=admin in the LDIF. Keep this file readable
|      only by the account running the portal. -->
| <option>
| <name>adminPassword</name>
| <value>lbjd7896</value>
| </option>
| <!-- NOTE(review): with the ssl option left commented out, every bind to
|      192.168.1.102:389, including the adminDN bind above, sends its
|      password in clear text on the wire. Enable it (and TLS on slapd) or
|      keep portal and directory on a trusted segment. -->
| <!-- <option>
| <name>protocol</name>
| <value>ssl</value>
| </option> -->
| </config>
| </datasource>
| </datasources>
| <modules>
| <module>
| <!--type used to correctly map in IdentityContext registry-->
| <type>User</type>
| <implementation>LDAP</implementation>
| <class>
| org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl
| </class>
| <config/>
| </module>
| <module>
| <type>Role</type>
| <implementation>LDAP</implementation>
| <class>
| org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl
| </class>
| <config/>
| </module>
| <module>
| <type>Membership</type>
| <implementation>LDAP</implementation>
| <config/>
| </module>
| <module>
| <type>UserProfile</type>
| <implementation>DELEGATING</implementation>
| <config>
| <option>
| <name>ldapModuleJNDIName</name>
| <value>java:/portal/LDAPUserProfileModule</value>
| </option>
| </config>
| </module>
| <module>
| <type>DBDelegateUserProfile</type>
| <implementation>DB</implementation>
| <config>
| <option>
| <name>randomSynchronizePassword</name>
| <value>true</value>
| </option>
| </config>
| </module>
| <module>
| <type>LDAPDelegateUserProfile</type>
| <implementation>LDAP</implementation>
| <config/>
| </module>
| </modules>
|
| <options>
| <option-group>
| <group-name>common</group-name>
| <!-- Search bases match the ou=People and ou=Roles entries in the LDIF. -->
| <option>
| <name>userCtxDN</name>
| <value>ou=People,dc=cobracombat,dc=com</value>
| </option>
| <!-- NOTE(review): {0} is presumably substituted with the login name at
|      lookup time; confirm the module escapes it per RFC 4515 before
|      substitution. The extra pair of parentheses around the two terms is
|      not standard filter syntax; the poster reports it working, so check
|      against your server before changing it. -->
| <option>
| <name>userSearchFilter</name>
| <value><![CDATA[(&((uid={0})(objectClass=person)))]]></value>
| </option>
| <option>
| <name>roleCtxDN</name>
| <value>ou=Roles,dc=cobracombat,dc=com</value>
| </option>
| <!-- Same substitution and parenthesis remark as userSearchFilter above. -->
| <option>
| <name>roleSearchFilter</name>
| <value><![CDATA[(&((cn={0})(objectClass=groupOfNames)))]]></value>
| </option>
| </option-group>
|
| </options>
| </identity-configuration>
|