Differences between revisions 9 and 10
Revision 9 as of 2012-03-15 16:47:07
Size: 9814
Editor: JeromeDupont
Comment:
Revision 10 as of 2012-07-06 08:00:19
Size: 11494
Editor: JeromeDupont
Comment: adding "Define a backup ldap server" paragraph + little prettifying
Line 18: Line 18:

----------
STEP 1: Setup a LDAP server.
  1. Define a backup ldap server

----------
= Create a simple ldap configuration from the demo =
== STEP 1: Setup a LDAP server. ==
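Review bot: the new contents entry `  1. Define a backup ldap server` is inserted right after the STEP 1 line at the nested indent level, so it sits one level below the other top-level sections; the generated contents list at the bottom of this page shows it hanging under a second, duplicated "Create a simple ldap configuration from the demo" entry. Indent it at the same level as "Adapting jetspeed to an existing schema" and "Create a user in jetspeed already defined in ldap." instead.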
Line 29: Line 30:
STEP 2: Installing Jetspeed demo
== STEP 2: Installing Jetspeed demo ==
Line 34: Line 34:
STEP 3: Setup jetspeed ldap mode
== STEP 3: Setup jetspeed ldap mode ==
Line 39: Line 38:
STEP 4: Setup jetspeed properties file
== STEP 4: Setup jetspeed properties file ==
Line 46: Line 44:
STEP 5: Populating Ldap with sample users
== STEP 5: Populating Ldap with sample users ==
Line 75: Line 72:
Line 187: Line 183:
= Define a backup ldap server =
In some cases, several ldap servers are defined in your infrastructure, and if one of them collapses, applications are supposed to balance themselves to the backup ldap server. That is possible to do this with jetspeed, modifying '''WEB-INF/assembly/security-ldap.xml'''''' '''file. In this file, the connection to ldap is defined in the ''org.springframework.ldap.core.support.LdapContextSource'' bean, in the ''url'' element. You have to replace url without ''s'' by elements ''urls'' with s, and to list the differents ldap servers.

Jetspeed tries to connect to the first ldap server, and if it fails to the second one, etc. Note that in this case, the synchronisation between ldaps is NOT done by jetspeed but by the ldap infrastructure. Jetspeed synchronises only the ldap server it works with.

See above the example for '''security ldap.xml''':

{{{
    <property name="contextSource">
      <bean class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="urls" value="${ldap.url}"/>
        <property name="base" value="${ldap.base}"/>
        <property name="userDn" value="${ldap.userDn}"/>
        <property name="password" value="${ldap.password}"/>
        <property name="baseEnvironmentProperties" ref="ldapEnvironmentProperties"/>
        <property name="pooled" value="false"/>
      </bean>
    </property>
}}}
{ldap.url} is defined in the '''WEB-INF/conf/override.properties '''file:

{{{
ldap.url=ldap://asl20.pfvd.nt.bnf.fr:389, ldap://asl21.pfvd.nt.bnf.fr:389
}}}
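Review bot: the wiki markup in the first paragraph of the new section is unbalanced: `'''WEB-INF/assembly/security-ldap.xml'''''' '''file` opens and closes bold runs in the wrong places and will not render as intended; `'''WEB-INF/assembly/security-ldap.xml''' file` is what is meant. Two smaller points in the same hunk: "See above the example" introduces an example that follows, so "below" is meant, and the published `ldap.url` value both puts a space after the comma (harmless only if the Spring version in use trims list elements) and lists plain `ldap://` URLs, over which the `${ldap.userDn}`/`${ldap.password}` simple bind travels in clear text; `ldaps://` URLs without the space would be the safer form to show.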
  1. Create a simple ldap configuration from the demo
    1. Setup a LDAP server (using ApacheDS)
    2. Installing Jetspeed demo
    3. Setup jetspeed ldap mode
    4. Setup jetspeed properties file
    5. Populating Ldap with sample users
  2. Adapting jetspeed to an existing ldap schema
    1. Adding user attributes
    2. Changing relationship with user and role, name and direction
  3. Giving default roles to a new user
  4. Create a user in jetspeed already defined in ldap
  5. Define a backup ldap server


Create a simple ldap configuration from the demo

STEP 1: Setup a LDAP server.

- Install Apache Directory Studio and spend a little time with its user interface before going on.

- Create an LDAP server (ApacheDS 1.5.5 or later is preferable). Right-click the newly created server and open its configuration. On the Partitions tab click Add and create a partition with ID sevenSeas and suffix o=sevenSeas (the ID must match the one referenced in jetspeed.properties). Save with CTRL-S and start the server.

- Connect to the server (Connections tab in Apache Directory Studio): hostname localhost, port 10389, then Next; Bind DN uid=admin,ou=system, bind password secret. Click Finish and open the connection. These are the ApacheDS defaults; change the admin password on any server that is not a throwaway test instance.


STEP 2: Installing Jetspeed demo

Either Jetspeed-2.2.2 distribution (Demo or Minimal) will do. Apache Directory Studio 2.0 lets you run ApacheDS versions from 1.5.3 up to 2.0, which is convenient for testing different setups.


STEP 3: Setup jetspeed ldap mode

To configure Jetspeed-2.2.2 to work with LDAP, open spring-filter-key.properties (webapps/jetspeed/WEB-INF/conf) and change spring.filter.key=portal to spring.filter.key=portal.ldap. This makes Jetspeed load its LDAP security beans and connect to LDAP instead of the database.


STEP 4: Setup jetspeed properties file

To verify the connection between Jetspeed and LDAP, open jetspeed.properties (webapps/jetspeed/WEB-INF/conf). The default LDAP connection settings there should match the server configured in STEP 1; make sure you understand each of them. The LDAP tree needs one organization and three organizational units: o=sevenSeas (you may rename it, as long as the partition suffix in LDAP is the same), ou=Users, ou=Roles and ou=Groups.

Jetspeed-2.2.2 is now set up to connect to ApacheDS.


STEP 5: Populating Ldap with sample users

Creating the sevenSeas tree on the LDAP server.

This must be done before you can load any sevenSeas.ldif file successfully, or before creating the entries by hand without an LDIF file.

In the LDAP Browser, build the tree manually:

Right-click Root DSE and select New Entry. Create the entry from scratch with object class organization and RDN o=sevenSeas.

Right-click o=sevenSeas and add an entry with object class organizationalUnit and RDN ou=Groups. Repeat for RDN ou=Roles and RDN ou=Users.

To get a first login into Jetspeed, right-click ou=Users in the LDAP Browser and create a new entry with object class inetOrgPerson, sn=admin, cn=admin, uid=admin and userPassword=password. (Right-click in the entry editor and choose "New attribute" to add uid and userPassword.)

You are now ready for a test run.

Start Jetspeed and log in with user admin and password password.

If the login succeeds, you are good to go. If not, check that the LDAP tree matches what is configured in the LDAP section of jetspeed.properties.

A note on adding users: simply create a new user in Jetspeed and, after a refresh, you will see it appear on the LDAP server.

Such a new user is not an admin. To make it one:

Go to the LDAP Browser, right-click ou=Roles and create a new entry with object classes groupOfNames and extensibleObject and cn=admin. Give it two member values: cn=admin,ou=Roles,o=sevenSeas (the role's own DN; groupOfNames requires at least one member and this is how the how-to satisfies it) and uid=<newly created username>,ou=Users,o=sevenSeas.
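The tree built by hand above can also be produced as an LDIF file and imported in one go. The following Python script is an added example written for this page, not code from the Jetspeed project or from the ApacheDS distribution: it emits the o=sevenSeas partition root, the three organizational units Jetspeed expects, one user and the admin role, and stores the user's password as a salted {SSHA} hash instead of the clear text used in the walk-through. It also verifies a clear-text password against a {SHA} or {SSHA} userPassword value. The user and password names are assumptions; the DNs are the ones from the walk-through. Feed the output to Apache Directory Studio's LDIF import or to ldapadd.

```python
import base64
import hashlib
import os

BASE = "o=sevenSeas"  # partition suffix from the walk-through


def ssha(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt). Salt is random unless given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password, stored):
    """Check a clear-text password against a {SHA} (unsalted) or {SSHA} userPassword value."""
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    if scheme.upper() == "{SHA":
        return hashlib.sha1(password.encode("utf-8")).digest() == raw
    if scheme.upper() == "{SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
        return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest
    raise ValueError("unsupported password scheme: " + scheme + "}")


def ldif_entry(dn, attrs):
    """Serialise one entry; userPassword is written base64 (::) as Apache Directory Studio exports it."""
    lines = ["dn: " + dn]
    for name, value in attrs:
        if name == "userPassword":
            lines.append("userPassword:: " + base64.b64encode(value.encode("utf-8")).decode("ascii"))
        else:
            lines.append(name + ": " + value)
    return "\n".join(lines) + "\n"


def seven_seas_ldif(username, password, make_admin=False):
    """Build the whole tree: partition root, the three OUs Jetspeed expects, one user and,
    optionally, the admin role that grants that user admin rights in Jetspeed."""
    user_dn = "uid=%s,ou=Users,%s" % (username, BASE)
    entries = [
        ldif_entry(BASE, [("objectClass", "top"), ("objectClass", "organization"), ("o", "sevenSeas")]),
    ]
    for ou in ("Users", "Roles", "Groups"):
        entries.append(ldif_entry("ou=%s,%s" % (ou, BASE),
                                  [("objectClass", "top"), ("objectClass", "organizationalUnit"), ("ou", ou)]))
    entries.append(ldif_entry(user_dn, [
        ("objectClass", "top"), ("objectClass", "inetOrgPerson"),
        ("uid", username), ("cn", username), ("sn", username),
        ("userPassword", ssha(password)),  # salted hash, never the clear text
    ]))
    if make_admin:
        role_dn = "cn=admin,ou=Roles,%s" % BASE
        entries.append(ldif_entry(role_dn, [
            ("objectClass", "top"), ("objectClass", "groupOfNames"), ("objectClass", "extensibleObject"),
            ("cn", "admin"),
            ("member", role_dn),  # groupOfNames needs at least one member; the how-to uses the role itself
            ("member", user_dn),
        ]))
    return "\n".join(entries)


if __name__ == "__main__":
    # "admin"/"password" are the assumed test credentials, as in the walk-through above
    print(seven_seas_ldif("admin", "password", make_admin=True))
```

verify_password is there so you can check what actually landed in the directory: an unsalted {SHA} value of a common password is cracked by a dictionary lookup in no time, which is why the generator only ever writes {SSHA}.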


Adapting jetspeed to an existing ldap schema

This section shows how to configure Jetspeed so that it fits a specific LDAP model.

Adding user attributes

You can add user attributes in the LDAP configuration file WEB-INF/assembly/security-ldap.xml by configuring the UserDaoConfiguration bean.

In the example below, two main changes were made to fit the LDAP model:

Changing the id attribute and the user object class:

    <property name="ldapIdAttribute" value="BnFIdentifiant" />
    <property name="objectClasses" value="BNFUser"/>

In this directory, the attribute that identifies a user entry is BnFIdentifiant, and user objects belong to the BNFUser object class. (LDAP attribute and object class names are case-insensitive, so the BnfIdentifiant spelling used in the LDIF further down matches this configuration.)

Next we define the three attributes present in each LDAP user entry that we want to use during the authentication process.

This is an example of an attribute definition:

        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFMemberOf" />
          <constructor-arg index="1" value="true" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="false"/>
          <property name="idAttribute" value="false"/>
        </bean>

constructor-arg index="0" is the name of the attribute.

constructor-arg index="1" says whether the attribute is multivalued.

constructor-arg index="2" says whether the attribute is mapped into the Jetspeed database.

This is the complete UserDaoConfiguration bean:

  <bean id="UserDaoConfiguration" class="org.apache.jetspeed.security.mapping.ldap.dao.LDAPEntityDAOConfiguration" init-method="initialize">
    <meta key="j2:cat" value="ldapSecurity" />
    <property name="ldapBase" value="${ldap.base}" />
    <property name="searchBase" value="${ldap.user.searchBase}" />
    <property name="searchFilter">
      <bean class="org.apache.jetspeed.security.mapping.ldap.filter.SimpleFilter">
        <constructor-arg index="0" value="${ldap.user.filter}" />
      </bean>
    </property>
    <property name="ldapIdAttribute" value="BnFIdentifiant" />
    <property name="objectClasses" value="BNFUser"/>
    <property name="attributeDefinitions">
      <set>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFIdentifiant" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="cn" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFMemberOf" />
          <constructor-arg index="1" value="true" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="false"/>
          <property name="idAttribute" value="false"/>
        </bean>
      </set>
    </property>
    <property name="entityType" value="user" />
  </bean>

And the corresponding user as defined in the LDAP directory (LDIF format). Note that its userPassword is an unsalted {SHA} hash: base64-decoded it reads {SHA}fEqNCco3Yq9h5ZUglD3CZJT4lBs=, which is the SHA-1 of the well-known password 123456. Use a salted scheme such as {SSHA} for real accounts.

dn: BnfIdentifiant=user_etablissement9@bnf.fr,ou=comptes,ou=clients,dc=public,dc=bnf,dc=fr
objectClass: BNFUser
BnfIdentifiant: user_etablissement9@bnf.fr
BnfMemberOf: cn=partenaires_bibliotheque,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
BnfMemberOf: cn=partenaires_moissonnage_gallica_partenaire,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
cn: user_etablissement9@bnf.fr
userPassword:: e1NIQX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9

Changing relationship with user and role, name and direction

If you want to change the attribute that describes the relationship between User and Role, you can do so in the LDAP configuration file WEB-INF/assembly/security-ldap.xml. In our example we want to use the BnFMemberOf relation, in the user-to-role direction.

  • First, declare the attribute in the UserDaoConfiguration, as shown in the example above.

  • Second, change the UserRoleRelationDAO bean: its relationAttribute property defines the attribute that stores the relation.

  • It is also possible to choose the direction in which Jetspeed looks up the roles a user has. There are two possibilities: the default one searches all role entries for those related to the authenticating user; the second starts from the User entry and reads which roles it lists. Depending on how your LDAP is organised, both methods or only one may be usable. In our case the second method is chosen, for performance reasons, because the relation is stored on the User entries; to enable it, useFromEntityAttribute is set to true.

This is an example configuration:

  <bean id="UserRoleRelationDAO" class="org.apache.jetspeed.security.mapping.ldap.dao.impl.AttributeBasedRelationDAO">
    <meta key="j2:cat" value="ldapSecurity" />
    <property name="relationAttribute" value="BnFMemberOf" />
    <property name="attributeContainsInternalId" value="true" />
    <property name="useFromEntityAttribute" value="true" />
    <property name="relationType">
      <bean class="org.apache.jetspeed.security.mapping.impl.SecurityEntityRelationTypeImpl">
        <constructor-arg index="0" value="isMemberOf" />
        <constructor-arg index="1" value="user" />
        <constructor-arg index="2" value="role" />
      </bean>
    </property>
  </bean>
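To see what the two lookup directions return on the same data, here is an added Python example written for this page (not Jetspeed code and not a BnF configuration). It parses a constructed LDIF sample shaped like the BNFUser entry above, then resolves the user's roles both ways: from the BnfMemberOf attribute on the user entry (what useFromEntityAttribute=true does) and by searching groupOfNames entries whose member attribute names the user (the default direction). The sample is deliberately inconsistent, so the two answers differ, which is the case to check before switching direction in a directory you do not control. The second role name and the groupOfNames shape of the roles are assumptions.

```python
import base64
from collections import defaultdict

# Constructed LDIF, in the shape of the BNFUser entry shown earlier on this page. The user
# carries BnfMemberOf values pointing at role DNs; each role is a groupOfNames whose member
# attribute points back at users. The second role is deliberately inconsistent: it lists the
# user as a member, but the user entry does not point back at it.
SAMPLE_LDIF = """\
dn: BnfIdentifiant=user_etablissement9@bnf.fr,ou=comptes,ou=clients,dc=public,dc=bnf,dc=fr
objectClass: BNFUser
BnfIdentifiant: user_etablissement9@bnf.fr
BnfMemberOf: cn=partenaires_bibliotheque,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
cn: user_etablissement9@bnf.fr
userPassword:: e1NIQX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9

dn: cn=partenaires_bibliotheque,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
objectClass: groupOfNames
cn: partenaires_bibliotheque
member: BnfIdentifiant=user_etablissement9@bnf.fr,ou=comptes,ou=clients,dc=public,dc=bnf,dc=fr

dn: cn=partenaires_moissonnage_gallica_partenaire,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
objectClass: groupOfNames
cn: partenaires_moissonnage_gallica_partenaire
member: BnfIdentifiant=user_etablissement9@bnf.fr,ou=comptes,ou=clients,dc=public,dc=bnf,dc=fr
"""


def norm_dn(dn):
    """LDAP DNs compare case-insensitively and ignore space around the RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Minimal LDIF reader returning {normalised dn: {attribute_lower: [values]}}.
    Handles '::' base64 values and folded continuation lines, which is all this page needs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded line (RFC 2849)
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(attrs)
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn, attrs = norm_dn(value), defaultdict(list)
        elif attrs is not None:
            attrs[name.lower()].append(value)
    return entries


def roles_from_user_attribute(entries, user_dn, attr="bnfmemberof"):
    """useFromEntityAttribute=true: read the relation attribute stored on the user entry."""
    return {norm_dn(v) for v in entries[norm_dn(user_dn)].get(attr, [])}


def roles_by_member_search(entries, user_dn, attr="member"):
    """Default direction: search every role entry whose relation attribute holds the user DN,
    the equivalent of the LDAP filter (&(objectClass=groupOfNames)(member=<user dn>))."""
    target = norm_dn(user_dn)
    return {dn for dn, e in entries.items()
            if "groupofnames" in {v.lower() for v in e.get("objectclass", [])}
            and any(norm_dn(v) == target for v in e.get(attr, []))}


def one_sided_roles(entries, user_dn):
    """Roles that only one direction finds; with useFromEntityAttribute=true these are silently lost."""
    return roles_by_member_search(entries, user_dn) ^ roles_from_user_attribute(entries, user_dn)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    user = "BnfIdentifiant=user_etablissement9@bnf.fr,ou=comptes,ou=clients,dc=public,dc=bnf,dc=fr"
    print("from user attribute:", sorted(roles_from_user_attribute(directory, user)))
    print("by member search   :", sorted(roles_by_member_search(directory, user)))
    print("disagreement       :", sorted(one_sided_roles(directory, user)))
```

Run one_sided_roles over every user before enabling useFromEntityAttribute: if the set is not empty, the attribute on the user entries and the member lists of the roles are out of step, and Jetspeed will grant whichever side it is told to read.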

Define a backup ldap server

In some infrastructures several LDAP servers are defined, and if one of them goes down, applications are expected to fail over to a backup LDAP server. This is possible with Jetspeed by modifying the WEB-INF/assembly/security-ldap.xml file. In this file the connection to LDAP is defined in the org.springframework.ldap.core.support.LdapContextSource bean, through the url property. Replace the url property (singular) with the urls property (plural) and list the different LDAP servers.

Jetspeed tries to connect to the first LDAP server and, if that fails, to the second one, and so on. Note that in this case replication between the LDAP servers is NOT done by Jetspeed but by the LDAP infrastructure: Jetspeed only synchronises with the server it is currently working with. Plain ldap:// URLs carry the bind password in clear text on every connection, and with failover that now applies to every server in the list; prefer ldaps:// (or StartTLS) for all of them.

Here is the example for security-ldap.xml:

    <property name="contextSource">
      <bean class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="urls" value="${ldap.url}"/>
        <property name="base" value="${ldap.base}"/>
        <property name="userDn" value="${ldap.userDn}"/>
        <property name="password" value="${ldap.password}"/>
        <property name="baseEnvironmentProperties" ref="ldapEnvironmentProperties"/>
        <property name="pooled" value="false"/>
      </bean>
    </property>

${ldap.url} is defined in the WEB-INF/conf/override.properties file (the space after the comma is tolerated only if the Spring version in use trims the elements of the list, so it is safer to leave it out):

ldap.url=ldap://asl20.pfvd.nt.bnf.fr:389, ldap://asl21.pfvd.nt.bnf.fr:389
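The following Python script is an added example for this page, not Jetspeed or Spring code. It reads the ldap.url property the way the comma-separated value is meant to be read (one URL per element, whitespace trimmed, ldap or ldaps scheme with a host), flags the entries that would send the simple bind in clear text, and reproduces the failover order with plain TCP connects: each URL is tried in turn and the first one that answers wins, which is how the JNDI LDAP provider treats the URL list it gets from LdapContextSource. The demo pairs an unreachable local port with a listening socket created by the script itself, standing in for a dead primary and a healthy backup; those local endpoints are constructed for the demo, the property line is the one shown above.

```python
import socket
from urllib.parse import urlsplit

# Constructed copy of the property line from override.properties shown above.
OVERRIDE_PROPERTIES = "ldap.url=ldap://asl20.pfvd.nt.bnf.fr:389, ldap://asl21.pfvd.nt.bnf.fr:389\n"

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_urls(properties_text, key="ldap.url"):
    """Split the comma separated value into URLs, trimming the whitespace around each one,
    and reject anything that is not an ldap:// or ldaps:// URL with a host."""
    for line in properties_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            urls = [u.strip() for u in value.split(",") if u.strip()]
            for u in urls:
                parts = urlsplit(u)
                if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
                    raise ValueError("not an LDAP URL: %r" % u)
            return urls
    raise KeyError(key)


def endpoint(url):
    """(host, port) of an LDAP URL, applying the scheme's default port when none is given."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def insecure_urls(urls):
    """Plain ldap:// URLs carry the simple bind (userDn/password) in clear text."""
    return [u for u in urls if urlsplit(u).scheme == "ldap"]


def first_reachable(urls, timeout=1.0):
    """Try each URL in order and return the first that accepts a TCP connection, or None.
    This is the failover order applied when several URLs are handed to the JNDI LDAP
    provider; with pooled=false Jetspeed goes through it again for every new context."""
    for url in urls:
        try:
            with socket.create_connection(endpoint(url), timeout=timeout):
                return url
        except OSError:
            continue
    return None


def local_listener():
    """Demo helper: a listening socket on a free loopback port, standing in for a healthy server."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, "ldap://127.0.0.1:%d" % sock.getsockname()[1]


if __name__ == "__main__":
    urls = parse_ldap_urls(OVERRIDE_PROPERTIES)
    print("configured:", urls)
    print("clear-text bind on:", insecure_urls(urls))
    dead = "ldap://127.0.0.1:1"  # nothing listens there: stands in for a primary that is down
    backup_sock, backup = local_listener()
    print("failover picked:", first_reachable([dead, backup]))
    backup_sock.close()
```

A TCP connect is only the first step of what the provider does (the bind follows), but it is enough to show the ordering and to test, from the portal host, that every server in the list is actually reachable before relying on it as a backup.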

Jetspeed2/LDAP-howto (last edited 2012-07-06 08:00:19 by JeromeDupont)