1. Create a simple ldap configuration from the demo
   1. Setup a ldap server (using apacheDS)
   2. Installing demo
   3. Setup jetspeed ldap mode
   4. Setup jetspeed properties file
   5. Populating Ldap with sample users
2. Adapting jetspeed to an existing schema
   1. Adding user attributes
   2. Changing relationship with user and role
   3. Changing the direction of the ldap search that checks which roles a user has
3. Giving default roles to a new user
4. Create a user in jetspeed already defined in ldap.
5. Define a backup ldap server


Create a simple ldap configuration from the demo

STEP 1: Set up an LDAP server.

- Install Apache Directory Studio and play around with it to get to know the user interface.

- Create an LDAP server (prefer 1.5.5+). Right click the newly created LDAP server and open its configuration. On the Partitions tab click Add and set ID: sevenSeas (this must be the same partition name you saw in jetspeed.properties) and Suffix: o=sevenSeas. Save (CTRL-S) and start the server.

- Create a connection to the LDAP server (Connections tab in Apache Directory Studio): hostname localhost, port 10389, click Next, Bind DN: uid=admin,ou=system, bind password: secret. Click Finish and open the connection.


STEP 2: Installing the Jetspeed demo

Jetspeed-2.2.2 (Demo or Minimal), either one. Apache Directory Studio 2.0 lets you run ApacheDS versions from 1.5.3 up to 2.0, which is convenient for different test setups.


STEP 3: Set up the Jetspeed LDAP mode

To configure Jetspeed-2.2.2 to work with LDAP, open spring-filter-key.properties (webapps/jetspeed/WEB-INF/conf) and change spring.filter.key=portal to spring.filter.key=portal.ldap. This makes Jetspeed connect to LDAP.


STEP 4: Set up the Jetspeed properties file

To verify the connection between Jetspeed and LDAP, open jetspeed.properties in webapps/jetspeed/WEB-INF/conf. The default LDAP connection settings for Jetspeed should be the same as those configured in this section; make sure you understand what is there. The LDAP layout requires one organization and three organizational units: o=sevenSeas (change this if you want another name, but keep it identical to the partition suffix configured in LDAP), ou=Users, ou=Roles and ou=Groups.

Good. You are now done setting up Jetspeed-2.2.2 to connect to the ApacheDS LDAP server.


STEP 5: Populating LDAP with sample users

Creating the sevenSeas partition on the LDAP server.

This must be done before you can load any sevenSeas.ldif file you have, or create the entries yourself without loading an ldif file.

In the LDAP Browser, manually:

Right click on Root DSE, select New Entry, create from scratch, add the object class organization, RDN = o=sevenSeas.

Right click on o=sevenSeas and add an entry with the object class organizationalUnit and RDN = ou=Groups. Repeat to create RDN = ou=Roles and RDN = ou=Users.

To be able to log in to Jetspeed, right click on ou=Users in the LDAP Browser and create a new entry with object class inetOrgPerson, sn=admin, cn=admin, uid=admin, userPassword=password. Note: right click on the editor page to create a "new attribute" for userPassword and uid.

Good, you are now ready to do a test run.

Start up Jetspeed and log in with user admin / password.

If the login succeeds, you are good to go. If you have a problem, make sure the LDAP setup matches what is configured in the LDAP section of jetspeed.properties.

Another thought on adding a new user: simply create the new user in Jetspeed and you will see it displayed on the LDAP server when you refresh.

This new user won't be an admin. To make this user an admin:

Go to the LDAP Browser, right click on ou=Roles, New Entry, select the object classes extensibleObject and groupOfNames, RDN cn=admin, and add the member attributes member=cn=admin,ou=Roles,o=sevenSeas and member=uid=(newly created username),ou=Users,o=sevenSeas.


Adapting jetspeed to an existing ldap schema

This section shows how to configure Jetspeed to adapt it to a specific LDAP model.

Adding user attributes

You can add user attributes in your LDAP configuration file, WEB-INF/assembly/security-ldap.xml, by configuring the UserDaoConfiguration bean.

In the example below, two main changes have been made to adapt to the LDAP model.

Changing the id attribute and the user object class:

    <property name="ldapIdAttribute" value="BnFIdentifiant" />
    <property name="objectClasses" value="BNFUser"/>

In the LDAP, the attribute used to identify an entry is BnFIdentifiant, and the user object belongs to the BNFUser class.

After that, we define three attributes present in each LDAP user entry that we want to use during the authentication process.

This is an example of an attribute definition:

        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFMemberOf" />
          <constructor-arg index="1" value="true" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="false"/>
          <property name="idAttribute" value="false"/>
        </bean>

constructor-arg index="0" defines the name of the attribute.

constructor-arg index="1" defines whether the attribute is multivalued.

constructor-arg index="2" defines whether the attribute is mapped in the Jetspeed database.

This is the complete example of the UserDaoConfiguration bean:

  <bean id="UserDaoConfiguration" class="org.apache.jetspeed.security.mapping.ldap.dao.LDAPEntityDAOConfiguration" init-method="initialize">
    <meta key="j2:cat" value="ldapSecurity" />
    <property name="ldapBase" value="${ldap.base}" />
    <property name="searchBase" value="${ldap.user.searchBase}" />
    <property name="searchFilter">
      <bean class="org.apache.jetspeed.security.mapping.ldap.filter.SimpleFilter">
        <constructor-arg index="0" value="${ldap.user.filter}" />
      </bean>
    </property>
    <property name="ldapIdAttribute" value="BnFIdentifiant" />
    <property name="objectClasses" value="BNFUser"/>
    <property name="attributeDefinitions">
      <set>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFIdentifiant" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="cn" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFMemberOf" />
          <constructor-arg index="1" value="true" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="false"/>
          <property name="idAttribute" value="false"/>
        </bean>
      </set>
    </property>
    <property name="entityType" value="user" />
  </bean>

And here is the user as defined in the LDAP (LDIF format; the double colon after userPassword means the value is base64-encoded):

dn: BnfIdentifiant=user_etablissement9@bnf.fr,ou=comptes,ou=clients,dc=public,dc=bnf,dc=fr
objectClass: BNFUser
BnfIdentifiant: user_etablissement9@bnf.fr
BnfMemberOf: cn=partenaires_bibliotheque,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
BnfMemberOf: cn=partenaires_moissonnage_gallica_partenaire,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
cn: user_etablissement9@bnf.fr
userPassword:: e1NIQX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9

Changing the relationship between user and role: attribute name and direction

If you want to change the attribute used to describe the relationship between User and Role, you can do it in the LDAP configuration file WEB-INF/assembly/security-ldap.xml. In our example, we want to use the BnFMemberOf relation, in the user to role direction (the attribute lives on the user entry and its values are the DNs of the roles).

This is an example configuration:

  <bean id="UserRoleRelationDAO" class="org.apache.jetspeed.security.mapping.ldap.dao.impl.AttributeBasedRelationDAO">
    <meta key="j2:cat" value="ldapSecurity" />
    <property name="relationAttribute" value="BnFMemberOf" />
    <property name="attributeContainsInternalId" value="true" />
    <property name="useFromEntityAttribute" value="true" />
    <property name="relationType">
      <bean class="org.apache.jetspeed.security.mapping.impl.SecurityEntityRelationTypeImpl">
        <constructor-arg index="0" value="isMemberOf" />
        <constructor-arg index="1" value="user" />
        <constructor-arg index="2" value="role" />
      </bean>
    </property>
  </bean>
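To see what the UserDaoConfiguration and UserRoleRelationDAO beans above imply for a real entry, here is an added example (not code from the page or from Jetspeed) that parses the BNFUser LDIF entry shown earlier, checks it against the bean's attributeDefinitions and objectClasses, and resolves roles in the user to role direction the way useFromEntityAttribute=true and attributeContainsInternalId=true describe. It assumes the role name is the value of the first RDN of each BnFMemberOf DN (its cn); the sample entry is the page's, embedded inline.

```python
import base64
from typing import Dict, List

# Constructed sample: the BNFUser entry from the page, in LDIF ('::' marks a
# base64-encoded value, here the userPassword).
USER_LDIF = """\
dn: BnfIdentifiant=user_etablissement9@bnf.fr,ou=comptes,ou=clients,dc=public,dc=bnf,dc=fr
objectClass: BNFUser
BnfIdentifiant: user_etablissement9@bnf.fr
BnfMemberOf: cn=partenaires_bibliotheque,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
BnfMemberOf: cn=partenaires_moissonnage_gallica_partenaire,ou=groupes,ou=clients,dc=public,dc=bnf,dc=fr
cn: user_etablissement9@bnf.fr
userPassword:: e1NIQX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9
"""
# attributeDefinitions of the page's UserDaoConfiguration: name -> (multivalued, required)
ATTRIBUTE_DEFS = {"BnFIdentifiant": (False, True), "cn": (False, True), "BnFMemberOf": (True, False)}
USER_OBJECT_CLASS = "BNFUser"  # the bean's objectClasses property

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """One LDIF entry -> {attribute: values}. Names are lowercased because LDAP
    attribute types are case-insensitive (the config says BnFMemberOf, the LDIF
    BnfMemberOf); '::' values are base64-decoded; repeated names become multi-valued."""
    entry: Dict[str, List[str]] = {}
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_user_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Problems the user DAO would hit: wrong object class, a missing required
    attribute, or several values on a single-valued attribute."""
    problems = []
    if USER_OBJECT_CLASS.lower() not in [c.lower() for c in entry.get("objectclass", [])]:
        problems.append(f"entry is not a {USER_OBJECT_CLASS}")
    for name, (multivalued, required) in ATTRIBUTE_DEFS.items():
        values = entry.get(name.lower(), [])
        if required and not values:
            problems.append(f"missing required attribute {name}")
        if not multivalued and len(values) > 1:
            problems.append(f"{name} is single-valued but has {len(values)} values")
    return problems

def roles_of_user(entry: Dict[str, List[str]], relation_attribute: str = "BnFMemberOf") -> List[str]:
    """User-to-role direction of the UserRoleRelationDAO bean: useFromEntityAttribute=true
    reads the relation from the user entry, attributeContainsInternalId=true means each
    value is a role DN. The role name is assumed to be the first RDN's value (the cn)."""
    return [dn.split(",", 1)[0].split("=", 1)[1] for dn in entry.get(relation_attribute.lower(), [])]
```

Running check_user_entry on an entry exported from your own directory is a quick way to confirm that the attributeDefinitions match what the LDAP actually contains before turning on portal.ldap mode.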

Define a backup ldap server

In some cases several LDAP servers are defined in your infrastructure, and if one of them goes down, applications are expected to fail over to the backup LDAP server. This is possible with Jetspeed by modifying the WEB-INF/assembly/security-ldap.xml file. In this file the LDAP connection is defined in the org.springframework.ldap.core.support.LdapContextSource bean, in the url property. Replace the url property (without s) by the urls property (with s) and list the different LDAP servers.

Jetspeed tries to connect to the first LDAP server and, if that fails, to the second one, and so on. Note that in this case the synchronisation between the LDAP servers is NOT done by Jetspeed but by the LDAP infrastructure; Jetspeed synchronises only with the LDAP server it is working with.

Below is the example for security-ldap.xml:

    <property name="contextSource">
      <bean class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="urls" value="${ldap.url}"/>
        <property name="base" value="${ldap.base}"/>
        <property name="userDn" value="${ldap.userDn}"/>
        <property name="password" value="${ldap.password}"/>
        <property name="baseEnvironmentProperties" ref="ldapEnvironmentProperties"/>
        <property name="pooled" value="false"/>
      </bean>
    </property>

${ldap.url} is defined in the WEB-INF/conf/override.properties file:

ldap.url=ldap://asl20.pfvd.nt.bnf.fr:389, ldap://asl21.pfvd.nt.bnf.fr:389
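A small added check (not part of the page or of Jetspeed) that reads the ldap.url list from override.properties in the order Jetspeed tries it and reports the first server that accepts a TCP connection, so a failover list can be verified before relying on it. The property text is the page's line embedded inline; the probe only opens the port and does not bind.

```python
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed sample: the ldap.url line from override.properties as shown on the page.
OVERRIDE_PROPERTIES = "ldap.url=ldap://asl20.pfvd.nt.bnf.fr:389, ldap://asl21.pfvd.nt.bnf.fr:389\n"

def ldap_urls(properties: str, key: str = "ldap.url") -> List[str]:
    """Return the comma-separated server list behind `key`, in the order Jetspeed
    tries them; whitespace around each URL (the page has a space after the comma) is dropped."""
    for line in properties.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return [u.strip() for u in value.split(",") if u.strip()]
    return []

def tcp_connect(url: str, timeout: float = 3.0) -> bool:
    """Reachability probe for one ldap:// or ldaps:// URL: can the TCP port be opened?"""
    parts = urlsplit(url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return True
    except OSError:
        return False

def first_reachable(urls: List[str], connect: Callable[[str], bool] = tcp_connect) -> Optional[str]:
    """Mirror the failover order: the first URL that answers is the one the portal
    will use; None means every server in the list is down."""
    for url in urls:
        if connect(url):
            return url
    return None

if __name__ == "__main__":
    servers = ldap_urls(OVERRIDE_PROPERTIES)
    print("servers in failover order:", servers)
    print("first reachable:", first_reachable(servers))
```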