2.9.2. Advanced topics

Automatic directory population

The eXo organizational model has User, Group, Membership and Profile entities. For each of them, eXo defines a base DN that must lie below baseURL. At startup, if any of userURL, groupsURL, membershipTypeURL or profileURL does not fully exist, eXo attempts to create the missing subtree by parsing the DN and creating the entries on the fly. The object classes of the created entries are chosen by the attribute type of each RDN, according to the following rules:

  • ou=...: objectClass=top,objectClass=organizationalUnit

  • cn=...: objectClass=top,objectClass=organizationalRole

  • c=...: objectClass=country

  • o=...: objectClass=organization

  • dc=...: objectClass=top,objectClass=dcObject,objectClass=organization

For example, if baseURL is o=MyCompany,c=com and groupsURL is dc=groups,cn=Extranet,c=France,ou=EMEA,o=MyCompany,c=com, the following subtree will be created:

ou=EMEA,o=MyCompany,c=com
  objectClass: top
  objectClass: organizationalUnit
  …
    c=France,ou=EMEA,o=MyCompany,c=com
      objectClass: top
      objectClass: country
      …
      cn=Extranet,c=France,ou=EMEA,o=MyCompany,c=com
        objectClass: top
        objectClass: organizationalRole
        …
        dc=groups,cn=Extranet,c=France,ou=EMEA,o=MyCompany,c=com
          objectClass: top
          objectClass: dcObject
          objectClass: organization
          …

Active Directory sample configuration

Here is an alternative configuration for Active Directory. You can find sample configurations in the following files:

  • LDAP Connection in activedirectory-service-configuration.xml.

    
    <component>
      <key>org.exoplatform.services.ldap.LDAPService</key>
      <type>org.exoplatform.services.ldap.impl.LDAPServiceImpl</type>
      <init-params>
         <object-param>
            <name>ldap.config</name>
            <description>Default ldap config</description>
            <object type="org.exoplatform.services.ldap.impl.LDAPConnectionConfig">
               <!-- for multiple ldap servers, use a comma-separated list of host:port (Ex. ldap://127.0.0.1:389,10.0.0.1:389) -->
               <!-- whether or not to enable ssl; if ssl is used, ensure that the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword properties are set -->
               <!-- by default the eXo portal uses the javax.net.ssl.trustStore file java.home/lib/security/cacerts -->
               <!-- the ldap service checks the protocol: if it is ldaps, ssl is enabled (Ex. to enable ssl: ldaps://10.0.0.3:636 ; to disable ssl: ldap://10.0.0.3:389 ) -->
               <!-- when enabling ssl, ensure the server name is *.directory and the port matches (Ex. active.directory) -->
               <field name="providerURL">
                  <string>ldaps://10.0.0.3:636</string>
               </field>
               <field name="rootdn">
                  <string>CN=Administrator,CN=Users,DC=exoplatform,DC=org</string>
               </field>
               <field name="password">
                  <string>exo</string>
               </field>
               <field name="version">
                  <string>3</string>
               </field>
               <field name="minConnection">
                  <int>5</int>
               </field>
               <field name="maxConnection">
                  <int>10</int>
               </field>
               <field name="referralMode">
                  <string>ignore</string>
               </field>
               <field name="serverName">
                  <string>active.directory</string>
               </field>
            </object>
         </object-param>
      </init-params>
    </component>
  • LDAP Attribute Mapping in activedirectory-organization-configuration.xml.

    
    <component xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd http://www.exoplatform.org/xml/ns/kernel_1_2.xsd"
    xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
        <key>org.exoplatform.services.organization.OrganizationService</key>
        .....

        <init-params>
         ......
         <object-param>
            <name>ldap.attribute.mapping</name>
            <description>ldap attribute mapping</description>
            <object type="org.exoplatform.services.organization.ldap.LDAPAttributeMapping">
               <field name="userLDAPClasses">
                  <string>top,person,organizationalPerson,user</string>
               </field>
               <field name="profileLDAPClasses">
                  <string>top,organizationalPerson</string>
               </field>
               <field name="groupLDAPClasses">
                  <string>top,organizationalUnit</string>
               </field>
               <field name="membershipTypeLDAPClasses">
                  <string>top,group</string>
               </field>
               <field name="membershipLDAPClasses">
                  <string>top,group</string>
               </field>
               <field name="baseURL">
                  <string>DC=exoplatform,DC=org</string>
               </field>
               <field name="groupsURL">
                  <string>OU=groups,OU=portal,DC=exoplatform,DC=org</string>
               </field>
               <field name="membershipTypeURL">
                  <string>OU=memberships,OU=portal,DC=exoplatform,DC=org</string>
               </field>
               <field name="userURL">
                  <string>OU=users,OU=portal,DC=exoplatform,DC=org</string>
               </field>
               <field name="profileURL">
                  <string>OU=profiles,OU=portal,DC=exoplatform,DC=org</string>
               </field>
               <field name="userUsernameAttr">
                  <string>sAMAccountName</string>
               </field>
               <field name="userPassword">
                  <string>unicodePwd</string>
               </field>
               <!--unicodePwd-->
               <field name="userFirstNameAttr">
                  <string>givenName</string>
               </field>
               <field name="userLastNameAttr">
                  <string>sn</string>
               </field>
               <field name="userDisplayNameAttr">
                  <string>displayName</string>
               </field>
               <field name="userMailAttr">
                  <string>mail</string>
               </field>
               <field name="userObjectClassFilter">
                  <string>objectClass=user</string>
               </field>
               <field name="membershipTypeMemberValue">
                  <string>member</string>
               </field>
               <field name="membershipTypeRoleNameAttr">
                  <string>cn</string>
               </field>
               <field name="membershipTypeNameAttr">
                  <string>cn</string>
               </field>
               <field name="membershipTypeObjectClassFilter">
                  <string>objectClass=group</string>
               </field>
               <field name="membershiptypeObjectClass">
                  <string>group</string>
               </field>
               <field name="groupNameAttr">
                  <string>ou</string>
               </field>
               <field name="groupLabelAttr">
                  <string>l</string>
               </field>
               <field name="groupObjectClass">
                  <string>organizationalUnit</string>
               </field>
               <field name="groupObjectClassFilter">
                  <string>objectClass=organizationalUnit</string>
               </field>
               <field name="membershipObjectClass">
                  <string>group</string>
               </field>
               <field name="membershipObjectClassFilter">
                  <string>objectClass=group</string>
               </field>
               <field name="ldapCreatedTimeStampAttr">
                  <string>createdTimeStamp</string>
               </field>
               <field name="ldapModifiedTimeStampAttr">
                  <string>modifiedTimeStamp</string>
               </field>
               <field name="ldapDescriptionAttr">
                  <string>description</string>
               </field>
            </object>
         </object-param>
        </init-params>
    </component>

Note

There is a Microsoft limitation: the password cannot be set in AD over an unsecured connection, so you have to use the LDAPS protocol.
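As an added example, not eXo code, this Python check reads the two configuration fragments above (constructed samples with the weak settings left in) and applies the rules the sample's comments and the Note state: SSL is on only for an ldaps:// providerURL, and AD will not accept unicodePwd writes without it. The Administrator-bind check is a least-privilege caveat of my own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed samples in the shape of the two eXo files above, trimmed to the
# fields this check reads; the weak settings are deliberate.
CONNECTION_XML = """<object type="org.exoplatform.services.ldap.impl.LDAPConnectionConfig">
  <field name="providerURL"><string>ldap://10.0.0.3:389,10.0.0.4:389</string></field>
  <field name="rootdn"><string>CN=Administrator,CN=Users,DC=exoplatform,DC=org</string></field>
</object>"""
MAPPING_XML = """<object type="org.exoplatform.services.organization.ldap.LDAPAttributeMapping">
  <field name="userPassword"><string>unicodePwd</string></field>
</object>"""

def fields(xml_text: str) -> Dict[str, str]:
    """Collect <field name="..."><string|int>value</...></field> pairs."""
    root = ET.fromstring(xml_text)
    return {f.get("name", ""): (f.findtext("string") or f.findtext("int") or "").strip()
            for f in root.iter("field")}

def ssl_enabled(provider_url: str) -> bool:
    """The sample's comments say SSL is on when the protocol is ldaps; in the
    multi-server form only the first entry carries a scheme, so that decides."""
    return provider_url.split(",")[0].strip().lower().startswith("ldaps://")

def lint(connection_xml: str, mapping_xml: str) -> List[str]:
    """Return findings for the LDAP connection / attribute mapping pair."""
    conn, mapping = fields(connection_xml), fields(mapping_xml)
    findings = []
    if not ssl_enabled(conn.get("providerURL", "")):
        findings.append("providerURL is not ldaps://: the rootdn password of a simple "
                        "bind travels in clear text")
        if mapping.get("userPassword") == "unicodePwd":
            findings.append("userPassword=unicodePwd requires LDAPS: Active Directory "
                            "refuses to set passwords over an unsecured connection")
    if conn.get("rootdn", "").upper().startswith("CN=ADMINISTRATOR,"):
        findings.append("rootdn is the built-in Administrator: bind with a dedicated "
                        "least-privilege service account instead")
    return findings
```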

Using LDAPS protocol with Active Directory

  1. Set up AD to use SSL as follows:

     i. Add the Active Directory Certificate Services role.

     ii. Install the right certificate for the DC machine.

  2. Enable the Java VM to trust the certificate from AD as follows:

     i. Import the root CA used in AD into the keystore, like below (changeit is the default password of the JDK cacerts store):

        keytool -importcert -file 2008.cer -storepass changeit -keystore /home/user/java/jdk1.6/jre/lib/security/cacerts

     ii. Set the Java options:

        JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/home/user/java/jdk1.6/jre/lib/security/cacerts"

OpenLDAP dynlist overlays

If you use OpenLDAP, you may want to use its overlays. Here is how to use the dynlist overlay to have memberships populated dynamically.

The main idea is to have your memberships populated dynamically by an LDAP query, so you no longer have to maintain the roles on users manually.

To configure the dynlist, add the following to your slapd.conf:

dynlist-attrset         ExoMembership membershipURL member

This snippet means: on entries that have the ExoMembership class, use the URL stored in the value of the membershipURL attribute as a query and populate its results into the multi-valued attribute member.

Now you need to declare the corresponding schema (replace XXXXX with your own IANA-assigned enterprise number):

attributeType ( 1.3.6.1.4.1.XXXXX.1.59 NAME 'membershipURL' SUP memberURL )

membershipURL inherits from memberURL.

objectClass ( 1.3.6.1.4.1.XXXXX.2.12  NAME 'ExoMembership' SUP top MUST ( cn ) MAY (membershipURL $ member $ description ) )

ExoMembership must define cn and can have the following attributes:

  • membershipURL: Trigger for the dynlist.

  • member: Attribute populated by the dynlist.

  • description: Used by eXo for display.

For example, take the following group entry:

# the TestGroup group
dn: ou=testgroup,ou=groups,ou=portal,o=MyCompany,c=com
objectClass: top
objectClass: organizationalUnit
ou: testgroup
l: TestGroup
description: the Test Group

On this group, you can bind an eXo membership where the overlay will occur:

# the manager membership on group TestGroup
dn: cn=manager, ou=TestGroup,ou=groups,ou=portal,o=MyCompany,c=com
objectClass: top
objectClass: ExoMembership
membershipURL: ldap:///ou=users,ou=portal,o=MyCompany,c=com??sub?(uid=*)
cn: manager

This dynlist assigns the manager:/testgroup role to every user returned by the membershipURL query, that is any entry with a uid under ou=users,ou=portal,o=MyCompany,c=com.
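To make the overlay's effect concrete, here is an added Python simulation (my code, not OpenLDAP's dynlist) of the dynlist-attrset line and the membership entry above: it parses the membershipURL as an RFC 4516 LDAP URL, runs the query against a constructed in-memory directory built from this page's DNs, and fills member with the matching DNs. It handles only single presence or equality filters, which is enough for (uid=*).

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed in-memory directory using this page's DNs; not real entries.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "ou=users,ou=portal,o=MyCompany,c=com": {"objectClass": ["organizationalUnit"], "ou": ["users"]},
    "uid=alice,ou=users,ou=portal,o=MyCompany,c=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=users,ou=portal,o=MyCompany,c=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "uid=carol,ou=staff,o=MyCompany,c=com": {"objectClass": ["inetOrgPerson"], "uid": ["carol"]},
    "cn=manager,ou=testgroup,ou=groups,ou=portal,o=MyCompany,c=com": {
        "objectClass": ["top", "ExoMembership"], "cn": ["manager"],
        "membershipURL": ["ldap:///ou=users,ou=portal,o=MyCompany,c=com??sub?(uid=*)"]},
}

def parse_ldap_url(url: str) -> Tuple[str, str, str]:
    """RFC 4516 ldap://host/dn?attrs?scope?filter -> (base dn, scope, filter)."""
    _host, _, path = url.split("://", 1)[1].partition("/")
    dn, _attrs, scope, flt = [unquote(p) for p in (path.split("?") + [""] * 3)[:4]]
    return dn.lower(), (scope or "base").lower(), flt or "(objectClass=*)"

def matches(attrs: Dict[str, List[str]], flt: str) -> bool:
    """One presence or equality filter, e.g. (uid=*) or (uid=bob); compound
    filters are out of scope for this simulation."""
    name, _, value = flt.strip("()").partition("=")
    values = [v.lower() for v in attrs.get(name, [])]
    return bool(values) if value == "*" else value.lower() in values

def in_scope(dn: str, base: str, scope: str) -> bool:
    dn = dn.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)  # sub

def dynlist(directory, url_attr="membershipURL", member_attr="member"):
    """Simulate 'dynlist-attrset ExoMembership membershipURL member': each
    ExoMembership entry gets member filled with the DNs its membershipURL returns."""
    expanded = {}
    for dn, attrs in directory.items():
        if "ExoMembership" not in attrs.get("objectClass", []):
            continue
        members: List[str] = []
        for url in attrs.get(url_attr, []):
            base, scope, flt = parse_ldap_url(url)
            members += [d for d, a in directory.items() if in_scope(d, base, scope) and matches(a, flt)]
        expanded[dn] = {**attrs, member_attr: sorted(members)}
    return expanded
```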

Copyright ©. All rights reserved. eXo Platform SAS