The eXo organizational model has User, Group, Membership and Profile entities. For each, eXo defines a base DN that must lie below baseURL. At startup, if any of userURL, groupsURL, membershipTypeURL or profileURL does not exist in full, eXo attempts to create the missing subtree by parsing the DN and creating the intermediate entries on the fly. To determine the object classes of the created entries, the following rules are applied:
ou=...: objectClass=top,objectClass=organizationalUnit
cn=...: objectClass=top,objectClass=organizationalRole
c=...: objectClass=country
o=...: objectClass=organization
dc=...: objectClass=top,objectClass=dcObject,objectClass=organization
For example, if baseURL is o=MyCompany,c=com and groupsURL is dc=groups,cn=Extranet,c=France,ou=EMEA,o=MyCompany,c=com, the following subtree will be created:
ou=EMEA,o=MyCompany,c=com
objectClass: top
objectClass: organizationalUnit
…
c=France,ou=EMEA,o=MyCompany,c=com
objectClass: top
objectClass: country
…
cn=Extranet,c=France,ou=EMEA,o=MyCompany,c=com
objectClass: top
objectClass: organizationalRole
…
dc=groups,cn=Extranet,c=France,ou=EMEA,o=MyCompany,c=com
objectClass: top
objectClass: dcObject
objectClass: organization
…
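As an added illustration (this is not eXo code), here is the subtree rule above carried out in Python: it checks that a configured URL lies below baseURL, walks down from baseURL to the leaf, and lists the entries to create, parent first, with the objectClass values from the rule table. It goes slightly beyond the text by skipping entries that already exist and by refusing RDN types that have no rule (the situation in which eXo could not know which object class to use). The function names, the `existing_dns` argument and the LDIF renderer are assumptions made for this example; DN escaping is handled only for the backslash-comma case.

```python
# Added example (not eXo code): derive the entries eXo would create when a
# configured URL such as groupsURL lies below baseURL but does not exist yet.

# Rule table from the documentation: RDN attribute type -> objectClass values.
OBJECT_CLASSES_BY_RDN_TYPE = {
    "ou": ["top", "organizationalUnit"],
    "cn": ["top", "organizationalRole"],
    "c": ["country"],
    "o": ["organization"],
    "dc": ["top", "dcObject", "organization"],
}


def split_dn(dn):
    """Split a DN into (attribute type lower-cased, RDN as written), leaf first.

    Only the escaped comma (\\,) is handled; the simple DNs in the examples
    need nothing more.
    """
    rdns, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escaped character pairs intact
            current += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(current.strip())
            current = ""
        else:
            current += ch
        i += 1
    rdns.append(current.strip())
    return [(rdn.partition("=")[0].strip().lower(), rdn) for rdn in rdns]


def missing_subtree(base_url, target_url, existing_dns=()):
    """Return [(dn, objectClasses), ...], parent first, that must be created so
    that target_url exists below base_url.  Raises ValueError when target_url
    is not below base_url or when an RDN type has no creation rule."""
    base = split_dn(base_url)
    target = split_dn(target_url)
    suffix = [r.lower() for _, r in target[-len(base):]]
    if len(target) <= len(base) or suffix != [r.lower() for _, r in base]:
        raise ValueError("%s is not below baseURL %s" % (target_url, base_url))
    existing = {d.lower() for d in existing_dns}   # assumed: DNs already present
    to_create = []
    # Walk from the entry directly under baseURL down to the leaf.
    for depth in range(len(target) - len(base) - 1, -1, -1):
        rdns = target[depth:]
        dn = ",".join(r for _, r in rdns)
        if dn.lower() in existing:
            continue
        attr_type = rdns[0][0]
        if attr_type not in OBJECT_CLASSES_BY_RDN_TYPE:
            raise ValueError("no objectClass rule for RDN type '%s' in %s" % (attr_type, dn))
        to_create.append((dn, list(OBJECT_CLASSES_BY_RDN_TYPE[attr_type])))
    return to_create


def to_ldif(entries):
    """Render the entries as LDIF, as an administrator would pre-create them."""
    blocks = []
    for dn, classes in entries:
        blocks.append("\n".join(["dn: " + dn] + ["objectClass: " + c for c in classes]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # The example from the text: groupsURL four levels below baseURL.
    print(to_ldif(missing_subtree(
        "o=MyCompany,c=com",
        "dc=groups,cn=Extranet,c=France,ou=EMEA,o=MyCompany,c=com")))
```

Running it prints the four entries shown above as LDIF. Pre-creating the subtree this way, rather than letting the portal's bind account create it at startup, also lets the directory administrator keep that account without write access to the suffix.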
Here is an alternative configuration for Active Directory; sample configuration files exist for it.
LDAP connection in activedirectory-service-configuration.xml:
<component>
<key>org.exoplatform.services.ldap.LDAPService</key>
<type>org.exoplatform.services.ldap.impl.LDAPServiceImpl</type>
<init-params>
<object-param>
<name>ldap.config</name>
<description>Default ldap config</description>
<object type="org.exoplatform.services.ldap.impl.LDAPConnectionConfig">
<!-- for multiple LDAP servers, use a comma-separated list of host:port (Ex. ldap://127.0.0.1:389,10.0.0.1:389) -->
<!-- whether or not to enable SSL: if SSL is used, ensure that the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword properties are set -->
<!-- the eXo portal default javax.net.ssl.trustStore is the file java.home/lib/security/cacerts -->
<!-- the LDAP service checks the protocol: if it is ldaps, SSL is enabled (Ex. to enable SSL: ldaps://10.0.0.3:636 ; to disable SSL: ldap://10.0.0.3:389 ) -->
<!-- when SSL is enabled, ensure the server name is *.directory and the port is set (Ex. active.directory) -->
<field name="providerURL">
<string>ldaps://10.0.0.3:636</string>
</field>
<field name="rootdn">
<string>CN=Administrator,CN=Users,DC=exoplatform,DC=org</string>
</field>
<field name="password">
<string>exo</string>
</field>
<field name="version">
<string>3</string>
</field>
<field name="minConnection">
<int>5</int>
</field>
<field name="maxConnection">
<int>10</int>
</field>
<field name="referralMode">
<string>ignore</string>
</field>
<field name="serverName">
<string>active.directory</string>
</field>
</object>
</object-param>
</init-params>
</component>
LDAP attribute mapping in activedirectory-organization-configuration.xml:
<component xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd http://www.exoplatform.org/xml/ns/kernel_1_2.xsd"
xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
<key>org.exoplatform.services.organization.OrganizationService</key>
.....
<init-params>
......
<object-param>
<name>ldap.attribute.mapping</name>
<description>ldap attribute mapping</description>
<object type="org.exoplatform.services.organization.ldap.LDAPAttributeMapping">
<field name="userLDAPClasses">
<string>top,person,organizationalPerson,user</string>
</field>
<field name="profileLDAPClasses">
<string>top,organizationalPerson</string>
</field>
<field name="groupLDAPClasses">
<string>top,organizationalUnit</string>
</field>
<field name="membershipTypeLDAPClasses">
<string>top,group</string>
</field>
<field name="membershipLDAPClasses">
<string>top,group</string>
</field>
<field name="baseURL">
<string>DC=exoplatform,DC=org</string>
</field>
<field name="groupsURL">
<string>OU=groups,OU=portal,DC=exoplatform,DC=org</string>
</field>
<field name="membershipTypeURL">
<string>OU=memberships,OU=portal,DC=exoplatform,DC=org</string>
</field>
<field name="userURL">
<string>OU=users,OU=portal,DC=exoplatform,DC=org</string>
</field>
<field name="profileURL">
<string>OU=profiles,OU=portal,DC=exoplatform,DC=org</string>
</field>
<field name="userUsernameAttr">
<string>sAMAccountName</string>
</field>
<field name="userPassword">
<string>unicodePwd</string>
</field>
<!--unicodePwd-->
<field name="userFirstNameAttr">
<string>givenName</string>
</field>
<field name="userLastNameAttr">
<string>sn</string>
</field>
<field name="userDisplayNameAttr">
<string>displayName</string>
</field>
<field name="userMailAttr">
<string>mail</string>
</field>
<field name="userObjectClassFilter">
<string>objectClass=user</string>
</field>
<field name="membershipTypeMemberValue">
<string>member</string>
</field>
<field name="membershipTypeRoleNameAttr">
<string>cn</string>
</field>
<field name="membershipTypeNameAttr">
<string>cn</string>
</field>
<field name="membershipTypeObjectClassFilter">
<string>objectClass=group</string>
</field>
<field name="membershiptypeObjectClass">
<string>group</string>
</field>
<field name="groupNameAttr">
<string>ou</string>
</field>
<field name="groupLabelAttr">
<string>l</string>
</field>
<field name="groupObjectClass">
<string>organizationalUnit</string>
</field>
<field name="groupObjectClassFilter">
<string>objectClass=organizationalUnit</string>
</field>
<field name="membershipObjectClass">
<string>group</string>
</field>
<field name="membershipObjectClassFilter">
<string>objectClass=group</string>
</field>
<field name="ldapCreatedTimeStampAttr">
<string>createdTimeStamp</string>
</field>
<field name="ldapModifiedTimeStampAttr">
<string>modifiedTimeStamp</string>
</field>
<field name="ldapDescriptionAttr">
<string>description</string>
</field>
</object>
</object-param>
</init-params>
</component>
There is a Microsoft limitation: Active Directory refuses to set the password over an unsecured connection, so you have to use the LDAPS protocol.
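Because the two settings live in different files, the mismatch is easy to miss. The following added check (not part of eXo) reads the `<field name="..."><string>` values out of both XML fragments and reports a `userPassword` mapped to `unicodePwd` while `providerURL` still has a plain `ldap://` entry; the embedded XML samples are constructed, cut down from the two configurations above, with a weak and a corrected `providerURL`. The assumption that a bare `host:port` in the comma-separated list reuses the scheme of the preceding entry is mine, not documented behaviour.

```python
# Added example, not eXo code: lint the LDAP connection and attribute-mapping
# fragments for the cleartext-password mistake the documentation warns about.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples, trimmed from the configuration files shown above.
WEAK_SERVICE_XML = """<component>
  <key>org.exoplatform.services.ldap.LDAPService</key>
  <init-params><object-param><name>ldap.config</name>
    <object type="org.exoplatform.services.ldap.impl.LDAPConnectionConfig">
      <field name="providerURL"><string>ldap://10.0.0.3:389</string></field>
      <field name="rootdn"><string>CN=Administrator,CN=Users,DC=exoplatform,DC=org</string></field>
      <field name="password"><string>exo</string></field>
      <field name="maxConnection"><int>10</int></field>
    </object>
  </object-param></init-params>
</component>"""
FIXED_SERVICE_XML = WEAK_SERVICE_XML.replace("ldap://10.0.0.3:389", "ldaps://10.0.0.3:636")
ORG_XML = """<component xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
  <key>org.exoplatform.services.organization.OrganizationService</key>
  <init-params><object-param><name>ldap.attribute.mapping</name>
    <object type="org.exoplatform.services.organization.ldap.LDAPAttributeMapping">
      <field name="userUsernameAttr"><string>sAMAccountName</string></field>
      <field name="userPassword"><string>unicodePwd</string></field>
    </object>
  </object-param></init-params>
</component>"""


def local(tag):
    """Strip an XML namespace prefix: '{uri}field' -> 'field'."""
    return tag.rsplit("}", 1)[-1]


def field_values(xml_text):
    """Map each <field name=...> to the text of its <string> or <int> child."""
    values = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "field":
            continue
        for child in elem:
            if local(child.tag) in ("string", "int") and child.text is not None:
                values[elem.get("name")] = child.text.strip()
    return values


def provider_urls(value):
    """Split the comma-separated providerURL list into full URLs.
    Assumption: an entry without a scheme reuses the preceding entry's scheme."""
    urls, scheme = [], "ldap"
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        if "://" in item:
            scheme = item.split("://", 1)[0].lower()
            urls.append(item)
        else:
            urls.append("%s://%s" % (scheme, item))
    return urls


def check_ad_password_transport(service_xml, org_xml):
    """Return a list of findings; an empty list means the combination is safe."""
    svc, org = field_values(service_xml), field_values(org_xml)
    insecure = [u for u in provider_urls(svc.get("providerURL", ""))
                if urlsplit(u).scheme != "ldaps"]
    findings = []
    if not insecure:
        return findings
    if org.get("userPassword") == "unicodePwd":
        findings.append("userPassword maps to unicodePwd, which AD only accepts over LDAPS, "
                        "but providerURL lists: " + ", ".join(insecure))
    if svc.get("rootdn"):
        findings.append("simple bind as %s would send its password in the clear to: %s"
                        % (svc["rootdn"], ", ".join(insecure)))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVICE_XML), ("fixed", FIXED_SERVICE_XML)):
        print(label, check_ad_password_transport(xml_text, ORG_XML) or "no findings")
```

The check deliberately reports the bind credentials as well: even where password writes are not involved, a simple bind over `ldap://` exposes the `rootdn` password to anyone on the path unless the connection is upgraded to TLS.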
Using LDAPS protocol with Active Directory
Set up AD to use SSL as follows:
i. Add the Active Directory Certificate Services role.
ii. Install the right certificate for the DC machine.
Enable Java VM to use the certificate from AD as follows:
i. Import the root CA used in AD to keystore, like below:
keytool -importcert -file 2008.cer -storepass changeit -keystore /home/user/java/jdk1.6/jre/lib/security/cacerts
ii. Set the JAVA options.
JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/home/user/java/jdk1.6/jre/lib/security/cacerts"
Using the dynlist overlay with OpenLDAP
If you use OpenLDAP, you may want to use its overlays. Here is how you can use the dynlist overlay to have memberships populated dynamically.
The main idea is to have your memberships populated dynamically by an LDAP query. Thus, you no longer have to maintain manually the roles on users.
To configure the dynlist, add the following to your slapd.conf:
dynlist-attrset ExoMembership membershipURL member
This snippet means: on entries that have the ExoMembership class, use the URL stored in the membershipURL attribute as a query and populate the results into the multi-valued attribute member.
Now you need to declare the corresponding schema (replacing XXXXX with your own IANA enterprise number):
attributeType ( 1.3.6.1.4.1.XXXXX.1.59 NAME 'membershipURL' SUP memberURL )
membershipURL inherits from memberURL.
objectClass ( 1.3.6.1.4.1.XXXXX.2.12 NAME 'ExoMembership' SUP top MUST ( cn ) MAY (membershipURL $ member $ description ) )
ExoMembership must define cn and can have attributes:
membershipURL: Trigger for the dynlist.
member: Attribute populated by the dynlist.
description: Used by eXo for display.
For example, take the following group:
# the TestGroup group
dn: ou=testgroup,ou=groups,ou=portal,o=MyCompany,c=com
objectClass: top
objectClass: organizationalUnit
ou: testgroup
l: TestGroup
description: the Test Group
On this group, you can bind an eXo membership where the overlay will occur:
# the manager membership on group TestGroup
dn: cn=manager, ou=TestGroup,ou=groups,ou=portal,o=MyCompany,c=com
objectClass: top
objectClass: ExoMembership
membershipURL: ldap:///ou=users,ou=portal,o=MyCompany,c=com??sub?(uid=*)
cn: manager
This dynlist assigns the manager:/testgroup role to any user.
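To make the effect of the membershipURL concrete, here is an added in-memory model of the overlay's behaviour; it is neither OpenLDAP's dynlist code nor eXo's. It parses the LDAP URL into base DN, scope and filter, evaluates a small RFC 4515 filter subset (presence, equality, `&`, `|`, `!`) against constructed user entries, and returns the DNs that would appear in `member`. Alongside the page's `(uid=*)` URL it also evaluates a narrower, constructed URL with scope `one` and an extra `departmentNumber` condition, to show how the same mechanism can limit who receives the role. All entries, attribute values and function names are invented for the example.

```python
# Added example, not OpenLDAP or eXo code: an in-memory model of what the
# dynlist overlay computes for a membershipURL on an ExoMembership entry.
from urllib.parse import unquote


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into (base_dn, attrs, scope, filter).
    The host part is ignored: ldap:/// in slapd.conf means the local server."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("expected an ldap:// URL, got %r" % url)
    _host, _, rest = url[len("ldap://"):].partition("/")
    fields = rest.split("?")
    base = unquote(fields[0])
    attrs = fields[1] if len(fields) > 1 else ""
    scope = (fields[2] if len(fields) > 2 and fields[2] else "base").lower()
    filt = unquote(fields[3]) if len(fields) > 3 and fields[3] else "(objectClass=*)"
    return base, attrs, scope, filt


def parse_filter(text):
    """Parse the filter subset used here: (attr=*), (attr=value) and &, |, !.
    Returns a tree of ('=', attr, value) and (op, [children]) tuples."""
    pos = 0

    def node():
        nonlocal pos
        if pos + 1 >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d in %r" % (pos, text))
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")" or not children:
                raise ValueError("malformed %s filter in %r" % (op, text))
            pos += 1
            return (op, children)
        end = text.find(")", pos)      # ')' inside a value must be escaped as \29
        if end < 0:
            raise ValueError("unterminated filter item in %r" % text)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("unsupported filter item %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter in %r" % text)
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against an entry whose attribute keys are lower-cased."""
    op = tree[0]
    if op == "&":
        return all(matches(entry, c) for c in tree[1])
    if op == "|":
        return any(matches(entry, c) for c in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                    # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def norm_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_scope(dn, base, scope):
    """Apply the URL scope: base, one (direct children) or sub (whole subtree)."""
    dn, base = norm_dn(dn), norm_dn(base)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    if scope == "one":
        return "," not in dn[:-len(base) - 1]
    if scope == "sub":
        return True
    raise ValueError("unknown scope %r" % scope)


def dynlist_members(directory, membership_entry):
    """DNs the overlay would expose in 'member': every entry in scope of each
    membershipURL whose attributes satisfy the URL's filter."""
    members = []
    for url in membership_entry.get("membershipurl", []):
        base, _attrs, scope, filt = parse_ldap_url(url)
        tree = parse_filter(filt)
        members.extend(e["dn"] for e in directory if in_scope(e["dn"], base, scope) and matches(e, tree))
    return members


# Constructed directory content for the demonstration.
USERS = "ou=users,ou=portal,o=MyCompany,c=com"
DIRECTORY = [
    {"dn": "uid=alice," + USERS, "uid": ["alice"], "departmentnumber": ["HR"]},
    {"dn": "uid=bob," + USERS, "uid": ["bob"], "departmentnumber": ["IT"]},
    {"dn": "uid=carol,ou=contractors," + USERS, "uid": ["carol"], "departmentnumber": ["IT"]},
    {"dn": "ou=testgroup,ou=groups,ou=portal,o=MyCompany,c=com", "ou": ["testgroup"]},
]
MANAGER_ALL = {"dn": "cn=manager,ou=TestGroup,ou=groups,ou=portal,o=MyCompany,c=com",
               "cn": ["manager"], "membershipurl": ["ldap:///" + USERS + "??sub?(uid=*)"]}
MANAGER_IT_DIRECT = {"dn": "cn=manager,ou=TestGroup,ou=groups,ou=portal,o=MyCompany,c=com",
                     "cn": ["manager"],
                     "membershipurl": ["ldap:///" + USERS + "??one?(&(uid=*)(departmentNumber=IT))"]}

if __name__ == "__main__":
    print("page's URL   ->", dynlist_members(DIRECTORY, MANAGER_ALL))
    print("narrowed URL ->", dynlist_members(DIRECTORY, MANAGER_IT_DIRECT))
```

With the page's URL every user, including one in a nested `ou=contractors` container, receives `manager:/testgroup`; with scope `one` and the department condition only the directly placed IT user does. Reviewing the filter and scope of each membershipURL is therefore the place to check when auditing who holds a role.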