2.9. LDAP Configuration

2.9.1. Configuration
2.9.2. Advanced topics

You may want to map eXo users onto an existing directory. eXo provides a flexible implementation of its OrganizationService on top of LDAP; it can be used with any LDAP-compliant directory, including Active Directory. This page explains how to configure eXo Platform to work with your directory.

Typical setup

If you want to know how eXo Platform works with LDAP, simply look at the predefined LDAP configuration. You just need to activate it and eXo will create everything it needs to work at startup.

You need to have a working LDAP server and a user with write permissions.

  • Open idm-configuration.xml located at $PLATFORM_TOMCAT_HOME/webapps/platform-extension/WEB-INF/conf/organization, then comment out this tag:

    
    <value>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</value>

    Next, add this tag:

    
    <value>war:/conf/organization/picketlink-idm/picketlink-idm-ldap-config.xml</value>
  • Under $PLATFORM_TOMCAT_HOME/webapps/platform-extension/WEB-INF/conf/organization/picketlink-idm, add the picketlink-idm-ldap-config.xml file.

    The content of this file is as follows:

    
    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-identity xmlns="urn:picketlink:idm:config:v1_0_0_ga"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:schemaLocation="urn:picketlink:idm:config:v1_0_0_ga identity-config.xsd">
      <realms>
        <realm>
          <id>idm_realm_sample-portal</id>
          <repository-id-ref>DefaultPortalRepository</repository-id-ref>
          <identity-type-mappings>
            <user-mapping>USER</user-mapping>
          </identity-type-mappings>
          <options>
            <option>
              <name>cache.providerRegistryName</name>
              <value>apiCacheProvider</value>
            </option>
          </options>
        </realm>
        <realm>
          <id>idm_realm</id>
          <repository-id-ref>PortalRepository</repository-id-ref>
          <identity-type-mappings>
            <user-mapping>USER</user-mapping>
          </identity-type-mappings>
          <options>
            <option>
              <name>template</name>
              <value>true</value>
            </option>
            <option>
              <name>cache.providerRegistryName</name>
              <value>apiCacheProvider</value>
            </option>
          </options>
        </realm>
      </realms>
      <repositories>
        <repository>
          <id>PortalRepository</id>
          <class>org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository</class>
          <external-config/>
          <default-identity-store-id>HibernateStore</default-identity-store-id>
          <default-attribute-store-id>HibernateStore</default-attribute-store-id>
          <identity-store-mappings>
            <identity-store-mapping>
              <identity-store-id>PortalLDAPStore</identity-store-id>
              <identity-object-types>
                <identity-object-type>USER</identity-object-type>
                <identity-object-type>platform_type</identity-object-type>
                <identity-object-type>organization_type</identity-object-type>
              </identity-object-types>
              <options/>
            </identity-store-mapping>
          </identity-store-mappings>
          <options>
            <option>
              <name>allowNotDefinedAttributes</name>
              <value>true</value>
            </option>
          </options>
        </repository>
        <repository>
          <id>DefaultPortalRepository</id>
          <class>org.picketlink.idm.impl.repository.WrapperIdentityStoreRepository</class>
          <external-config/>
          <default-identity-store-id>HibernateStore</default-identity-store-id>
          <default-attribute-store-id>HibernateStore</default-attribute-store-id>
        </repository>
      </repositories>
      <stores>
        <attribute-stores/>
        <identity-stores>
          <identity-store>
            <id>HibernateStore</id>
            <class>org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl</class>
            <external-config/>
            <supported-relationship-types>
              <relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
              <relationship-type>JBOSS_IDENTITY_ROLE</relationship-type>
            </supported-relationship-types>
            <supported-identity-object-types>
              <identity-object-type>
                <name>USER</name>
                <relationships/>
                <credentials>
                  <credential-type>PASSWORD</credential-type>
                </credentials>
                <attributes/>
                <options/>
              </identity-object-type>
            </supported-identity-object-types>
            <options>
              <option>
                <name>hibernateSessionFactoryRegistryName</name>
                <value>hibernateSessionFactory</value>
              </option>
              <option>
                <name>populateRelationshipTypes</name>
                <value>true</value>
              </option>
              <option>
                <name>populateIdentityObjectTypes</name>
                <value>true</value>
              </option>
              <option>
                <name>allowNotDefinedIdentityObjectTypes</name>
                <value>true</value>
              </option>
              <option>
                <name>allowNotDefinedAttributes</name>
                <value>true</value>
              </option>
              <option>
                <name>isRealmAware</name>
                <value>true</value>
              </option>
              <option>
                <name>lazyStartOfHibernateTransaction</name>
                <value>true</value>
              </option>
            </options>
          </identity-store>
          <identity-store>
            <id>PortalLDAPStore</id>
            <class>org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl</class>
            <external-config/>
            <supported-relationship-types>
              <relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
            </supported-relationship-types>
            <supported-identity-object-types>
              <identity-object-type>
                <name>USER</name>
                <relationships/>
                <credentials>
                  <credential-type>PASSWORD</credential-type>
                </credentials>
                <attributes>
                  <attribute>
                    <name>firstName</name>
                    <mapping>cn</mapping>
                    <type>text</type>
                    <isRequired>false</isRequired>
                    <isMultivalued>false</isMultivalued>
                    <isReadOnly>false</isReadOnly>
                  </attribute>
                  <attribute>
                    <name>lastName</name>
                    <mapping>sn</mapping>
                    <type>text</type>
                    <isRequired>false</isRequired>
                    <isMultivalued>false</isMultivalued>
                    <isReadOnly>false</isReadOnly>
                  </attribute>
                  <attribute>
                    <name>email</name>
                    <mapping>mail</mapping>
                    <type>text</type>
                    <isRequired>false</isRequired>
                    <isMultivalued>false</isMultivalued>
                    <isReadOnly>false</isReadOnly>
                    <isUnique>true</isUnique>
                  </attribute>
                </attributes>
                <options>
                  <option>
                    <name>idAttributeName</name>
                    <value>uid</value>
                  </option>
                  <option>
                    <name>passwordAttributeName</name>
                    <value>userPassword</value>
                  </option>
                  <option>
                    <name>ctxDNs</name>
                    <value>ou=People,o=portal,o=gatein,dc=example,dc=com</value>
                  </option>
                  <option>
                    <name>allowCreateEntry</name>
                    <value>true</value>
                  </option>
                  <option>
                    <name>createEntryAttributeValues</name>
                    <value>objectClass=top</value>
                    <value>objectClass=inetOrgPerson</value>
                    <value>sn= </value>
                    <value>cn= </value>
                  </option>
                </options>
              </identity-object-type>
              <identity-object-type>
                <name>platform_type</name>
                <relationships>
                  <relationship>
                    <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
                    <identity-object-type-ref>USER</identity-object-type-ref>
                  </relationship>
                  <relationship>
                    <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
                    <identity-object-type-ref>platform_type</identity-object-type-ref>
                  </relationship>
                </relationships>
                <credentials/>
                <attributes/>
                <options>
                  <option>
                    <name>idAttributeName</name>
                    <value>cn</value>
                  </option>
                  <option>
                    <name>ctxDNs</name>
                    <value>ou=Platform,o=portal,o=gatein,dc=example,dc=com</value>
                  </option>
                  <!--<option>-->
                  <!--<name>entrySearchFilter</name>-->
                  <!--<value></value>-->
                  <!--</option>-->
                  <option>
                    <name>allowCreateEntry</name>
                    <value>true</value>
                  </option>
                  <option>
                    <name>parentMembershipAttributeName</name>
                    <value>member</value>
                  </option>
                  <option>
                    <name>isParentMembershipAttributeDN</name>
                    <value>true</value>
                  </option>
                  <option>
                    <name>allowEmptyMemberships</name>
                    <value>true</value>
                  </option>
                  <option>
                    <name>createEntryAttributeValues</name>
                    <value>objectClass=top</value>
                    <value>objectClass=groupOfNames</value>
                  </option>
                </options>
              </identity-object-type>
              <identity-object-type>
                <name>organization_type</name>
                <relationships>
                  <relationship>
                    <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
                    <identity-object-type-ref>USER</identity-object-type-ref>
                  </relationship>
                  <relationship>
                    <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
                    <identity-object-type-ref>organization_type</identity-object-type-ref>
                  </relationship>
                </relationships>
                <credentials/>
                <attributes/>
                <options>
                  <option>
                    <name>idAttributeName</name>
                    <value>cn</value>
                  </option>
                  <option>
                    <name>ctxDNs</name>
                    <value>ou=Organization,o=portal,o=gatein,dc=example,dc=com</value>
                  </option>
                  <!--<option>-->
                  <!--<name>entrySearchFilter</name>-->
                  <!--<value></value>-->
                  <!--</option>-->
                  <option>
                    <name>allowCreateEntry</name>
                    <value>true</value>
                  </option>
                  <option>
                    <name>parentMembershipAttributeName</name>
                    <value>member</value>
                  </option>
                  <option>
                    <name>isParentMembershipAttributeDN</name>
                    <value>true</value>
                  </option>
                  <option>
                    <name>allowEmptyMemberships</name>
                    <value>true</value>
                  </option>
                  <option>
                    <name>createEntryAttributeValues</name>
                    <value>objectClass=top</value>
                    <value>objectClass=groupOfNames</value>
                  </option>
                </options>
              </identity-object-type>
            </supported-identity-object-types>
            <options>
              <option>
                <name>providerURL</name>
                <value>ldap://localhost:1389</value>
              </option>
              <option>
                <name>adminDN</name>
                <value>cn=admin</value>
              </option>
              <option>
                <name>adminPassword</name>
                <value>admin</value>
              </option>
              <option>
                <name>searchTimeLimit</name>
                <value>10000</value>
              </option>
              <option>
                <name>createMissingContexts</name>
                <value>true</value>
              </option>
              <option>
                <name>customJNDIConnectionParameters</name>
                <value>com.sun.jndi.ldap.connect.pool=true</value>
              </option>
              <option>
                <name>customSystemProperties</name>
                <value>com.sun.jndi.ldap.connect.pool.maxsize=300000</value>
                <value>com.sun.jndi.ldap.connect.pool.protocol=plain ssl</value>
              </option>
              <option>
                <name>cache.providerRegistryName</name>
                <value>storeCacheProvider</value>
              </option>
            </options>
          </identity-store>
        </identity-stores>
      </stores>
      <options>
          <option>
             <name>defaultTemplate</name>
             <value>idm_realm</value>
          </option>
      </options>
    </jboss-identity>
  • Adapt the configuration to the settings you chose when setting up your LDAP server: update the values of the providerURL, adminDN and adminPassword options, and every ctxDNs value, so that they match your directory.

  • Start eXo Platform server.
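
Before starting the server, it is worth checking that the values the previous step tells you to replace were actually replaced, since the file as shipped binds as cn=admin with the password admin over a plain ldap:// URL and points every ctxDNs at dc=example,dc=com. The following lint is an added example, not part of eXo Platform or PicketLink; it parses a constructed, trimmed copy of the PortalLDAPStore section above (the namespace and option names are taken from the file, the function names and the sample "fixed" values are assumptions of this example) and reports anything still at its sample value, plus ctxDNs that do not hang off a common parent container.

```python
# Added example (not eXo/PicketLink code): an offline lint for
# picketlink-idm-ldap-config.xml that checks the values the "Adapt the
# configuration" step tells you to replace, and that all ctxDNs share a parent.
import xml.etree.ElementTree as ET

# PicketLink's default namespace, as declared on the file's root element.
NS = {"pl": "urn:picketlink:idm:config:v1_0_0_ga"}

# Constructed sample: a trimmed copy of the page's PortalLDAPStore section,
# keeping only the elements this lint inspects, with the sample values it ships.
SAMPLE_CONFIG = """<jboss-identity xmlns="urn:picketlink:idm:config:v1_0_0_ga">
  <stores>
    <identity-stores>
      <identity-store>
        <id>PortalLDAPStore</id>
        <class>org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl</class>
        <supported-identity-object-types>
          <identity-object-type>
            <name>USER</name>
            <options>
              <option><name>ctxDNs</name>
                <value>ou=People,o=portal,o=gatein,dc=example,dc=com</value></option>
            </options>
          </identity-object-type>
          <identity-object-type>
            <name>platform_type</name>
            <options>
              <option><name>ctxDNs</name>
                <value>ou=Platform,o=portal,o=gatein,dc=example,dc=com</value></option>
            </options>
          </identity-object-type>
          <identity-object-type>
            <name>organization_type</name>
            <options>
              <option><name>ctxDNs</name>
                <value>ou=Organization,o=portal,o=gatein,dc=example,dc=com</value></option>
            </options>
          </identity-object-type>
        </supported-identity-object-types>
        <options>
          <option><name>providerURL</name><value>ldap://localhost:1389</value></option>
          <option><name>adminDN</name><value>cn=admin</value></option>
          <option><name>adminPassword</name><value>admin</value></option>
        </options>
      </identity-store>
    </identity-stores>
  </stores>
</jboss-identity>
"""


def options_of(element):
    """Map option name -> list of values for the <options> directly under element."""
    result = {}
    for opt in element.findall("pl:options/pl:option", NS):
        name = opt.findtext("pl:name", namespaces=NS)
        result[name] = [v.text or "" for v in opt.findall("pl:value", NS)]
    return result


def lint_ldap_store(xml_text, store_id="PortalLDAPStore"):
    """Return a list of findings; empty when nothing is left at its sample value."""
    root = ET.fromstring(xml_text)
    store = next(
        (s for s in root.iter("{%s}identity-store" % NS["pl"])
         if s.findtext("pl:id", namespaces=NS) == store_id),
        None,
    )
    if store is None:
        return ["identity-store '%s' not found" % store_id]

    findings = []
    opts = options_of(store)
    url = opts.get("providerURL", [""])[0]
    if not url.startswith("ldaps://"):
        findings.append(
            "providerURL '%s' does not use ldaps://: the bind password and user "
            "passwords cross the network in clear unless StartTLS is negotiated" % url)
    if opts.get("adminDN") == ["cn=admin"]:
        findings.append("adminDN is still the sample value 'cn=admin'")
    if opts.get("adminPassword") == ["admin"]:
        findings.append("adminPassword is still the sample value 'admin'")

    # One ctxDNs option per identity-object-type (USER, platform_type, organization_type).
    ctx = {}
    for iot in store.findall("pl:supported-identity-object-types/pl:identity-object-type", NS):
        ctx[iot.findtext("pl:name", namespaces=NS)] = options_of(iot).get("ctxDNs", [])
    all_dns = [dn for dns in ctx.values() for dn in dns]
    if any(dn.endswith("dc=example,dc=com") for dn in all_dns):
        findings.append("ctxDNs still use the sample suffix dc=example,dc=com")
    # Strip the leading RDN (ou=...) and require a single parent container.
    parents = {dn.split(",", 1)[1] for dn in all_dns if "," in dn}
    if len(parents) > 1:
        findings.append("ctxDNs are spread over several parents: %s" % sorted(parents))
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_store(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

Run it against the real file by reading $PLATFORM_TOMCAT_HOME/webapps/platform-extension/WEB-INF/conf/organization/picketlink-idm/picketlink-idm-ldap-config.xml into lint_ldap_store instead of SAMPLE_CONFIG; a clean run returns an empty list. The parent-container check is deliberately structural rather than value-based: the HibernateStore does not care, but the LDAP store creates the missing ou= contexts (createMissingContexts) wherever the ctxDNs point, so a typo in one of them silently builds a second tree.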

eXo starts and auto-creates its organization model in your directory tree. The resulting default LDAP structure is illustrated by a figure on the original page: [figure: structure of the default LDAP schema]

Now eXo uses your LDAP directory as its org model storage: users, groups and memberships are stored in and retrieved from there. It is a good idea to perform a few operations in the eXo user management portlet and observe what changes in your directory tree.

Copyright ©. All rights reserved. eXo Platform SAS