2.9. LDAP Configuration

2.9.1. Configuration
2.9.2. Advanced topics

Warning

The Core Organization service implementation uses MD5 hashing to protect stored passwords. It is therefore considered insecure and will be removed in a future release.

eXo Platform currently uses the PicketLink IDM implementation of the Organization service, which is more flexible and supports many more LDAP integration use cases than this so-called "legacy" implementation.

For PicketLink IDM configuration, refer to the LDAP Integration chapter of the Administrator guide.

Typical setup

Let's assume you have set up an OpenLDAP directory whose top DN is dc=example,dc=com. You will configure eXo Platform to store organization data (users, groups, memberships and membership types) in that directory.

Here is a quick walkthrough. The details, and more advanced configuration, are explained in later sections.

Required libraries

The use of LDAP requires two libraries that are not included in the Platform package:

  • exo.core.component.ldap

  • exo.core.component.organization.ldap

You can search for and download the libraries from https://repository.exoplatform.org.

Configuration

  • Remove unused PicketLink IDM configuration

PicketLink IDM is pre-configured; use the remove-configuration tag to unload it.


<configuration xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
    <remove-configuration>org.exoplatform.services.organization.idm.PicketLinkIDMCacheService</remove-configuration>
    <remove-configuration>org.exoplatform.services.organization.idm.PicketLinkIDMService</remove-configuration>
    <!-- Other components and plugins configuration -->
    <!-- ... -->
</configuration>
  • LDAPService component


<component>
    <key>org.exoplatform.services.ldap.LDAPService</key>
    <type>org.exoplatform.services.ldap.impl.LDAPServiceImpl</type>
    <init-params>
        <object-param>
            <name>ldap.config</name>
            <description>Default ldap config</description>
            <object type="org.exoplatform.services.ldap.impl.LDAPConnectionConfig">         
                <field name="providerURL"><string>ldap://127.0.0.1:389,10.0.0.1:389</string></field>
                <field name="rootdn"><string>CN=Manager,DC=exoplatform,DC=org</string></field>
                <field name="password"><string>secret</string></field>        
                <field name="version"><string>3</string></field>
                <field name="minConnection"><int>5</int></field>
                <field name="maxConnection"><int>10</int></field>     
                <field name="referralMode"><string>follow</string></field>  
                <field name="serverName"><string>default</string></field>
            </object>
        </object-param>
    </init-params>
</component>
  • OrganizationService and its OrganizationLdapInitializer plugin


<component>
    <key>org.exoplatform.services.organization.OrganizationService</key>
    <type>org.exoplatform.services.organization.ldap.OrganizationServiceImpl</type>
    <component-plugins>
        <component-plugin>
            <name>init.service.listener</name>
            <set-method>addListenerPlugin</set-method>
            <type>org.exoplatform.services.organization.ldap.OrganizationLdapInitializer</type>
            <description>this listener populate organization ldap service create default dn</description>      
        </component-plugin>  
    </component-plugins> 
    <init-params>
        <value-param>
            <name>ldap.userDN.key</name>
            <description>The key used to compose user DN</description>
            <value>cn</value>
        </value-param>
        <object-param>
            <name>ldap.attribute.mapping</name>
            <description>ldap attribute mapping</description>
            <object type="org.exoplatform.services.organization.ldap.LDAPAttributeMapping">                
                <field name="userLDAPClasses"><string>top,person,organizationalPerson,inetOrgPerson</string></field>
                <field name="profileLDAPClasses"><string>top,organizationalPerson</string></field>
                <field name="groupLDAPClasses"><string>top,organizationalUnit</string></field>
                <field name="membershipTypeLDAPClasses"><string>top,organizationalRole</string></field>
                <field name="membershipLDAPClasses"><string>top,groupOfNames</string></field>
                <field name="baseURL"><string>dc=exoplatform,dc=org</string></field>
                <field name="groupsURL"><string>ou=groups,ou=portal,dc=exoplatform,dc=org</string></field>
                <field name="membershipTypeURL"><string>ou=memberships,ou=portal,dc=exoplatform,dc=org</string></field>
                <field name="userURL"><string>ou=users,ou=portal,dc=exoplatform,dc=org</string></field>
                <field name="profileURL"><string>ou=profiles,ou=portal,dc=exoplatform,dc=org</string></field>
                <field name="userUsernameAttr"><string>uid</string></field>
                <field name="userPassword"><string>userPassword</string></field>
                <field name="userFirstNameAttr"><string>givenName</string></field>
                <field name="userLastNameAttr"><string>sn</string></field>
                <field name="userDisplayNameAttr"><string>displayName</string></field>
                <field name="userMailAttr"><string>mail</string></field>
                <field name="userObjectClassFilter"><string>objectClass=person</string></field>
                <field name="membershipTypeMemberValue"><string>member</string></field>
                <field name="membershipTypeRoleNameAttr"><string>cn</string></field>
                <field name="membershipTypeNameAttr"><string>cn</string></field>
                <field name="membershipTypeObjectClassFilter"><string>objectClass=organizationalRole</string></field>
                <field name="membershiptypeObjectClass"><string>organizationalRole</string></field>
                <field name="groupObjectClass"><string>organizationalUnit</string></field>
                <field name="groupObjectClassFilter"><string>objectClass=organizationalUnit</string></field>
                <field name="membershipObjectClass"><string>groupOfNames</string></field>
                <field name="membershipObjectClassFilter"><string>objectClass=groupOfNames</string></field>
                <field name="ldapCreatedTimeStampAttr"><string>createdTimeStamp</string></field>
                <field name="ldapModifiedTimeStampAttr"><string>modifiedTimeStamp</string></field>
                <field name="ldapDescriptionAttr"><string>description</string></field>
            </object>
        </object-param>
    </init-params>     
</component>
  • AddHibernateMappingPlugin


<external-component-plugins>
    <target-component>org.exoplatform.services.database.HibernateService</target-component>
    <component-plugin>
        <name>add.hibernate.annotations</name>
        <set-method>addPlugin</set-method>
        <type>org.exoplatform.services.database.impl.AddHibernateMappingPlugin</type>
        <init-params>
            <values-param>
            <name>hibernate.annotations</name>
            <value>org.exoplatform.services.organization.impl.UserProfileData</value>
            </values-param>
        </init-params>
    </component-plugin>
</external-component-plugins>
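As an added example (not eXo's code), the following Python reads the ldap.userDN.key value-param and the LDAPAttributeMapping fields from a constructed kernel XML fragment and composes the user DN and user search filter a lookup against this mapping would need, escaping the username per RFC 4514 and RFC 4515 so that a crafted login name cannot alter the DN or the filter. The composition rules (cn=<user>,<userURL> and (&(<userObjectClassFilter>)(<userUsernameAttr>=<user>))) are assumptions for illustration, not taken from the service's source.

```python
import xml.etree.ElementTree as ET
# Constructed fragment (not a complete eXo file) holding only the fields this
# example reads; names and values are the ones from the configuration above.
CONFIG_XML = """<component xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
  <value-param><name>ldap.userDN.key</name><value>cn</value></value-param>
  <object type="org.exoplatform.services.organization.ldap.LDAPAttributeMapping">
    <field name="userURL"><string>ou=users,ou=portal,dc=exoplatform,dc=org</string></field>
    <field name="userUsernameAttr"><string>uid</string></field>
    <field name="userObjectClassFilter"><string>objectClass=person</string></field>
  </object>
</component>"""

def _local(tag):
    """Strip the kernel XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def load_mapping(xml_text):
    """Collect value-params and <field> entries into one name -> value dict."""
    mapping = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "value-param":
            kids = {_local(c.tag): (c.text or "").strip() for c in el}
            mapping[kids["name"]] = kids["value"]
        elif _local(el.tag) == "field":
            mapping[el.get("name")] = "".join(el.itertext()).strip()
    return mapping

def escape_dn_value(value):
    """RFC 4514 escaping for one attribute value inside a DN."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch in '"+,;<>\\\x00' or edge:
            out.append("\\00" if ch == "\x00" else "\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """RFC 4515 escaping for one assertion value inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def user_dn(mapping, username):
    """<ldap.userDN.key>=<username>,<userURL>; the composition rule is assumed."""
    return f"{mapping['ldap.userDN.key']}={escape_dn_value(username)},{mapping['userURL']}"

def user_filter(mapping, username):
    """(&(<userObjectClassFilter>)(<userUsernameAttr>=<username>)); shape assumed."""
    return f"(&({mapping['userObjectClassFilter']})({mapping['userUsernameAttr']}={escape_filter_value(username)}))"
```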

After the server is started, the directory is populated with users, groups, memberships and membership types, as shown below:

Copyright ©. All rights reserved. eXo Platform SAS