8.1.2. Configuration review

This section is a detailed walk-through of the configuration you used in Quick start. Reading these explanations will give you a clearer picture of the structure, so you can quickly locate the setting you want to edit. It is also preparation for writing your own identity object types in the next tutorials.

idm-configuration.xml

In idm-configuration.xml, everything that is configured is an eXo service. An eXo service configuration is started by either:

In most cases you only need to re-configure the two services below and can leave the default configuration of the others unchanged:

PicketLinkIDMServiceImpl service

This service has only one parameter that you need to re-configure:


<component>
    <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
    <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
    <init-params>
        <value-param>
            <name>config</name>
            <value>war:/conf/organization/picketlink-idm-openldap-acme-config.xml</value>
    ...

It points to the PicketLink IDM configuration file (picketlink-idm-ldap-config.xml in the Quick start section).

PicketLinkIDMOrganizationServiceImpl service

In Quick start, you re-configure this service to enable group mapping. The configuration maps a Platform group (such as /platform) to a PicketLink IDM identity object type. That object type must then be configured in the PicketLink IDM configuration file. In Quick start you did not need to do this, because you used the pre-configured types (platform_type and organization_type):


<field name="groupTypeMappings">
    <map type="java.util.HashMap">
        ...
        <entry>
            <key><string>/platform/*</string></key>
            <value><string>platform_type</string></value>
        </entry>
        <entry>
            <key><string>/organization/*</string></key>
            <value><string>organization_type</string></key>
        </entry>
        ...
    </map>
</field>
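The mapping above is a map of group-path patterns to identity object types. The following added example (not part of the eXo documentation or product) parses such a field and resolves group paths against it, which is useful for spotting groups that no mapping covers before they are created. The matching rule it implements, that a pattern ending in /* covers the prefix and every descendant and that the most specific pattern wins, is an assumption made for illustration, not a statement of how eXo's matcher behaves; the sample XML fragment is constructed.

```python
"""Resolve eXo group paths to PicketLink IDM identity object types using a
groupTypeMappings field.  Added example; the matching semantics below
(trailing '/*' covers the prefix and all descendants, longest pattern wins)
are an assumption, not taken from eXo documentation."""
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the groupTypeMappings field shown above.
SAMPLE_FIELD = """<field name="groupTypeMappings">
  <map type="java.util.HashMap">
    <entry><key><string>/platform/*</string></key><value><string>platform_type</string></value></entry>
    <entry><key><string>/organization/*</string></key><value><string>organization_type</string></value></entry>
  </map>
</field>"""


def parse_group_type_mappings(xml_text):
    """Return {pattern: object_type} from a <field name="groupTypeMappings"> element."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for entry in root.findall("./map/entry"):
        key = entry.findtext("./key/string")
        value = entry.findtext("./value/string")
        if key and value:
            mappings[key.strip()] = value.strip()
    return mappings


def resolve_group_type(group_path, mappings):
    """Return the object type for group_path, or None when no pattern matches.

    Assumed rule: '/prefix/*' matches '/prefix' and anything below it;
    a pattern without '*' must match exactly; the longest pattern wins."""
    best = None
    for pattern, object_type in mappings.items():
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            matched = group_path == prefix or group_path.startswith(prefix + "/")
        else:
            matched = group_path == pattern
        if matched and (best is None or len(pattern) > len(best[0])):
            best = (pattern, object_type)
    return best[1] if best else None


def unmapped_groups(group_paths, mappings):
    """List the group paths that no mapping covers (they would not be stored in LDAP)."""
    return [g for g in group_paths if resolve_group_type(g, mappings) is None]


if __name__ == "__main__":
    m = parse_group_type_mappings(SAMPLE_FIELD)
    for path in ["/platform/administrators", "/organization/management", "/customers"]:
        print(path, "->", resolve_group_type(path, m))
```

Run it with the real idm-configuration.xml field to list the groups your portal defines that fall outside every pattern; those stay in the Hibernate store rather than the directory, which is easy to miss when auditing who can see what in LDAP.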

PicketLink IDM configuration file

Let's see the picketlink-idm-ldap-config.xml structure:


<realms>...</realms>
<repositories>
    <repository><id>PortalRepository</id></repository>
    <repository><id>DefaultPortalRepository</id></repository>
</repositories>
<stores>
    <identity-stores>
        <identity-store><id>HibernateStore</id></identity-store>
        <identity-store><id>PortalLDAPStore</id></identity-store>
    </identity-stores>
</stores>

To keep this guide easy to follow, DefaultPortalRepository and HibernateStore, which should not be re-configured, are left out, and the id references are shown in place. organization_type is also omitted because it is configured in the same way as platform_type. The structure is redrawn as follows:


<repositories>
    <repository>
        <id>PortalRepository</id>
        <identity-store-mappings>
            <identity-store-mapping>
                <identity-store-id>PortalLDAPStore</identity-store-id>
                <identity-object-types>
                    <identity-object-type>USER</identity-object-type>
                    <identity-object-type>platform_type</identity-object-type>
                </identity-object-types>
            </identity-store-mapping>
        </identity-store-mappings>
    </repository>
</repositories>
<stores>
    <identity-stores>
        <identity-store>
            <id>PortalLDAPStore</id>
            <supported-identity-object-types>
                <identity-object-type>
                    <name>USER</name>
                    <!-- attributes & options -->
                </identity-object-type>
                <identity-object-type>
                    <name>platform_type</name>
                    <!-- attributes & options -->
                </identity-object-type>
            </supported-identity-object-types>
        </identity-store>
    </identity-stores>
</stores>

LDAP connection

The LDAP connection (URL and credentials) is part of the store configuration. It is provided in the PortalLDAPStore:


<identity-store>
    <id>PortalLDAPStore</id>
    ...
    <options>
        <option>
            <name>providerURL</name>
            <value>ldap://localhost:389</value>
        </option>
        <option>
            <name>adminDN</name>
            <value>cn=admin,dc=example,dc=com</value>
        </option>
        <option>
            <name>adminPassword</name>
            <value>gtn</value>
        </option>
        ...
    </options>
</identity-store>

Read-only mode

The read-only mode is part of the repository configuration. It is an option of the store mapping that prevents eXo Platform from writing to the LDAP directory. In Quick start this option is omitted, so the mode is read-write. To enable the read-only mode, set the option to true:


<repository>
    <id>PortalRepository</id>
    <identity-store-mappings>
        <identity-store-mapping>
            <identity-store-id>PortalLDAPStore</identity-store-id>
            <options>
                <option>
                    <name>readOnly</name>
                    <value>true</value>
                </option>
            </options>
        </identity-store-mapping>
    </identity-store-mappings>
</repository>

Placeholder - A note for OpenLDAP

In the default OpenLDAP core schema, the member attribute is a MUST (required) attribute of the groupOfNames objectClass:

objectclass ( 2.5.6.9 NAME 'groupOfNames'
	DESC 'RFC2256: a group of names (DNs)'
	SUP top STRUCTURAL
	MUST ( member $ cn )
	MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

Therefore, PicketLink IDM uses a placeholder entry as a dummy member when it creates a groupOfNames. The placeholder DN should be configured as an option of every group type:


<identity-object-type>
    <name>platform_type</name>
    <options>
        <option>
            <name>parentMembershipAttributePlaceholder</name>
            <value>ou=placeholder,o=portal,o=gatein,dc=example,dc=com</value>
        </option>
    </options>
</identity-object-type>
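The three store settings discussed in this section (the LDAP connection, the readOnly option and the parentMembershipAttributePlaceholder option) are the ones worth checking before a deployment goes live. The following added example, which is not part of eXo Platform or PicketLink IDM, parses a picketlink-idm configuration file with the standard library and reports settings a reviewer would flag: a providerURL on plain ldap:// rather than ldaps://, an adminPassword kept in clear text, a store mapping without readOnly, and a group type without the placeholder option. The sample configuration is constructed to mirror the fragments on this page; the wrapper root element, the absence of an XML namespace, and the rule that every supported type other than USER is a group type are assumptions made for the example.

```python
"""Audit a PicketLink IDM LDAP store configuration for weak settings.

Added example, not eXo or PicketLink code.  Assumptions: a generic wrapper
root element, no XML namespace on the elements (a real file that carries a
namespace needs namespace-qualified tag names), and that every supported
identity object type other than USER is a group type."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the fragments in this section; not a real deployment.
SAMPLE_CONFIG = """<config>
<repositories>
  <repository>
    <id>PortalRepository</id>
    <identity-store-mappings>
      <identity-store-mapping>
        <identity-store-id>PortalLDAPStore</identity-store-id>
        <identity-object-types>
          <identity-object-type>USER</identity-object-type>
          <identity-object-type>platform_type</identity-object-type>
        </identity-object-types>
      </identity-store-mapping>
    </identity-store-mappings>
  </repository>
</repositories>
<stores>
  <identity-stores>
    <identity-store>
      <id>PortalLDAPStore</id>
      <supported-identity-object-types>
        <identity-object-type><name>USER</name></identity-object-type>
        <identity-object-type>
          <name>platform_type</name>
          <options>
            <option><name>parentMembershipAttributePlaceholder</name>
                    <value>ou=placeholder,o=portal,o=gatein,dc=example,dc=com</value></option>
          </options>
        </identity-object-type>
      </supported-identity-object-types>
      <options>
        <option><name>providerURL</name><value>ldap://localhost:389</value></option>
        <option><name>adminDN</name><value>cn=admin,dc=example,dc=com</value></option>
        <option><name>adminPassword</name><value>gtn</value></option>
      </options>
    </identity-store>
  </identity-stores>
</stores>
</config>"""


def _options(elem):
    """Return {name: value} for the <option> children of elem's <options>."""
    result = {}
    for opt in elem.findall("./options/option"):
        name = opt.findtext("name")
        if name is not None:
            result[name.strip()] = (opt.findtext("value") or "").strip()
    return result


def audit_config(xml_text, store_id="PortalLDAPStore"):
    """Return a list of (severity, message) findings for the named LDAP store."""
    root = ET.fromstring(xml_text)
    store = next((s for s in root.iter("identity-store")
                  if (s.findtext("id") or "").strip() == store_id), None)
    if store is None:
        return [("error", f"store {store_id} not found")]
    findings = []

    # LDAP connection: transport and credential handling
    opts = _options(store)
    url = opts.get("providerURL", "")
    if url.startswith("ldap://"):
        findings.append(("high", f"providerURL {url} uses plain ldap://; the bind "
                                 "password and directory data cross the network unencrypted"))
    elif not url.startswith("ldaps://"):
        findings.append(("medium", f"providerURL {url!r} has an unexpected scheme"))
    if opts.get("adminPassword"):
        findings.append(("medium", "adminPassword is stored in clear text; restrict "
                                   "read access to the configuration file"))

    # Read-only mode: look at the mapping that references this store
    read_only = any(_options(m).get("readOnly", "").lower() == "true"
                    for m in root.iter("identity-store-mapping")
                    if (m.findtext("identity-store-id") or "").strip() == store_id)
    if not read_only:
        findings.append(("info", f"readOnly is not set for {store_id}; the portal can write to the directory"))

    # Placeholder: every group type needs it for groupOfNames on OpenLDAP
    for iot in store.findall("./supported-identity-object-types/identity-object-type"):
        name = (iot.findtext("name") or "").strip()
        if name != "USER" and "parentMembershipAttributePlaceholder" not in _options(iot):
            findings.append(("medium", f"group type {name} has no parentMembershipAttributePlaceholder; "
                                       "OpenLDAP requires a member value in every groupOfNames"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Point audit_config at the contents of your own picketlink-idm configuration file; on the Quick start settings it reports the plain ldap:// URL, the clear-text admin password and the missing readOnly option, and it stays silent on the placeholder because platform_type already carries it.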