You should set up an "empty" directory for this practice. The directory should contain only the top DN, like:
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
Create your custom extension project (as described in Creating your extension project), then include the following files and folders into custom-extension.war!/WEB-INF/conf:
conf/
|__ configuration.xml
|__ organization
    |__ idm-configuration.xml
    |__ picketlink-idm-ldap-config.xml
You do not need to follow this structure strictly; it only aims at keeping your extension project easy to manage. You are free to name the files as you like, except configuration.xml.
Import the idm-configuration.xml into custom-extension.war!/WEB-INF/conf/configuration.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<configuration
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd http://www.exoplatform.org/xml/ns/kernel_1_2.xsd"
  xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
  <import>war:/conf/organization/idm-configuration.xml</import>
</configuration>
Copy the content of the portal.war!/WEB-INF/conf/organization/idm-configuration.xml file of eXo Platform to the idm-configuration.xml of your extension project. Then, also in idm-configuration.xml, replace
<value>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</value>
with the path to the picketlink-idm-ldap-config.xml file of your extension project:
<value>war:/conf/organization/picketlink-idm-ldap-config.xml</value>
Copy the content of one of the PicketLink sample files to the picketlink-idm-ldap-config.xml of your extension project. The sample files are in portal.war!/WEB-INF/conf/organization/picketlink-idm/examples. Choose one of the following files:
picketlink-idm-msad-config.xml if you use MS Active Directory.
picketlink-idm-openldap-config.xml for OpenLDAP.
picketlink-idm-ldap-config.xml otherwise.
Modify the picketlink-idm-ldap-config.xml file according to your LDAP setup. You often need to change the following parameters:
The suffix (dc=test,dc=domain, dc=my-domain,dc=com or dc=example,dc=com) should be replaced with your real suffix throughout the whole file.
providerURL
adminDN
adminPassword
Do the following sub-steps, which apply to Microsoft Active Directory (MSAD) only:
i. Prepare a truststore file containing the valid certificate for MSAD. It can be generated by the Linux command:
keytool -import -file certificate -keystore truststore
ii. Edit the following parameters in the picketlink-idm-ldap-config.xml file:
providerURL: should use SSL (ldaps://).
customSystemProperties: give your truststore file path and password.
<name>customSystemProperties</name>
<value>javax.net.ssl.trustStore=/path/to/msad.truststore</value>
<value>javax.net.ssl.trustStorePassword=password</value>
Uncomment the following entries in the idm-configuration.xml file:
groupTypeMappings
<entry>
  <key><string>/platform/*</string></key>
  <value><string>platform_type</string></value>
</entry>
<entry>
  <key><string>/organization/*</string></key>
  <value><string>organization_type</string></value>
</entry>
ignoreMappedMembershipTypeGroupList
<value>
  <string>/platform/*</string>
</value>
<value>
  <string>/organization/*</string>
</value>
This step enables mapping the predefined Platform groups (/platform and /organization) to LDAP. If you skip this step, only user mapping is performed.
Deploy your extension (see Creating your extension project for how to do this). Make sure the LDAP server is running, then start eXo Platform.
Testing
Platform users (like the predefined root) and groups (sub-groups of /platform and /organization) should be added to the LDAP tree. For example, if the suffix is dc=example,dc=com and the directory is OpenLDAP, the root user entry will look like:
# root, People, portal, gatein, example.com
dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
uid: root
objectClass: top
objectClass: inetOrgPerson
userPassword:: Z3Ru
mail: root@localhost
cn: Root
sn: Root
The /organization/executive-board group entry will look like:
# executive-board, Organization, portal, gatein, example.com
dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: executive-board
member: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
The whole directory is:
# example.com
dn: dc=example,dc=com

# gatein, example.com
dn: o=gatein,dc=example,dc=com

# portal, gatein, example.com
dn: o=portal,o=gatein,dc=example,dc=com

# Platform, portal, gatein, example.com
dn: ou=Platform,o=portal,o=gatein,dc=example,dc=com

# Organization, portal, gatein, example.com
dn: ou=Organization,o=portal,o=gatein,dc=example,dc=com

# People, portal, gatein, example.com
dn: ou=People,o=portal,o=gatein,dc=example,dc=com

# administrators, Platform, portal, gatein, example.com
dn: cn=administrators,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# users, Platform, portal, gatein, example.com
dn: cn=users,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# guests, Platform, portal, gatein, example.com
dn: cn=guests,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# web-contributors, Platform, portal, gatein, example.com
dn: cn=web-contributors,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# management, Organization, portal, gatein, example.com
dn: cn=management,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# executive-board, Organization, portal, gatein, example.com
dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# employees, Organization, portal, gatein, example.com
dn: cn=employees,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# root, People, portal, gatein, example.com
dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
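A quick way to check an LDIF export of the tree above, as an added example that is not part of the original documentation: a small Python parser that reads the entries, decodes base64 values (the "::" syntax) and flags any userPassword stored without a {SCHEME} prefix, which the RFC 2307 convention treats as a cleartext credential (the sample's userPassword:: Z3Ru is plain base64, not a hash). The sample LDIF is constructed from the root and executive-board entries shown above.

```python
import base64

# Constructed sample of two entries from the expected OpenLDAP layout above, in standard LDIF ("#" = comment, "attr::" = base64 value).
SAMPLE_LDIF = """\
# root, People, portal, gatein, example.com
dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
uid: root
objectClass: top
objectClass: inetOrgPerson
userPassword:: Z3Ru
cn: Root

# executive-board, Organization, portal, gatein, example.com
dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: executive-board
member: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attribute: [values]}}, skipping comments, joining
    folded continuation lines and decoding base64 ("::") values to text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries

def cleartext_password_dns(entries):
    """DNs whose userPassword lacks a {SCHEME} prefix, i.e. is stored in the clear."""
    return [dn for dn, attrs in entries.items()
            if any(not pw.startswith("{") for pw in attrs.get("userPassword", []))]
```

Feed it the output of an ldapsearch -LLL over your suffix; a non-empty result from cleartext_password_dns means user entries carry passwords in the clear, as the sample root entry does.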