You should set up an "empty" directory for this practice. The directory should contain only the top DN, like:
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
Create your custom extension project (as described in Creating your extension project),
then include the following files and folders into custom-extension.war!/WEB-INF/conf:
conf/
|__ configuration.xml
|__ organization/
    |__ idm-configuration.xml
    |__ picketlink-idm-ldap-config.xml
You do not need to follow this structure strictly; it only aims at keeping your extension project easy to manage.
You are free to name the files as you like, except configuration.xml.
Import the idm-configuration.xml into custom-extension.war!/WEB-INF/conf/configuration.xml.
<?xml version="1.0" encoding="ISO-8859-1"?>
<configuration
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd http://www.exoplatform.org/xml/ns/kernel_1_2.xsd"
xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
<import>war:/conf/organization/idm-configuration.xml</import>
</configuration>
Copy the content of the portal.war!/WEB-INF/conf/organization/idm-configuration.xml file of eXo Platform into the idm-configuration.xml of your extension project.
Then, in that same idm-configuration.xml, replace
<value>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</value>
with the path to the picketlink-idm-ldap-config.xml file of your extension project:
<value>war:/conf/organization/picketlink-idm-ldap-config.xml</value>
Copy the content of one of the PicketLink sample files into the picketlink-idm-ldap-config.xml of your extension project.
The sample files are in portal.war!/WEB-INF/conf/organization/picketlink-idm/examples. Choose either of the following files:
picketlink-idm-msad-config.xml if you use MS Active Directory.
picketlink-idm-openldap-config.xml for OpenLDAP.
Otherwise, picketlink-idm-ldap-config.xml.
Modify the picketlink-idm-ldap-config.xml file according to your LDAP setup.
You often need to change the following parameters:
The suffix (dc=test,dc=domain, dc=my-domain,dc=com or dc=example,dc=com, depending on the sample file) should be replaced with your real suffix throughout the whole file.
providerURL
adminDN
adminPassword
The following sub-steps apply to Microsoft Active Directory (MSAD) only:
i. Prepare a truststore file containing the valid certificate for MSAD. It can be generated with the JDK keytool command:
keytool -import -file certificate -keystore truststore
ii. Edit the following parameters in the picketlink-idm-ldap-config.xml file:
providerURL: Should use SSL (ldaps://).
customSystemProperties: Give your truststore file path and password.
<name>customSystemProperties</name>
<value>javax.net.ssl.trustStore=/path/to/msad.truststore</value>
<value>javax.net.ssl.trustStorePassword=password</value>
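A small lint for the settings listed in the two steps above (suffix, providerURL, adminDN, adminPassword, and the MSAD truststore properties). This is an added example and not eXo or PicketLink code: it assumes each setting is an `<option>` element with one `<name>` and one or more `<value>` children, matching the customSystemProperties snippet above; the two XML fragments, host names, paths and passwords in it are constructed placeholders.

```python
"""Lint a picketlink-idm-ldap-config.xml fragment for settings the steps above say to change.

Added example, not eXo or PicketLink code. Assumes each setting is an <option> with one
<name> and one or more <value> children (as in the customSystemProperties snippet above).
WEAK_CONFIG and FIXED_CONFIG are constructed; their hosts, paths and passwords are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Suffixes the sample files ship with; any of them left in the file means the suffix step was skipped.
SAMPLE_SUFFIXES = ("dc=test,dc=domain", "dc=my-domain,dc=com", "dc=example,dc=com")
SAMPLE_PASSWORDS = ("", "secret", "password")

# Constructed "before": sample suffix kept, plain ldap://, sample password, no truststore.
WEAK_CONFIG = """<identity-store>
  <id>PortalLDAPStore</id>
  <options>
    <option><name>providerURL</name><value>ldap://ad.example.com:389</value></option>
    <option><name>adminDN</name><value>cn=Manager,dc=example,dc=com</value></option>
    <option><name>adminPassword</name><value>secret</value></option>
  </options>
</identity-store>"""

# Constructed "after": real suffix, ldaps://, non-sample password, truststore properties set.
FIXED_CONFIG = """<identity-store>
  <id>PortalLDAPStore</id>
  <options>
    <option><name>providerURL</name><value>ldaps://ad.corp.internal:636</value></option>
    <option><name>adminDN</name><value>cn=exo-sync,ou=Service Accounts,dc=corp,dc=internal</value></option>
    <option><name>adminPassword</name><value>placeholder-replaced-at-deploy</value></option>
    <option>
      <name>customSystemProperties</name>
      <value>javax.net.ssl.trustStore=/opt/exo/conf/msad.truststore</value>
      <value>javax.net.ssl.trustStorePassword=placeholder-replaced-at-deploy</value>
    </option>
  </options>
</identity-store>"""


def parse_options(xml_text):
    """Return {option name: [values]} for every <option> element in the fragment."""
    options = {}
    for opt in ET.fromstring(xml_text).iter("option"):
        name = opt.findtext("name")
        if name:
            options[name.strip()] = [v.text.strip() for v in opt.findall("value") if v.text]
    return options


def check_config(xml_text, msad=False):
    """Return a list of findings; an empty list means the listed settings look complete."""
    findings = []
    options = parse_options(xml_text)
    for suffix in SAMPLE_SUFFIXES:          # the suffix must be replaced in the whole file
        if suffix in xml_text:
            findings.append(f"sample suffix {suffix} still present; replace it with your real suffix")
    url = (options.get("providerURL") or [""])[0]
    if msad and urlsplit(url).scheme.lower() != "ldaps":
        findings.append(f"providerURL {url!r} must use ldaps:// for MSAD")
    if not options.get("adminDN"):
        findings.append("adminDN is not set")
    if (options.get("adminPassword") or [""])[0] in SAMPLE_PASSWORDS:
        findings.append("adminPassword is empty or still a sample value")
    if msad:                                # truststore properties are required for ldaps:// to MSAD
        props = dict(p.split("=", 1) for p in options.get("customSystemProperties", []) if "=" in p)
        for key in ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword"):
            if key not in props:
                findings.append(f"customSystemProperties lacks {key}")
        if props.get("javax.net.ssl.trustStorePassword") in SAMPLE_PASSWORDS:
            findings.append("trustStorePassword is empty or still the sample value")
    return findings
```

Run `check_config(text, msad=True)` on your own file before deploying the extension; the ldaps:// and truststore checks are tied to `msad=True` because the page only requires them for Active Directory, but nothing stops you from running the MSAD checks against an OpenLDAP configuration that also uses LDAPS.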
Uncomment the following entries in the idm-configuration.xml file:
groupTypeMappings
<entry>
<key><string>/platform/*</string></key>
<value><string>platform_type</string></value>
</entry>
<entry>
<key><string>/organization/*</string></key>
<value><string>organization_type</string></value>
</entry>
ignoreMappedMembershipTypeGroupList
<value>
<string>/platform/*</string>
</value>
<value>
<string>/organization/*</string>
</value>
This step enables mapping the Platform groups (/platform and /organization, which are predefined groups) to LDAP. If you skip this step, only user mapping is performed.
Deploy your extension (See Creating your extension project for how-to). Make sure the LDAP server is running, and start eXo Platform.
Testing
Platform users (like the predefined root) and groups (sub-groups of /platform and /organization)
should be added to the LDAP tree. For example, if the suffix is dc=example,dc=com and the directory is OpenLDAP,
the root user entry will look like:
# root, People, portal, gatein, example.com
dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
uid: root
objectClass: top
objectClass: inetOrgPerson
userPassword:: Z3Ru
mail: root@localhost
cn: Root
sn: Root
The /organization/executive-board group entry will look like:
# executive-board, Organization, portal, gatein, example.com
dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: executive-board
member: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
The whole directory is:
# example.com
dn: dc=example,dc=com

# gatein, example.com
dn: o=gatein,dc=example,dc=com

# portal, gatein, example.com
dn: o=portal,o=gatein,dc=example,dc=com

# Platform, portal, gatein, example.com
dn: ou=Platform,o=portal,o=gatein,dc=example,dc=com

# Organization, portal, gatein, example.com
dn: ou=Organization,o=portal,o=gatein,dc=example,dc=com

# People, portal, gatein, example.com
dn: ou=People,o=portal,o=gatein,dc=example,dc=com

# administrators, Platform, portal, gatein, example.com
dn: cn=administrators,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# users, Platform, portal, gatein, example.com
dn: cn=users,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# guests, Platform, portal, gatein, example.com
dn: cn=guests,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# web-contributors, Platform, portal, gatein, example.com
dn: cn=web-contributors,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# management, Organization, portal, gatein, example.com
dn: cn=management,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# executive-board, Organization, portal, gatein, example.com
dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# employees, Organization, portal, gatein, example.com
dn: cn=employees,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# root, People, portal, gatein, example.com
dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
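The testing step above is easier to repeat if the expected tree is checked by a script rather than by eye. The following added example (not eXo or PicketLink code) parses LDIF as `ldapsearch` prints it, including `#` comments, folded lines and `::` base64 values such as the `userPassword` above, and then verifies that the users and groups you expect were mapped: containers exist under `o=portal,o=gatein,<suffix>`, each user sits in `ou=People`, each `/platform/*` or `/organization/*` group is a `groupOfNames` in `ou=Platform` or `ou=Organization` whose `member` DNs match the expected users and resolve to real entries. `SAMPLE_LDIF` is constructed from the OpenLDAP entries shown above; in practice you would feed the parser the output of an `ldapsearch` against your own server.

```python
"""Check the LDAP tree that eXo's user/group mapping is expected to produce.

Added example, not eXo or PicketLink code. SAMPLE_LDIF is constructed from the
OpenLDAP entries shown above (suffix dc=example,dc=com); feed parse_ldif() the
output of ldapsearch against your own server in real use.
"""
import base64

SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=Platform,o=portal,o=gatein,dc=example,dc=com
objectClass: organizationalUnit

dn: ou=Organization,o=portal,o=gatein,dc=example,dc=com
objectClass: organizationalUnit

dn: ou=People,o=portal,o=gatein,dc=example,dc=com
objectClass: organizationalUnit

# administrators, Platform, portal, gatein, example.com
dn: cn=administrators,ou=Platform,o=portal,o=gatein,dc=example,dc=com
objectClass: groupOfNames
cn: administrators
member: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com

dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com
objectClass: groupOfNames
cn: executive-board
member: uid=root,ou=People,o=portal,o=gatein,
 dc=example,dc=com

dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
objectClass: inetOrgPerson
uid: root
userPassword:: Z3Ru
cn: Root
sn: Root
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attribute: [values]}}; handles comments, folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # a leading space continues the previous line
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def check_mapping(entries, suffix, users, groups):
    """Return a list of problems (empty means the mapping looks right).

    users:  eXo user names expected under ou=People
    groups: {eXo group path: set of member user names}; /platform/* groups are
            expected in ou=Platform, /organization/* groups in ou=Organization."""
    problems = []
    base = f"o=portal,o=gatein,{suffix}"
    for ou in ("People", "Platform", "Organization"):
        if f"ou={ou},{base}" not in entries:
            problems.append(f"missing container ou={ou},{base}")
    for user in users:
        if f"uid={user},ou=People,{base}" not in entries:
            problems.append(f"user {user} not mapped")
    for path, members in groups.items():
        top, _, cn = path.strip("/").partition("/")
        dn = f"cn={cn},ou={top.capitalize()},{base}"
        attrs = entries.get(dn)
        if attrs is None:
            problems.append(f"group {path} not mapped")
            continue
        if "groupOfNames" not in attrs.get("objectClass", []):
            problems.append(f"{dn} is not a groupOfNames")
        member_dns = attrs.get("member", [])
        actual = {m.split(",", 1)[0].split("=", 1)[1] for m in member_dns}
        if actual != set(members):
            problems.append(f"{path} members {sorted(actual)} != expected {sorted(members)}")
        for m in member_dns:                # a member DN with no entry behind it is a mapping bug
            if m not in entries:
                problems.append(f"{path} refers to missing entry {m}")
    return problems
```

Call `check_mapping(parse_ldif(text), "dc=example,dc=com", ["root"], {"/platform/administrators": {"root"}, "/organization/executive-board": {"root"}})` with your own suffix, users and groups; an empty list means the users and both group types were mapped, while a list containing only `user ... not mapped` or `group ... not mapped` entries tells you which part of the mapping (users, or the group mapping enabled in the previous step) did not take effect.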