8.1.1. Quick start

You should set up an "empty" directory for this practice. The directory should contain only the top DN, like:

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
  1. Create your custom extension project (as described in Creating your extension project), then add the following files and folders to custom-extension.war!/WEB-INF/conf:

    conf/
    |__ configuration.xml
    |__ organization
        |__ idm-configuration.xml
        |__ picketlink-idm-ldap-config.xml

    You do not need to follow this structure strictly; it only aims to keep your extension project easy to manage. You are free to name the files as you like, except configuration.xml.

  2. Import the idm-configuration.xml into custom-extension.war!/WEB-INF/conf/configuration.xml.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <configuration
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd http://www.exoplatform.org/xml/ns/kernel_1_2.xsd"
       xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">

        <import>war:/conf/organization/idm-configuration.xml</import>
    </configuration>
  3. Copy the content of the portal.war!/WEB-INF/conf/organization/idm-configuration.xml file of eXo Platform into the idm-configuration.xml of your extension project. Then, in that idm-configuration.xml, replace

    <value>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</value>

    with the path to the picketlink-idm-ldap-config.xml file of your extension project:

    <value>war:/conf/organization/picketlink-idm-ldap-config.xml</value>
  4. Copy the content of one of the PicketLink sample files into the picketlink-idm-ldap-config.xml of your extension project.

    The sample files are in portal.war!/WEB-INF/conf/organization/picketlink-idm/examples. Choose one of the following files:

    • picketlink-idm-msad-config.xml if you use MS Active Directory.

    • picketlink-idm-openldap-config.xml for OpenLDAP.

    • Otherwise, picketlink-idm-ldap-config.xml.

  5. Modify the picketlink-idm-ldap-config.xml file according to your LDAP setup. You often need to change the following parameters:

    • The suffix (dc=test,dc=domain, dc=my-domain,dc=com or dc=example,dc=com) should be replaced with your real suffix throughout the whole file.

    • providerURL

    • adminDN

    • adminPassword

  6. Perform the following sub-steps, which apply to Microsoft Active Directory (MSAD) only:

    i. Prepare a truststore file containing the valid certificate for MSAD. It can be generated with the following command (keytool ships with the JDK):

    keytool -import -file certificate -keystore truststore

    ii. Edit the following parameters in the picketlink-idm-ldap-config.xml file:

    • providerURL: Should use SSL (ldaps://).

    • customSystemProperties: Give your truststore file path and password.

      <name>customSystemProperties</name>
      <value>javax.net.ssl.trustStore=/path/to/msad.truststore</value>
      <value>javax.net.ssl.trustStorePassword=password</value>
  7. Uncomment the following entries in the idm-configuration.xml file:

    • groupTypeMappings

      <entry>
          <key><string>/platform/*</string></key>
          <value><string>platform_type</string></value>
      </entry>
      <entry>
          <key><string>/organization/*</string></key>
          <value><string>organization_type</string></value>
      </entry>
    • ignoreMappedMembershipTypeGroupList

      <value>
          <string>/platform/*</string>
      </value>
      <value>
          <string>/organization/*</string>
      </value>

    This step enables the mapping of the predefined Platform groups (those under /platform and /organization) to LDAP. If you skip this step, only users are mapped.

  8. Deploy your extension (see Creating your extension project for how to do this). Make sure the LDAP server is running, then start eXo Platform.
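As an added sanity check (not part of the eXo documentation or the PicketLink sample files), the script below reads an option block from picketlink-idm-ldap-config.xml and reports what steps 5 and 6 leave undone: a sample suffix that was not replaced, a providerURL that does not use ldaps://, and a missing trust store path or password. The fragment is constructed; the enclosing `<identity-store>`, `<options>` and `<option>` element names are assumed from the `<name>`/`<value>` layout shown above rather than copied from the real sample files.

```python
import xml.etree.ElementTree as ET

# Constructed fragment; element names around <name>/<value> are assumed.
# It deliberately still carries a sample suffix, a plain ldap:// URL and no
# trustStorePassword, so the checks below have something to report.
SAMPLE_CONFIG = """\
<identity-store>
  <options>
    <option><name>providerURL</name><value>ldap://ad.example.com</value></option>
    <option><name>adminDN</name><value>cn=Administrator,cn=Users,dc=my-domain,dc=com</value></option>
    <option><name>adminPassword</name><value>secret</value></option>
    <option>
      <name>customSystemProperties</name>
      <value>javax.net.ssl.trustStore=/path/to/msad.truststore</value>
    </option>
  </options>
</identity-store>
"""

# The placeholder suffixes the page says to replace in the whole file.
SAMPLE_SUFFIXES = ("dc=test,dc=domain", "dc=my-domain,dc=com", "dc=example,dc=com")

def options(xml_text):
    """Collect every <option> as {name: [values]}; one option may carry several values."""
    found = {}
    for opt in ET.fromstring(xml_text).iter("option"):
        found[opt.findtext("name")] = [v.text for v in opt.findall("value")]
    return found

def check_config(xml_text, real_suffix, msad=False):
    """Return findings for steps 5 and 6; an empty list means nothing was left undone."""
    findings = []
    for suffix in SAMPLE_SUFFIXES:
        if suffix != real_suffix and suffix in xml_text:
            findings.append(f"sample suffix {suffix} still present")
    opts = options(xml_text)  # also fails loudly if the XML is not well-formed
    if msad:
        url = opts.get("providerURL", [""])[0]
        if not url.startswith("ldaps://"):
            findings.append(f"providerURL is not ldaps://: {url}")
        props = opts.get("customSystemProperties", [])
        for key in ("javax.net.ssl.trustStore=", "javax.net.ssl.trustStorePassword="):
            if not any(p.startswith(key) for p in props):
                findings.append(f"customSystemProperties lacks {key[:-1]}")
    return findings
```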

Testing

Platform users (such as the predefined root) and groups (the sub-groups of /platform and /organization) should be added to the LDAP tree. For example, if the suffix is dc=example,dc=com and the directory is OpenLDAP, the root user entry will look like:

# root, People, portal, gatein, example.com
dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
uid: root
objectClass: top
objectClass: inetOrgPerson
userPassword:: Z3Ru
mail: root@localhost
cn: Root
sn: Root

The /organization/executive-board group entry will look like:

# executive-board, Organization, portal, gatein, example.com
dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: executive-board
member: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com

The whole directory is:

# example.com
dn: dc=example,dc=com

# gatein, example.com
dn: o=gatein,dc=example,dc=com

# portal, gatein, example.com
dn: o=portal,o=gatein,dc=example,dc=com

# Platform, portal, gatein, example.com
dn: ou=Platform,o=portal,o=gatein,dc=example,dc=com

# Organization, portal, gatein, example.com
dn: ou=Organization,o=portal,o=gatein,dc=example,dc=com

# People, portal, gatein, example.com
dn: ou=People,o=portal,o=gatein,dc=example,dc=com

# administrators, Platform, portal, gatein, example.com
dn: cn=administrators,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# users, Platform, portal, gatein, example.com
dn: cn=users,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# guests, Platform, portal, gatein, example.com
dn: cn=guests,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# web-contributors, Platform, portal, gatein, example.com
dn: cn=web-contributors,ou=Platform,o=portal,o=gatein,dc=example,dc=com

# management, Organization, portal, gatein, example.com
dn: cn=management,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# executive-board, Organization, portal, gatein, example.com
dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# employees, Organization, portal, gatein, example.com
dn: cn=employees,ou=Organization,o=portal,o=gatein,dc=example,dc=com

# root, People, portal, gatein, example.com
dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
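As an added verification step (not part of the eXo documentation), the script below parses an LDIF export of this tree, checks that every entry's parent and every group member actually exist, and flags userPassword values that carry no {scheme} prefix, since the `::` in LDIF only marks base64 encoding, not a hash. The sample LDIF is constructed from the entries shown above, with one dangling member added on purpose.

```python
import base64

# Constructed sample: the containers above, the root user as the page shows it,
# and a group whose second member does not exist anywhere in the tree.
SAMPLE_LDIF = """\
dn: dc=example,dc=com

dn: o=gatein,dc=example,dc=com

dn: o=portal,o=gatein,dc=example,dc=com

dn: ou=People,o=portal,o=gatein,dc=example,dc=com

dn: ou=Organization,o=portal,o=gatein,dc=example,dc=com

dn: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
userPassword:: Z3Ru

dn: cn=executive-board,ou=Organization,o=portal,o=gatein,dc=example,dc=com
member: uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com
member: uid=ghost,ou=People,o=portal,o=gatein,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; 'attr::' marks a base64-encoded value."""
    entries, attrs = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # entry separators and comments
            continue
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if attr == "dn":
            attrs = entries.setdefault(value, {})
        else:
            attrs.setdefault(attr, []).append(value)
    return entries

def check_tree(entries, suffix):
    """Flag orphan entries, dangling group members and unhashed passwords."""
    findings = []
    for dn, attrs in entries.items():
        parent = dn.partition(",")[2]  # assumes no escaped commas, true for this tree
        if dn != suffix and parent not in entries:
            findings.append(f"orphan entry {dn}: parent {parent} missing")
        for member in attrs.get("member", []):
            if member not in entries:
                findings.append(f"dangling member in {dn}: {member}")
        for pw in attrs.get("userPassword", []):
            if not pw.startswith("{"):  # no {SSHA}/{CRYPT} scheme: base64 is not a hash
                findings.append(f"cleartext userPassword on {dn}")
    return findings
```

Run it against an `ldapsearch -LLL` export of your own tree after deployment; a clean run returns an empty list.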