Follow this guide if you want to connect to more than one LDAP directory, for example two OpenLDAP databases with the suffixes dc=example,dc=com and dc=example,dc=net.
Basically, you will configure two identity stores and map them in the PortalRepository repository.
In this way you can create different connections using different hosts/ports, credentials, protocols (ldap/ldaps) and even different LDAP implementations, for example one MSAD directory and one OpenLDAP directory.
<repositories>
  <repository>
    <id>PortalRepository</id>
    <identity-store-mappings>
      <identity-store-mapping>
        <identity-store-id>PortalLDAPStore</identity-store-id>
        ...
      </identity-store-mapping>
      <identity-store-mapping>
        <identity-store-id>PortalLDAPStore2</identity-store-id> <!-- the second store -->
        ...
      </identity-store-mapping>
    </identity-store-mappings>
  </repository>
</repositories>
<stores>
  <identity-stores>
    <identity-store>
      <id>HibernateStore</id>
      ...
    </identity-store>
    <identity-store>
      <id>PortalLDAPStore</id>
      ...
    </identity-store>
    <identity-store>
      <id>PortalLDAPStore2</id> <!-- the second store -->
      ...
    </identity-store>
  </identity-stores>
</stores>
It is quite simple if all the LDAP stores are read-only. But in read-write mode, be aware that all users and groups will be saved to only one store, and it must be the first store.
In other words, there is no point in setting the second store to read-write mode. When a user is created in eXo Platform, the identity object is saved in the first LDAP store if that store is read-write. If it is not, the object is saved in the IDM (SQL) database, never in the second LDAP store.
So for read-write mode, assuming you want to store platform groups in LDAP, here is the suggested configuration:
In idm-configuration.xml:
<field name="groupTypeMappings">
  <map type="java.util.HashMap">
    <entry>
      <key><string>/</string></key>
      <value><string>root_type</string></value>
    </entry>
    <entry>
      <key><string>/platform/*</string></key>
      <value><string>platform_type</string></value>
    </entry>
    <entry>
      <key><string>/com/example/*</string></key>
      <value><string>example_com_group_type</string></value>
    </entry>
    <entry>
      <key><string>/net/example/*</string></key>
      <value><string>example_net_group_type</string></value>
    </entry>
  </map>
</field>
<field name="ignoreMappedMembershipTypeGroupList">
  <collection type="java.util.ArrayList" item-type="java.lang.String">
    <value><string>/platform/*</string></value>
    <value><string>/com/example/*</string></value>
    <value><string>/net/example/*</string></value>
  </collection>
</field>
In picketlink-idm-*.xml:
<identity-store-mapping>
  <identity-store-id>PortalLDAPStore</identity-store-id>
  <identity-object-types>
    <identity-object-type>USER</identity-object-type>
    <identity-object-type>platform_type</identity-object-type>
    <identity-object-type>example_com_group_type</identity-object-type>
  </identity-object-types>
  <options>
    <option>
      <name>readOnly</name>
      <value>false</value>
    </option>
  </options>
</identity-store-mapping>
<identity-store-mapping>
  <identity-store-id>PortalLDAPStore2</identity-store-id>
  <identity-object-types>
    <identity-object-type>USER</identity-object-type>
    <identity-object-type>example_net_group_type</identity-object-type>
  </identity-object-types>
  <options>
    <option>
      <name>readOnly</name>
      <value>true</value>
    </option>
  </options>
</identity-store-mapping>
Some other considerations:
If there are two users with the same username in the LDAP directories, for example uid=john,ou=Employees,dc=example,dc=com and uid=john,ou=People,dc=example,dc=net, only one of them will be mapped into eXo Platform.
You should keep the groups and memberships separated between the two directories. For example:
DO create /com/example to map with example_com_group_type, and /net/example to map with example_net_group_type.
DON'T assign a user of one store to a group of the other store.
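As an added example, not part of the eXo Platform or PicketLink documentation or code, the following Python script checks a picketlink-idm style store-mapping fragment against the two rules above: only the first store mapping can actually receive writes, so readOnly=false on a later mapping is pointless, and each group type should be mapped to exactly one store so groups stay separated between directories. It also demonstrates the duplicate-username case on constructed DNs. The XML samples and DNs are constructed for this demo; treating a mapping without a readOnly option as writable is an assumption made by this checker so that it is still flagged, not PicketLink's documented default.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def mapping_xml(store_id, object_types, read_only):
    """Build one <identity-store-mapping> element in the picketlink-idm-*.xml shape."""
    types = "".join(f"<identity-object-type>{t}</identity-object-type>" for t in object_types)
    flag = "true" if read_only else "false"
    return (
        f"<identity-store-mapping><identity-store-id>{store_id}</identity-store-id>"
        f"<identity-object-types>{types}</identity-object-types>"
        f"<options><option><name>readOnly</name><value>{flag}</value></option></options>"
        "</identity-store-mapping>"
    )


def repository_xml(mappings):
    """Wrap the mappings in a PortalRepository element like the configuration above."""
    return (
        "<repositories><repository><id>PortalRepository</id><identity-store-mappings>"
        + "".join(mappings)
        + "</identity-store-mappings></repository></repositories>"
    )


# Constructed sample 1: the suggested configuration from the text.
GOOD_CONFIG = repository_xml([
    mapping_xml("PortalLDAPStore", ["USER", "platform_type", "example_com_group_type"], False),
    mapping_xml("PortalLDAPStore2", ["USER", "example_net_group_type"], True),
])

# Constructed sample 2: the second store is also read-write, and one group
# type is mapped to both stores.
BAD_CONFIG = repository_xml([
    mapping_xml("PortalLDAPStore", ["USER", "platform_type", "example_com_group_type"], False),
    mapping_xml("PortalLDAPStore2", ["USER", "example_com_group_type"], False),
])


def parse_mappings(xml_text):
    """Return [(store_id, [object types], read_only)] in document order."""
    result = []
    for m in ET.fromstring(xml_text).iter("identity-store-mapping"):
        store = m.findtext("identity-store-id").strip()
        types = [t.text.strip() for t in m.iter("identity-object-type")]
        value = None
        for opt in m.iter("option"):
            if (opt.findtext("name") or "").strip() == "readOnly":
                value = (opt.findtext("value") or "").strip().lower()
        # Assumption of this checker: a mapping with no readOnly option is
        # treated as writable, so it is still reported by lint_mappings().
        result.append((store, types, value == "true"))
    return result


def lint_mappings(xml_text):
    """Apply the two rules from the text and return a list of findings (empty if clean)."""
    findings = []
    mappings = parse_mappings(xml_text)
    if not mappings:
        return findings
    first_store = mappings[0][0]
    # Rule 1: new identities only ever go to the first store (or the IDM
    # database), so readOnly=false on any later mapping has no effect.
    for store, _types, read_only in mappings[1:]:
        if not read_only:
            findings.append(
                f"{store}: readOnly=false has no effect; new users and groups are "
                f"saved to {first_store} (or the IDM database), never to this store"
            )
    # Rule 2: keep groups separated, i.e. each group type belongs to one store.
    owners = defaultdict(list)
    for store, types, _read_only in mappings:
        for t in types:
            if t != "USER":
                owners[t].append(store)
    for group_type, stores in owners.items():
        if len(stores) > 1:
            findings.append(f"group type {group_type} is mapped to several stores: {', '.join(stores)}")
    return findings


def find_duplicate_uids(dns):
    """Return {uid: [dn, ...]} for uid values that occur in more than one DN.
    The first RDN is taken by splitting on the first comma, which is enough for
    the simple DNs used here (escaped commas are not handled)."""
    by_uid = defaultdict(list)
    for dn in dns:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "uid":
            by_uid[value.strip()].append(dn)
    return {uid: entries for uid, entries in by_uid.items() if len(entries) > 1}


# Constructed sample DNs from both directories, including the "john" collision.
SAMPLE_DNS = [
    "uid=john,ou=Employees,dc=example,dc=com",
    "uid=alice,ou=Employees,dc=example,dc=com",
    "uid=john,ou=People,dc=example,dc=net",
    "cn=admins,ou=Groups,dc=example,dc=net",
]

if __name__ == "__main__":
    for name, config in (("suggested", GOOD_CONFIG), ("broken", BAD_CONFIG)):
        print(name, lint_mappings(config) or ["no findings"])
    print(find_duplicate_uids(SAMPLE_DNS))
```

Run against the suggested configuration the linter reports nothing; against the broken sample it reports both the useless readOnly=false on PortalLDAPStore2 and the group type shared by the two stores. The uid check is a pre-deployment sanity step: export the uid values of both directories and look for collisions before mapping them, since the platform will only map one of the two john entries.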