Warning
You are looking at documentation for an older release. Not what you want? See the current release documentation.
In this guide, you will learn how to configure eXo Platform with a directory server. It provides a step by step tutorial to help you succeed the integration.
eXo Platform can be integrated with a variety of directory servers. For the 4.4 version, this is the list of the supported ones:
OpenLDAP.
Active directory: eXo Platform intregration with an Active directory is only supported in readOnly.
RedHat Directory server.
OpenDJ.
Please refer to supported-environments file for more details.
Step by step tutorial to configure eXo Platform with a directory server
To configure eXo Platform with LDAP, you need to follow these steps:
In your custom extension, create this path if it does not exist $PLF_HOME/webapps/custom-extension/WEB-INF/conf/organization (for Tomcat) and $PLF_HOME/standalone/deployments/platform.ear/custom-extension/WEB-INF/conf/organization (for Jboss).
Under this path, put the file idm-configuration.xml
Uncomment the appropriate instruction from this section defining the path of the picketlink configuration file corresponding to the used LDAP and the desired mode (read/write or readOnly):
If you want to configure with LDAP (OpenDJ) in readOnly mode, you should uncomment this section:
<!--Sample LDAP config-->
<value>war:/conf/organization/picketlink-idm/picketlink-idm-ldap-config.xml</value>
and set the variable
<isReadOnly>false</isReadOnly>
to true in picketlink-idm-ldap-config.xml for each attribute.
If you want to configure with LDAP (OpenDJ) in read/Write mode, you should uncomment this section:
<!--Sample LDAP config-->
<value>war:/conf/organization/picketlink-idm/picketlink-idm-ldap-config.xml</value>
and set the variable
<isReadOnly>false</isReadOnly>
to false in picketlink-idm-ldap-config.xml for each attribute.
If you want to configure with Active Directory in readOnly mode, you should uncomment this section:
<!--MSAD Read Only "ACME" LDAP Example-->
<value>war:/conf/organization/picketlink-idm/picketlink-idm-msad-readonly-config.xml</value>
and set the variable
<isReadOnly>false</isReadOnly>
to true in picketlink-idm-msad-readonly-config.xml for each attribute.
If you want to configure with Active Directory in read/write mode, you should uncomment this section:
<!--MSAD Read Only "ACME" LDAP Example-->
<value>war:/conf/organization/picketlink-idm/picketlink-idm-msad-config.xml</value>s
and set the variable
<isReadOnly>false</isReadOnly>
to false in picketlink-idm-msad-config.xml for each attribute.
Configure the needed settings: access URL to the directory server, login and password.
For LDAP (OpenDJ, Open LDAP): Configure this section in picketlink-idm-ldap-config.xml file.
<option>
<name>providerURL</name>
<value>ldap://localhost:1389</value>
</option>
<option>
<name>adminDN</name>
<value>cn=Directory Manager</value>
</option>
<option>
<name>adminPassword</name>
<value>password</value>
</option>
For Active directory, configure this section in either picketlink-idm-msad-config.xml or picketlink-idm-msad-readonly-config.xml.
<option>
<name>providerURL</name>
<value>[ldap|ldaps]://[msad-host]:[port]</value>
</option>
<option>
<name>adminDN</name>
<value>TEST\Administrator</value>
</option>
<option>
<name>adminPassword</name>
<value>[adminPasswordValue]</value>
</option>
If you want to import users from multiple trees in the same LDAP/AD, you should set multiple values for the
ctxDNsas below:
<option>
<name>ctxDNs</name>
<value>ou=Organization,o=gatein,dc=test,dc=domain</value>
<value>ou=Organization2,o=gatein2,dc=test2,dc=domain2</value>
....
<value>ou=Organizationx,o=gateinx,dc=testx,dc=domainx</value>
</option>
The users of the different trees will be mapped in the platform.
Users and groups synchronization
In case you connected eXo Platform to an already populated LDAP/AD, the users are added to the platfrom but are inactive. Logging in with an inactive user avtivates him. This solution is not efficient in case of a big number of users
To activate a big number of users, you should follow the below procedure.
In your custom extension, create this path if it does not exist $PLF_HOME/webapps/custom-extension/WEB-INF/conf/platform (for Tomcat) and $PLF_HOME/standalone/deployments/platform.ear/custom-extension/WEB-INF/conf/platform (for Jboss).
Add under that path the file organization-integration-configuration.xml.
In the file configuration.xml, add the import instruction:
<import>war:/conf/platform/organization-integration-configuration.xml</import>
After starting the server, use the following REST services url to make the synchronisation of:
A single user:
/portal/rest/management/orgsync/syncUser?username=USERNAME&eventType=EVENT
All users:
/portal/rest/management/orgsync/syncAllUser?eventType=EVENT
A single group:
/portal/rest/management/orgsync/syncGroup?groupId=GROUP_ID&eventType=EVENT
All groups:
/portal/rest/management/orgsync/syncAllGroups?eventType=EVENT
All users and groups:
/portal/rest/management/orgsync/syncAll
Where:
USERNAMEshould be replaced by the username of the user to be activated.GROUP_IDshould be replaced by the name of the group to be activated.EVENTshould be replaced by one of this three events:ADDED: When the user or the group to be activated is newly added.
UPDATED: When the user or the group to be synchronized is modified.
DELETED: When the user or the group is deleted from the organization.
You can use JMX instead of REST services URLs by invoking the appropriate operation and setting the corresponding event (ADDED, UPDATED or DELETED).
