This section is a detailed analysis of the configuration you used in Quick start. These explanations will help you understand the structure and quickly find the configuration you want to edit, which is good preparation for writing your own identity object types in the next tutorials.
idm-configuration.xml
In idm-configuration.xml, the whole configuration consists of eXo services.
The eXo service configuration is started by either:
A pair of key and type tags that looks like the following:
<component>
  <key>the_FQN_of_the_service_interface</key>
  <type>the_FQN_of_the_service_implementation</type>
</component>
Or an external-component-plugins tag that looks like the following:
<external-component-plugins>
  <target-component>the_FQN_of_the_service_implementation</target-component>
</external-component-plugins>
You mostly need to re-configure the two services below without changing the default configuration of others:
org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl
org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl
PicketLinkIDMServiceImpl service
The only parameter you need to re-configure for this service is config:
<component>
  <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
  <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
  <init-params>
    <value-param>
      <name>config</name>
      <value>war:/conf/organization/picketlink-idm-openldap-acme-config.xml</value>
      ...
It points to the PicketLink IDM configuration file (picketlink-idm-ldap-config.xml in the Quick start section).
PicketLinkIDMOrganizationServiceImpl service
In Quick start, you re-configure this service to enable the group mapping. The configuration matches a Platform group (like /platform) with a PicketLink IDM identity object type. The object type must then be configured in the PicketLink IDM configuration file. In Quick start, you do not need to write such a configuration because you use the pre-configured types (platform_type and organization_type):
<field name="groupTypeMappings">
  <map type="java.util.HashMap">
    ...
    <entry>
      <key><string>/platform/*</string></key>
      <value><string>platform_type</string></value>
    </entry>
    <entry>
      <key><string>/organization/*</string></key>
      <value><string>organization_type</string></value>
    </entry>
    ...
  </map>
</field>
PicketLink IDM configuration file
Let's see the structure of picketlink-idm-ldap-config.xml:
<realms>...</realms>
<repositories>
  <repository><id>PortalRepository</id></repository>
  <repository><id>DefaultPortalRepository</id></repository>
</repositories>
<stores>
  <identity-stores>
    <identity-store><id>HibernateStore</id></identity-store>
    <identity-store><id>PortalLDAPStore</id></identity-store>
  </identity-stores>
</stores>
Realm: You will not re-configure this part in this guideline.
Repository: Where your store and identity object types are used, by id reference.
Store: The central part of this guideline, where you configure the LDAP connection, the identity object types and all the attribute mappings.
To make this guideline easier to understand, DefaultPortalRepository and HibernateStore, which should not be re-configured, are excluded, and the id references are added. Also, organization_type is omitted because of its similarity to platform_type. The structure is re-drawn as follows:
<repositories>
  <repository>
    <id>PortalRepository</id>
    <identity-store-mappings>
      <identity-store-mapping>
        <identity-store-id>PortalLDAPStore</identity-store-id>
        <identity-object-types>
          <identity-object-type>USER</identity-object-type>
          <identity-object-type>platform_type</identity-object-type>
        </identity-object-types>
      </identity-store-mapping>
    </identity-store-mappings>
  </repository>
</repositories>
<stores>
  <identity-stores>
    <identity-store>
      <id>PortalLDAPStore</id>
      <supported-identity-object-types>
        <identity-object-type>
          <name>USER</name>
          <!-- attributes & options -->
        </identity-object-type>
        <identity-object-type>
          <name>platform_type</name>
          <!-- attributes & options -->
        </identity-object-type>
      </supported-identity-object-types>
    </identity-store>
  </identity-stores>
</stores>
LDAP connection
The LDAP connection (URL and credentials) is Store configuration. It is provided in the PortalLDAPStore:
<identity-store>
  <id>PortalLDAPStore</id>
  ...
  <options>
    <option>
      <name>providerURL</name>
      <value>ldap://localhost:389</value>
    </option>
    <option>
      <name>adminDN</name>
      <value>cn=admin,dc=example,dc=com</value>
    </option>
    <option>
      <name>adminPassword</name>
      <value>gtn</value>
    </option>
    ...
  </options>
</identity-store>
Read-only mode
The Read-only mode is Repository configuration. It is an option of the repository that prevents eXo Platform from writing to the LDAP directory. In Quick start, this option is omitted, so the mode is read-write. To enable the read-only mode, set the option to true:
<repository>
  <id>PortalRepository</id>
  <identity-store-mappings>
    <identity-store-mapping>
      <identity-store-id>PortalLDAPStore</identity-store-id>
      <options>
        <option>
          <name>readOnly</name>
          <value>true</value>
        </option>
      </options>
    </identity-store-mapping>
  </identity-store-mappings>
</repository>
Placeholder - A note for OpenLDAP
In the OpenLDAP default core schema, the member attribute is a MUST attribute of the groupOfNames objectClass:
objectclass ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
Therefore, PicketLink IDM uses a placeholder entry as a dummy member when it creates a groupOfNames. The placeholder DN must be configured as an option of every group type:
<identity-object-type>
  <name>platform_type</name>
  <options>
    <option>
      <name>parentMembershipAttributePlaceholder</name>
      <value>ou=placeholder,o=portal,o=gatein,dc=example,dc=com</value>
    </option>
  </options>
</identity-object-type>
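The two files above must agree with each other: every type a repository maps to a store must be declared by that store, every type named in groupTypeMappings must be declared somewhere, and on OpenLDAP every group type needs the placeholder option described in this note. The following Python script is an added example, not part of eXo Platform or PicketLink IDM; it cross-checks the sections discussed on this page (structure, LDAP connection, read-only mode and the placeholder note) and also flags a plain ldap:// providerURL and a clear-text adminPassword, which are the settings shown in the Quick start configuration. The sample XML embedded in it is constructed for the example; the root element name and namespace of the real PicketLink file are assumptions (the script strips any namespace before searching), and the rule that every supported type other than USER is a group type is an assumption as well.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the groupTypeMappings field from idm-configuration.xml.
IDM_CONFIGURATION = """
<field name="groupTypeMappings"><map type="java.util.HashMap">
  <entry><key><string>/platform/*</string></key><value><string>platform_type</string></value></entry>
  <entry><key><string>/organization/*</string></key><value><string>organization_type</string></value></entry>
</map></field>
"""

# Constructed sample of picketlink-idm-ldap-config.xml. Root element and namespace are
# assumed. organization_type is deliberately referenced but never declared, and readOnly
# is left unset, so the checks below have something to report.
PICKETLINK_CONFIG = """
<jboss-identity xmlns="urn:picketlink:idm:config:v1_0_0">
  <repositories><repository><id>PortalRepository</id>
    <identity-store-mappings><identity-store-mapping>
      <identity-store-id>PortalLDAPStore</identity-store-id>
      <identity-object-types>
        <identity-object-type>USER</identity-object-type>
        <identity-object-type>platform_type</identity-object-type>
        <identity-object-type>organization_type</identity-object-type>
      </identity-object-types>
    </identity-store-mapping></identity-store-mappings>
  </repository></repositories>
  <stores><identity-stores><identity-store><id>PortalLDAPStore</id>
    <supported-identity-object-types>
      <identity-object-type><name>USER</name></identity-object-type>
      <identity-object-type><name>platform_type</name>
        <options><option><name>parentMembershipAttributePlaceholder</name>
          <value>ou=placeholder,o=portal,o=gatein,dc=example,dc=com</value></option></options>
      </identity-object-type>
    </supported-identity-object-types>
    <options>
      <option><name>providerURL</name><value>ldap://localhost:389</value></option>
      <option><name>adminDN</name><value>cn=admin,dc=example,dc=com</value></option>
      <option><name>adminPassword</name><value>gtn</value></option>
    </options>
  </identity-store></identity-stores></stores>
</jboss-identity>
"""


def parse(xml_text):
    """Parse XML and drop namespace prefixes so plain tag names can be searched."""
    root = ET.fromstring(xml_text.strip())
    for el in root.iter():
        if el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def options(node):
    """Return the <options> directly under node as a name -> value dict."""
    return {o.findtext("name"): o.findtext("value") for o in node.findall("options/option")}


def group_type_mappings(field):
    """Read the groupTypeMappings field into a group-pattern -> type-name dict."""
    return {e.findtext("key/string"): e.findtext("value/string") for e in field.iter("entry")}


def audit(idm_xml, pl_xml):
    """Cross-check both files; return a list of (code, message) findings."""
    findings = []
    mappings = group_type_mappings(parse(idm_xml))
    pl = parse(pl_xml)
    stores = {s.findtext("id"): s for s in pl.iter("identity-store")}
    declared = {}  # type name -> id of the store that declares it
    for store_id, store in stores.items():
        for t in store.findall("supported-identity-object-types/identity-object-type"):
            name = t.findtext("name")
            declared[name] = store_id
            # Assumption: every supported type except USER is a group type, which on
            # OpenLDAP needs the groupOfNames placeholder member.
            if name != "USER" and "parentMembershipAttributePlaceholder" not in options(t):
                findings.append(("NO_PLACEHOLDER", f"{store_id}/{name}: no parentMembershipAttributePlaceholder"))
        opts = options(store)
        if opts.get("providerURL", "").startswith("ldap://"):
            findings.append(("PLAIN_LDAP", f"{store_id}: admin bind to {opts['providerURL']} is unencrypted"))
        if opts.get("adminPassword"):
            findings.append(("CLEAR_PASSWORD", f"{store_id}: adminPassword is stored in clear text"))
    for repo in pl.iter("repository"):
        for m in repo.findall("identity-store-mappings/identity-store-mapping"):
            store_id = m.findtext("identity-store-id")
            if store_id not in stores:
                findings.append(("UNKNOWN_STORE", f"{repo.findtext('id')}: store {store_id} does not exist"))
                continue
            for t in m.findall("identity-object-types/identity-object-type"):
                if declared.get(t.text) != store_id:
                    findings.append(("UNDECLARED_TYPE", f"{store_id}: mapped for {t.text} but does not declare it"))
            if options(m).get("readOnly") != "true":
                findings.append(("READ_WRITE", f"{store_id}: readOnly not set, Platform may write to the directory"))
    for pattern, type_name in mappings.items():
        if type_name not in declared:
            findings.append(("UNDECLARED_TYPE", f"group {pattern} maps to {type_name}, declared in no store"))
    return findings


if __name__ == "__main__":
    for code, message in audit(IDM_CONFIGURATION, PICKETLINK_CONFIG):
        print(code, message)
```

Run it against your own two files by reading them into the two strings; a clean configuration returns an empty list. The PLAIN_LDAP and CLEAR_PASSWORD findings are informational for a localhost test setup like Quick start, but they are the first things to fix before pointing providerURL at a production directory: switch to ldaps:// and keep file permissions on the configuration tight, since it holds the admin bind password.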