Friday, June 8, 2007

LDAP support tutorial for JBoss Portal 2.6 (part 1)

In this tutorial we'll configure JBoss Portal LDAP support. You will learn the basic configuration that needs to be done to leverage a directory server in your portal deployment. Before we start you will need to get:

  • JBoss Portal sources:

    The best way to obtain latest JBoss Portal 2.6 sources is to use Subversion:

    $ svn co http://anonsvn.jboss.org/repos/portal/tags/JBoss_Portal_2_6_0/ jboss-portal-2.6
  • JBoss Application Server 4.0.5GA.

    It can be downloaded from here: http://labs.jboss.com/jbossas/downloads

    You need to download the .zip version and simply unpack it somewhere on your disk. Before you proceed, the 'JBOSS_HOME' environment variable should be set to point to the directory containing the unpacked archive. Under Linux you can use:

    $ export JBOSS_HOME=/opt/JBoss/jboss-4.0.5GA

Preparing the LDAP directory.

In this tutorial we'll use the OpenDS directory server. JBoss Portal uses it for its unit tests, so the source distribution includes an embedded directory server that can be deployed on JBoss Application Server.
  1. Build JBoss Portal sources by doing:

    [jboss-portal-2.6] $ ./build/build.sh

    This may take a while, as all necessary libraries have to be downloaded from a library repository. Throughout this tutorial we'll assume that you are using Linux, but you will also find the corresponding '.bat' scripts for Windows.

  2. Deploy OpenDS directory server

    [jboss-portal-2.6] $ ./identity/build.sh deploy-ldap

    This will copy the necessary files into the JBoss AS installation pointed to by the 'JBOSS_HOME' environment variable.

  3. Run JBoss AS:

    $ cd $JBOSS_HOME/bin

    [bin] $ ./run.sh

At this point you should have an instance of the OpenDS LDAP server listening on port 10389. To be able to use it with the portal we need to provision it with sample data. To do this we'll use a simple Java GUI LDAP tool, LDAP Browser/Editor. It's a very lightweight tool that runs on many environments. Follow the installation notes given here: http://www-unix.mcs.anl.gov/~gawor/ldap/installation.html
You will simply need to download the archive, unpack it and run the lbe.sh or lbe.bat script (assuming that you have the java command on your operating system path). If you are using Fedora Linux you can also find an 'lbe' rpm package in the Dries repository.

Provision LDAP with sample data.

You will find an LDIF file containing the sample LDAP tree in the portal sources (jboss-portal-2.6/identity/src/resources/example/portal-sample-local.ldif). To add it into OpenDS using LDAP Browser you need to:

  1. Run LDAP Browser/Editor, and choose menu 'File' - 'Connect'


  2. Change to the 'Quick Connect' tab and enter the following information:
    • host: localhost
    • port: 10389
    • leave 'Base DN' empty
    • uncheck the 'Anonymous bind' checkbox
    • user DN: cn=Directory Manager
    • password: password
    • click 'Connect'
  3. click on 'Root DSE'
  4. choose menu 'LDIF' - 'Import'


  5. point to the 'jboss-portal-2.6/identity/src/resources/example/portal-sample-local.ldif' file and click 'Import'
You should now see the imported LDAP tree.


Shut down JBoss AS:
$ cd $JBOSS_HOME/bin
[bin] $ ./shutdown.sh


Configure JBoss Portal LDAP support

JBoss Portal is preconfigured to work with a locally deployed OpenDS. To enable LDAP support only a tiny modification is needed:

  1. Edit the file jboss-portal-2.6/core/src/resources/portal-core-sar/META-INF/jboss-service.xml and change the following line:

    'conf/identity/identity-config.xml'
    to
    'conf/identity/ldap_identity-config.xml'

    You will find the configuration details in jboss-portal-2.6/core/src/resources/portal-core-sar/conf/identity/ldap_identity-config.xml

  2. Install JBoss Portal:
    [jboss-portal-2.6] $ ./build/build.sh deploy-all
    [jboss-portal-2.6] $ ./core/build.sh datasource

    [jboss-portal-2.6] $ cp ./core/output/resources/setup/portal-hsqldb-ds.xml $JBOSS_HOME/server/default/deploy/
  3. Run JBoss Portal
    $ cd $JBOSS_HOME/bin

    [bin] $ ./run.sh
It works.

At this point JBoss Portal should store identity-related data in the LDAP store. Let's check it out.

  1. Open your browser and go to http://localhost:8080/portal


  2. Log in as user 'jduke' with password 'theduke'. This is the user account we added into LDAP in the previous steps.
  3. On the left side click on the 'Edit your profile' link.
  4. In the 'Real e-mail' field enter 'newemail@email.com' and click 'Save changes'


  5. Refresh the view in LDAP Browser and check that the new email address was updated in the proper user entry
  6. Log out of the portal and log back in as user 'admin' with password 'admin'.
  7. Click on the 'Admin' link in the top right corner and go into the 'Members' tab.
  8. Click on the 'Create User account' link.


  9. Fill in the form with sample data and click 'New user registration'
  10. Verify in LDAP Browser that the new user entry was added to the directory


  11. Try to log in with the username and password you specified for the new account.
  12. Go back to the 'Members' tab; there you can also list and manage all the users present in LDAP. It's also possible to assign specific roles to them. Try it out!


Please check out JBoss Portal 2.6 Reference Guide to learn more.

10 comments:

swisst said...

Great tutorial, thanks! I just have one small problem... I get the following errors when I try to login: 09:59:08,218 ERROR [LDAPUserProfileModuleImpl] No such attribute ('seeAlso') in entry: uid=jduke,ou=People,o=test,dc=portal,dc=example,dc=com
09:59:08,218 ERROR [LDAPUserProfileModuleImpl] No such attribute ('title') in entry: uid=jduke,ou=People,o=test,dc=portal,dc=example,dc=com

Boleslaw Dawidowicz said...

Hi.

Do you strictly follow the tutorial or use another LDAP server? Maybe it's because your schema differs and doesn't support objectClasses with such attributes. You can work around this issue by editing the 'profile-config.xml' file and removing the ldap mappings related to those attributes.

Please see
http://docs.jboss.com/jbportal/v2.6/referenceGuide/html/identity.html#d0e6031
for details.

If you have any other problems with LDAP the best will be to ask in JBoss Portal User Forum - http://jboss.org/index.html?module=bb&op=viewforum&f=215

Rhushikesh said...

This is a great tutorial, all the steps work wonderfully well and I could appreciate each step. Many many thanks!

scott.mcneilage said...

portal 2.6.2 src GA does not appear to have a /identity directory.
There is a /core-identity directory but ./build.sh deploy-ldap has no target.
Any chance of some updated instructions for this version?

TIA
Scott

Boleslaw Dawidowicz said...

http://jbossportal.blogspot.com/2007/09/jboss-portal-modularization.html

Identity is currently a separate module. You can find sources here:

http://anonsvn.jboss.org/repos/portal/modules/identity/tags/1_0_0/

EricSBrennan said...

I can log on and a page loads, but I get the below error.

I am logging into an MS Active Directory. In AD I have created a group called Portal_Admin and added my user (eaeesb) to this group. There is also a group called Portal_user that a group (Domain Users) belongs to. All users on our network are a memberOf (Domain Users)


Error
09:13:54,799 ERROR [LDAPUserProfileModuleImpl] No such attribute ('seeAlso') in entry: CN=Brennan\, Eric,OU=Learning Center Admins,OU=EAE Users,OU=EAE,OU=Field Support Center,OU=United States,OU=Domain Clients,DC=na,DC=ad,DC=rgis,DC=com

I have also tried a few other things. Followed GiveAdminPermissions - See http://wiki.jboss.org/wiki/Wiki.jsp?page=GiveAdminPrivileges

Boleslaw Dawidowicz said...

Look few comments up and you'll see the solution... :)

http://docs.jboss.com/jbportal/v2.6.2/referenceGuide/html/identity.html#user_profile_configuration

You need to alter profile-config.xml according to what attributes you have in your LDAP schema. Comment out "<ldap> <value>seeAlso</value></ldap>" and it'll do the job
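As an added check (not part of the tutorial or of JBoss Portal's own code), the Python below parses an LDIF entry and a profile-config.xml mapping fragment and lists the mapped LDAP attributes the entry does not carry, which is exactly what produces the 'No such attribute' errors discussed in the comments above. The LDIF entry and the profile-config.xml fragment are constructed stand-ins; the property names in the fragment are hypothetical and only the <ldap><value>…</value></ldap> shape follows the comments.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed stand-in for the tutorial's 'jduke' entry (not the real portal-sample-local.ldif).
SAMPLE_LDIF = """\
dn: uid=jduke,ou=People,o=test,dc=portal,dc=example,dc=com
objectClass: inetOrgPerson
uid: jduke
mail: jduke@example.com
description: sample entry for the JBoss Portal
  LDAP tutorial
userPassword:: dGhlZHVrZQ==
"""

# Hypothetical profile-config.xml fragment in the <ldap><value>..</value></ldap> shape the comments describe.
PROFILE_CONFIG = """\
<profile-config>
 <property><name>user.business-info.online.email</name><mapping><ldap><value>mail</value></ldap></mapping></property>
 <property><name>user.jobtitle</name><mapping><ldap><value>title</value></ldap></mapping></property>
 <property><name>portal.user.see-also</name><mapping><ldap><value>seeAlso</value></ldap></mapping></property>
</profile-config>
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attribute (lower-cased): [values]}}."""
    lines = text.replace('\n ', '').splitlines()   # unfold continuation lines
    entries, attrs = {}, {}
    for line in lines + ['']:                     # trailing '' flushes the last entry
        if line.startswith('#'):                  # comment lines are ignored
            continue
        if not line:                              # a blank line ends the entry
            if 'dn' in attrs:
                entries[attrs.pop('dn')[0]] = attrs
            attrs = {}
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):                 # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def mapped_ldap_attributes(profile_config_xml):
    """Return {profile property name: LDAP attribute} from the mapping XML."""
    props = ET.fromstring(profile_config_xml).iter('property')
    return {p.findtext('name'): p.findtext('mapping/ldap/value').strip()
            for p in props if p.find('mapping/ldap/value') is not None}

def missing_attributes(entry, mapping):
    """Mapped attributes the entry lacks: what LDAPUserProfileModuleImpl logs as 'No such attribute'."""
    return sorted(a for a in mapping.values() if a.lower() not in entry)
```

Run it against an export of your own directory and your real profile-config.xml to see which <ldap> mappings to comment out before deploying.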

Adi said...

I tried to create a user account but no entry was made in the LDAP. Please help me solve this problem, thank you.

Prabhat Jha said...

Adi, Please create a thread in JBoss Portal user forum (http://www.jboss.com/index.html?module=bb&op=viewforum&f=215) where your question will have a larger audience of community members. You should try searching your issues there as well.

WhizDoctor said...

Hello, I'm not sure what is the equivalent of the role-name from the XML configuration files within the Active Directory. In other words, where is role-name mapped to within the Active Directory? Thank you for your time!