Thursday, July 5, 2007

LDAP support tutorial for JBoss Portal 2.6 (part 2)

LDAP support tutorial for JBoss Portal 2.6 (part 2)

In previous post I showed you how to enable LDAP support in JBoss Portal 2.6. Simple LDAP tree containing single 'ou=People' and 'ou=Roles' containers was used as an example.


In most cases portal deployment needs to cover more complex LDAP tree shapes. Lets consider LDAP tree with few separate containers for user entries:


We want to have an intranet portal that will be accessible for our employees (IT, HR and Sales) and not for our customers. We have few possibilities but the simplest one will be to specify a few separate LDAP search DNs to retrieve users. To do this we need to use the LDAPExtUserModuleImpl as UserModule in JBoss Portal.

In your 'ldap_identity-config.xml' file you will need to update User module configuration to enable LDAPExtUserModuleImpl implementation.

<module>
<type>User</type>
<implementation>LDAP</implementation>
<class>org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl</class>
<config>
</config>
</module>
... and
<option-group>
<group-name>common</group-name>

<option>
<name>userCtxDN</name>
<value>ou=Sales,o=test,dc=portal,dc=example,dc=com</value>
<value>ou=HR,o=test,dc=portal,dc=example,dc=com</value>
<value>ou=IT,o=test,dc=portal,dc=example,dc=com</value>
</option>

<option>
<name>roleCtxDN</name>
<value>ou=Roles,o=test,dc=portal,dc=example,dc=com</value>
</option>

<option>
<name>userSearchFilter</name>
<value><![CDATA[(uid={0})]]></value>
</option>
</option-group>
With such a configuration JBoss Portal will retrieve its users from 'ou=Sales', 'ou=IT' and 'ou=HR' containers and not from 'ou=Customers'. In a very similar way you can configure many search DNs for roles. Just use 'LDAPExtRoleModuleImpl' and specify several values for 'roleCtxDN' option.

By using extended features you loose the possibility to manage user entries - with 'LDAPExtUserModuleImpl' you cannot create users from JBoss Portal administration panel, however you can still manage roles membership.

Notice that with 'LDAPExtUserModuleImpl' you need to specify an additional config option: userSearchFilter. This implementation gives you the possibility to specify powerful LDAP queries to obtain users from the directory. The syntax of the filter is compatible with RFC 2254 - you can find more in this document. Additionally '{0}' string is replaced with user name during the query.

In our example we used '(uid={0})' because in our case the 'uid' parameter is used to specify user name in LDAP entries. Using userSearchFilter you can also specify logical conditions like:

(&(uid={0})(objectClass=inetUser)(memberOf=cn=portalUser,ou=Roles,o=test,dc=portal,dc=example,dc=com))

With such a filter JBoss Portal will retrieve only users that have 'inetUser' objectClass and belong to 'portalUser' LDAP Role.

In conclusion we have seen the the very flexible and powerful support for custom LDAP trees that JBoss Portal offers since the 2.6 version.

4 comments:

GenTeal said...

Does not do subtree search from the user context.

Richard B said...

Hello,

Some LDAP server like fedora directory server use the notion of role with the object nsrole (not à group). How can we define the parameter in that case.

Thanks a lot.

Hendra Burian said...

Can we map the LDAP group to jboss portal role so when the user IT in ldap group automaticly assign to the IT jboss portal role.

Thanx

Manoj Maniraj said...

Got timely help from this article...Thanks.