Liferay + Alfresco + OpenSSO + LDAP Integration
By Uchit Vyas
contact@attuneuniversity.com
www.attuneuniversity.com
About Author
Uchit Vyas is a B.Tech. graduate in Computer Science with a research interest in ESB and Cloud, and is a certified Cisco (CCNA), VMware (VSP) and Red Hat Linux (RHCE) professional. He has the energy to work on multiple platforms at a time and the ability to integrate open source technologies. He works as a Sr. Consultant looking after AWS Cloud, Mule ESB, Alfresco and Liferay, and deploying Portal and ECM systems. He previously worked with TCS as an Assistant System Engineer.
With over 3+ years of hands-on experience with open source technologies, he guides the team and delivers projects and trainings. He has provided 13+ trainings on Cloud Computing, Continuous Delivery, Alfresco and Liferay within a couple of months. In past years he moved over 80% of Attune Infocom's business processes to the Cloud, implementing an agile SDLC methodology on Amazon, Rackspace and private clouds such as Eucalyptus and OpenStack. His skills extend to designing and managing Cloud environments, infrastructure and server architecture. He is also active in shell scripting, auto deployment, and supporting hundreds of Linux and Windows physical and virtual servers hosting databases and applications, with Continuous Delivery using Jenkins / CruiseControl with Puppet / Chef scripting.
In the Table Editor, enter Uchit in the sn (surname) line and Uchit in the givenName line.
For mail enter uchit@uchitinfo.com, and for the user password enter test. Click Submit.
On the server settings page, the Server URL and the Configuration Directory both need some attention. By default the Server URL will be the address that was typed to reach the server. The problem is that it must be a fully qualified domain name, so if the page was accessed via localhost or an IP address it will cause problems. This is why the server was configured to be accessible at uchit.info.com.
The User Data Store Settings are what connect OpenAM to the OpenDS data store. As a consequence, most of these settings require some attention. Fields which require changing are marked with an asterisk (*).
*User Data Store Type : OpenDS
SSL/TLS Enabled : Not ticked
*Directory Name : uchit.info.com
*Port : 10389
*Root Suffix : dc=example,dc=com
Login ID : uid=admin,ou=system
*Password : secret
The configurator does not give the option to continue until all the
settings have been correctly specified and it has successfully
connected to the OpenDS instance.
The Summary Page shows a brief summary of the settings that were
defined in the previous few steps before the configuration is created.
Clicking Create Configuration will begin the configuration process.
This will create the configuration for your OpenAM server under
~/opensso (or c:\Documents and Settings\{username}\opensso).
Click test to add the email address. Enter test@liferay.com for the
open.sso.logout.url=http://uchit.info.com:9080/opensso/UI/Logout?goto=http://uchit.info.com:8080/web/guest/home
open.sso.service.url=http://uchit.info.com:9080/opensso
open.sso.screen.name.attr=uid
open.sso.email.address.attr=mail
open.sso.first.name.attr=givenname
open.sso.last.name.attr=sn
Password:-password
DEPLOYMENT
============
1. Build the jar from the sources, or download the latest release of the filter from:
   http://repository.sourcesense.com/nexus/content/groups/public/com/sourcesense/alfresco/alfresco-opensso/
2. Download the OpenSSO SDK from:
   http://repository.sourcesense.com/nexus/content/repositories/thirdparty/com/sun/identity/openssoclientsdk/8.0/openssoclientsdk8.0.jar
3. Copy both to <Alfresco_Home>/tomcat/webapps/alfresco/WEB-INF/lib
4. Create the file AMConfig.properties in <Alfresco_Home>/tomcat/webapps/alfresco/WEB-INF/classes
5. An example of this file can be:
com.iplanet.am.naming.url=http://uchit.info.com:9080/opensso/namingservice
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.sun.identity.agents.app.username=amAdmin
com.iplanet.am.service.password=upassword
USAGE
======
Accessing Alfresco's home will redirect the browser to the OpenSSO login page.
After a successful login, OpenSSO will redirect the browser back to Alfresco.
If the user does not exist in Alfresco, it will be created. The groups associated with the user in OpenSSO will be created in Alfresco, and the user will be associated with these groups.
If the user's groups are changed in OpenSSO, the filter will reflect those changes at the moment of login.
No group will be deleted in Alfresco, only the user's association with the groups.
In order to access Alfresco administration, the "admin" user must be created in OpenSSO as well.
uid=%s,ou=People,dc=company,dc=com
# - digest
# - usually pass through what is entered
#
%s
ldap.synchronization.groupSearchBase=ou\=groups,dc\=example,dc\=com
# The user search base restricts the LDAP user query to a sub section of the tree on the LDAP server.
###
ldap.synchronization.userSearchBase=ou\=People,dc\=company,dc\=com
ldap.synchronization.userSearchBase=ou\=people,dc\=example,dc\=com
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.groupType=groupOfNames
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member
# If true, progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
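A check worth running before the first synchronization, written here as an added example (not the document's or Alfresco's own code): it reads a constructed excerpt of the ldap.synchronization properties above with Java .properties rules, flags the userSearchBase key that the document lists twice (Java keeps the last value, so the dc=company line is silently overridden), confirms both search bases lie under the OpenDS Root Suffix dc=example,dc=com from the User Data Store settings, and verifies that the timestamp format can actually parse a generalized-time modifyTimestamp value. The sample timestamp and the root suffix default are assumptions.

```python
import re
from datetime import datetime

# Constructed excerpt in Java .properties syntax ('=' inside values is escaped
# as '\='); userSearchBase appears twice with different suffixes, as on the page.
SAMPLE_PROPERTIES = r"""
ldap.synchronization.groupSearchBase=ou\=groups,dc\=example,dc\=com
ldap.synchronization.userSearchBase=ou\=People,dc\=company,dc\=com
ldap.synchronization.userSearchBase=ou\=people,dc\=example,dc\=com
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
"""
ROOT_SUFFIX = "dc=example,dc=com"  # Root Suffix from the User Data Store page

def parse_properties(text):
    # Java rules that matter here: '#' starts a comment, the first unescaped
    # '=' separates key from value, and a repeated key keeps the LAST value.
    props, duplicates = {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"([^#=\\][^=\\]*)=(.*)", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip().replace("\\=", "=")
        if key in props:
            duplicates.append(key)
        props[key] = value
    return props, duplicates

def java_to_strptime(fmt):
    # Subset of SimpleDateFormat needed for LDAP generalized-time stamps.
    fmt = fmt.replace("'", "")
    for java, py in (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S")):
        fmt = fmt.replace(java, py)
    return fmt

def check_sync_config(text, root_suffix=ROOT_SUFFIX, sample="20240101120000Z"):
    # Returns human-readable findings; an empty list means the settings agree.
    props, duplicates = parse_properties(text)
    findings = [f"duplicate key {k}: last value wins ({props[k]})" for k in duplicates]
    for key in ("ldap.synchronization.userSearchBase",
                "ldap.synchronization.groupSearchBase"):
        base = props.get(key, "")
        if not base.lower().endswith(root_suffix.lower()):
            findings.append(f"{key}={base} lies outside root suffix {root_suffix}")
    # Differential sync compares modifyTimestamp against this format; on a
    # mismatch, changed users and groups are never picked up.
    try:
        datetime.strptime(sample, java_to_strptime(
            props.get("ldap.synchronization.timestampFormat", "")))
    except ValueError as exc:
        findings.append(f"timestampFormat cannot parse {sample}: {exc}")
    return findings
```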