Liferay + Alfresco + OpenSSO + LDAP Integration

By Uchit Vyas

[email protected] www.attuneuniversity.com

About Author

Uchit Vyas is a B.Tech. graduate in Computer Science with a research interest in ESB and Cloud, and is a Cisco (CCNA), VMware (VSP) and Linux (RHCE) certified professional. He has an energetic strength to work on multiple platforms at a time and the ability to integrate open source technologies. He works as a Sr. Consultant looking after AWS Cloud, Mule ESB, Alfresco and Liferay, and deploying Portal and ECM systems. He previously worked with TCS as an Assistant System Engineer.

With over 3 years of hands-on experience in Open Source technologies, he guides the team and delivers projects and trainings. He has provided 13+ trainings on Cloud Computing, Continuous Delivery, Alfresco and Liferay in a couple of months. During past years he moved over 80% of Attune Infocom's business processes to the Cloud, implementing an agile SDLC methodology on Amazon, Rackspace and private clouds such as Eucalyptus and OpenStack. His skills are not limited to designing and managing Cloud environments/infrastructure and server architecture. He is also active in shell scripting, auto deployment, and supporting hundreds of Linux and Windows physical and virtual servers hosting databases and applications, with Continuous Delivery using Jenkins / Cruise Control with Puppet / Chef scripting.

Liferay + Alfresco + OpenSSO + LDAP Integration 1

Table of Contents

I. LDAP Integration with Liferay
II. Integrating OpenSSO/OpenAM with Liferay Portal on Tomcat
III. Alfresco OpenSSO Integration
IV. Enable LDAP Authentication and LDAP users import in Alfresco


LDAP Integration with Liferay

ApacheDS

- http://directory.apache.org/apacheds/1.5/download/download-windows.html
- Download ApacheDS from the above link and install the exe on Windows.
- Now simply run the ApacheDS installer, follow the instructions and finish the installation.
- Check the Java version, e.g. java -version
- To install and use ApacheDS requires JRE 5 or later and Windows XP or Vista.
- By default the LDAP server listens on port 10389 (unencrypted or StartTLS) and 10636 (SSL).

Installing the LDAP browser

- Go to www.jxplorer.org.
- Click Downloads > precompiled java package > Windows platform.
- Save the file.
- Click on the LDAP browser icon and follow the installation instructions.
- Open the LDAP browser JXplorer, click File and then Connect.
- Change the port to 10389.


- In the Level drop-down menu, choose User+Password.
- Insert uid=admin,ou=system in the User DN input field.
- The password is secret.
- Click Save and enter a name for the template.

- Right click on Example and click New.
- Add inetorgperson to the Selected Classes, or select Suggest Classes.
- (e.g. for creating a user) Enter cn=uchit in the Enter RDN field and click OK.


- In the Table Editor enter Uchit in the sn line and Uchit in the givenName line.
- For mail enter [email protected]. For the user password enter test. Click Submit.


Integration with Liferay

- Now you are supposed to integrate LDAP with Liferay: log in to Liferay as an administrator, e.g. [email protected] with password test.
- Once you have generated your profile in LDAP, configure your Liferay to import/export users from LDAP.
- In Liferay go to Control Panel, then Settings, then Authentication.
- Now you will find LDAP; there is a list of directories, select yours.
- Then configure your own connection URL, base DN, principal and credentials, and test that this connection is working OK (by clicking the Add button).


- In the above example, check the box to enable LDAP.
- Required means login will require LDAP to authenticate.
- Then set the other properties: you can change the search filter to just the name instead of the email, and you can change the group name.
- You can also change the group search filter.
- You can also enable import/export of users between LDAP and Liferay.
- All of these properties can also be set in the portal-ext.properties file, which you can find at root/web-inf/classes/portal-ext.properties.
- The portal-ext.properties file will override your settings from the default one.
- Now just start the directory server and use an LDAP user in Liferay.
- To integrate Liferay with LDAP, install the directory server and start it.
- Enable LDAP in Liferay and select your DS from the list; for any other directory use portal-ext.properties.
- Use "secret" as the password.

- Change the search filter from email to (cn=@screen_name@).
- If you want to import/export, check the box.
- You can also check your connection and the list of users.
- If your connection is replying, then everything is working properly.
- The first time you use an LDAP user, Liferay will ask for terms and conditions.
- The portal.properties defaults can be overridden in portal-ext.properties:

ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.import.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.import.base.provider.url=ldap://localhost:10389
ldap.import.base.dn=dc=example,dc=com
ldap.import.security.principal=uid=admin,ou=system
ldap.import.security.credentials=secret
ldap.import.search.filter=(objectClass=inetOrgPerson)
ldap.import.user.mappings=userId=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.import.group.mappings=groupName=cn\ndescription=description
ldap.auth.enabled=false
ldap.auth.required=false
ldap.auth.method=bind
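The fragment above is a Java .properties file, so Liferay reads it with Java's escaping rules: the literal "\n" sequences inside ldap.import.user.mappings separate one field mapping from the next. The following added example (not code from the tutorial or from Liferay) parses such a fragment with those rules, splits the mappings into a dictionary, and then audits the LDAP settings for the points a reviewer would raise with the values shown here: a plain ldap:// provider URL carrying the bind password (ApacheDS offers 10636 for SSL), the ApacheDS default password "secret", and binding as the directory's system administrator. The sample text is constructed to mirror the page's fragment; the audit rules are this example's own.

```python
r"""Parse a Liferay portal-ext.properties fragment and audit its LDAP settings.

Added example, not part of the tutorial or of Liferay. Only the Java .properties
syntax and the property names shown on the page are relied upon.
"""
from urllib.parse import urlparse

# Constructed sample mirroring the page's fragment. A raw string keeps the
# literal "\n" separators Liferay expects inside the mapping values.
SAMPLE_PORTAL_EXT = r"""
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.import.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.import.base.provider.url=ldap://localhost:10389
ldap.import.base.dn=dc=example,dc=com
ldap.import.security.principal=uid=admin,ou=system
ldap.import.security.credentials=secret
ldap.import.search.filter=(objectClass=inetOrgPerson)
ldap.import.user.mappings=userId=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.import.group.mappings=groupName=cn\ndescription=description
ldap.auth.enabled=false
ldap.auth.required=false
ldap.auth.method=bind
"""

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def unescape(value):
    # Resolve Java .properties escapes: \n \t \r \f, \uXXXX, and \<char> -> <char>
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch != "\\" or i + 1 >= len(value):
            out.append(ch)
            i += 1
        elif value[i + 1] == "u" and i + 5 < len(value):
            out.append(chr(int(value[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_SIMPLE_ESCAPES.get(value[i + 1], value[i + 1]))
            i += 2
    return "".join(out)


def split_key(logical):
    # Java rule: the key ends at the first unescaped '=', ':' or whitespace,
    # so "ldap.import.base.dn=dc=example,dc=com" keeps the later '=' in the value.
    i = 0
    while i < len(logical):
        if logical[i] == "\\":
            i += 2
            continue
        if logical[i] in "=: \t":
            key, rest = logical[:i], logical[i:].lstrip(" \t")
            if rest[:1] in ("=", ":"):
                rest = rest[1:].lstrip(" \t")
            return unescape(key), unescape(rest)
        i += 1
    return unescape(logical), ""


def parse_properties(text):
    """Return {key: value} for a .properties document, honouring continuation lines."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: line continues
            logical += line[:-1]
            continue
        logical += line
        key, value = split_key(logical)
        props[key] = value
        logical = ""
    return props


def parse_mapping(value):
    """Turn Liferay's newline-separated "liferayField=ldapAttribute" list into a dict."""
    result = {}
    for item in value.split("\n"):
        if "=" in item:
            field, attr = item.split("=", 1)
            result[field.strip()] = attr.strip()
    return result


def audit_ldap_settings(props):
    """Return the findings a reviewer would raise about these LDAP settings."""
    findings = []
    url = urlparse(props.get("ldap.import.base.provider.url", ""))
    if url.scheme == "ldap":
        findings.append("%s is plain ldap://: the bind password crosses the network "
                        "unencrypted; use ldaps:// (ApacheDS port 10636) or StartTLS" % url.geturl())
    if props.get("ldap.import.security.credentials") == "secret":
        findings.append("bind password is the ApacheDS shipped default 'secret'")
    if props.get("ldap.import.security.principal", "").lower() == "uid=admin,ou=system":
        findings.append("Liferay binds as the ApacheDS system administrator; "
                        "a read-only service account is enough for import and auth")
    if props.get("ldap.auth.enabled") == "true" and props.get("ldap.auth.required") != "true":
        findings.append("LDAP auth is enabled but not required, so Liferay falls back "
                        "to its own password check when the LDAP bind fails")
    return findings


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PORTAL_EXT)
    print(parse_mapping(parsed["ldap.import.user.mappings"]))
    for finding in audit_ldap_settings(parsed):
        print("-", finding)
```

Run it against your own portal-ext.properties by reading the file into parse_properties; an empty findings list means none of the four checks fired.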

Integrating OpenSSO / OpenAM with Liferay Portal on Tomcat

- Liferay Portal and OpenSSO both require a minimum 1.5 JVM, but I would recommend using Java 6 (as Java 1.5 reached its End of Service Life in October 2009). Make sure that your JAVA_HOME environment variable is correctly set to point to your Java 6 installation.
- For OpenSSO to work correctly with Liferay Portal, both servers need to be running in the same domain. To solve this issue while running both servers on a single machine, edit the hosts file (/etc/hosts or %SystemRoot%\system32\drivers\etc\) and add/update your localhost entry:

  127.0.0.1 localhost localhost.example.com

  where example.com is your actual domain (uchit.info.com in this tutorial).

Install OpenSSO/OpenAM

- Download the latest OpenAM (OpenAM Snapshot 9.5.1 RC1) build from http://www.forgerock.com/downloads.html
- Download the latest Tomcat (6.0.32) from http://tomcat.apache.org/download-60.cgi
- Installation of the Tomcat server consisted of:
  - Unzip the apache-tomcat-6.0.32 zip file. This will create an apache-tomcat-6.0.32 folder.
  - As both Liferay Portal and OpenAM will be running on the same machine, I needed to update the ports that the OpenAM Tomcat server was using.
  - Edit apache-tomcat-6.0.32/conf/server.xml. I changed all of the ports from 8xxx to 9xxx. For example, 8080 to 9080, 8443 to 9443, etc.
  - On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh

Installation of OpenAM consisted of:

- Unzip openam_snapshot_951RC1.zip to a directory. This will create an opensso folder.
- Copy opensso.war from opensso/deployable-war/ to apache-tomcat-6.0.32/webapps/.
- In apache-tomcat-6.0.32/bin/, execute startup.sh (or startup.bat) to start Tomcat and deploy OpenAM.
- After Tomcat has deployed OpenAM, you will see the exploded war file as apache-tomcat-6.0.29/webapps/opensso.
- Open a browser to http://uchit.info.com:9080/opensso, which should redirect you to http://uchit.info.com:9080/opensso/config/options.htm, to complete the OpenAM configuration.
- You should see the OpenAM configuration options page. Under Custom Configuration click Create New Configuration. Enter the following:


- The first step is to choose a password for the default administrator account (amAdmin). The password needs to be at least 8 characters long (e.g. upassword). Once a valid password has been entered twice, the Next button will appear and the configuration can proceed.


- On the server settings page, the Server URL and the Configuration Directory both need some attention. By default the Server URL will be the address that was typed to reach the server. The problem with this is that it requires a fully qualified domain name, so if the page was accessed via localhost or an IP address it will cause problems. This is why it was configured to be accessible at uchit.info.com.


- The other setting on this page to take note of is the Configuration Directory. It is important that the user that Apache Tomcat is running under has write access to that directory. As a result ~//config is appropriate for this purpose.
- Supported Platform Locales are en_US (English), de (German), es (Spanish), fr (French), ja (Japanese), zh_CN (Simplified Chinese), or zh_TW (Traditional Chinese).


- The Configuration Data Store Settings do not need to be changed when working with a single server configuration.

- The User Data Store Settings are what connect OpenAM to the OpenDS data store. The side effect of this is that most of these settings require some attention. Fields which require changing are marked with an asterisk (*).

  *User Data Store Type : OpenDS
  SSL/TLS Enabled : Not ticked
  *Directory Name : uchit.info.com
  *Port : 10389
  *Root Suffix : dc=example,dc=com
  Login ID : uid=admin,ou=system
  *Password : secret

- The configurator does not give the option to continue until all the settings have been correctly specified and it has successfully connected to the OpenDS instance.

- OpenAM is not installed behind a load balancer in this test deployment, so Site Configuration can be left as default.


- The policy agent password once again needs to be 8 characters or more and it must also be different from the administrator password. In this case we will use 'apassword', although the policy agent user is not used in this tutorial.


- The Summary Page shows a brief summary of the settings that were defined in the previous few steps before the configuration is created. Clicking Create Configuration will begin the configuration process. This will create the configuration for your OpenAM server under ~/opensso (or c:\Documents and Settings\{username}\opensso).


- The Configuration Progress Screen will display the progress of the installation and take a couple of minutes to run through. All of the output on this screen, as well as any errors, is written to the file ~/openam/config/install.log. Assuming success, a Configuration Complete! view will appear, providing a link to the login page.
- In case it did not succeed, check the troubleshooting guide at ://wikis.forgerock.org/confluence/display/openam/Common Install Issues


- When this completes, in the Configuration Complete dialog, click Proceed to Login, which should now redirect you to http://uchit.info.com:9080/opensso/UI/Login. Type amAdmin as the username, password as the password, and click Log In. You should now see the OpenAM Console.
- For detailed information about the OpenAM Console, see this and this.
- You can now delete the opensso.war file from the apache-tomcat-6.0.29/webapps/ directory.


Additional OpenAM Configuration

To get OpenAM to work correctly with Liferay, you need to set Encode Cookie Value to Yes. This will prevent infinite redirection between Liferay and OpenAM on login.

1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Security tab.
5. In the Cookie section, select the Yes checkbox beside Encode Cookie Value.
6. Click Save.

To resolve the infinite redirection problem:

1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Advanced tab.
5. Find the com.iplanet.am.cookie.c66Encode property, and set the value to true.
6. Click Save.

Before updating Liferay to use OpenAM, I recommend adding the default Liferay user, [email protected], to OpenAM.

1. In the OpenAM Console, select the Access Control tab.
2. Click the / (Top Level Realm) realm.
3. Select the Subjects tab.
4. Click New…
5. Set up the default Liferay user:
   ID — test
   First Name — test
   Last Name — test
   Full Name — test
   Password — test
   Click OK to create the user.
6. Click test to add the email address. Enter [email protected] for the Email Address, and click Save.

[Note: Use uid to create new user in LDAP for OpenAM]

Integrate Liferay Portal with OpenAM

Now you are ready to update Liferay Portal to integrate with OpenAM for authentication.

1. If Liferay is running, shut it down (bin/shutdown).
2. Create a new file, called portal-ext.properties, in your Liferay directory, under liferay-portal-5.2.3/tomcat-6.0.18/webapps/ROOT/WEB-INF/classes/.
3. Edit this file, and add the following properties:

   open.sso.auth.enabled=true
   open.sso.login.url=http://uchit.info.com:9080/opensso/UI/Login?goto=http://uchit.info.com:8080/c/portal/login
   open.sso.logout.url=http://uchit.info.com:9080/opensso/UI/Logout?goto=http://uchit.info.com:8080/web/guest/home
   open.sso.service.url=http://uchit.info.com:9080/opensso
   open.sso.screen.name.attr=uid
   open.sso.email.address.attr=mail
   open.sso.first.name.attr=givenname
   open.sso.last.name.attr=sn
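Two things have to line up in these open.sso.* values for the login round trip to work: the OpenAM host must share a domain with the portal (the earlier hosts-file step exists for exactly this reason, since the OpenAM session cookie must be sent to both servers), and each goto= parameter must return the browser to the portal. The following added example (not code from the tutorial, Liferay or OpenAM) checks a property set against those requirements before Liferay is restarted. The "same domain" test takes the last two DNS labels, a simplification this example assumes; the property values are a constructed copy of the page's.

```python
"""Pre-flight check for the open.sso.* URLs in portal-ext.properties.

Added example, not part of the tutorial or of Liferay/OpenAM.
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample mirroring the page's property values.
OPEN_SSO_PROPS = {
    "open.sso.login.url": "http://uchit.info.com:9080/opensso/UI/Login"
                          "?goto=http://uchit.info.com:8080/c/portal/login",
    "open.sso.logout.url": "http://uchit.info.com:9080/opensso/UI/Logout"
                           "?goto=http://uchit.info.com:8080/web/guest/home",
    "open.sso.service.url": "http://uchit.info.com:9080/opensso",
}


def cookie_domain(host):
    """Approximate the cookie domain as the last two DNS labels (assumption of this example)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def check_open_sso_urls(props, portal_host):
    """Return findings; an empty list means the URLs are consistent with each other."""
    findings = []
    service = urlparse(props["open.sso.service.url"])
    if service.scheme != "https":
        findings.append("open.sso.service.url uses plain http: the SSO cookie and "
                        "login credentials are exposed on the wire")
    if cookie_domain(service.hostname) != cookie_domain(portal_host):
        findings.append("OpenAM host %s and portal host %s are in different domains; "
                        "the OpenAM cookie will not reach Liferay"
                        % (service.hostname, portal_host))
    for key in ("open.sso.login.url", "open.sso.logout.url"):
        url = urlparse(props[key])
        # login/logout pages must be served by the same OpenAM instance as the service URL
        if url.hostname != service.hostname or url.port != service.port:
            findings.append("%s does not point at the open.sso.service.url host" % key)
        # the goto= parameter is where OpenAM sends the browser afterwards: it must be the portal
        goto = parse_qs(url.query).get("goto", [""])[0]
        if urlparse(goto).hostname != portal_host:
            findings.append("%s: goto=%r does not return to the portal host %s"
                            % (key, goto, portal_host))
    return findings


if __name__ == "__main__":
    for finding in check_open_sso_urls(OPEN_SSO_PROPS, "uchit.info.com"):
        print("-", finding)
```

With the page's values the only finding is the plain-http one; pointing open.sso.service.url at a host in another domain, or a goto= at anything other than the portal, adds the corresponding findings.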

4. Start Liferay (bin/startup).
5. Once Liferay has started, open a browser to http://uchit.info.com:8080, and you should be redirected to the OpenAM login page (http://uchit.info.com:9080/opensso/UI/Login). Enter test for the User Name, and test for the Password. Click Log In.

You will be authenticated against OpenAM, and redirected to Liferay.

Now that Liferay is using OpenAM for authentication, if you create a new user in OpenAM, that user will also be created in Liferay on the first log in. That newly created user in Liferay will only have the basic information filled in – First Name, Last Name, Screenname, Email Address – and will have the default Roles, Groups, and Organizations assigned.

[Note: You can also Integrate Liferay and openSSO by going in Liferay Control Panel-> Settings-> Authentication-> open SSO ]


Alfresco OpenSSO Integration

Download and Install Alfresco(3.4.d) from http://wiki.alfresco.com/wiki/Download_Community_Edition

Now go to this link http://uchit.info.com:8080/alfresco/

User Name: admin
Password: password


DEPLOYMENT

======

1. Build the jar from the sources, or download the latest release of the filter from:
   http://repository.sourcesense.com/nexus/content/groups/public/com/sourcesense/alfresco/alfresco-opensso/
2. Download the OpenSSO SDK from:
   http://repository.sourcesense.com/nexus/content/repositories/thirdparty/com/sun/identity/openssoclientsdk/8.0/openssoclientsdk-8.0.jar
3. Copy both to /tomcat/webapps/alfresco/WEB-INF/lib
4. Create the file AMConfig.properties in /tomcat/webapps/alfresco/WEB-INF/classes
5. An example of this file can be:

   com.iplanet.am.naming.url=http://uchit.info.com:9080/opensso/namingservice
   com.iplanet.am.cookie.name=iPlanetDirectoryPro
   com.sun.identity.agents.app.username=amAdmin
   com.iplanet.am.service.password=upassword

6. Change the values to reflect your OpenSSO installation.
7. Replace the authentication filter in /tomcat/webapps/alfresco/WEB-INF/web.xml:

   <filter>
      <filter-name>Authentication Filter</filter-name>
      <description>Authentication filter mapped only to faces URLs. Other URLs generally use proprietary means to talk to the AuthenticationComponent</description>
      <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
      <init-param>
         <param-name>beanName</param-name>
         <param-value>AuthenticationFilter</param-value>
      </init-param>
   </filter>

   with

   <filter>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>com.sourcesense.alfresco.opensso.AlfrescoOpenSSOFilter</filter-class>
      <init-param>
         <param-name>opensso.url</param-name>
         <param-value>http://uchit.info.com:9080/opensso</param-value>
      </init-param>
   </filter>

USAGE

======

Accessing Alfresco's home will redirect the browser to OpenSSO login page.

After a successful login, openSSO will redirect the browser back to Alfresco.

If the user does not exist in Alfresco, it will be created. The groups associated with the user in OpenSSO will be created in Alfresco, and the user will be associated with these groups.

If the user's groups are changed in OpenSSO, the filter will reflect those changes in the moment of login.


No group will be deleted in Alfresco, just the user's association with the groups.

In order to access alfresco administration, the "admin" user must be created in OpenSSO as well.

Enable LDAP Authentication and LDAP users import in Alfresco

1. This step is not necessary for Web-SSO, but I recommend doing it because you can then manage users from the Alfresco Admin Console (Browser/Explorer or Share): edit, delete, create groups and give permissions.

2. Add the following properties to the ${ALF_HOME}\tomcat\shared\classes\alfresco-global.properties file.

# The default authentication chain

authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm

# These options are for test purpose, to make full synchro every minute at 15 seconds, you certainly should tune it for your need

synchronization.import.cron=15 * * * * ?

synchronization.synchronizeChangesOnly=false

synchronization.syncOnStartup=false

3. Create the folder structure "subsystems\Authentication\ldap\ldap1" in ${ALF_HOME}\tomcat\shared\classes\alfresco\extension
4. Copy the file ${ALF_HOME}\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap\ldap-authentication.properties into the folder created before.
5. Modify ldap-authentication.properties, enabling LDAP authN and sync. For example, you can use my file (this only works for my LDAP tree: UID as RDN and authN with CN):

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true

# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
ldap.authentication.allowGuestLogin=true

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=example,dc\=com

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
# ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
ldap.authentication.java.naming.provider.url=ldap://uchit.info.com:10389

# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
### ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=company,dc\=com
ldap.synchronization.java.naming.security.principal=uid\=admin,ou\=system

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=secret

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=0

# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=0

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
##ldap.synchronization.groupSearchBase=ou\=Groups,dc\=company,dc\=com
ldap.synchronization.groupSearchBase=ou\=groups,dc\=example,dc\=com

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
### ldap.synchronization.userSearchBase=ou\=People,dc\=company,dc\=com
ldap.synchronization.userSearchBase=ou\=people,dc\=example,dc\=com

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description

# The group type in LDAP
ldap.synchronization.groupType=groupOfNames

# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
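Two settings in this file, and one from the Liferay section, take text that comes from outside and place it inside an LDAP string: ldap.authentication.userNameFormat substitutes the login name the user typed into a DN (which is what escapeCommasInBind and escapeCommasInUid are about), while the differential queries substitute a timestamp for {0} and Liferay's search filter substitutes the screen name for @screen_name@. The added example below (not code from the tutorial, Alfresco or Liferay) shows the escaping a practitioner applies in each case, RFC 4514 for DN values and RFC 4515 for filter values, using the page's own format strings with the .properties "\=" escapes resolved. The bind_dn function also shows the raw substitution that escapeCommasInBind=false produces, so the difference is visible; the timestamp conversion assumes the yyyyMMddHHmmss'Z' format configured above and treats a naive input time as UTC.

```python
"""Safely substitute external values into the LDAP strings used on this page.

Added example, not part of the tutorial or of Alfresco/Liferay.
"""
from datetime import datetime, timezone

# Values from the page, with the .properties "\=" escapes already resolved.
USER_NAME_FORMAT = "uid=%s,ou=people,dc=example,dc=com"
LIFERAY_SCREEN_NAME_FILTER = "(cn=@screen_name@)"
PERSON_DIFFERENTIAL_QUERY = "(&(objectclass=inetOrgPerson)(!(modifyTimestamp<={0})))"


def escape_dn_value(value):
    """RFC 4514: escape characters that would otherwise add or alter an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515: encode * ( ) backslash and NUL so input cannot change the filter's shape."""
    table = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn(user_id, escape=True):
    """The DN built from userNameFormat. escape=False reproduces the raw
    substitution that escapeCommasInBind=false leaves in place."""
    return USER_NAME_FORMAT % (escape_dn_value(user_id) if escape else user_id)


def liferay_screen_name_filter(screen_name):
    """Liferay's (cn=@screen_name@) search filter with the placeholder filled safely."""
    return LIFERAY_SCREEN_NAME_FILTER.replace("@screen_name@", escape_filter_value(screen_name))


def alfresco_person_differential_query(since_iso):
    """Fill {0} in personDifferentialQuery with an ISO 8601 time rendered as yyyyMMddHHmmss'Z'."""
    since = datetime.fromisoformat(since_iso)
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)  # naive input is taken as UTC (assumption)
    stamp = since.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return PERSON_DIFFERENTIAL_QUERY.replace("{0}", escape_filter_value(stamp))


if __name__ == "__main__":
    print(bind_dn("uchit"))
    print(bind_dn("uchit,ou=system"))                # comma and '=' escaped: still one RDN
    print(bind_dn("uchit,ou=system", escape=False))  # raw: the input has grown an extra RDN
    print(liferay_screen_name_filter("uchit"))
    print(alfresco_person_differential_query("2011-06-01T14:30:00+02:00"))
```

The practical reading for this deployment: with escapeCommasInBind=false, a login name containing a comma is placed into the DN verbatim, so if your directory allows such values in uid, either turn the escaping on or keep userNameFormat unset and let Alfresco resolve the DN through personQuery as the comments describe.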
