For your convenience (and my personal documentation), I will show all the steps I took to get things working. First, I downloaded the above-mentioned resources from Packt Publishing.
Setting up OpenLDAP
Before installing OpenLDAP, think about the suffix you want your installation to have and take appropriate action. Then install OpenLDAP:
apt-get install slapd ldap-utils
Then add a suffix and a manager account to the directory:
slapadd -l /tmp/init_suffix.ldif
with the following as content of /tmp/init_suffix.ldif:
dn: dc=opensso,dc=java,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: opensso
dc: opensso
structuralObjectClass: organization
Make sure the dc=java,dc=net part is set to the values of your own directory.
Add the OpenSSO4OpenLDAP.schema as provided by Packt (under "Downloads"). You will need to convert it to an LDIF file, as has been explained here (read until the end; it was useful for me).
Then add some more data:
ldapadd -Y EXTERNAL -H ldapi:/// -f template.ldif
with
dn: ou=people,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=amadmin,ou=people,dc=opensso,dc=java,dc=net
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetuser
cn: amadmin
sn: amadmin
uid: amadmin
userPassword: secret124

dn: cn=defaultGroup,ou=groups,dc=opensso,dc=java,dc=net
objectclass: top
objectclass: groupofnames
# the naming attribute value must match the RDN (cn=defaultGroup),
# otherwise slapd rejects the entry
cn: defaultGroup
member: cn=amadmin,ou=people,dc=opensso,dc=java,dc=net
in your template.ldif file. Again, make sure your distinguished names (DNs) match your setup.
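The same two files, generated from a single suffix variable so that the DNs in init_suffix.ldif and template.ldif cannot drift apart, as an added example that is not part of the original post or the Packt material. It assumes the suffix starts with a dc= component and that the OpenSSO4OpenLDAP schema (which defines inetuser) is already loaded before template.ldif is fed to ldapadd; the render_*/check_* function names and the {SSHA} placeholder are assumptions of mine:

```shell
#!/bin/sh
# Added example (not from the original post): render init_suffix.ldif and
# template.ldif for any suffix so the DNs cannot drift apart, and check every
# DN in the result against the suffix before handing the file to slapadd/ldapadd.
# Assumptions: the suffix starts with a dc= component, and the OpenSSO4OpenLDAP
# schema (which defines the inetuser objectClass) is loaded before template.ldif
# is added. The {SSHA} value at the bottom is a placeholder, not a real hash.

# render_init_suffix SUFFIX -> the base entry slapadd needs first
render_init_suffix() {
  suffix=$1
  dc=${suffix%%,*}          # first RDN, e.g. dc=opensso
  dc=${dc#dc=}              # its value, e.g. opensso
  printf 'dn: %s\n' "$suffix"
  printf 'objectClass: top\nobjectClass: dcObject\nobjectClass: organization\n'
  printf 'o: %s\ndc: %s\n' "$dc" "$dc"
}

# render_template SUFFIX ADMIN_UID PASSWORD_VALUE -> people, groups, admin and
# group entries; PASSWORD_VALUE should be the output of `slappasswd -s '<pw>'`
# so the directory stores a hash rather than the cleartext password.
render_template() {
  suffix=$1 admin=$2 pw=$3
  people="ou=people,$suffix"
  groups="ou=groups,$suffix"
  printf 'dn: %s\nobjectClass: top\nobjectClass: organizationalUnit\nou: people\n\n' "$people"
  printf 'dn: %s\nobjectClass: top\nobjectClass: organizationalUnit\nou: groups\n\n' "$groups"
  printf 'dn: cn=%s,%s\n' "$admin" "$people"
  printf 'objectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: inetuser\n'
  printf 'cn: %s\nsn: %s\nuid: %s\nuserPassword: %s\n\n' "$admin" "$admin" "$admin" "$pw"
  printf 'dn: cn=defaultGroup,%s\n' "$groups"
  printf 'objectClass: top\nobjectClass: groupOfNames\n'
  # the RDN value must be present as an attribute value, or slapd rejects the entry
  printf 'cn: defaultGroup\nmember: cn=%s,%s\n' "$admin" "$people"
}

# check_ldif_dns SUFFIX < file.ldif -> prints the number of entries; fails if
# any DN does not end with SUFFIX (the mismatch the post warns about)
check_ldif_dns() {
  suffix=$1
  n=0
  while IFS= read -r line; do
    case $line in
      dn:*)
        n=$((n + 1))
        dn=${line#dn:}
        dn=${dn# }
        case $dn in
          "$suffix"|*",$suffix") ;;
          *) echo "DN outside suffix $suffix: $dn" >&2; return 1 ;;
        esac ;;
    esac
  done
  echo "$n"
}

# Stand-alone run: print both files for the post's suffix (or $SUFFIX if set)
SUFFIX=${SUFFIX:-dc=opensso,dc=java,dc=net}
render_init_suffix "$SUFFIX"
echo
render_template "$SUFFIX" amadmin '{SSHA}replace-with-slappasswd-output'
```

Run slapadd with slapd stopped (it writes the database files directly) and make sure the database directory still belongs to the openldap user afterwards; ldapadd talks to the running server instead. Piping the rendered output through check_ldif_dns before loading catches exactly the DN mismatch the post warns about, and passing the output of slappasswd instead of a cleartext userPassword keeps the admin password out of the directory in plain form.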
Setting up tomcat7
After installing tomcat7 via
apt-get install tomcat7-docs tomcat7-examples tomcat7-admin tomcat7
you need to give OpenAM more memory than the default Tomcat install on Ubuntu does. This is done by creating a script called setenv.sh in /usr/share/tomcat7/bin:
root@tih1:/usr/share/tomcat7/bin# cat setenv.sh
#!/bin/bash
export CATALINA_OPTS="-Xmx1024m -XX:MaxPermSize=256m"
Then set the appropriate permissions:
chmod 755 setenv.sh
chown tomcat7:tomcat7 setenv.sh
Then start (or restart, depending on its previous state) Tomcat:
service tomcat7 start
Also, in my fresh installation both Apache and Tomcat were listening on port 8080, and when connecting to http://<myserver>, I only saw the default Apache page. So I had to configure one of Tomcat and Apache to listen on a different port. I changed the Tomcat port to 8081, which is configured in
/etc/tomcat7/server.xml
There is a line which reads <Connector port="8080" protocol="HTTP/1.1" ...>. Which port you choose depends on what you want; there is no specific reason for my choice of 8081 other than making it different from Apache's 8080.
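As an added example (not from the original post), a small shell helper that makes the port change on that Connector line scriptable, keeps a backup, and checks whether the new port is already taken, which is the conflict described above. It assumes a stock tomcat7 server.xml with port and protocol on the same Connector line; the function names and the constructed sample server.xml are assumptions of mine:

```shell
#!/bin/sh
# Added example (not from the original post): change the HTTP/1.1 Connector port
# in a Tomcat server.xml in place (keeping a .bak copy), read it back, and check
# whether the chosen port is already taken before restarting Tomcat.
# Assumptions: exactly one <Connector ... protocol="HTTP/1.1" ...> element, with
# port and protocol on the same line as in a stock tomcat7 server.xml; the file
# written by write_sample_server_xml is a constructed stand-in, not a real install.

# connector_port FILE -> print the port of the HTTP/1.1 Connector
connector_port() {
  sed -n 's/.*<Connector port="\([0-9]*\)" protocol="HTTP\/1\.1".*/\1/p' "$1"
}

# set_connector_port FILE NEWPORT -> rewrite the port (backup in FILE.bak) and
# print the port now in the file; the AJP connector and shutdown port stay as they are
set_connector_port() {
  file=$1 new=$2
  old=$(connector_port "$file")
  [ -n "$old" ] || { echo "no HTTP/1.1 Connector found in $file" >&2; return 1; }
  cp "$file" "$file.bak"
  sed "s/<Connector port=\"$old\" protocol=\"HTTP\/1\.1\"/<Connector port=\"$new\" protocol=\"HTTP\/1\.1\"/" \
    "$file.bak" > "$file"
  connector_port "$file"
}

# port_in_use PORT -> 0 if a TCP listener already holds PORT (the situation the
# post describes with Apache and Tomcat), 1 if it is free, 2 if ss is unavailable
port_in_use() {
  command -v ss >/dev/null 2>&1 || return 2
  ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$1\$"
}

# write_sample_server_xml FILE -> constructed minimal server.xml for demonstration
write_sample_server_xml() {
  cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
}

# Stand-alone demo on the constructed file
demo() {
  d=$(mktemp -d)
  write_sample_server_xml "$d/server.xml"
  echo "before: $(connector_port "$d/server.xml")"
  echo "after:  $(set_connector_port "$d/server.xml" 8081)"
  if port_in_use 8081; then echo "8081 is already in use on this host"; fi
  rm -rf "$d"
}
demo
```

Point set_connector_port at /etc/tomcat7/server.xml and restart Tomcat afterwards; the .bak copy lets you roll back if the file no longer parses, and port_in_use tells you before the restart whether the new port would collide with another listener.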
Also, check the access rights for tomcat.
Deploying OpenAM
Read the instructions in the official installation guide. Read it carefully; it will save you time and trouble (skip the section "To Configure OpenAM With Defaults (For Testing)", it won't help with OpenLDAP). Then read on and execute the deployment. A few things I found to be different from what is described: the ports for the configuration store are set to -1, which should be fine according to the official docs. It did not work on my box, so I assigned random ports above 1023.
Now comes the whole point of this post: integrating OpenLDAP. For the user store, choose OpenDJ, and enter the data and credentials for your LDAP server.
Finish the configuration dialog, and you should be set up with OpenLDAP as a user store in your OpenAM. In theory. In practice, there is a bit more configuration to be done in OpenAM before your LDAP users are ready for use.
Configuring OpenAM
Under "Access Control", "/ (Top Level Realm)", "Authentication":
- Under "Authentication Chaining", choose "ldapService" and change "DataStore" to "LDAP". Save, and go back.
Under "Access Control", "Top level realm", "DataStore", there should be a listing of the configured data stores. If you followed the steps above, there is only one, called "OpenDJ". This is your OpenLDAP data store. Click it and scroll down to "User Configuration". At the very end of that section there are two fields, called "LDAP People Container Naming Attribute" and "LDAP People Container Value". These probably contain values such as "ou" and "people". Clear both.
Thanks for the blog post. I was curious which user store to use.
You are welcome. Please note that I am not saying OpenLDAP is the best (I have not tried the others). It was just that I had the requirement to use OpenLDAP. Other factors to consider are already used directory servers, your personal knowledge, maybe performance if that's of concern, money, etc.