Open ESB Tip : Configuring WLM SE to use OpenDS
By The Old Toxophilist on Feb 09, 2009
WLM SE and OpenDS (LDAP)
OpenDS can be used with the WLM SE to provide User Management, Authentication and Authorization. The User Management features will provide:
- Management / Group Escalation and Assignment.
- Email to User / Group / Manager
- WLM XPath access to these functions.
For the sake of this blog entry I will assume specific naming and configuration information for the LDAP structure. Therefore, before we start, we will need to do the following:
- Download OpenDS
- Install OpenDS
- Create a new Base DN
- Import attached WLM LDIF
As an alternative you can replace all occurrences of dc=wlm,dc=openesb,dc=com with your LDAP structure and modify the configuration as appropriate.
Importing the wlm.ldif file creates two Organizational Units, Groups and People, below the domain dc=wlm,dc=openesb,dc=com. I will briefly describe what each of these Organizational Units is used for and, where appropriate, how each of their attributes is used.
The People OU contains all the People (Users) that can use the WLM SE application. The key attributes required by the WLM SE are:
- uid : Unique Id that will be used to identify the User
- mail : The email address used by the WLM email functionality
- manager : If this optional attribute exists it is used to identify escalation information. The value within this attribute must be a fully qualified DN.
The Groups OU defines groupings of users, and the imported LDIF contains two nominal groups. As you can see below, the FAST group is essentially a full list of all the entries within the People OU. The attributes within each group are used as follows:
- cn : Used to uniquely identify the group and allow the WLM SE to search for groups by this name. When processing a group the WLM SE will process all of its unique members.
- uniqueMember : List of fully qualified DNs that point to the appropriate People within this group.
Authentication / Authorization
Configuring the GlassFish LDAP Realm
I will create the realm information using the standard GlassFish admin console, but you can do this using the command line if you find that easier. To create the Realm you will need to follow the steps below.
- Start the admin console (http://localhost:4848) and login
- Open Common Tasks->Configuration->Security->Realms
- Select New Realm
- Name : OpenDSRealm
- Class Name : com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
- Properties : Within GlassFish the LDAP Realms have a number of mandatory properties and a number of optional properties.
- directory : The URL to your OpenDS Server (ldap://localhost:2389)
- base-dn : The Base Distinguished Name (DN) identifying where the user data is located. As usual this can be at any level above the actual user information, but the smaller the search the better (dc=wlm,dc=openesb,dc=com)
- jaas-context : This is the type of login module to be used and for GlassFish it MUST
- search-filter : Search filter to use to find the user. The default value is uid=%s where %s expands to the subject name.
- search-bind-dn : Optional DN used to bind for the user search if your OpenDS is not configured for anonymous search.
- search-bind-password : Password associated with the DN in search-bind-dn
- group-base-dn : Base DN identifying the location of the Group data. This can be the same as base-dn or narrowed to the group OU (ou=Group,dc=wlm,dc=openesb,dc=com).
- group-target : This is the LDAP attribute name that contains the group name entries; the default is cn.
- group-search-filter : Search filter used to find group memberships for a given user. The default is uniquemember=%d, where %d expands to the full user DN.
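The following is an added example (not code from the blog, the WLM SE or GlassFish) that ties the two preceding sections together: it checks a constructed directory against the attribute rules the People and Groups OUs must satisfy, and then resolves a login name to its groups the way the search-filter, group-base-dn and group-search-filter properties describe. The sample entries, the ou=Groups name for group-base-dn and the in-memory lookup are all assumptions.

```python
BASE_DN = "dc=wlm,dc=openesb,dc=com"
PEOPLE_DN = "ou=People," + BASE_DN
GROUP_BASE_DN = "ou=Groups," + BASE_DN   # assumed: the Groups OU named above

# Constructed sample directory in the wlm.ldif layout; attribute names lowercased.
DIRECTORY = {
    f"uid=alice,{PEOPLE_DN}": {"uid": ["alice"], "mail": ["alice@example.com"],
                               "manager": [f"uid=bob,{PEOPLE_DN}"]},
    f"uid=bob,{PEOPLE_DN}": {"uid": ["bob"], "mail": ["bob@example.com"]},
    f"uid=carol,{PEOPLE_DN}": {"uid": ["carol"],        # no mail, dangling manager
                               "manager": [f"uid=dave,{PEOPLE_DN}"]},
    f"cn=Manager,{GROUP_BASE_DN}": {"cn": ["Manager"],
                                    "uniquemember": [f"uid=bob,{PEOPLE_DN}"]},
    f"cn=FAST,{GROUP_BASE_DN}": {"cn": ["FAST"], "uniquemember":
                                 [f"uid=alice,{PEOPLE_DN}", f"uid=bob,{PEOPLE_DN}"]},
}

def check_wlm_schema(entries):
    """List entries that would break WLM SE email, escalation or group handling."""
    problems = []
    for dn, attrs in entries.items():
        if dn.endswith(PEOPLE_DN):
            for required in ("uid", "mail"):
                if required not in attrs:
                    problems.append(f"{dn}: missing {required}")
            refs = [(m, "manager") for m in attrs.get("manager", [])]
        elif dn.endswith(GROUP_BASE_DN):
            refs = [(m, "uniqueMember") for m in attrs.get("uniquemember", [])]
        else:
            continue
        for target, attr in refs:   # both must be fully qualified DNs of real entries
            if target not in entries:
                problems.append(f"{dn}: {attr} {target!r} is not an existing DN")
    return problems

def realm_lookup(entries, subject, search_filter="uid=%s",
                 group_search_filter="uniquemember=%d", group_target="cn"):
    """Mimic the realm's two searches: user under base-dn via search-filter,
    then groups under group-base-dn whose member attribute lists the user DN.
    (The password bind against the found DN is not modelled here.)"""
    user_attr = search_filter.partition("=")[0].lower()
    user_dns = [dn for dn, a in entries.items()
                if dn.endswith(BASE_DN) and subject in a.get(user_attr, [])]
    if len(user_dns) != 1:
        return None, []      # unknown or ambiguous subject: authentication fails
    member_attr = group_search_filter.partition("=")[0].lower()
    groups = [a[group_target][0] for dn, a in entries.items()
              if dn.endswith(GROUP_BASE_DN) and user_dns[0] in a.get(member_attr, [])]
    return user_dns[0], sorted(groups)
```

Run check_wlm_schema against an export of your real People and Groups OUs before pointing the realm at them; a dangling manager or uniqueMember DN fails silently at escalation time rather than at login.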
WLM SE Configuration
During the installation of the WLM SE into the GlassFish Application Server we can configure the connection parameters for the JBI component. To install the WLM SE you will need to do the following:
- Start your GlassFish instance
- From within NetBeans Right Click GlassFish->JBI->Service Engine->Install
- Navigate to the worklistmanagerse.jar and select it. This will open the installation dialog below.
Configure as above to connect to OpenDS.
I have changed the default LDAP Port and LDAPS Port because I have a number of Directories installed.
- Once configured you can start the sun-wlm-engine.
If you have not created / deployed a WLM SE application then you will see an error message stating that the JDBC connection cannot be found. Follow the instructions in the database section below.
Having started the wlm-engine check that the properties are still correct. In some of the earlier versions they are initially reset to the default values.
Configure Worklist Client Application to use GlassFish LDAP Realm
The WLM SE provides a generic web console that can be used to display / edit WLM SE Tasks (if the user chooses not to create their own console). If you decide to use the generic web console then its security settings will need to be modified to use the OpenDS server for Authentication. To configure the Authentication you will need to edit the web.xml file and modify the Security settings so that the login configuration points to your previously created LDAP Realm. In our case we will modify the web.xml file as indicated below and set the Realm name to "OpenDSRealm".
In the example above you can see that there are two Security Roles :
- Manager Role = Manager Group
- CustomerServiceRep Role =
Configuring the WLM Database
For this blog entry I will assume that we are using MySQL as the database, and hence this section gives the specific instructions for MySQL. If you choose to use an alternative database please check the WLM SE Wiki.
We first need to create a database named WORKFLOW within MySQL; this can be done through the MySQL Administrator.
Once this has been done you can either create the JDBC Resources through the GlassFish Admin GUI or execute the command below.
asadmin create-jdbc-connection-pool --host localhost --port 4848 --datasourceclassname com.mysql.jdbc.jdbc2.optional.MysqlDataSource --restype javax.sql.DataSource --allownoncomponentcallers=true --property portNumber=3306:user=root:password=adminadmin:serverName=localhost:databaseName=WORKFLOW WorkflowMySQLPool
asadmin create-jdbc-resource --host localhost --port 4848 --connectionpoolid WorkflowMySQLPool jdbc/__workflowMySQL
Connection Pools / JDBC Resource