OpenDS <> Roller integration

A recent experiment had me working out how to LDAP-enable Roller authentication. With help from Dave (Roller team), the configuration below has been proven to work. You may find it kludgey in that 1) after registration the user must close and re-open the browser due to a Roller bug and 2) enabling SSO has nothing to do with enabling LDAP authentication, but it works.

Prepare or install a directory server

For starters, if you don't have a directory (LDAP) server available, get one. You will need modify rights, as every Roller user must belong to the group “register” to log in successfully. Properly adding LDAP users and groups can be confusing. Review the first section of my previous entry on OpenDS configuration and use this sample LDIF to add a properly defined Roller user.

Configure Roller

Enable single sign on

Open the roller.properties file and change the property “users.sso.enabled” from “false” to “true”; i.e., “users.sso.enabled=true”

Swap out the internal Roller authentication provider and replace with LDAP

Open the security.xml file and edit as follows. Uncomment the elements beginning with “<!-- Sample LDAP/RollerDB hybrid security configuration -->”. Then secure the user registration page by adding the line “/roller-ui/user.do*=register” to the objectDefinitionSource value of the filterInvocationInterceptor bean; i.e.,

   <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
       <property name="authenticationManager" ref="authenticationManager"/>
       <property name="accessDecisionManager" ref="accessDecisionManager"/>
       <property name="objectDefinitionSource">
           <value>
               PATTERN_TYPE_APACHE_ANT
               /roller-ui/login-redirect.jsp=admin,editor
               /roller-ui/yourProfile**=admin,editor
               /roller-ui/createWebsite**=admin,editor
               /roller-ui/yourWebsites**=admin,editor
               /roller-ui/authoring/**=admin,editor
               /roller-ui/admin/**=admin
               /roller-ui/user.do*=register
               /rewrite-status*=admin
           </value>
       </property>
   </bean>
Securing the registration page makes Roller prompt for LDAP credentials and use the authenticated user's information to pre-populate the user registration form. Note: the user must belong to an LDAP group named “register”.
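To make the effect of that added line concrete, here is an added example (my own re-implementation, not code from Roller or Acegi) of the first-match, Ant-pattern lookup the filterInvocationInterceptor performs over this objectDefinitionSource value. It assumes Ant-style matching where * stays within one path segment and ** crosses segments, that the compared URL includes the query string (which is why the pattern ends in *), that holding any one listed role is enough, and that a URL with no matching pattern is left unrestricted.

```python
import re
# Constructed copy of the objectDefinitionSource value shown above, with the added register line.
OBJECT_DEFINITION_SOURCE = """
PATTERN_TYPE_APACHE_ANT
/roller-ui/login-redirect.jsp=admin,editor
/roller-ui/yourProfile**=admin,editor
/roller-ui/createWebsite**=admin,editor
/roller-ui/yourWebsites**=admin,editor
/roller-ui/authoring/**=admin,editor
/roller-ui/admin/**=admin
/roller-ui/user.do*=register
/rewrite-status*=admin
"""

def parse_definition_source(text):
    """Return the rules, in file order, as a list of (ant_pattern, set_of_roles)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("PATTERN_TYPE_"):
            continue  # skip blank lines and the pattern-type directive
        pattern, _, roles = line.partition("=")
        rules.append((pattern, {r.strip() for r in roles.split(",") if r.strip()}))
    return rules

def ant_to_regex(pattern):
    """Ant pattern to regex: '**' may span '/', '*' and '?' may not (assumed approximation)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        else:
            ch = pattern[i]
            parts.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
            i += 1
    # Assumed: Acegi lower-cases the URL before comparison, so match case-insensitively.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def required_roles(rules, request_url):
    """First matching rule wins; None means no rule restricts this URL."""
    for pattern, roles in rules:
        if ant_to_regex(pattern).match(request_url):
            return roles
    return None

def is_allowed(rules, request_url, user_roles):
    """Grant when the URL is unrestricted or the user holds any one required role."""
    roles = required_roles(rules, request_url)
    return roles is None or bool(roles & set(user_roles))
```

Run `is_allowed(parse_definition_source(OBJECT_DEFINITION_SOURCE), "/roller-ui/user.do?method=register", ["editor"])` to see that even an editor is turned away from the registration page unless the LDAP group “register” is among the roles.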

Comment out the DAO (Roller database) authentication provider and replace it with the LDAP provider; i.e.,

   <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
       <property name="providers">
           <list>
               <!-- <ref local="daoAuthenticationProvider"/> -->
               <ref local="ldapAuthProvider"/>
               <ref local="anonymousAuthenticationProvider"/>
               <!-- rememberMeAuthenticationProvider added programmatically -->
           </list>
       </property>
   </bean>

Point the authentication provider to your OpenDS instance. Note that the values below (LDAP URL, base suffix and manager credentials) are specific to your OpenDS installation. For example:

   <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
       <constructor-arg value="ldap://localhost:1389/dc=example,dc=com"/>
       <property name="managerDn">
           <value>cn=Directory Manager</value>
       </property>
       <property name="managerPassword">
           <value>password</value>
       </property>
   </bean>
  • constructor-arg = the LDAP URL of the OpenDS server, including the base suffix
  • managerDn = (optional) if you do not allow anonymous search, the DN of a user capable of searching the user/group tree
  • managerPassword = (optional) the managerDn password; since it sits in security.xml in clear text, restrict read access to that file

Specify the user search criteria. The attribute “uid” is a typical unique identifier. Note that the token '{0}' is replaced with the username entered on the Roller login form. The empty first constructor argument is the search base relative to the suffix in the LDAP URL, and with searchSubtree set to true the whole tree under that suffix is searched.

   <bean id="ldapUserSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
       <constructor-arg index="0">
           <value></value>
       </constructor-arg>
       <constructor-arg index="1">
           <value>uid={0}</value>
       </constructor-arg>
       <constructor-arg index="2">
           <ref local="initialDirContextFactory" />
       </constructor-arg>
       <property name="searchSubtree">
           <value>true</value>
       </property>
   </bean>


You may find my security.xml file and roller.properties file helpful as a guide. Good luck.

Comments:

There is something strange...
You said that the users must belong to an LDAP group named "register" if we want the register form to be pre-populated.
But in your sample ldif, I didn't see any creation of a group named "register".
Have I missed something?

Posted by Joël Royer on March 27, 2009 at 03:26 AM CDT #
