Active Directory
Documentation provided by Sarah Sloan, Senior Developer, from the University of the West of England, Bristol
The following are steps to configure uPortal to authenticate against Active Directory (AD), pull user attributes from AD and other sources, and place users into groups based on those attributes.
Step 1: Authenticate against Active Directory
You need to tell uPortal to authenticate against AD instead of the bundled CAS server by amending the security.properties and ldapContext.xml files.
In ldapContext.xml, point the LDAP server bean at your directory. The host, port, base DN and uidAttribute below are example values; uidAttribute is the attribute the typed username is matched against, so set it to the login attribute your AD uses. An empty userName and password result in an anonymous bind, which Active Directory does not normally allow for searches, so supply the DN and password of a read-only service account:
<bean id="defaultLdapServer" class="org.jasig.portal.ldap.ContextSourceLdapServerImpl">
    <property name="ldapContextSource" ref="legacyLdapContext"/>
    <property name="uidAttribute" value="uid"/>
    <property name="baseDN" value="ou=People, dc=myuniv, dc=edu"/>
</bean>
<bean id="legacyLdapContext" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldap.myuniv.edu:389"/>
    <property name="userName" value=""/>
    <property name="password" value=""/>
</bean>
In security.properties, configure the union security context to try the simple and LDAP factories:
## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
- If you need uPortal to cache user passwords (the cached credentials are held so that portlets which need them can reuse them), you may add the cache security context factory:
## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.simple.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory
root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
root.ldap.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory
- In the uPortal-parent pom.xml, add a version property for the spring-modules-cache dependency:
<spring-modules-cache.version>0.8a</spring-modules-cache.version>
- Add a dependency declaration:
<dependency>
    <groupId>org.springmodules</groupId>
    <artifactId>spring-modules-cache</artifactId>
    <version>${spring-modules-cache.version}</version>
</dependency>
- Inside that dependency element, you also need to add an exclusion for each of its transitive dependencies:
<exclusions>
    <exclusion><groupId>org.springframework</groupId><artifactId>spring</artifactId></exclusion>
    <exclusion><groupId>gigaspaces</groupId><artifactId>gigaspaces-ce</artifactId></exclusion>
    <exclusion><groupId>jini</groupId><artifactId>jsk-lib</artifactId></exclusion>
    <exclusion><groupId>jini</groupId><artifactId>jsk-platform</artifactId></exclusion>
    <exclusion><groupId>jini</groupId><artifactId>mahalo</artifactId></exclusion>
    <exclusion><groupId>jini</groupId><artifactId>reggie</artifactId></exclusion>
    <exclusion><groupId>jini</groupId><artifactId>start</artifactId></exclusion>
    <exclusion><groupId>jini</groupId><artifactId>boot</artifactId></exclusion>
    <exclusion><groupId>jini</groupId><artifactId>webster</artifactId></exclusion>
    <exclusion><groupId>commons-attributes</groupId><artifactId>commons-attributes-api</artifactId></exclusion>
    <exclusion><groupId>commons-attributes</groupId><artifactId>commons-attributes-compiler</artifactId></exclusion>
    <exclusion><groupId>cglib</groupId><artifactId>cglib-nodep</artifactId></exclusion>
    <exclusion><groupId>jboss</groupId><artifactId>javassist</artifactId></exclusion>
    <exclusion><groupId>jboss</groupId><artifactId>jboss-cache</artifactId></exclusion>
    <exclusion><groupId>jboss</groupId><artifactId>jboss-common</artifactId></exclusion>
    <exclusion><groupId>jboss</groupId><artifactId>jboss-jmx</artifactId></exclusion>
    <exclusion><groupId>jboss</groupId><artifactId>jboss-minimal</artifactId></exclusion>
    <exclusion><groupId>jboss</groupId><artifactId>jboss-system</artifactId></exclusion>
    <exclusion><groupId>jcs</groupId><artifactId>jcs</artifactId></exclusion>
    <exclusion><groupId>jgroups</groupId><artifactId>jgroups-all</artifactId></exclusion>
    <exclusion><groupId>geronimo-spec</groupId><artifactId>geronimo-spec-jta</artifactId></exclusion>
    <exclusion><groupId>xpp3</groupId><artifactId>xpp3_min</artifactId></exclusion>
    <exclusion><groupId>xjavadoc</groupId><artifactId>xjavadoc</artifactId></exclusion>
    <exclusion><groupId>opensymphony</groupId><artifactId>oscache</artifactId></exclusion>
    <exclusion><groupId>ehcache</groupId><artifactId>ehcache</artifactId></exclusion>
</exclusions>
- In the uportal-war/pom.xml file, add a reference to this dependency:
<dependency>
    <groupId>org.springmodules</groupId>
    <artifactId>spring-modules-cache</artifactId>
</dependency>
Step 2: Configure User Attributes
Having changed the authentication source, you now need to configure uPortal to pick up person attributes from wherever they are stored. Presumably at least some will come from AD, but others may come from other sources such as different databases.
The configuration is done in uportal-war/src/main/resources/properties/contexts/personDirectoryContext.xml. The following pages explain how to configure the attribute sources:
- LDAP specific attribute source information
- How to set up more than one source for user attributes (e.g., LDAP and JDBC)
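As an added example that is not part of the original page, the following bean shows one LDAP attribute source for personDirectoryContext.xml; it assumes the legacyLdapContext bean from Step 1, the class and property names of the persondir library that uPortal 3.x bundles, and AD attribute names (sAMAccountName, displayName, mail, department) chosen for illustration.

```xml
<!-- Added example: one LDAP attribute source for personDirectoryContext.xml.
     Reads attributes for the logged-in user from AD via the Step 1 context source. -->
<bean id="ldapPersonAttributeDao"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <!-- Re-uses the context source bean defined in ldapContext.xml (Step 1) -->
    <property name="contextSource" ref="legacyLdapContext"/>
    <!-- Search below this DN (assumed value; match your own directory layout) -->
    <property name="baseDN" value="ou=People,dc=myuniv,dc=edu"/>
    <!-- key: the uPortal query attribute (username); value: the AD attribute it is
         matched against. sAMAccountName is the usual AD login name. -->
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="sAMAccountName"/>
        </map>
    </property>
    <!-- key: AD attribute returned by the search; value: the uPortal attribute
         name(s) it is exposed under. When this map is set, only the attributes
         listed here are exposed to the rest of uPortal. -->
    <property name="resultAttributeMapping">
        <map>
            <entry key="sAMAccountName">
                <set>
                    <value>username</value>
                    <value>uid</value>
                </set>
            </entry>
            <entry key="displayName">
                <set><value>displayName</value></set>
            </entry>
            <entry key="mail">
                <set><value>mail</value></set>
            </entry>
            <!-- Assumed institution-specific attribute for Step 4's PAGS tests -->
            <entry key="department">
                <set><value>department</value></set>
            </entry>
        </map>
    </property>
</bean>
```

The names on the value side of resultAttributeMapping are the attribute names that PAGSGroupStoreConfig.xml tests against in Step 4.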
Step 3: Data Source Configuration
If one or more of your attribute sources are other databases, you need to configure the datasource details. This is done in uportal-war/src/main/resources/properties/contexts/datasourceContext.xml, by default as a direct connection to the database. This is great for builds but at runtime you probably want to use a JNDI datasource.
Step 4: Configure Groups
Now you need to change how uPortal puts users into groups, testing against the attributes you declared in uportal-war/src/main/resources/properties/contexts/personDirectoryContext.xml (step 2). The group testing is configured in uportal-war/src/main/resources/properties/groups/PAGSGroupStoreConfig.xml; change this to put users in groups that are relevant to your institution.
- Person Attribute Groups Store (PAGS) explains how to set up group stores, how they work, and the different tests available
- Amend uportal-war/src/main/data/default_entities/group_membership/Everyone.group-membership.xml to remove any groups that were in the quickstart PAGSGroupStoreConfig but aren’t in your institution's list of groups (Leave the PAGS Root group though as this is required).
- If you have changed the name of the group that admin users go into, you also need to add the name of this group as a child in uportal-war/src/main/data/default_entities/group_membership/Portal_Administrators.group-membership.xml
Note – Some of the quickstart portlets look for a group called all_authenticated. If you don’t require this for your institution but still have some of the quickstart portlets deployed, leave it in until you have removed any pre-packaged portlets you don't want.
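As an added example, not part of the original page, here is a minimal PAGSGroupStoreConfig.xml that keeps the required PAGS Root group and adds one institution group selected by a person attribute; the attribute name department and the value Library are assumed to be what your Step 2 configuration exposes, and the tester classes are the RegexTester and StringEqualsTester shipped with uPortal's PAGS.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example PAGSGroupStoreConfig.xml: groups driven by person attributes.
     Every key listed under PAGS Root's <members> must be a group defined in this file. -->
<Group-Store>
    <group>
        <group-key>pags_root</group-key>
        <group-name>PAGS Root</group-name>
        <group-description>Root group for all PAGS groups (required; do not remove)</group-description>
        <selection-test>
            <test-group>
                <test>
                    <!-- RegexTester with .* matches any value, so every user who has a
                         username attribute is a member of the root group -->
                    <attribute-name>username</attribute-name>
                    <tester-class>org.jasig.portal.groups.pags.testers.RegexTester</tester-class>
                    <test-value>.*</test-value>
                </test>
            </test-group>
        </selection-test>
        <members>
            <member-key>library_staff</member-key>
        </members>
    </group>
    <group>
        <group-key>library_staff</group-key>
        <group-name>Library Staff</group-name>
        <group-description>Users whose department attribute (assumed name) equals Library</group-description>
        <selection-test>
            <!-- Tests inside one test-group are ANDed; separate test-groups are ORed -->
            <test-group>
                <test>
                    <attribute-name>department</attribute-name>
                    <tester-class>org.jasig.portal.groups.pags.testers.StringEqualsTester</tester-class>
                    <test-value>Library</test-value>
                </test>
            </test-group>
        </selection-test>
    </group>
</Group-Store>
```

Any group key you add here that did not exist in the quickstart must also be reflected in Everyone.group-membership.xml as described in the list above.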
Step 5: Configure Layout Assignment to Use New Groups
Modify uportal-war/src/main/resources/properties/dlm.xml to assign fragments to users based on the groups defined in PAGSGroupStoreConfig.
Step 6: Allow Users to Login
The existing ‘Sign in’ button takes users to the CAS sign in page, so to allow users to login using the uPortal authentication (now configured to authenticate against AD) you need to add the login channel to the guest user layout. To do this add the following line to an appropriate place within guest-lo.fragment-layout.xml (but change the ID to be unique in that layout).
<channel fname="login" unremovable="false" hidden="false" immutable="false" ID="n11"/>
Step 7: Rebuild/Redeploy uPortal
ant clean deploy-war
Then, manually import the individual data files that have been updated. These are any files you changed under uportal-war/src/main/data, and you can do the imports using 'ant data-import'. See Import Export Data Migration Tools for instructions on this ant task.
DISCLAIMER: If you don't mind having your uPortal database reinitialized, with your database tables dropped and recreated, the quickest way to deploy the above changes is to run the 'ant initportal' command. This deploys the ear and updates the database as required. However, it's always recommended to use the deploy-ear command if you have customizations already configured.
Step 8: Restart Tomcat
$TOMCAT_HOME/bin/shutdown.sh
$TOMCAT_HOME/bin/startup.sh