Active Directory

Documentation provided by Sarah Sloan, Senior Developer, from the University of the West of England, Bristol

The following are steps to configure uPortal to authenticate against Active Directory (AD), pull user attributes from AD and other sources, and place users into groups based on those attributes.

Step 1: Authenticate against Active Directory

You need to tell uPortal to authenticate against AD instead of the bundled CAS server by amending the security.properties and ldapContext.xml files.

Add the AD connection context to uportal-war/src/main/resources/properties/contexts/ldapContext.xml
<bean id="defaultLdapServer" class="org.jasig.portal.ldap.ContextSourceLdapServerImpl">
    <property name="ldapContextSource" ref="legacyLdapContext"/>
    <property name="uidAttribute" value="uid"/>
    <property name="baseDN" value="ou=People, dc=myuniv, dc=edu"/>
</bean>

<bean id="legacyLdapContext" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldap.myuniv.edu:389"/>
    <property name="userName" value=""/>
    <property name="password" value=""/>
</bean>
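Before deploying, it is worth checking the ldapContext.xml beans above for settings that weaken the AD connection: a plain ldap:// URL sends every user's password in the clear during the bind, empty userName/password make the user search an anonymous bind, and AD accounts are normally found by sAMAccountName rather than uid. The script below is an added example, not part of the uPortal project; it reads the two beans with the standard library and reports those conditions on a constructed copy of the sample configuration.

```python
import xml.etree.ElementTree as ET

LDAP_CLASS = "org.springframework.ldap.core.support.LdapContextSource"
SERVER_CLASS = "org.jasig.portal.ldap.ContextSourceLdapServerImpl"

# Constructed sample: the two Step 1 beans as written above (ldap://, empty bind credentials).
SAMPLE_LDAP_CONTEXT = """<beans>
<bean id="defaultLdapServer" class="org.jasig.portal.ldap.ContextSourceLdapServerImpl">
    <property name="ldapContextSource" ref="legacyLdapContext"/>
    <property name="uidAttribute" value="uid"/>
    <property name="baseDN" value="ou=People, dc=myuniv, dc=edu"/>
</bean>
<bean id="legacyLdapContext" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldap.myuniv.edu:389"/>
    <property name="userName" value=""/>
    <property name="password" value=""/>
</bean>
</beans>"""


def bean_properties(xml_text, bean_class):
    """Map property name -> value for every Spring <bean> of the given class."""
    props = {}
    for bean in ET.fromstring(xml_text).iter("bean"):
        if bean.get("class") == bean_class:
            for p in bean.findall("property"):
                props[p.get("name")] = p.get("value", "")  # ref-only properties yield ""
    return props


def audit_ldap_context(xml_text):
    """Return (property, finding) pairs for the AD connection beans, in check order."""
    findings = []
    ctx = bean_properties(xml_text, LDAP_CLASS)
    server = bean_properties(xml_text, SERVER_CLASS)
    if ctx.get("url", "").startswith("ldap://"):
        findings.append(("url", "cleartext LDAP: user passwords cross the network unencrypted; "
                                "use ldaps:// (port 636) or StartTLS"))
    if not ctx.get("userName") or not ctx.get("password"):
        findings.append(("userName", "empty bind credentials: the user lookup binds anonymously; "
                                     "use a dedicated low-privilege service account"))
    if server.get("uidAttribute") == "uid":
        findings.append(("uidAttribute", "AD user objects normally carry sAMAccountName, not uid; "
                                         "check which attribute your directory populates"))
    return findings


if __name__ == "__main__":
    for prop, msg in audit_ldap_context(SAMPLE_LDAP_CONTEXT):
        print(f"{prop}: {msg}")
```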
Add the SimpleLdapSecurityContextFactory to uportal-war/src/main/resources/properties/security.properties
## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
  • If you need uPortal to cache user passwords, you may add the cache security context factory:
## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.simple.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory
root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
root.ldap.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory
 
  • In the uPortal-parent pom.xml, add a version property

pom.xml
<spring-modules-cache.version>0.8a</spring-modules-cache.version>
  • Add a dependency declaration
pom.xml
<dependency>
   <groupId>org.springmodules</groupId>
   <artifactId>spring-modules-cache</artifactId>
   <version>${spring-modules-cache.version}</version>
</dependency>
  • You also need to add an exclusion for each of its transitive dependencies
pom.xml
 <exclusions>
   <exclusion>
    <groupId>org.springframework</groupId>
    <artifactId>spring</artifactId>
   </exclusion>
   <exclusion>
    <groupId>gigaspaces</groupId>
    <artifactId>gigaspaces-ce</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jini</groupId>
    <artifactId>jsk-lib</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jini</groupId>
    <artifactId>jsk-platform</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jini</groupId>
    <artifactId>mahalo</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jini</groupId>
    <artifactId>reggie</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jini</groupId>
    <artifactId>start</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jini</groupId>
    <artifactId>boot</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jini</groupId>
    <artifactId>webster</artifactId>
   </exclusion>
   <exclusion>
    <groupId>commons-attributes</groupId>
    <artifactId>commons-attributes-api</artifactId>
   </exclusion>
   <exclusion>
    <groupId>commons-attributes</groupId>
    <artifactId>commons-attributes-compiler</artifactId>
   </exclusion>
   <exclusion>
    <groupId>cglib</groupId>
    <artifactId>cglib-nodep</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jboss</groupId>
    <artifactId>javassist</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jboss</groupId>
    <artifactId>jboss-cache</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jboss</groupId>
    <artifactId>jboss-common</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jboss</groupId>
    <artifactId>jboss-jmx</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jboss</groupId>
    <artifactId>jboss-minimal</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jboss</groupId>
    <artifactId>jboss-system</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jcs</groupId>
    <artifactId>jcs</artifactId>
   </exclusion>
   <exclusion>
    <groupId>jgroups</groupId>
    <artifactId>jgroups-all</artifactId>
   </exclusion>
   <exclusion>
    <groupId>geronimo-spec</groupId>
    <artifactId>geronimo-spec-jta</artifactId>
   </exclusion>
   <exclusion>
    <groupId>xpp3</groupId>
    <artifactId>xpp3_min</artifactId>
   </exclusion>
   <exclusion>
    <groupId>xjavadoc</groupId>
    <artifactId>xjavadoc</artifactId>
   </exclusion>
   <exclusion>
    <groupId>opensymphony</groupId>
    <artifactId>oscache</artifactId>
   </exclusion>
   <exclusion>
    <groupId>ehcache</groupId>
    <artifactId>ehcache</artifactId>
   </exclusion>
 </exclusions>
  • In the uportal-war/pom.xml file add a reference to this dependency
uportal-war/pom.xml
 <dependency>
   <groupId>org.springmodules</groupId>
   <artifactId>spring-modules-cache</artifactId>
 </dependency>

Step 2: Configure User Attributes

Having changed the authentication source, you now need to configure uPortal to pick up person attributes from wherever they are stored – presumably at least some will come from AD, but others may come from other sources such as different databases.

The configuration is done in uportal-war/src/main/resources/properties/contexts/personDirectoryContext.xml. The links below explain how to configure the attribute sources:

Step 3: Data Source Configuration

If one or more of your attribute sources are other databases, you need to configure the datasource details. This is done in uportal-war/src/main/resources/properties/contexts/datasourceContext.xml, by default as a direct connection to the database. This is great for builds but at runtime you probably want to use a JNDI datasource.

Step 4: Configure Groups

Now you need to change how uPortal puts users into groups to test against the attributes you declared in the uportal-war/src/main/resources/properties/contexts/personDirectoryContext.xml (step 2). The group testing is configured in uportal-war/src/main/resources/properties/groups/PAGSGroupStoreConfig.xml – change this to put users in groups that are relevant to your institution. 

  1. Person Attribute Groups Store (PAGS) explains how to set up group stores, how they work, and the different tests available.
  2. Amend uportal-war/src/main/data/default_entities/group_membership/Everyone.group-membership.xml to remove any groups that were in the quickstart PAGSGroupStoreConfig but aren't in your institution's list of groups (leave the PAGS Root group, though, as it is required).
  3. If you have changed the name of the group that admin users go into, you also need to add the name of this group as a child in uportal-war/src/main/data/default_entities/group_membership/Portal_Administrators.group-membership.xml.

Note – Some of the quickstart portlets look for a group called all_authenticated. If you don’t require this for your institution but still have some of the quickstart portlets deployed, leave it in until you have removed any pre-packaged portlets you don't want.

Step 5: Configure Layout Assignment to Use New Groups

  • Modify uportal-war/src/main/resources/properties/dlm.xml to assign fragments to users based on the groups defined in PAGSGroupStoreConfig.

Step 6: Allow Users to Log In

The existing 'Sign in' button takes users to the CAS sign-in page, so to allow users to log in using the uPortal authentication (now configured to authenticate against AD) you need to add the login channel to the guest user layout. To do this, add the following line at an appropriate place within guest-lo.fragment-layout.xml (but change the ID so that it is unique in that layout).

uportal-war/src/main/data/default_entities/fragment-layout
<channel fname="login" unremovable="false" hidden="false" immutable="false" ID="n11"/>

Step 7: Rebuild/Redeploy uPortal

ant clean deploy-war

Then, manually import the individual data files that have been updated. These are any files you changed under uportal-war/src/main/data, and you can do the imports using 'ant data-import'. See Import Export Data Migration Tools for instructions on this ant task.


DISCLAIMER: If you don't mind having your uPortal database reinitialized (your database tables are dropped and recreated), the quickest way to deploy the above changes is to run the 'ant initportal' command. This deploys the ear and updates the database as required. However, it is always recommended to use the deploy-ear command if you already have customizations configured.

Step 8: Restart Tomcat

$TOMCAT_HOME/bin/shutdown.sh
$TOMCAT_HOME/bin/startup.sh


Having problems with these instructions?

Please send us feedback at uportal-user@lists.ja-sig.org