
This page is designed to show how to integrate Roller 45.0 1 with either LDAP (Apache DS) or JA-SIG Central Authentication Service. To begin, you will need to download the following. The below instructions have been tested on Ubuntu, Tomcat 7.x and JDK 7 with the following Apache DS releases:


The first step is to install Roller and ensure it works on your application server.

  1. Install Tomcat 6 and create a CATALINA_HOME environment variable that points to the installation location.
  2. Create a roller-custom.properties file and put it in your server's classpath ($CATALINA_HOME/lib for Tomcat 6).

    Code Block
    installation.type=auto 
    database.configurationType=jdbc 
    database.jdbc.driverClass=com.mysql.jdbc.Driver 
    database.jdbc.connectionURL=jdbc:mysql://localhost:3306/rollerdb?createDatabaseIfNotExist=true 
    database.jdbc.username=root 
    database.jdbc.password= 
    mail.configurationType=properties 
    mail.hostName=localhost
    
  3. Download the following JARs and copy them to apache-roller-4.0/webapps/roller/WEB-INF/lib:
  4. Copy apache-roller-4.0/webapps/roller to $CATALINA_HOME/webapps/roller and start Tomcat.
  5. Go to http://localhost:8080/roller and complete the steps to add a new user and create a blog. When creating a new user, use admin for the username and admin for the password.
  6. Test that Roller works by creating a blog entry using the web interface, or using a client like MarsEdit (Moveable Type, RPC URL: http://localhost:8080/roller/roller-services/xmlrpc, Blog ID: admin).

Install LDAP and Test

Now that you have Roller installed and working, configure it to authenticate against LDAP instead of the "rollerdb" database.

If you're new to installing Roller, it's best to first install it with regular database username/password security, following the Roller Install Guide. This will make sure that your JDK, database, mail server, etc. are all properly configured and running, providing a good foundation before bringing in LDAP authentication. In Roller the first user created automatically has admin rights, so it is advisable to use the same username here as the uid of the future admin user in the LDAP configuration below ("rolleradmin" is used in the next section, but that can be changed as desired), although with a different password from the one in LDAP. Using a different password lets you confirm that you're authenticating via the Roller database now, and later (using the LDAP password) via LDAP.

After confirming you can create a user, a blog for that user, and a blog entry, proceed onward for configuring LDAP. 

Activating Apache Directory Server

The instructions below are not a full tutorial on configuring ApacheDS; refer to its documentation for comprehensive information. They provide just enough to demonstrate LDAP authentication.

There are several ways to install and start Apache DS, depending on the operating system you're using. Ubuntu proved unusually clumsy: the Debian packages would not work for me, so I used the standard .tar.gz download instead. I then needed to do the following to activate ApacheDS on Ubuntu (steps #1-#3 are Ubuntu-specific; steps #4 onward should be the same for all environments):

  1. Define a system environment variable $ADS_HOME pointing to your ADS install directory (it is used by $ADS_HOME/bin/apacheds.sh).
  2. Edit the apacheds.sh script, replacing $RUN_JAVA and the quotes around it with the path to your java executable: eval /path/to/jdk/bin/java $JAVA_OPTS $ADS_CONTROLS...
  3. From the ApacheDS home folder, run "sudo bash bin/apacheds.sh default start" (note the necessary use of "bash" on Ubuntu). Then run the command again; if you get a complaint that it's already running, you're in good shape. For further confirmation, check the instances/default/log/apacheds.out file; you should see the ApacheDS ASCII art message indicating a successful start.
  4. Next, install and activate Apache Directory Studio.
  5. Stop Tomcat.
  6. Install Apache Directory Server and start it as root by running "sudo /usr/local/apacheds" (on OS X).
  7. Install Apache Directory Studio and launch the application.
  8. Create a new LDAP Connection with the following settings:
    • Connection Name: Local ApacheDS
    • Hostname: localhost
    • Port: 10389
    • Encryption: No Encryption
    • (Click Next)
    • Bind DN or user: uid=admin,ou=system
    • Bind password: secret
    • (Click Finish)
  9. Download roller.ldif to your Desktop. This file contains an admin account "rolleradmin" with the password "adminldap" (both of course should be changed for an actual installation) as well as Groups and People organizational units.
  10. In Apache Directory Studio, right click on dc=example,dc=com and select Import > LDIF Import...
  11. Select roller.ldif for the LDIF file and click Finish. You may get an error during the import, but it should add entries successfully.
  12. Modify $CATALINA_HOME/lib/roller-custom.properties so it has a single entry:

    Code Block
    users.sso.enabled=true
    
  13. Open $CATALINA_HOME/webapps/roller/WEB-INF/security.xml in your favorite XML editor. Look for "LDAP/SSO" and uncomment the bean definitions to enable LDAP. In the "authenticationManager" bean, comment out "daoAuthenticationProvider" and enable "ldapAuthProvider". Commenting out "daoAuthenticationProvider" is not necessary, but it allows you to verify that you're only authenticating against LDAP. Use the following values in the "initialDirContextFactory" bean:
    • LDAP_URL = ldap://localhost:10389/
    • LDAP_USERNAME = uid=admin,ou=system
    • LDAP_PASSWORD = secret
  14. While you're editing security.xml, change the "rollerlovesacegi" value to something unique to your server. Any XML-friendly characters will work; the more cryptic the better.
  15. Start Tomcat and log in to your blog with admin/adminldap.

These instructions have been tested and verified against OpenDS as well. The main differences are the LDAP settings. The default settings for OpenDS are:

  • LDAP_URL = ldap://localhost:1389/dc=example,dc=com
  • LDAP_USERNAME = cn=Directory Manager
  • LDAP_PASSWORD = password

Install CAS and Test

  1. Install CAS by copying its modules/cas.war to $CATALINA_HOME/webapps.
  2. Navigate to http://localhost:8080/cas and login with admin/admin.
  3. Configure Roller to talk to CAS by making the following modifications to security.xml:
    • In the filterChainProxy bean definition, replace "authenticationProcessingFilter,rememberMeProcessingFilter" with "casProcessingFilter".
    • In the authenticationManager bean, comment out the "ldapAuthProvider" and add <ref local="casAuthenticationProvider"/>.
    • Change the exceptionTranslationFilter to use "casProcessingFilterEntryPoint" for its "authenticationEntryPoint".
    • Look for the "CAS" beans (near the bottom of the file) and uncomment the bean definitions to enable CAS integration.
    • Copy casclient.jar from the cas-client-java-2.1.1/dist directory to $CATALINA_HOME/webapps/roller/WEB-INF/lib.
    • Modify $CATALINA_HOME/conf/server.xml to enable https support. Below is an example.

      Code Block
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS"
                 keystoreFile="/Users/mraible/.keystore" keystorePass="changeit"
                 truststoreFile="/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts"/>

    • Use the CAS SSL Guide to generate, export and import a certificate.
    • At this point, you should be able to start Tomcat and login to your blog. The login page should be from CAS rather than Roller and admin/admin should log you in successfully.

Integrate CAS with Roller's Database

By default CAS ships with a SimpleTestUsernamePasswordAuthenticationHandler that has a hard-coded username and password. To change this to authenticate against Roller's database, complete the following steps:

  1. Edit $CATALINA_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml in your favorite XML editor.
  2. Find the SimpleTestUsernamePasswordAuthenticationHandler bean towards the bottom and comment it out. Replace it with the following:

    Code Block
    <bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
        <property name="tableUsers" value="rolleruser"/>
        <property name="fieldUser" value="username"/>
        <property name="fieldPassword" value="passphrase"/>
        <property name="dataSource" ref="dataSource"/>
    </bean>
    
  3. At the very end of the file (before the ending </beans> element), add a "dataSource" bean definition:

    Code Block
    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
        <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
        <property name="url" value="jdbc:mysql://localhost:3306/rollerdb"/>
        <property name="username" value="root"/>
        <property name="password" value=""/>
        <property name="maxActive" value="100"/>
        <property name="maxWait" value="1000"/>
        <property name="poolPreparedStatements" value="true"/>
        <property name="defaultAutoCommit" value="true"/>
    </bean>
    
  4. Download the following JARs and put them into $CATALINA_HOME/webapps/cas/WEB-INF/lib.
  5. Copy cas-server-support-jdbc-3.1.jar from $CAS_DOWNLOAD/modules to $CATALINA_HOME/webapps/cas/WEB-INF/lib.
  6. Modify the password in the "rollerdb" database so the "admin" user's password is in plain text.
  7. Start Tomcat. You should be able to login with the password you set in the previous step.

Integrate CAS with Apache Directory Server

By default CAS ships with a SimpleTestUsernamePasswordAuthenticationHandler that has a hard-coded username and password. To change this to authenticate against your previously installed Apache Directory Server, complete the following steps:

...

Find the SimpleTestUsernamePasswordAuthenticationHandler bean towards the bottom and comment it out. Replace it with the following:

Code Block
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
    <property name="filter" value="uid=%u,ou=People,dc=example,dc=com" />
    <property name="contextSource" ref="contextSource" />
</bean>

...

At the very end of the file (before the ending </beans> element), add a "contextSource" bean definition:

Code Block
<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls">
        <list>
            <value>ldap://localhost:10389</value>
        </list>
    </property>
    <property name="userName" value="uid=admin,ou=system"/>
    <property name="password" value="secret"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>
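The FastBindLdapAuthenticationHandler above does not search the directory: it substitutes the submitted username for %u in the "filter" value to form a DN and then binds as that DN with the submitted password. The following is an added example (not code from CAS, Roller or ApacheDS) that models that fast-bind flow against a constructed in-memory stand-in for the directory loaded from roller.ldif, and goes one step beyond the page by escaping the username per RFC 4514 so that characters such as commas cannot change the shape of the resulting DN; the escaping rules and the FAKE_DIRECTORY contents are assumptions of this example.

```python
# Added example: models CAS fast-bind authentication with the DN template
# "uid=%u,ou=People,dc=example,dc=com". The directory below is a constructed
# stand-in for the ApacheDS instance; "adminldap" and "secret" are the sample
# passwords used on this page.

# RFC 4514 characters that must be escaped inside a DN attribute value.
_DN_SPECIALS = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:            # leading '#' must be escaped
            out.append('\\#')
        elif ch == ' ' and i in (0, last):    # leading/trailing spaces too
            out.append('\\ ')
        elif ord(ch) < 0x20:                  # control characters as \xx hex
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_dn(template: str, username: str) -> str:
    """Fill the %u placeholder of a fast-bind DN template with an escaped username."""
    return template.replace('%u', escape_dn_value(username))


# Constructed stand-in for the directory: bind DN -> userPassword.
FAKE_DIRECTORY = {
    'uid=rolleradmin,ou=People,dc=example,dc=com': 'adminldap',
    'uid=admin,ou=system': 'secret',   # the ApacheDS admin used by contextSource
}

CAS_FILTER = 'uid=%u,ou=People,dc=example,dc=com'


def fast_bind(template: str, username: str, password: str,
              directory=FAKE_DIRECTORY) -> bool:
    """Return True when a simple bind as the templated DN would succeed."""
    dn = build_bind_dn(template, username)
    return dn in directory and directory[dn] == password


if __name__ == '__main__':
    print(build_bind_dn(CAS_FILTER, 'rolleradmin'))
    print(fast_bind(CAS_FILTER, 'rolleradmin', 'adminldap'))
```

Because the bind DN is always anchored under ou=People, a login attempt for the ApacheDS admin (uid=admin,ou=system) fails here even with the correct password, which is the behaviour you want from a handler pointed at a single People container.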

...

  1. Under the dc=example,dc=com heading, add additional users under rolleradmin with different passwords.

Configuring Roller to use LDAP authentication

Now that we have our users in our LDAP directory, we'll configure Roller to authenticate against them.  Make sure Roller is shut down before proceeding, so the new configuration will be detected on startup:

  1. Alter your roller-custom.properties to activate LDAP:

    Code Block
    authentication.method=ldap
    

    If you aren't using Apache DS, you may need to alter the attribute values Roller uses to bring in the LDAP data elements.

  2. Alter the security.xml located in the WEB-INF folder of the roller.war file, switching authentication from normal password to LDAP following the instructions given in the comments in that file.  The default Apache DS LDAP password (secret) should of course be changed to that of your LDAP installation.
  3. Start Tomcat and log in to your blog with rolleradmin/adminldap (the password as defined in the downloaded roller.ldif file). By confirming that your LDAP password works but your prior database-created one no longer does, you'll know that the LDAP authentication method has been activated.
  4. Go to the Blog Server Administration settings page and click the "Allow New Users?" setting to let other users log in with their LDAP usernames and passwords.  As those other users log in, Roller will present them an opportunity to create their new blogs.


For any questions about LDAP configuration, please contact the Roller User's mailing list.