Here is an alternative configuration for Active Directory; you can find it in activedirectory-configuration.xml.
There is a Microsoft restriction: Active Directory refuses to set a password (the unicodePwd attribute) over an unencrypted connection, so you have to use the LDAPS protocol.
Here is how to use the LDAPS protocol with Active Directory:
1. Set up AD to use SSL/TLS:
* add the Active Directory Certificate Services role
* install a server-authentication certificate on the domain controller; its subject/SAN must match the host name that clients put in providerURL, otherwise certificate validation on the client side fails
2. Enable the Java VM to trust the certificate presented by AD:
* import the root CA used by AD into a truststore, something like
keytool -importcert -alias ad-root-ca -file 2008.cer -storepass changeit -keystore /home/user/java/jdk1.6/jre/lib/security/cacerts
(keytool's -storepass is the keystore password; -keypass protects private-key entries and is not used when importing a trusted certificate. Import only the CA certificate, not the DC's leaf certificate. Be aware that adding the CA to the JDK's default cacerts makes it trusted for every TLS connection that JVM makes; a dedicated truststore file limits the blast radius.)
* set Java options so the JVM uses that truststore (when the CA was imported into the JDK's default cacerts these two properties are normally redundant; they are required for a dedicated truststore file):
JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/home/user/java/jdk1.6/jre/lib/security/cacerts"
(The truststore password only protects the integrity of the truststore file, and anything placed in JAVA_OPTS is visible in the process list, so do not reuse a real secret here.)[...]
<component>
<key>org.exoplatform.services.ldap.LDAPService</key>
[..]
<object type="org.exoplatform.services.ldap.impl.LDAPConnectionConfig">
<!-- for multiple ldap servers, use a comma-separated list of host:port (Ex. ldap://127.0.0.1:389,10.0.0.1:389) -->
<!-- whether SSL/TLS is used is decided by the providerURL scheme (see below). For LDAPS the JVM must trust the CA that issued the DC certificate: set javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. A javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword is only needed if the DC requires client-certificate authentication -->
<!-- exo portal default installed javax.net.ssl.trustStore file is java.home/lib/security/cacerts -->
<!-- ldap service checks the protocol: if it is ldaps, SSL is enabled (Ex. to enable ssl: ldaps://10.0.0.3:636 ; to disable ssl: ldap://10.0.0.3:389 ). With plain ldap:// the simple bind sends the rootdn password in clear text, and AD will refuse writes to unicodePwd over it (see the Microsoft restriction at the top of this page) -->
<!-- when SSL is enabled, ensure server name is *.directory and port (Ex. active.directory) -->
<!-- NOTE(review): providerURL uses an IP address, but the DC certificate is normally issued for the DC's FQDN. JDKs that enforce LDAPS endpoint identification by default (8u181 and later, as far as I recall) will reject the connection unless the host in this URL matches the certificate; prefer the DC FQDN. TODO confirm against the JDK actually in use -->
<field name="providerURL"><string>ldaps://10.0.0.3:636</string></field>
<!-- NOTE(review): this binds as the built-in domain Administrator. From the attribute mapping below the portal appears to need only user/group searches and password resets; use a dedicated service account delegated just those rights rather than a Domain Admin -->
<field name="rootdn"><string>CN=Administrator,CN=Users, DC=exoplatform,DC=org</string></field>
<!-- the bind password is stored in clear text in this file: restrict the file's permissions and never commit a real value to source control -->
<field name="password"><string>site</string></field>
<field name="version"><string>3</string></field>
<!-- referrals returned by the directory are ignored rather than followed -->
<field name="referralMode"><string>ignore</string></field>
<field name="serverName"><string>active.directory</string></field>
</object>
[..]
<component>
<key>org.exoplatform.services.organization.OrganizationService</key>
[...]
<object type="org.exoplatform.services.organization.ldap.LDAPAttributeMapping">
[...]
<!-- users log in with the value of their mail attribute (the same attribute as userMailAttr below); the lookup for that value must resolve to exactly one entry, so mail has to be unique within the searched base. TODO confirm how the service behaves when two entries share a mail value -->
<field name="userAuthenticationAttr"><string>mail</string></field>
<field name="userUsernameAttr"><string>sAMAccountName</string></field>
<!-- AD's password attribute; AD accepts writes to it only over an encrypted connection, which is why providerURL has to be ldaps:// (see the Microsoft restriction at the top of this page) -->
<field name="userPassword"><string>unicodePwd</string></field>
<field name="userLastNameAttr"><string>sn</string></field>
<field name="userDisplayNameAttr"><string>displayName</string></field>
<field name="userMailAttr"><string>mail</string></field>
[..]
<!-- membership types and memberships are both mapped onto the AD group object class: the same object classes and the same objectClass filter are used for each -->
<field name="membershipTypeLDAPClasses"><string>top,group</string></field>
<field name="membershipTypeObjectClassFilter"><string>objectClass=group</string></field>
[..]
<field name="membershipLDAPClasses"><string>top,group</string></field>
<field name="membershipObjectClassFilter"><string>objectClass=group</string></field>
</object>
[...]
</component>