This page is designed to show how to integrate Roller 4.0 with LDAP and JA-SIG Central Authentication Service. To begin, you will need to download the following:

...

  1. Install Tomcat 6 and create a CATALINA_HOME environment variable that points to the installation location.
  2. Create a roller-custom.properties file and put it in your server's classpath ($CATALINA_HOME/lib for Tomcat 6).

    installation.type=auto 
    database.configurationType=jdbc 
    database.jdbc.driverClass=com.mysql.jdbc.Driver 
    database.jdbc.connectionURL=jdbc:mysql://localhost:3306/rollerdb?createDatabaseIfNotExist=true 
    database.jdbc.username=root 
    database.jdbc.password= 
    mail.configurationType=properties 
    mail.hostName=localhost
    
  3. Download the following JARs and copy them to apache-roller-4.0/webapps/roller/WEB-INF/lib:
  4. Copy apache-roller-4.0/webapps/roller to $CATALINA_HOME/webapps/roller and start Tomcat.
  5. Go to http://localhost:8080/roller and complete the steps to add a new user and create a blog. When creating a new user, use admin for the username and admin for the password.
  6. Test that Roller works by creating a blog entry using the web interface, or using a client like MarsEdit (Movable Type, RPC URL: http://localhost:8080/roller/roller-services/xmlrpc, Blog ID: admin).

...

  1. Stop Tomcat.
  2. Install Apache Directory Server and start it as root by running "sudo /usr/local/apacheds" (on OS X).
  3. Install Apache Directory Studio and launch the application.
  4. Create a new LDAP Connection with the following settings:
    • Connection Name: Local ApacheDS
    • Hostname: localhost
    • Port: 10389
    • Encryption: No Encryption
    • (Click Next)
    • Bind DN or user: uid=admin,ou=system
    • Bind password: secret
    • (Click Finish)
  5. Download roller.ldif to your Desktop. This file contains an admin account as well as Groups and People organizational units.
  6. In Apache Directory Studio, right-click on dc=example,dc=com and select Import > LDIF Import...
  7. Select roller.ldif for the LDIF file and click Finish. You may get an error during the import, but it should add entries successfully.
  8. Modify $CATALINA_HOME/lib/roller-custom.properties so it has a single entry:

    users.sso.enabled=true
    
  9. Open $CATALINA_HOME/webapps/roller/WEB-INF/security.xml in your favorite XML editor. Look for "LDAP/SSO" and uncomment the bean definitions to enable LDAP. In the "authenticationManager" bean, comment out "daoAuthenticationProvider" and enable "ldapAuthProvider". Commenting out "daoAuthenticationProvider" is not necessary, but it allows you to verify you're only authenticating against LDAP. Set the following values in the "initialDirContextFactory" bean:
    • LDAP_URL = ldap://localhost:10389/dc=example,dc=com
    • LDAP_USERNAME = uid=admin,ou=system
    • LDAP_PASSWORD = secret
  10. While you're editing security.xml, change the "rollerlovesacegi" value to something unique to your server. Any XML-friendly characters will work. The more cryptic the better.
  11. Start Tomcat and log in to your blog with admin/adminldap.
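
One way to carry out step 10, as an added example that is not part of the original page or of Roller: the function below swaps every occurrence of the shipped value for one random hex string, so any beans that share it keep matching. The sample XML is constructed, the Acegi bean layout in it is an assumption about where the value appears, and the function name is hypothetical.

```python
import secrets
import xml.etree.ElementTree as ET

DEFAULT_KEY = "rollerlovesacegi"  # value named in step 10

# Constructed sample, not Roller's real security.xml.
SAMPLE_SECURITY_XML = """<beans>
  <bean id="rememberMeServices"
        class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    <property name="key" value="rollerlovesacegi"/>
  </bean>
  <bean id="rememberMeAuthenticationProvider"
        class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
    <property name="key" value="rollerlovesacegi"/>
  </bean>
</beans>"""


def replace_default_key(xml_text, new_key=None):
    """Replace every occurrence of the shipped key with one random value.

    Returns (updated_xml, new_key, occurrences_replaced).
    """
    # 32 random bytes as hex: only [0-9a-f], so no XML escaping is needed.
    new_key = new_key or secrets.token_hex(32)
    count = xml_text.count(DEFAULT_KEY)
    if count == 0:
        raise ValueError("default key not found; it may already be changed")
    updated = xml_text.replace(DEFAULT_KEY, new_key)
    ET.fromstring(updated)  # raises ParseError if the result is not well-formed
    return updated, new_key, count


if __name__ == "__main__":
    updated, key, count = replace_default_key(SAMPLE_SECURITY_XML)
    print(f"replaced {count} occurrence(s) with a {len(key)}-character key")
```

To apply it, read $CATALINA_HOME/webapps/roller/WEB-INF/security.xml, pass its text to the function, and write the returned text back while Tomcat is stopped.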

...

  1. Install CAS by copying its modules/cas.war to $CATALINA_HOME/webapps.
  2. Navigate to http://localhost:8080/cas and log in with admin/admin.
  3. Configure Roller to talk to CAS by making the following modifications to security.xml:
    • In the filterChainProxy bean definition, replace "authenticationProcessingFilter,rememberMeProcessingFilter" with "casProcessingFilter".
    • In the authenticationManager bean, comment out the "ldapAuthProvider" and add <ref local="casAuthenticationProvider"/>.
    • Change the exceptionTranslationFilter to use "casProcessingFilterEntryPoint" for its "authenticationEntryPoint".
    • Look for the "CAS" beans (near the bottom of the file) and uncomment the bean definitions to enable CAS integration.
    • Copy casclient.jar from the cas-client-java-2.1.1/dist directory to $CATALINA_HOME/webapps/roller/WEB-INF/lib.
    • Modify $CATALINA_HOME/conf/server.xml to enable https support. Below is an example.

          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" 
                     keystoreFile="/Users/mraible/.keystore" keystorePass="changeit"
                     truststoreFile="/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts"/>
      
    • Use the CAS SSL Guide to generate, export and import a certificate.
    • At this point, you should be able to start Tomcat and log in to your blog. The login page should be from CAS rather than Roller and admin/admin should log you in successfully.

...

  1. Edit $CATALINA_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml in your favorite XML editor.
  2. Find the SimpleTestUsernamePasswordAuthenticationHandler bean towards the bottom and comment it out. Replace it with the following:

    <bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
        <property name="tableUsers" value="rolleruser"/>
        <property name="fieldUser" value="username"/>
        <property name="fieldPassword" value="passphrase"/>
        <property name="dataSource" ref="dataSource"/>
    </bean>
    
  3. At the very end of the file (before the ending </beans> element), add a "dataSource" bean definition:

    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
        <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
        <property name="url" value="jdbc:mysql://localhost:3306/rollerdb"/>
        <property name="username" value="root"/>
        <property name="password" value=""/>
        <property name="maxActive" value="100"/>
        <property name="maxWait" value="1000"/>
        <property name="poolPreparedStatements" value="true"/>
        <property name="defaultAutoCommit" value="true"/>
    </bean>
    
  4. Download the following JARs and put them into $CATALINA_HOME/webapps/cas/WEB-INF/lib.
  5. Copy cas-server-support-jdbc-3.1.jar from $CAS_DOWNLOAD/modules to $CATALINA_HOME/webapps/cas/WEB-INF/lib.
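  6. Modify the password in the "rollerdb" database so the "admin" user's password is in plain text. The handler configured in step 2 sets no password encoder, so CAS compares the submitted password with the stored "passphrase" value as-is.
  7. Start Tomcat. You should be able to log in with the password you set in the previous step.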

...

  1. Edit $CATALINA_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml in your favorite XML editor.
  2. Find the SimpleTestUsernamePasswordAuthenticationHandler bean towards the bottom and comment it out. Replace it with the following:

    <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
        <property name="filter" value="uid=%u,ou=People,dc=example,dc=com" />
        <property name="contextSource" ref="contextSource" />
    </bean>
    
  3. At the very end of the file (before the ending </beans> element), add a "contextSource" bean definition:

    <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="pooled" value="true"/>
        <property name="urls">
            <list>
                <value>ldap://localhost:10389</value>
            </list>
        </property>
        <property name="userName" value="uid=admin,ou=system"/>
        <property name="password" value="secret"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key>
                        <value>java.naming.security.authentication</value>
                    </key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>
    
  4. Copy cas-server-support-ldap-3.1.jar from $CAS_DOWNLOAD/modules to $CATALINA_HOME/webapps/cas/WEB-INF/lib.
  5. Start Tomcat. You should be able to log in with admin/adminldap.
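
A check for the two CAS procedures above (database and LDAP), added here and not part of the original page or of CAS: it parses deployerConfigContext.xml and reports whether the test handler is really commented out, whether a handler references a bean that was never defined, and whether this tutorial's test passwords or unencrypted ldap:// URL are still in place. The sample file is constructed and trimmed, and the function and constant names are hypothetical.

```python
import xml.etree.ElementTree as ET

TEST_HANDLER = "SimpleTestUsernamePasswordAuthenticationHandler"
TUTORIAL_SECRETS = {"", "secret", "changeit"}  # test values used on this page

# Constructed, trimmed sample of the file after the LDAP steps.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers"><list>
      <!-- <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"/> -->
      <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
        <property name="filter" value="uid=%u,ou=People,dc=example,dc=com"/>
        <property name="contextSource" ref="contextSource"/>
      </bean>
    </list></property>
  </bean>
  <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="urls"><list><value>ldap://localhost:10389</value></list></property>
    <property name="userName" value="uid=admin,ou=system"/>
    <property name="password" value="secret"/>
  </bean>
</beans>"""


def local(tag):
    """Strip an XML namespace (such as Spring's beans namespace) from a tag."""
    return tag.rsplit("}", 1)[-1]


def audit_cas_config(xml_text):
    """Return a list of findings for a CAS deployerConfigContext.xml."""
    root = ET.fromstring(xml_text)  # the parser drops XML comments
    beans = [e for e in root.iter() if local(e.tag) == "bean"]
    ids = {b.get("id") for b in beans if b.get("id")}
    findings = []
    for bean in beans:
        cls = bean.get("class", "")
        if cls.endswith(TEST_HANDLER):
            findings.append("test handler still active: " + cls)
        for prop in (e for e in bean if local(e.tag) == "property"):
            name, value, ref = prop.get("name"), prop.get("value"), prop.get("ref")
            if ref and ref not in ids:
                findings.append(f"property '{name}' references undefined bean '{ref}'")
            if name == "password" and value in TUTORIAL_SECRETS:
                findings.append(f"tutorial password left on bean '{bean.get('id')}'")
    for v in (e for e in root.iter() if local(e.tag) == "value"):
        if (v.text or "").strip().startswith("ldap://"):
            findings.append("unencrypted LDAP URL: " + v.text.strip())
    return findings
```

Run against the sample, it reports the "secret" bind password and the ldap:// URL; with the test handler uncommented or the "contextSource" bean missing, those appear as findings too.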