Comment: Finished LDAP instructions

...

Note

These instructions should work on any application server, provided you're able to install Roller on it.

...

  1. Stop Tomcat.
  2. Install Apache Directory Server and start it as root by running "sudo /usr/local/apacheds" (on OS X).
  3. Install Apache Directory Studio and launch the application.
  4. Create a new LDAP Connection with the following settings:
    • Connection Name: Local ApacheDS
    • Hostname: localhost
    • Port: 10389
    • Encryption: No Encryption
    • (Click Next)
    • Bind DN or user: uid=admin,ou=system
    • Bind password: secret
    • (Click Finish)
  5. Download roller.ldif to your Desktop. This file contains an admin account as well as Groups and People organizational units.
  6. In Apache Directory Studio, right click on dc=example,dc=com and select Import > LDIF Import...
  7. Select roller.ldif for the LDIF file and click Finish. You may get an error during the import, but it should add entries successfully.
  8. Modify $CATALINA_HOME/lib/roller-custom.properties so it has a single entry:
    users.sso.enabled=true
    
  9. Open $CATALINA_HOME/webapps/roller/WEB-INF/security.xml in your favorite XML editor. Look for "LDAP/SSO" and uncomment the bean definitions to enable LDAP. In the "authenticationManager" bean, comment out "daoAuthenticationProvider" and enable "ldapAuthProvider". Commenting out "daoAuthenticationProvider" is not necessary, but it lets you verify that you're authenticating only against LDAP. Use the following values in the "initialDirContextFactory" bean:
    • LDAP_URL = ldap://localhost:10389/dc=example,dc=com
    • LDAP_USERNAME = uid=admin,ou=system
    • LDAP_PASSWORD = secret
  10. While you're editing security.xml, change the "rollerlovesacegi" value to something unique to your server. Any XML-friendly characters will work. The more cryptic the better.
  11. Create a $CATALINA_HOME/webapps/roller/META-INF/context.xml file and add the following to it:
    
    <Context path="/roller" debug="99">
        <Resource name="jdbc/rollerdb" auth="Container" type="javax.sql.DataSource"
                  driverClassName="com.mysql.jdbc.Driver"
                  url="jdbc:mysql://localhost:3306/rollerdb?useUnicode=true&amp;characterEncoding=utf-8&amp;mysqlEncoding=utf8"
                  username="root" password=""
                  maxActive="20" maxIdle="3" removeAbandoned="true" maxWait="3000"/>
    
        <Resource name="mail/Session" auth="Container" type="javax.mail.Session"
                  mail.smtp.host="localhost"/>
    </Context>
    
    Note

    This step shouldn't be necessary because of the database settings in roller-custom.properties. This is likely a bug in Roller's configuration.

  12. Start Tomcat and login to your blog with admin/adminldap.

These instructions have been tested and verified against OpenDS as well. The main differences are the LDAP settings. The default settings for OpenDS are:

  • LDAP_URL = ldap://localhost:1389/dc=example,dc=com
  • LDAP_USERNAME = cn=Directory Manager
  • LDAP_PASSWORD = password

Install CAS and Test

  1. Install CAS by copying modules/cas.war to $CATALINA_HOME/webapps.
  2. Navigate to http://localhost:8080/cas and log in with admin/admin.
  3. Configure Roller to talk to CAS by making the following modifications to security.xml:
    • In the filterChainProxy bean definition, replace "authenticationProcessingFilter,rememberMeProcessingFilter" with "casProcessingFilter".
    • In the authenticationManager bean, comment out the "ldapAuthProvider" and add <ref local="casAuthenticationProvider"/>.
    • Add the following bean definitions for Acegi-CAS integration:
      
      <!-- ======================== CENTRAL AUTHENTICATION SERVICE (CAS) ======================= -->
      <bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
          <property name="authenticationManager" ref="authenticationManager"/>
          <property name="authenticationFailureUrl" value="/roller-ui/login.rol?error=true"/>
          <property name="defaultTargetUrl" value="/"/>
          <property name="filterProcessesUrl" value="/roller_j_security_check"/>
      </bean>
      
      <bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
          <property name="loginUrl" value="https://localhost:8443/cas/login"/>
          <property name="serviceProperties" ref="serviceProperties"/>
      </bean>
      
      <bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
          <property name="casAuthoritiesPopulator">
              <bean class="org.roller.ui.security.cas.RollerCasPopulator">
                  <property name="userDetailsService" ref="jdbcAuthenticationDao"/>
              </bean>
          </property>
          <property name="casProxyDecider" ref="casProxyDecider"/>
          <property name="ticketValidator" ref="casProxyTicketValidator"/>
          <property name="statelessTicketCache" ref="statelessTicketCache"/>
          <property name="key" value="my_password_for_this_auth_provider_only"/>
      </bean>
      
      <bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
          <property name="casValidate" value="https://localhost:8443/cas/proxyValidate"/>
          <property name="proxyCallbackUrl" value="http://localhost:8080/roller/casProxy/receptor"/>
          <property name="serviceProperties" ref="serviceProperties"/>
          <property name="trustStore" value="/Library/Java/Home/lib/security/cacerts"/>
      </bean>
      
      <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
      
      <bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
          <property name="cacheManager" ref="cacheManager"/>
          <property name="cacheName" value="ticketCache"/>
      </bean>
      
      <bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
          <property name="cache" ref="ticketCacheBackend"/>
      </bean>
      
      <bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>
      
      <bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
          <property name="service" value="http://localhost:8080/roller/roller_j_security_check"/>
          <property name="sendRenew" value="false"/>
      </bean>
      
    • Download roller-cas.jar and copy it to $CATALINA_HOME/webapps/roller/WEB-INF/lib.
    • Copy casclient.jar from the cas-client-java-2.1.1/dist directory to $CATALINA_HOME/webapps/roller/WEB-INF/lib.
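Both the LDAP steps (commenting out "daoAuthenticationProvider", replacing the "rollerlovesacegi" value) and the CAS edits above (swapping "casProcessingFilter" into the filter chain, the https CAS URLs, the provider "key") are easy to get half right and hard to notice afterwards, because a misconfigured security.xml still starts. The script below is an added example, not Roller's own code or anything from Apache/Acegi: it parses a security.xml-style file and reports the points the instructions care about. It assumes the bean ids used on this page and the Acegi FilterChainProxy layout in which the chain is the text of a "filterInvocationDefinitionSource" property; the sample XML is constructed for the example, with the mistakes deliberately left in. Because an XML parser drops comments, a bean or ref you commented out simply disappears, which is exactly what the checks want to confirm.

```python
"""Audit a Roller security.xml (Acegi) for the LDAP/CAS points in the instructions above.
Example code added to this page, not part of Roller. Assumptions: the bean ids used on
this page, and a FilterChainProxy whose chain is the text of filterInvocationDefinitionSource."""
import xml.etree.ElementTree as ET

# Secret values that appear verbatim in these instructions; a deployed file should not keep them.
SAMPLE_KEYS = {"rollerlovesacegi", "my_password_for_this_auth_provider_only"}


def _bean(root, bean_id):
    """Return the <bean> with the given id, or None (a commented-out bean never parses)."""
    return next((b for b in root.iter("bean") if b.get("id") == bean_id), None)


def _prop(bean, name):
    """Return the 'value' attribute of a direct <property name=...> child, or None."""
    for p in bean.findall("property"):
        if p.get("name") == name:
            return p.get("value")
    return None


def _chain_filters(filter_chain_proxy):
    """Collect filter names from every '/pattern=f1,f2,...' line of the chain definition."""
    names = set()
    for p in filter_chain_proxy.findall("property"):
        if p.get("name") == "filterInvocationDefinitionSource":
            for line in "".join(p.itertext()).splitlines():
                if "=" in line:
                    names.update(f.strip() for f in line.split("=", 1)[1].split(","))
    return names


def audit_security_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The remember-me key and the CAS provider key must not be the values shown on this page.
    for b in root.iter("bean"):
        if _prop(b, "key") in SAMPLE_KEYS:
            findings.append(f"{b.get('id')}: 'key' still has the sample value from the instructions")

    # 2. Which providers are live? Commenting out daoAuthenticationProvider is what lets you
    #    verify that only LDAP (or CAS) is consulted for logins.
    am = _bean(root, "authenticationManager")
    providers = {r.get("local") or r.get("bean") for r in am.iter("ref")} if am is not None else set()
    if "daoAuthenticationProvider" in providers and providers & {"ldapAuthProvider", "casAuthenticationProvider"}:
        findings.append("authenticationManager: daoAuthenticationProvider is still active alongside LDAP/CAS")

    # 3. The CAS login and ticket-validation endpoints must be https, as in the beans above.
    for bean_id, prop in (("casProcessingFilterEntryPoint", "loginUrl"), ("casProxyTicketValidator", "casValidate")):
        b = _bean(root, bean_id)
        if b is not None and not (_prop(b, prop) or "").startswith("https://"):
            findings.append(f"{bean_id}.{prop} is not https")

    # 4. With CAS active, the chain must carry casProcessingFilter and no longer the form-login filter.
    fcp = _bean(root, "filterChainProxy")
    if "casAuthenticationProvider" in providers and fcp is not None:
        filters = _chain_filters(fcp)
        if "casProcessingFilter" not in filters:
            findings.append("filterChainProxy: casProcessingFilter is missing from the chain")
        if "authenticationProcessingFilter" in filters:
            findings.append("filterChainProxy: authenticationProcessingFilter is still in the chain")
    return findings


# Constructed sample modelled on the edits described above, with typical slips left in.
SAMPLE_XML = """<beans>
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,casProcessingFilter,exceptionTranslationFilter
      </value>
    </property>
  </bean>
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers"><list>
      <ref local="daoAuthenticationProvider"/>
      <!-- <ref local="ldapAuthProvider"/> -->
      <ref local="casAuthenticationProvider"/>
    </list></property>
  </bean>
  <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    <property name="key" value="rollerlovesacegi"/>
  </bean>
  <bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
    <property name="loginUrl" value="http://localhost:8080/cas/login"/>
  </bean>
  <bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
    <property name="casValidate" value="https://localhost:8443/cas/proxyValidate"/>
  </bean>
  <bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
    <property name="key" value="my_password_for_this_auth_provider_only"/>
  </bean>
</beans>"""

# The same file after the fixes: unique keys, dao provider commented out, https login URL.
HARDENED_XML = (SAMPLE_XML
    .replace("rollerlovesacegi", "x7Qp-generated-per-server")
    .replace("my_password_for_this_auth_provider_only", "another-unique-value")
    .replace('<ref local="daoAuthenticationProvider"/>', '<!-- <ref local="daoAuthenticationProvider"/> -->')
    .replace("http://localhost:8080/cas/login", "https://localhost:8443/cas/login"))

if __name__ == "__main__":
    for label, xml in (("as edited", SAMPLE_XML), ("hardened", HARDENED_XML)):
        print(label, audit_security_xml(xml) or "OK")
```

Point `audit_security_xml` at the real file with `open(path).read()`; the constructed sample yields four findings (both sample keys, the dao provider left active, the plain-http CAS login URL) and the hardened copy yields none.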