Difference between revisions of "D4Science Portal LDAP Authorization"

Latest revision as of 17:36, 14 January 2010

To communicate with the LDAP server and so have a centralized authorization point, the D4Science portal requires the following steps to be performed once you have installed the GridSphere Portal on your machine.

Applications Needed

This Guide has been tested with Gridsphere 3.1, deployed on Apache Tomcat 5.5.26. You also need to download a JBoss Application Server 4.0.3 distribution (see http://www.jboss.com/downloads/).

Authentication Modules - Java Authentication and Authorization Framework

An authentication module is described by an XML descriptor file called authmodules.xml, located in the WEB-INF directory of the web application.

GridSphere provides a pluggable way to specify the "authentication modules" used for authenticating users to the portal. The model is very similar to the PAM (Pluggable Authentication Modules) approach used in Unix: modules are "stackable", and each module that is selected as active also has a priority associated with it. This makes it possible, for instance, to fall back to the GridSphere password-based authentication module if some other module with a higher priority fails first.

Step 1: Edit the authmodules.xml located in $CATALINA_HOME/webapps/$PortalInstallation_DIR/WEB-INF

Replace the second <auth-module> with this one:

    <auth-module>
        <name>GridSphere JAAS for LDAP</name>
        <description lang="en">Use the Java Authentication and Authorization Framework</description>
        <implementation>org.gridsphere.services.core.security.auth.modules.impl.JaasAuthModule</implementation>
        <active>true</active>
        <priority>10</priority>
        <auth-config>
            <param-name>contextName</param-name>
            <param-value>LdapExtLoginModule</param-value>
        </auth-config>
        <error key="key1" lang="en">Account Expired</error>
        <error key="key2" lang="en">Credentials Expired</error>
        <error key="key3" lang="en">Unexpected Error</error>
        <error key="key1" lang="it">Il tuo Account é scaduto</error>
        <error key="key2" lang="it">Credenziali Scadute</error>
        <error key="key3" lang="it">Errore non previsto, contatta il system administrator</error>
        <error key="key1" lang="es">La cuenta ha expiradi</error>
        <error key="key2" lang="es">Credenciales expiradas</error>
        <error key="key3" lang="es">Error Inesperado</error>
    </auth-module>

This authentication module will be active and will have a higher priority than the first one (the default one):

  • Authentication modules that are ACTIVE are executed upon an attempted login.
  • Each module has a priority number associated with it. Starting with the module that has the lowest priority number, all active modules are executed in turn until authentication succeeds.

Configure Portal to authenticate with some external source

We are going to use the JBoss JAAS LdapExtLoginModule to authenticate against an LDAP server. The necessary classes are contained in jboss-common.jar and jbosssx.jar, both included with a standard JBoss Application Server.


Step 2: Copy jboss-common.jar and jbosssx.jar into the folder $CATALINA_HOME/shared/lib

With these libraries on our class path, we then need to create a standard JAAS configuration file. This file can be named arbitrarily and can be placed anywhere. We call it jaas.config and we place it in the configuration directory of our application server.

Step 3: Create a standard JAAS configuration file with the following content and place it in $CATALINA_HOME/conf/

    Gridsphere {
        org.jboss.security.auth.spi.LdapExtLoginModule required
            java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
            java.naming.provider.url="ldap://ldap.research-infrastructures.eu/"
            java.naming.security.authentication=simple
            bindDN="cn=anonymous,ou=System,dc=research-infrastructures,dc=eu"
            bindCredential=freeToSearch
            baseCtxDN="ou=Organizations,dc=research-infrastructures,dc=eu"
            baseFilter="(uid={0})"
            rolesCtxDN="ou=Groups,ou=DevelopmentPortal,ou=D4Science,ou=Applications,dc=research-infrastructures,dc=eu"
            roleFilter="(uniqueMember={1})"
            roleAttributeID="cn"
            roleRecursion="-1"
        ;
    };

Name it "jaas.config". (You may name it differently; the important thing is that in Step 4 you use the same file name.) This file contains everything that is needed to communicate with the D4Science LDAP server. Be careful not to change anything in this file: copy and paste it exactly as it appears in the frame above.

Make the JVM load the D4Science Portal JAAS configuration

Now we have to make the JVM load our JAAS configuration when Tomcat is started. This is done with the java.security.auth.login.config system property.

Step 4: Modify $CATALINA_HOME/bin/catalina.sh to include the following:

echo "Using JAAS Authentication $CATALINA_HOME/conf/jaas.config"
JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config==$CATALINA_HOME/conf/jaas.config"

You can place those two lines anywhere, but make sure $CATALINA_HOME is already defined at that point; a good place is right after this piece of code:

...

# Only set CATALINA_HOME if not already set
[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." ; pwd`

if [ -r "$CATALINA_BASE"/bin/setenv.sh ]; then
  . "$CATALINA_BASE"/bin/setenv.sh
elif [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then
  . "$CATALINA_HOME"/bin/setenv.sh
fi

...
## Place the two lines here ##
echo "Using JAAS Authentication $CATALINA_HOME/conf/jaas.config"
JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config==$CATALINA_HOME/conf/jaas.config"

...

Step 5: Restart Tomcat

This concludes the installation of the D4Science Portal LDAP Authorization. You just have to start up the Tomcat container.
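As an added sanity check for Steps 2 to 4 (this script is not part of the original guide, nor of GridSphere or D4Science), the POSIX shell function below verifies a Tomcat installation before the restart in Step 5: both JBoss jars are in shared/lib, conf/jaas.config exists and references LdapExtLoginModule, and the JAVA_OPTS line in bin/catalina.sh comes after the line that defines CATALINA_HOME (otherwise the property expands to /conf/jaas.config and Tomcat falls back to whatever JAAS configuration the JVM would otherwise use). The function name and the diagnostic messages are my own; the file names and the property value are taken from the steps above.

```shell
#!/bin/sh
# Added check for Steps 2-4 of this guide (not project code).
# Usage: sh check_jaas_setup.sh "$CATALINA_HOME"

check_jaas_setup() {
    home="$1"
    sh_file="$home/bin/catalina.sh"
    cfg="$home/conf/jaas.config"
    ok=0

    # Step 2: both JBoss jars must be on Tomcat's shared class path.
    for jar in jboss-common.jar jbosssx.jar; do
        [ -f "$home/shared/lib/$jar" ] || { echo "missing $home/shared/lib/$jar" >&2; ok=1; }
    done

    # Step 3: the JAAS file must exist and declare the JBoss LDAP login module.
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg" >&2; ok=1
    elif ! grep -q 'org.jboss.security.auth.spi.LdapExtLoginModule' "$cfg"; then
        echo "$cfg does not reference LdapExtLoginModule" >&2; ok=1
    fi

    # Step 4: the JAVA_OPTS line must be present and must come after the line
    # that sets CATALINA_HOME. The '==' form makes this file the only JAAS
    # configuration the JVM consults (a single '=' would merely add it).
    home_line=$(grep -n 'CATALINA_HOME=`cd' "$sh_file" 2>/dev/null | head -n1 | cut -d: -f1)
    opts_line=$(grep -n 'java.security.auth.login.config==\$CATALINA_HOME/conf/jaas.config' "$sh_file" 2>/dev/null | head -n1 | cut -d: -f1)
    if [ -z "$opts_line" ]; then
        echo "$sh_file does not set java.security.auth.login.config" >&2; ok=1
    elif [ -z "$home_line" ] || [ "$opts_line" -le "$home_line" ]; then
        echo "JAVA_OPTS line appears before CATALINA_HOME is defined in $sh_file" >&2; ok=1
    fi
    return $ok
}

if [ "$#" -gt 0 ]; then
    check_jaas_setup "$1" || exit 1
    echo "JAAS setup looks consistent under $1"
fi
```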