HOWTO: Bonita and LDAP authentication
by Fred on Mar.04, 2010, under Uncategorized
This how-to is written in the hope that it will help others achieve a basic LDAP login with Bonita User Experience, using EJB3. It is based on the thread at http://www.bonitasoft.org/forum/viewtopic.php?id=2397.
It is working for me, but it may not for you. Please post your questions on the Bonita forums, many eyes will look at your issue and try to help you.
Here is a rough PDF for those who want one. However, if you do use this how-to, always refer to the online version for updates and up-to-date content.
Bonita LDAP howto
The code may not render well in this blog, so I'd advise pasting it into your favorite editor to read it clearly.
My environment at this time is:
- Centos 5.4 latest updates
- Jboss 5.1 GA
- BOS 5.0.1
- Java JDK 1.6.0 update 18
- Active Directory 2003
For reference, here is what my base directory looks like. I will refer to it when editing some files.
Under /opt:
lrwxrwxrwx  1 root root    9 Feb 23 11:39 BOS -> BOS-5.0.1
drwxr-xr-x  5 root root 4096 Feb 15 19:33 BOS-5.0.1
lrwxrwxrwx  1 root root   11 Feb 23 13:58 java-jdk-6 -> jdk1.6.0_18
lrwxrwxrwx  1 root root   14 Feb 23 16:19 jboss -> jboss-5.1.0.GA
drwxr-xr-x  9 root root 4096 Mar 4 09:57 jboss-5.1.0.GA
drwxr-xr-x 10 root root 4096 Feb 23 13:57 jdk1.6.0_18
We will use org.jboss.security.auth.spi.LdapExtLoginModule, since it can bind to the Active Directory server with a service account and then search for the user (Active Directory does not allow anonymous searches by default). If your directory allows anonymous LDAP searches, you may also try the Sun LdapLoginModule.
JBoss configuration and EAR generation
JAVA_OPTS
In the JBoss run.sh file (/opt/jboss/bin/run.sh), configure your JAVA_OPTS:
JAVA_OPTS="-Dorg.ow2.bonita.api-type=EJB3 -server -Xms256m -Xmx512m -XX:PermSize=128m -XX:MaxPermSize=256m"
Besides selecting the EJB3 API type for Bonita, this sets reasonable memory settings for the JBoss JVM and helps avoid PermGen out-of-memory errors.
Extra: for quick monitoring with jconsole while you set things up, also add the following. Be aware that it is deliberately insecure: with authenticate=false and ssl=false, anyone who can reach TCP port 10001 gets full read/write access to every MBean in the server, so do not leave it enabled on an interface other people can reach.
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=10001 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
bonita-environment.xml
… under the /opt/BOS/runtime/conf directory directly. It will be used when building the EAR file.
So, we can already specify the implementation of the AuthenticationService interface, which we will call SimpleLdapAuth.
Edit the file /opt/BOS/runtime/bonita-environment.xml. It should look like the following:
<!-- Description: Implementation of the authentication service. -->
<!-- <authentication-service name='authentication-service' class='org.ow2.bonita.services.impl.DbAuthentication'> -->
<authentication-service name='authentication-service' class='com.domain.bonita.auth.SimpleLdapAuth'>
<arg><string value='bonita-session:core' /></arg>
</authentication-service>
Of course, your package path will vary.
A sample, simple, implementation of the interface follows later on.
Generating bonita.ear
We now need to generate the bonita.ear file that JBoss will deploy.
cd /opt/BOS/runtime
Now, build your ejb3.
ant ear.ejb3
You should get something like this:
[root@bonita-test runtime]# ant ear.ejb3
Buildfile: build.xml
ear.genBonitaConfJar:
ear.ejb3:
ear:
[mkdir] Created dir: /opt/BOS-5.0.1/runtime/ear/tmp
[unjar] Expanding: /opt/BOS-5.0.1/runtime/lib/server/bonita-server-5.0.1.jar into /opt/BOS-5.0.1/runtime/ear/tmp
[copy] Copying 1 file to /opt/BOS-5.0.1/runtime/ear/tmp/META-INF
ear.copyJeeDD:
[copy] Copying 1 file to /opt/BOS-5.0.1/runtime/ear/tmp/META-INF
[jar] Building jar: /opt/BOS-5.0.1/runtime/ear/ejb3/bonita-ejbjar.jar
[delete] Deleting directory /opt/BOS-5.0.1/runtime/ear/tmp
[ear] Building ear: /opt/BOS-5.0.1/runtime/ear/ejb3/bonita.ear
[echo] EJB3 ear has been generated in ear/ejb3 directory.
[echo] You can use it in the easybeans container, jonas 5 and jboss 5 application server.
BUILD SUCCESSFUL
Total time: 4 seconds
Now, copy the bonita.ear file into your jboss deploy directory.
cp /opt/BOS-5.0.1/runtime/ear/ejb3/bonita.ear /opt/jboss/server/default/deploy/
login-config.xml
Add the two stanzas below to the end of your login-config.xml, just before the closing </policy> tag. The filters are written for an AD server: (sAMAccountName={0}) matches the AD logon name, and the login module substitutes the username for {0} as a JNDI filter argument, so it is escaped rather than spliced into the filter string.
<application-policy name="BonitaAuth">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
flag="required">
<module-option name="java.naming.provider.url">ldap://your_ldap_server:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="baseCtxDN">DC=domain,DC=com</module-option>
<module-option name="bindDN">DOMAIN\ldapbrowser</module-option>
<module-option name="bindCredential"><![CDATA[Yourpasswd]]></module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="debug">true</module-option>
<module-option name="rolesCtxDN">DC=domain,DC=com</module-option>
<module-option name="roleFilter">(sAMAccountName={0})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="java.naming.referral">follow</module-option>
</login-module>
</authentication>
</application-policy>
<application-policy name="BonitaStore">
<authentication>
<login-module code="org.ow2.bonita.identity.auth.BonitaRemoteLoginModule" flag="required"/>
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
</authentication>
</application-policy>
Your jaas-standard.cfg will then no longer be used; you can comment everything out. Two things to keep in mind with this policy: ldap://your_ldap_server:389 with simple authentication sends both the ldapbrowser password and every user's password to the directory in clear text, so use ldaps:// (or keep the traffic on a network you trust) in production; and bindCredential sits in clear text in login-config.xml, so restrict that file's permissions and make ldapbrowser a read-only account with no other privileges.
Implementation of the AuthenticationService interface
Java Code
Here you need to write a small piece of Java. The example below will get you started.
package com.domain.bonita.auth;

import org.ow2.bonita.facade.exception.UserNotFoundException;
import org.ow2.bonita.services.AuthenticationService;

/**
 * Minimal AuthenticationService for Bonita 5.0.1 when the actual credential
 * check is delegated to the JAAS LdapExtLoginModule (BonitaAuth policy).
 *
 * @author chapeaurouge
 * @date 04/03/2010
 * @version 0.1
 */
public class SimpleLdapAuth implements AuthenticationService {

    /** Name of the persistence service passed from bonita-environment.xml ("bonita-session:core"); unused here. */
    private final String persistenceServiceName;

    public SimpleLdapAuth(String persistenceServiceName) {
        this.persistenceServiceName = persistenceServiceName;
    }

    /**
     * Decides who gets admin access to the Bonita interface.
     * This starter version hard-codes a single account name; a real
     * implementation would check group membership (say, Domain Admins).
     */
    public boolean isUserAdmin(String username) throws UserNotFoundException {
        return "MyAdmin".equals(username); // null-safe, same outcome as an if/else
    }

    /**
     * Always true. Required by the interface; the intent is that the password
     * was already verified by the LDAP bind in the JAAS login module before
     * Bonita reaches this service. It is NOT a credential check on its own:
     * any caller that reaches this method without going through JAAS is accepted.
     */
    public boolean checkUserCredentials(String username, String password) {
        return true;
    }
}
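To check the BonitaAuth options against the directory before touching JBoss, and to see which group membership a real isUserAdmin could be based on, here is an added standalone Java class. It is not part of this how-to's original code, nor of Bonita or JBoss. It repeats the steps LdapExtLoginModule performs with the options above: bind as bindDN, search baseCtxDN with baseFilter for the user, bind again as the user's own DN with the supplied password, then read memberOf and keep the cn of each group DN, which is what roleAttributeIsDN=true and roleNameAttributeID=cn do. The connection constants are the placeholders from the login-config.xml above and must be edited, the Domain Admins group name is an assumption taken from the isUserAdmin comment, and the class needs a reachable directory, since there is nothing to bind to otherwise.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Reproduces, outside JBoss, what LdapExtLoginModule does with the BonitaAuth
 * options: service-account bind, user search, bind as the user, role lookup.
 */
public class LdapAuthCheck {

    // Placeholders copied from the login-config.xml above; edit before running.
    static final String PROVIDER_URL = "ldap://your_ldap_server:389";
    static final String BIND_DN = "DOMAIN\\ldapbrowser";
    static final String BASE_CTX_DN = "DC=domain,DC=com";
    static final String BASE_FILTER = "(sAMAccountName={0})";
    static final String ROLE_ATTRIBUTE = "memberOf";      // roleAttributeID
    static final String ROLE_NAME_ATTRIBUTE = "cn";       // roleNameAttributeID
    // Assumption: the group that isUserAdmin should honour (from the comment above).
    static final String ADMIN_GROUP = "Domain Admins";

    /** Simple bind as the given principal, with referrals followed as in the policy. */
    static DirContext bind(String principal, String credential) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        env.put(Context.REFERRAL, "follow");              // java.naming.referral=follow
        return new InitialDirContext(env);
    }

    /**
     * Looks the user up with baseFilter. The username is passed as a filter
     * argument so JNDI escapes it; it is never concatenated into the filter.
     */
    static SearchResult findUser(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);  // searchScope=SUBTREE_SCOPE
        sc.setReturningAttributes(new String[] { ROLE_ATTRIBUTE });
        NamingEnumeration<SearchResult> results =
            ctx.search(BASE_CTX_DN, BASE_FILTER, new Object[] { username }, sc);
        if (!results.hasMore()) {
            return null;
        }
        SearchResult user = results.next();
        if (results.hasMore()) {
            throw new NamingException("baseFilter matched more than one entry for " + username);
        }
        return user;
    }

    /**
     * Mirrors roleAttributeIsDN=true + roleNameAttributeID=cn: each memberOf
     * value is a group DN, and the role name is the cn of its leftmost RDN.
     * Reading memberOf from the user entry is equivalent to the module's second
     * search here, because rolesCtxDN/roleFilter point at the same user entry.
     */
    static List<String> roleNames(Attributes attrs) throws NamingException {
        List<String> roles = new ArrayList<String>();
        Attribute memberOf = attrs.get(ROLE_ATTRIBUTE);
        if (memberOf == null) {
            return roles;
        }
        NamingEnumeration<?> values = memberOf.getAll();
        while (values.hasMore()) {
            LdapName dn = new LdapName(values.next().toString());
            Rdn leaf = dn.getRdn(dn.size() - 1);          // RDNs are stored rightmost-first
            if (ROLE_NAME_ATTRIBUTE.equalsIgnoreCase(leaf.getType())) {
                roles.add(leaf.getValue().toString());
            }
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 3) {
            System.err.println("usage: java LdapAuthCheck <bindCredential> <username> <userPassword>");
            System.exit(2);
        }
        if (args[2].length() == 0) {
            // allowEmptyPasswords=false: an empty simple bind is an unauthenticated
            // bind that AD accepts, so it must be refused before reaching the server.
            System.err.println("empty password rejected");
            System.exit(1);
        }
        DirContext serviceCtx = bind(BIND_DN, args[0]);
        SearchResult user = findUser(serviceCtx, args[1]);
        serviceCtx.close();
        if (user == null) {
            System.err.println("no entry matches " + BASE_FILTER + " for " + args[1]);
            System.exit(1);
        }
        String userDn = user.getNameInNamespace();
        bind(userDn, args[2]).close();                    // the user's own bind is the password check
        List<String> roles = roleNames(user.getAttributes());
        System.out.println("authenticated " + userDn);
        System.out.println("roles (cn of memberOf): " + roles);
        System.out.println("member of " + ADMIN_GROUP + ": " + roles.contains(ADMIN_GROUP));
    }
}
```

Compile it with javac LdapAuthCheck.java (only the JDK is needed) and run java LdapAuthCheck <bindCredential> <username> <password>. If the first bind fails, bindDN or bindCredential is wrong; if no entry is found, baseCtxDN or baseFilter is; if the second bind fails, the user's password is. The printed role list is what the module would hand to JBoss as roles, and the last line is what a group-based isUserAdmin would return.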
Compiling
Compile the Java code into a .class file, with the Bonita jars on the classpath. Pass the wildcard quoted so that javac expands it itself (an unquoted bonita* is expanded by the shell into several arguments, only the first of which ends up in -cp), and use -d . so the class lands in the com/domain/bonita/auth/ directory that matches its package:
javac -d . -cp "$HOME/BOS-5.0.1/runtime/lib/server/*" SimpleLdapAuth.java
You should then have com/domain/bonita/auth/SimpleLdapAuth.class. If you compiled locally, upload it to your server.
Deploying
A manual way would be to do the following.
Go to /opt/jboss/server/default/lib and create the directory hierarchy for your package name. With our example, you would type
mkdir -p com/domain/bonita/auth
Then copy your .class file into it. Now, still in the JBoss lib directory, create a .jar file:
jar -cvf domainLdapAuth.jar com/domain/bonita/auth/SimpleLdapAuth.class
Your jar will now be deployed on the next server startup.
Getting more verbose output
Edit /opt/jboss/server/default/conf/jboss-log4j.xml, and uncomment the following block:
<category name="org.jboss.security">
<priority value="TRACE"/>
<appender-ref ref="CONSOLE.SECURITY"/>
</category>
Conclusion
This should be it. I may have forgotten some things, or overlooked some steps. Hopefully, this was of some help for some of you.
You can now (re)start your JBoss server for the changes to take effect. Don't forget to tail -f server.log to see what it looks like.
Your feedback and comments are welcome.
Thanks to rlg and abirembaut for their help in the forums.
March 4th, 2010 on 7:22 pm
This HowTo is really well done. The security configuration is one of the most critical things you need to do when you want to put Bonita Open Solution in production.
Great job Fred, you won the mug
–
Rodrigue aka rlg
March 4th, 2010 on 10:24 pm
Thanks Rodrigue
March 4th, 2010 on 10:34 pm
Also available on planetsuse.org, which aggregates my feed. You can probably get a cached copy from Google I guess, when the feed disappears from the live page.
March 5th, 2010 on 10:10 am
I like the layout of your blog and I’m going to do the same thing for mine. Do you have any tips? Please PM ME on yahoo @ AmandaLovesYou702
March 5th, 2010 on 9:15 pm
Thanks so much for this. This is invaluable.
March 7th, 2010 on 2:25 pm
my God, i thought you were going to chip in with some decisive insight at the end there, not leave it with
March 13th, 2010 on 7:01 am
This is a great blog you got here but i can’t seem to find the RSS button.
April 16th, 2010 on 9:39 pm
Hi Fred. I finally got auth working using Tomcat and Sun’s LdapLoginModule! Your blog helped me a lot. I’ve got a question for you. Did you follow on with this development and somehow implement an IdentityService to manage Bonita users/groups with LDAP?
I’ve got my auth working, but now I’m stuck yet again. Not sure how to assign them to Bonita groups and/or restrict the process access.
Thanks!
June 29th, 2010 on 6:14 pm
Hi Fred,
I’ve just succeeded in installing my AD2003 and testing the new ADGroupConnector on it to define groups in Bonita. I will follow your setup guide to test authentication. If I succeed, I will write a complete guide for Bonita Open Solution and Active Directory.
Thx again for your contribution.