This is version 24. It is not the current version, and thus it cannot be edited.
LDAP can be used for authentication, authorization and user management in WLM. Authentication and authorization for the worklist client application through LDAP is based on the LDAP realm supported in GlassFish and the Java EE security model. In addition, WLM integrates LDAP to provide the following features:
  • Assignment and escalation of a task to a user or group managed in LDAP
  • LDAP XPath functions that assign or escalate a task to a user's manager, and send emails to a specific user or his/her manager using the email address stored in LDAP.

LDAP server configuration


OpenLDAP is used to demonstrate the configuration. Please also refer to the LDAP realm configuration in GlassFish for examples of setting up the LDAP server used by GlassFish.

In slapd.conf, core.schema, cosine.schema and inetorgperson.schema must be included:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/opt/csw/etc/openldap/schema/core.schema
include		/opt/csw/etc/openldap/schema/cosine.schema
include		/opt/csw/etc/openldap/schema/inetorgperson.schema

One sample organization looks like this:

Figure 1: CustomerServiceRep group

Figure 2: Manager group

Two groups are created under ou=CustomerService,dc=example,dc=com: CustomerServiceRep and Manager. The CustomerServiceRep group contains the members dave, john and mary; the Manager group contains dave. Also, dave is the manager of john and mary.

Figure 3a

Figure 3b

Figure 3c

Note: on a person entry, the manager attribute points to the manager of the person; on a group entry, each uniqueMember attribute holds one member of the group.
Note: on a person entry, the mail attribute is used by WLM to send emails; you will need to change the fictitious email address to a configured email address to try this sample.

You can download the LDAP database used in this sample in LDIF format here and use slapadd to import it into your LDAP database.

LDAP Realm configuration on Glassfish


The LDAP realm configuration in GlassFish describes the configuration in detail; in our example the settings are as follows:

Figure 4: Ldap Realm Settings
  • search-bind-dn
    Description: used together with search-bind-password; the DN with permission to perform the search
    Value: the DN with permission to perform the search
  • search-bind-password
    Description: used together with search-bind-dn; the password needed for the search
    Value: the password needed for the search
  • search-filter
    Description: "%s" is substituted with the userId the user types into the login page, and the entire value is used as the query to obtain the user's LDAP DN
    Value: uid_attribute=%s
  • group-base-dn
    Description: the base DN for the group search; the groups returned share this base DN
    Value: the base DN of the groups, e.g. to search all groups within the "Sales" department
  • group-search-filter
    Description: "%d" is substituted with the user's DN; the query finds the groups that contain that user DN
    Value: group_member_attribute=%d
  • group-target
    Description: the attribute on the group entry whose value is used as the group name
    Value: the attribute that identifies the group name on the group entry

Configure worklist client application to use LDAP Realm

The worklist client application (by default, WorklistWebApplication) uses the Java EE security model to point to the LDAP realm. In the web.xml of the WorklistWebApplication, point the realm to the LDAP realm and define the roles allowed to access the application, then map those roles to group names in sun-web.xml.

Figure 5a: web.xml

Note: the roles in web.xml are abstract roles and are not matched against groups in LDAP; the groups mapped from those roles in sun-web.xml are what is matched against the groups returned from LDAP.

Figure 5b: sun-web.xml

LDAP configuration on WLMSE


WLMSE has a list of LDAP-related configuration parameters, available as installation and runtime configuration parameters:

Figure 6: WLMSE installation and runtime LDAP configuration

  • LDAP used
    Description: check it to use the LDAP configured on WLMSE
    Value: true or false
    Default: false
  • LDAP host
    Description: the LDAP server host address
    Value: IP address
    Default: localhost
  • LDAP port
    Description: the LDAP server port
    Value: port
    Default: 389
  • Is SSL enabled for LDAP
    Description: whether SSL is enabled
    Value: if true, the LDAPS port is used; otherwise the LDAP port is used
    Default: false
  • LDAPS port
    Description: the LDAPS port
    Value: if SSL is enabled, this port is used instead of the LDAP port
    Default: 636
  • Login Type
    Description: the login type for the LDAP search
    Value: none (no login needed) or simple (login uses the Login DN and password)
    Default: none
  • LDAP Search Login DN
    Description: the login DN for the LDAP search
    Value: used only when Login Type is simple
  • LDAP Search Login password
    Description: the password for the LDAP search
    Value: used together with the Login DN for the simple login type
  • uid attribute name
    Description: the unique id attribute on each person entry; it corresponds to the search filter defined in the LDAP realm
    Value: used to get the name of the person from the DN
    Default: uid
  • manager attribute name
    Description: the manager attribute name on each person entry
    Value: used to retrieve the manager's DN from the person entry
    Default: manager
  • email attribute name
    Description: the attribute containing the email address of the entry
    Value: used to retrieve the email address of the user or group
    Default: mail
  • Base DN in search
    Description: the base DN under which the search is executed
    Value: a query runs more efficiently within a smaller, targeted DN, for example under a specific department
    Default: dc=example,dc=com (must be changed)
  • Scope Type
    Description: the search scope type
    Value: base (just this object), one (one level down) or sub (subtree)
    Default: sub
  • User Filter
    Description: the parametrized filter used to obtain a person entry from LDAP given the uid (name); %s is expanded to the uid
    Value: used to find the person entry by uid
    Default: (uid=%s)
  • Group Filter
    Description: the parametrized filter used to obtain a group entry from LDAP given the group's name; %s is expanded to the name
    Value: used to find the group entry by name
    Default: (cn=%s)

Note: any changed property requires a shutdown and restart of the WLMSE engine.

LDAP XPath functions


The following LDAP XPath functions are supported (namespace: "http://jbi.com.sun/wfse/xpath-functions"):

  • wlmfn:get-email() as xs:string -- get email for the current task owner (who claimed the task)
  • wlmfn:get-email($arg as xs:string) as xs:string -- get email for user: $arg
  • wlmfn:get-manager-email() as xs:string -- get manager's email for the current task owner (who claimed the task)
  • wlmfn:get-manager-email($arg as xs:string) as xs:string -- get manager's email for user: $arg
  • wlmfn:get-manager-uid() as xs:string -- get manager uid for the current task owner (who claimed the task)
  • wlmfn:get-manager-uid($arg as xs:string) as xs:string -- get manager uid for user: $arg

Sample snippets using the LDAP XPath functions:

        <escalation>
            <duration expressionLanguage="xpath">'P0Y0M0DT0H3M0S'</duration>
            <assignment>
                <user>wlmfn:get-manager-uid($TaskInput/po:users)</user>
            </assignment>
        </escalation>
wlmfn:get-manager-uid takes the user from the task input message and returns that user's manager uid. For example, in our configuration sample, if $TaskInput/po:users returns 'john', wlmfn:get-manager-uid($TaskInput/po:users) returns 'dave'.
        <notification name="notifyManager"
                partnerLink="notifyManagerPartner"
                partnerLinkType="nh:NotificationHandlerPLT"
                role="NotificationHandlerPortTypeRole"
                operation="nh:NotificationHandlerOperation">
        <recipient part="to">
            <address>wlmfn:get-manager-email()</address>
        </recipient>

wlmfn:get-manager-email() returns the email address of the current task owner's manager; for example, if john checks out the task, dave's email address is returned by this call.

The full wf file can be found here
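As an added example (not WLM's or GlassFish's own code), the following Python resolves the wlmfn functions above against an in-memory copy of the sample organization from the LDAP server configuration section, using the WLMSE settings (uid, manager and mail attributes, User Filter) and the realm's group-search-filter/group-target from the tables. The directory contents and addresses are constructed, the RFC 4515 escaping of the substituted uid is this example's own defensive addition, and the realm-style group lookup goes beyond the two snippets shown.

```python
import re
BASE = "ou=CustomerService,dc=example,dc=com"
DAVE, JOHN, MARY = (f"uid={u},{BASE}" for u in ("dave", "john", "mary"))
# Constructed in-memory copy of the page's sample organization (DN -> attributes); addresses are fictitious.
DIRECTORY = {
    DAVE: {"uid": ["dave"], "mail": ["dave@example.com"]},
    JOHN: {"uid": ["john"], "mail": ["john@example.com"], "manager": [DAVE]},
    MARY: {"uid": ["mary"], "mail": ["mary@example.com"], "manager": [DAVE]},
    f"cn=CustomerServiceRep,{BASE}": {"cn": ["CustomerServiceRep"], "uniqueMember": [DAVE, JOHN, MARY]},
    f"cn=Manager,{BASE}": {"cn": ["Manager"], "uniqueMember": [DAVE]},
}
CFG = {  # WLMSE and realm settings from the page's tables (sub-tree scope assumed)
    "base_dn": "dc=example,dc=com", "uid_attr": "uid", "manager_attr": "manager", "email_attr": "mail",
    "user_filter": "(uid=%s)", "group_filter": "(uniqueMember=%d)", "group_target": "cn"}
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed uid such as 'john)(uid=*' cannot reshape the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def search(filter_str: str, base_dn: str) -> list:
    """Stand-in for a sub-tree LDAP search that supports one equality filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, raw = m.groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.endswith(base_dn) and value in e.get(attr, [])]

def find_user(uid: str):
    """User Filter with %s expanded to the (escaped) uid; exactly one entry must match."""
    hits = search(CFG["user_filter"].replace("%s", escape_filter_value(uid)), CFG["base_dn"])
    if len(hits) != 1:
        raise LookupError(f"expected one entry for uid {uid!r}, found {len(hits)}")
    return hits[0]

def get_email(uid: str) -> str:
    return find_user(uid)[1][CFG["email_attr"]][0]
def get_manager_uid(uid: str) -> str:
    manager_dn = find_user(uid)[1][CFG["manager_attr"]][0]  # the manager attribute holds a DN
    return DIRECTORY[manager_dn][CFG["uid_attr"]][0]         # its uid attribute names the manager
def get_manager_email(uid: str) -> str:
    return get_email(get_manager_uid(uid))

def groups_of(uid: str) -> list:
    """Realm-style lookup: %d becomes the user's DN and group-target (cn) gives the role-mapped name."""
    member_filter = CFG["group_filter"].replace("%d", escape_filter_value(find_user(uid)[0]))
    return sorted(e[CFG["group_target"]][0] for _, e in search(member_filter, BASE))
```

A user without a manager attribute (dave in the sample) raises KeyError from get_manager_uid, which is the case an escalation expression must expect.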

This particular version was published on 19-Feb-09 10:44 AM, -0800 by MeiWu