Not logged in | Login
In slapd.conf, core.schema, cosine.schema, inetorgperson.schema are needed.
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /opt/csw/etc/openldap/schema/core.schema include /opt/csw/etc/openldap/schema/cosine.schema include /opt/csw/etc/openldap/schema/inetorgperson.schema
One sample organization looks like this:
2 groups are created: CustomerServiceRep and Manager under ou=CustomerService,dc=example,dc=com. CustomerServiceRep group contains member: dave, john, mary. Manager group contains: dave. Also, dave is the manager of john and mary.
Note:On person entry, manager attribute is used to point to the manger of the person, on group entry, each uniqueMember attribute contains a members of the group.
Note:On person entry, the mail attribute is used in WLM to send emails, you will need to change the fictitious email address to a configured email to try this sample.
Ldap realm configuration in glassfish describes the configuration in details, in our example the settings are below:
|search-bind-dn||Used together with search-bind-password, the dn with permission to do search||The dn with permission to do search|
|search-bind-password||Used together with search-bind-dn, the password needed for search||The password needed for search|
|search-filter||"%s" will be substituted with actual userId that user types into a login page, the entire value will be used as query to get the LDAP DN for the user in||uid_attribute=%s|
|group-base-dn||The base DN to do group search, groups returned will have the same base DN||The base DN of group, e.g. Search all groups within "Sales" department|
|group-search-filter||"%d" will be substituted with actual user DN, the query to search groups which contain the specific user DN||group_member_attribute=%d|
|group-target||The attribute on the group, of which the value will be used as group name||The attribute identifies the group name on group|
In the worklist client application, it uses Java EE security model to point to LDAP Realm, in the default WorklistWebApplication. In the web.xml of the WorklistWebApplication, point the realm to LDAP Realm and define roles allowed to access the application, then map the roles to group name in sun-web.xml
Note:The roles on web.xml are abstract roles and are not used to match with groups in ldap, the groups mapped from roles in sun-web.xml are used to match with groups from LDAP
WLMSE has a list LDAP related configuration parameters as install and runtime configuration parameters:
|LDAP used||Check it to use LDAP configured on wlmse||true or false||false|
|LDAP host||The ldap server host address||ip address||localhost|
|LDAP port||The ldap server port||port||389|
|Is SSL enabled for LDAP||If SSL is enabled||if true LDAPS port is used, otherwise LDAP port is used||false|
|LDAPS port||The ldaps port||If SSL is enabled, this port will be used instead of LDAP port||636|
|Login Type||The login type for Ldap search||if none, no login needed; if simple, login uses LoginDN and Password for login||none|
|LDAP Search Login DN||The login DN for ldap search||used only when Login Type is simple|
|LDAP Search Login password||The password for ldap search||used along with Login DN for simple type of login|
|uid attribute name||The unique id attribute on each person entry, it is related to the search filter defined in LDAP realm||used to get the name of the person from DN||uid|
|manager attribute name||The manager attribute name on each person entry||used to retrieve the manager's DN from the person entry||manager|
|email attribute name||The attribute containing email address of the entry||used to retrieve the email address of the user or group|
|Base DN in search||The base DN under which the search is executed||Query runs more efficiently within a smaller targeted DN, for example, under a specific department||dc=example,dc=com, must change|
|Scope Type||The search scope type||base (just this object), one (one level down), sub (subtree)||sub|
|User Filter||The parametrized filter to obtain a person entry on ldap given the uid (name), %s is expanded to the uid||It is used to find the person entry by uid||(uid=%s)|
|Group Filter||The parametrized filter to obtain a group entry on ldap given the name of the group, %s is expanded to the name||It is used to find the group entry by the name||cn=%s)|
Note:Any properties changed will need a shutdown and restart of wlmse engine.
The following LDAP XPath functions are supported: namespace: "http://jbi.com.sun/wfse/xpath-functions"
The sample snippets using the LDAP XPath:
<escalation> <duration expressionLanguage="xpath">'P0Y0M0DT0H3M0S'</duration> <assignment> <user>wlmfn:get-manager-uid($TaskInput/po:users)</user> </assignment> </escalation>The wlmfn:get-manager-uid gets the users from the task input msg, and gets the manager uid. e.g. in our configuration sample, if $TaskInput/po:users returns 'john', wlmfn:get-manager-uid($TaskInput/po:users) returns 'dave'
<notification name="notifyManager" partnerLink="notifyManagerPartner" partnerLinkType="nh:NotificationHandlerPLT" role="NotificationHandlerPortTypeRole" operation="nh:NotificationHandlerOperation"> <recipient part="to"> <address>wlmfn:get-manager-email()</address> </recipient>The wlmfn:get-manager-email() gets the current task owner's manager's email, e.g. if john checks out the task, dave's email address will be returned in this call
The full wf file can be found here