Changes between Version 6 and Version 7 of ServiceProviderFederation/CLARIN IdP

Timestamp:

03/14/16 19:18:08 (8 years ago)

Author:

Jozef Mišutka

Comment:

--

ServiceProviderFederation/CLARIN IdP

@@ -79 +79 @@
 cn=developer,ou=groups,dc=clarin,dc=eu
 }}}
+
+
+# Implementation #
+
+## Unity IDM LDAP endpoint ##
+
+* web: http://www.unity-idm.eu/
+* VCS (ldapEndpoint branch): https://www.assembla.com/spaces/unity-public/git/source/ldapEndpoint?type=branch
+* documenation: http://www.unity-idm.eu/documentation/unity-1.8.0/manual.html
+
+### What do we want? ###
+
+We want an LDAP endpoint implemented in UNITY so LDAP clients can query UNITY and get user information.
+We will *not* implement a 1:1 mapping between LDAP query language and UNITY backend but implement the minimal requirements in
+order to support LDAP plugin for Drupal and apache integration.
+
+### What do we want in more detail? ###
+
+We want an LDAP server listening on a port (note that LDAP is not based on http). Because Unity is based on Jetty and servlet containers are in general
+unfriendly to non http protocols, an embedded LDAP server is used that listens on a different port than Unity. Moreover, there are only a few 
++- working LDAP servers so the choice was easy - Apache DS (https://directory.apache.org/studio/). Furthermore, fiddling directly with LDAP implementation 
+is to be avoided if possible in favour of sustainability. Therefore, custom interceptors (https://directory.apache.org/apacheds/advanced-ug/1.4-interceptors.html) were used to intercept LDAP API and hook it to Unity.
+
+### How to do it? ###
+
+Unity defines a set of endpoints where we add our LDAPSserver
+
+{{{
+unityServer.core.endpoints.11.endpointType=LDAPServer
+unityServer.core.endpoints.11.endpointConfigurationFile=conf/endpoints/ldap.properties
+unityServer.core.endpoints.11.contextPath=/ldap
+unityServer.core.endpoints.11.endpointName=Ldap info endpoint
+unityServer.core.endpoints.11.endpointRealm=defaultRealm
+unityServer.core.endpoints.11.endpointAuthenticators=pwdRaw
+}}}
+
+The server uses a new authenticator `pwdRaw` defined as
+
+
+{{{
+unityServer.core.authenticators.6.authenticatorName=pwdRaw
+unityServer.core.authenticators.6.authenticatorType=password with raw-password
+unityServer.core.authenticators.6.localCredential=Password credential
+unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
+}}}
+
+The authenticator uses `password with raw-password`. Note that this names two classes responsible for the authenticator. Default `password` and our `raw-password`.
+
+The binding is done dynamically through spring in `components.xml` as follows:
+
+
+{{{
+        <!-- LDAP server -->
+        <bean class="pl.edu.icm.unity.ldap.endpoint.LdapEndpointFactory"/>
+        <bean class="pl.edu.icm.unity.ldap.endpoint.RawPasswordRetrievalFactory"/>
+}}}
+
+RawPassowrdRetrievalFactory is the `raw-password` in our configuration
+
+
+{{{
+@Component
+public class RawPasswordRetrievalFactory implements CredentialRetrievalFactory
+{
+        public static final String NAME = "raw-password";
+
+}}}
+
+
+When Unity is started, the important part is done in
+
+
+{{{
+public class LdapEndpointFactory implements EndpointFactory
+}}}
+
+that defines (well, kind of again) the endpoint and later newInstance of this endpoint is called. This instantiates `LdapEndpoint`
+of which the `getServletContextHandler` method is called in which we start the embedded LDAP server and 
+
+
+{{{
+        //
+        RawPasswordRetrieval rpr = (RawPasswordRetrieval)(authenticators.get(0).getPrimaryAuthenticator());
+        //
+        startLdapEmbeddedServer(rpr);
+}}}
+
+The start of the LDAP server and the functionality is configured from `ldap.properties` file that looks like:
+
+
+{{{
+# leave empty for default server address
+unity.ldapServer.host=192.168.2.4
+# default ldap port is 389
+unity.ldapServer.ldap_port=389
+unity.ldapServer.ldaps_port=636
+# hardcoded - unity.endpoint.ldapServer.bind.DN="uid=admin,ou=system"
+unity.ldapServer.bind_password=XXX
+
+unity.ldapServer.group_query=ougroups
+unity.ldapServer.user_query=cn
+unity.ldapServer.group_member=member
+unity.ldapServer.group_member_user_regexp=cn
+# return these attributes if the operation requests all user attributes
+# e.g., values of SchemaConstants.CN_AT
+unity.ldapServer.returned_user_attributes=cn,entryDN,jpegPhoto
+}}}
+
+
+The real logic is in `LdapApacheDSInterceptor` that implements interceptors for Apache DS LDAP API. Apache DS is threaded so these methods run in the context of Unity.
+
+### Few notes on integration ###
+
+* Apache - 
+
+
+{{{
+        // Require ldap-user - cn should be enough
+        // Require ldap-group - groups
+        // Require ldap-dn - cn should be enough
+        // Require ldap-attribute - not supporting
+        // Require ldap-filter - not supporting
+}}}
+
+* Drupal LDAP modules
+
+  * one module defined and the other did not the attributes that should be returned
+
+
+### Notes in general ###
+
+* windows - IntelliJ Idea had to be configured like this (mvn package, added dependencies to other modules, disabled annotations, apacheds-service library (if used) had to be the last dependency)
+* apacheds-service library is a mess full of old libraries that conflict in runtime with unity (see above)
+* in order to use a new property, you have to define it in `LdapServerProperties`
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+