
How to configure Liferay with Penrose LDAP and CAS
Published Monday, 17th of January 2011
Overview
Steps to configure Liferay to import its users from a directory served by Penrose Virtual Directory Server (which in turn reads them from a relational database) and to do SSO (single sign-on) with CAS.

Alias table
The placeholders used throughout the post and the example values they stand for. The passwords in the Example column are samples only, not suggested values.

Variable                   Example                    Description
${LDAP_SERVER}             ldap_srv                   Host where the LDAP (Penrose) server is running
${LDAP_SERVER_PORT}        10390                      Port where the LDAP server is listening
${LDAP_PASSWORD}           secret                     Password used to bind to the LDAP server
${LFRY_HOME}               /liferay-portal-6.0.5      Liferay installation directory
${LFRY_HOST}               lfry_srv                   Host where the Liferay instance is running
${LFRY_PORT}               6060                       Port where the Liferay instance is listening (HTTP)
${LFRY_PORT_SSL}           6443                       Port where the Liferay instance is listening (HTTPS)
${MYSQL_HOST_IP}           127.0.0.1                  Host of the MySQL server used by CAS
${MYSQL_HOST_PORT}         3306                       Port of the MySQL server used by CAS
${DDBB_HOST}               ddbb_srv                   Host where the user database server is running
${DDBB_PORT}               3306                       Port where the user database server is listening
${DDBB}                    users                      Database from which the list of users is retrieved
${DDBB_IFXSRV}             usersifx                   Informix server name (informixserver in the JDBC URL, Informix only)
${DDBB_USERNAME}           root                       Username for the user database
${DDBB_PASSWORD}           1234ddbb                   Password for the user database
${CAS_DIR}                 cas-server-webapp-3.3.5    Folder (web application context) where CAS was deployed
${CAS_DDBB}                lportal_cas                Database used by CAS (service registry)
${CAS_DDBB_USER}           rootcas                    User for the CAS database
${CAS_DDBB_PWD}            1234cas                    Password for the CAS database
${CERT_PWD}                secret                     Password for the keystore and the key
${PATH_TO_KEYSTORE_FILE}   /home/root                 Directory where the keystore was generated
Steps to follow

Liferay Installation
  1. Please check the post How to install Liferay: having Liferay properly installed is a precondition.

LDAP Installation
  1. Download and install Penrose Virtual Directory Server on ${LDAP_SERVER} from the following URL:
    http://builds.safehaus.org/penrose/latest/vd-server-2.0.zip

  2. Run /opt/vd-server-2.0/bin/vd-config.sh once the server is installed.

  3. Copy the JDBC driver JAR for your database into /opt/vd-server-2.0/lib/ext.

  4. Start the server on port ${LDAP_SERVER_PORT}.

  5. Create a tree with the following parameters:
    Base DN dc=ochounos,dc=local
    Principal uid=admin,ou=system
    Credentials ${LDAP_PASSWORD}
    User object inetOrgPerson, organizationalPerson, person, top

  6. Create a connection with the following parameters (if you are using MySQL):
    Driver com.mysql.jdbc.Driver
    Url jdbc:mysql://${DDBB_HOST}:${DDBB_PORT}/${DDBB}?useUnicode=true&characterEncoding=UTF-8
    User ${DDBB_USERNAME}
    Password ${DDBB_PASSWORD}

  7. Create a connection with the following parameters (if you are using Informix):
    Driver com.informix.jdbc.IfxDriver
    Url jdbc:informix-sqli://${DDBB_HOST}:${DDBB_PORT}/${DDBB}:informixserver=${DDBB_IFXSRV};DB_LOCALE=en_us.utf8
    User ${DDBB_USERNAME}
    Password ${DDBB_PASSWORD}

    Either way the database password is stored in clear text in the Penrose configuration, so restrict the permissions of the Penrose configuration directory to the account that runs the server.

  8. Configure a source on the connection just created, pointing at the table that holds your users and listing the columns needed to fill in the user attributes.

  9. Create a dynamic entry on that source exposing the following attributes:
    • uid
    • userPassword
    • mail
    • cn
    • gn
    • sn
    • seeAlso
    • groupMembership
CAS installation
  1. Download CAS from http://www.jasig.org/cas/download

  2. Deploy the WAR file in Liferay's Tomcat; it becomes the ${CAS_DIR} web application.

Liferay + LDAP configuration
  1. Log in as administrator (using the test account) and go to Control Panel - Settings - Authentication.

  2. In the General tab set "How do users authenticate?" to "By Screen Name".

  3. In the LDAP tab check "Enabled" and "Import Enabled" and leave the rest unchecked. Note that with "Required" unchecked a user who cannot be authenticated against LDAP can still be authenticated against the portal's own database; that is what keeps the test administrator account working, but it also means LDAP is not the only source of truth for passwords.

  4. Add a new LDAP server with the "Add" button on this page and fill in the parameters with the following values:
    Server name ${LDAP_SERVER}-ldap-server
    - Connection
    Base Provider URL ldap://${LDAP_SERVER}:${LDAP_SERVER_PORT}
    Base DN dc=ochounos,dc=local
    Principal uid=admin,ou=system
    Credentials ${LDAP_PASSWORD}
    - Users
    Authentication search filter (uid=@screen_name@)
    Import search filter (&(objectClass=inetOrgPerson)(objectClass=organizationalPerson)(objectClass=person)(objectClass=top))
    - User mapping
    Screen name uid
    Password userPassword
    Email address mail
    Full name cn
    First name gn
    Middle name (leave empty)
    Last name sn
    JobTitle seeAlso
    Group groupMembership
    - Groups
    Import search filter (&(objectClass=groupOfUniqueNames)(objectClass=top))
    - Group mapping
    Group name cn
    Description description
    User uniqueMember
    - Export
    Users DN ou=Imported Users and Groups of Liferay,dc=ochounos,dc=local
    User default Object Classes top,person,inetOrgPerson,organizationalPerson
    Groups DN ou=Imported Users and Groups of Liferay,dc=ochounos,dc=local
    Group Default Object Classes (leave empty)

    The import filters are written as a single AND of the object classes; the nested form (&(a)(&(b)(&(c)))) is the same filter, AND being associative. The Base Provider URL is plain ldap://, so the admin credential and the imported attributes, userPassword included, cross the network unencrypted; keep the LDAP port on a trusted network segment or the Liferay host itself.

    Adjust all the mappings to match the attribute names in your LDAP server. To keep this post short I didn't create any group; groups are not required, but if you need them, create dynamic entries for groups in the LDAP tree as well.
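Both filters above are templates into which a user-controlled value is substituted: Liferay's (uid=@screen_name@) and, later in this post, the CAS bind handler's uid=%u. The following is an added example, not code from the original post, from Liferay, CAS or Penrose, and it makes no claim about how those products handle the substitution internally. It shows the RFC 4515 escaping a screen name needs before it goes into such a template, and, with a small filter parser, that the nested import filter (&(a)(&(b)(&(c)))) is the same filter as the flat (&(a)(b)(c)) used above. The screen names and the extra filter strings in it are constructed test inputs.

```python
"""RFC 4515 escaping and normalisation for LDAP search filters (added example)."""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched literally."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def auth_filter(screen_name: str, template: str = '(uid=@screen_name@)',
                placeholder: str = '@screen_name@') -> str:
    """Substitute the escaped screen name into a filter template.

    '@screen_name@' is the placeholder Liferay uses in the post's authentication
    search filter; pass template='uid=%u', placeholder='%u' for the CAS bind
    handler's filter. Both are assumptions about the templates, not about the
    products' own substitution code."""
    return template.replace(placeholder, escape_filter_value(screen_name))


def parse_filter(text: str):
    """Parse a filter into a small AST:
    ('and'|'or', [children]), ('not', child) or ('item', 'attr=value').
    Raises ValueError on malformed input, including trailing data."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != '(':
            raise ValueError(f'expected "(" at offset {pos}')
        pos += 1
        op = text[pos]
        if op in '&|':
            pos += 1
            children = []
            while text[pos] == '(':
                children.append(node())
            result = ('and' if op == '&' else 'or', children)
        elif op == '!':
            pos += 1
            result = ('not', node())
        else:
            # A raw ')' cannot occur inside a properly escaped value, so it ends the item.
            end = text.index(')', pos)
            result = ('item', text[pos:end])
            pos = end
        if text[pos] != ')':
            raise ValueError(f'expected ")" at offset {pos}')
        pos += 1
        return result

    try:
        tree = node()
    except (IndexError, ValueError) as exc:
        raise ValueError(f'malformed filter {text!r}: {exc}') from None
    if pos != len(text):
        raise ValueError(f'trailing data after filter: {text[pos:]!r}')
    return tree


def normalize(tree):
    """Flatten nested ANDs into ANDs and nested ORs into ORs: (&(a)(&(b)(c))) -> (&(a)(b)(c))."""
    kind = tree[0]
    if kind in ('and', 'or'):
        flat = []
        for child in (normalize(c) for c in tree[1]):
            if child[0] == kind:
                flat.extend(child[1])
            else:
                flat.append(child)
        return (kind, flat)
    if kind == 'not':
        return ('not', normalize(tree[1]))
    return tree


def to_string(tree) -> str:
    kind = tree[0]
    if kind == 'and':
        return '(&' + ''.join(map(to_string, tree[1])) + ')'
    if kind == 'or':
        return '(|' + ''.join(map(to_string, tree[1])) + ')'
    if kind == 'not':
        return '(!' + to_string(tree[1]) + ')'
    return '(' + tree[1] + ')'


def simplify(text: str) -> str:
    """Parse, flatten and re-serialise a filter."""
    return to_string(normalize(parse_filter(text)))


def is_single_assertion(text: str) -> bool:
    """True if the text is exactly one (attr=value) item, i.e. the substituted
    screen name did not add or close any filter component."""
    try:
        return parse_filter(text)[0] == 'item'
    except ValueError:
        return False


if __name__ == '__main__':
    nested = ('(&(objectClass=inetOrgPerson)(&(objectClass=organizationalPerson)'
              '(&(objectClass=person)(&(objectClass=top)))))')
    print(simplify(nested))
    print(auth_filter('*)(uid=*'))          # escaped: stays a single assertion
    print(is_single_assertion('(uid=' + '*)(uid=*' + ')'))   # unescaped: False
```

The escaped substitution turns the constructed input `*)(uid=*` into `\2a\29\28uid=\2a`, which is still one assertion; the same string substituted raw produces `(uid=*)(uid=*)`, which the parser rejects because it is no longer a single filter.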
Liferay + CAS configuration
  1. Go to Control Panel - Settings - Authentication and select the CAS tab.

  2. Check the "Enabled" and "Import from LDAP" checkboxes.

  3. Fill in the screen with the following parameters:
    Login URL https://${LFRY_HOST}:${LFRY_PORT_SSL}/${CAS_DIR}/login
    Logout URL https://${LFRY_HOST}:${LFRY_PORT_SSL}/${CAS_DIR}/logout
    Server name ${LFRY_HOST}:${LFRY_PORT}
    Server URL https://${LFRY_HOST}:${LFRY_PORT_SSL}/${CAS_DIR}
    Service URL http://${LFRY_HOST}:${LFRY_PORT}/c/portal/login

    Server URL is the address Liferay itself calls to validate service tickets, so it must be reachable from the Liferay host and its certificate must be trusted by the JRE Liferay runs on (see Certificates below). Service URL and Server name are where the browser is sent back to with the ticket; as configured they use plain HTTP, so the service ticket and the portal session that follows travel in the clear. Once HTTPS is enabled on ${LFRY_PORT_SSL}, prefer https://${LFRY_HOST}:${LFRY_PORT_SSL} for both.
  4. Add the following beans to the CAS Spring configuration file ${LFRY_HOME}/webapps/${CAS_DIR}/WEB-INF/deployerConfigContext.xml (Spring does not read beans from the Maven pom.xml under META-INF). The BindLdapAuthenticationHandler replaces the SimpleTestUsernamePasswordAuthenticationHandler entry in the authenticationHandlers list of the authenticationManager bean; the other beans go at the top level of the file, whose root element must declare the p and tx namespaces they use.
    <!--bean
        class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /-->
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
        <property name="filter" value="uid=%u" />
        <property name="searchBase" value="dc=ochounos,dc=local" />
        <property name="contextSource" ref="contextSource" />
    </bean>
    <!--bean
        id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" /-->
    <!-- making cas-service-data persistent in databases -->
    <bean
        id="serviceRegistryDao"
        class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
        p:entityManagerFactory-ref="entityManagerFactory" />
    <!-- configuration for hibernate -->
    <bean id="entityManagerFactory"
        class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
        <property name="dataSource" ref="dataSource"/>
        <property name="jpaVendorAdapter">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
            <property name="generateDdl" value="true"/>
            <property name="showSql" value="true" />
        </bean>
        </property>
        <property name="jpaProperties">
        <props>
            <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
            <prop key="hibernate.hbm2ddl.auto">update</prop>
        </props>
        </property>
    </bean>
    <bean id="transactionManager"
        class="org.springframework.orm.jpa.JpaTransactionManager">
        <property name="entityManagerFactory" ref="entityManagerFactory"/>
    </bean>
    <tx:annotation-driven transaction-manager="transactionManager"/>
    <!-- CAS service management persistent, MySQL -->
    <bean
        id="dataSource"
        class="org.apache.tomcat.dbcp.dbcp.BasicDataSource"
        p:driverClassName="com.mysql.jdbc.Driver"
        p:url="jdbc:mysql://${MYSQL_HOST_IP}:${MYSQL_HOST_PORT}/${CAS_DDBB}?autoReconnect=true"
        p:password="${CAS_DDBB_PWD}"
        p:username="${CAS_DDBB_USER}" />
    <!-- virtual directory server -->
    <bean id="contextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="pooled" value="false"/>
        <property name="urls">
            <list>
                <value>ldap://${LDAP_SERVER}:${LDAP_SERVER_PORT}/</value>
            </list>
        </property>
        <property name="userDn" value="uid=admin,ou=system"/>
        <property name="password" value="${LDAP_PASSWORD}"/>
        <property name="baseEnvironmentProperties">
        <!--
        Use a simple (DN + password) bind for the admin connection.
        Other JNDI environment properties, such as connect and read timeouts, go in this map too;
        see http://java.sun.com/products/jndi/tutorial/ldap/connect/create.html
        -->
            <map>
            <entry>
                <key>
                <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
            </map>
        </property>
    </bean>

    A few things to keep in mind about this configuration: generateDdl, hibernate.hbm2ddl.auto=update and showSql are convenient while the service registry tables are being created, but they let the web application alter the schema and log every SQL statement, so turn them off once setup is done. The CAS database password and the LDAP admin password sit in clear text in this file, so restrict its permissions. The context source talks plain ldap:// with a simple bind, which sends the admin credential and, through the bind handler, every user's password to Penrose unencrypted; keep the LDAP port on a trusted network (or the same host) or put TLS in front of it.
  5. Copy cas-server-support-ldap-3.3.5.jar from the ${CAS_DIR}/modules folder of the CAS distribution into the web application's library folder (${LFRY_HOME}/webapps/${CAS_DIR}/WEB-INF/lib).

  6. If you want the browser to be redirected back to the portal after logout, edit cas-servlet.xml (the file that defines logoutController) in ${LFRY_HOME}/webapps/${CAS_DIR}/WEB-INF and add or set the property p:followServiceRedirects="true" as follows:
    <bean id="logoutController" class="org.jasig.cas.web.LogoutController"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:logoutView="casLogoutView"
    p:warnCookieGenerator-ref="warnCookieGenerator"
    p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
    p:followServiceRedirects="true" />

    and add a service parameter to the logout URL configured in Liferay:
    https://${LFRY_HOST}:${LFRY_PORT_SSL}/${CAS_DIR}/logout?service=http://${LFRY_HOST}:${LFRY_PORT}

    Be aware that CAS 3.3 does not check the service parameter of /logout against the service registry: with followServiceRedirects enabled, /logout?service=<any URL> sends the browser to that URL, which makes the logout endpoint an open redirector. If that matters in your deployment, restrict the accepted value at a reverse proxy in front of CAS.
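The Login URL, Server URL and Service URL configured above are the three legs of the CAS 2.0 exchange: Liferay sends the browser to /login?service=..., CAS sends it back to the service URL with a ticket, and Liferay validates that ticket server-to-server against the Server URL. The following is an added example, not code from the original post, from CAS or from Liferay: a small in-memory model of that exchange with the two checks that make the exact Service URL matter (a service ticket is bound to the service it was issued for and is accepted once) and the registry check on the logout redirect target that the followServiceRedirects setting above does not perform. The registered-service list, the URL canonicalisation rule, the ticket format and the lfry_srv URLs are assumptions; the service URL is written as https here, unlike the post's http value.

```python
"""Model of the CAS 2.0 ticket exchange and service checks (added example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_BASE = 'https://lfry_srv:6443/cas-server-webapp-3.3.5'   # Server URL (assumed host/port)
SERVICE_URL = 'https://lfry_srv:6443/c/portal/login'          # Service URL, switched to https
PORTAL_ROOT = 'https://lfry_srv:6443'                         # logout?service= target


def canonical(url: str):
    """Scheme, lower-cased host, explicit port and path; the query string is ignored.
    Assumed matching rule for this model; real CAS matches registry patterns."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == 'https' else 80)
    return (p.scheme, (p.hostname or '').lower(), port, p.path or '/')


class CasServer:
    def __init__(self, registered_services):
        self.registered = {canonical(s) for s in registered_services}
        self.tickets = {}   # service ticket -> (service, principal)

    def is_registered(self, service: str) -> bool:
        return canonical(service) in self.registered

    def login(self, service: str, principal: str):
        """After the user authenticated (the LDAP bind handler in the post), issue a
        one-time service ticket bound to `service` and build the redirect URL."""
        if not self.is_registered(service):
            return None
        st = 'ST-' + secrets.token_urlsafe(16)
        self.tickets[st] = (service, principal)
        sep = '&' if '?' in service else '?'
        return service + sep + urlencode({'ticket': st})

    def service_validate(self, service: str, ticket):
        """/serviceValidate: the ticket is consumed on first use and is only
        accepted when presented for the service it was issued to."""
        entry = self.tickets.pop(ticket, None)
        if entry is None or canonical(entry[0]) != canonical(service):
            return None
        return entry[1]

    def logout_redirect(self, service):
        """Where /logout?service=... may send the browser: only to a registered
        service (the check CAS 3.3's followServiceRedirects does not make)."""
        if service and self.is_registered(service):
            return service
        return None


class PortalClient:
    """The Liferay side: redirect to /login, then validate the ticket that comes back."""
    def __init__(self, cas: CasServer, service_url: str):
        self.cas, self.service_url = cas, service_url

    def login_url(self) -> str:
        return CAS_BASE + '/login?' + urlencode({'service': self.service_url})

    def handle_callback(self, redirected_to: str):
        """/c/portal/login receives ?ticket=...; validation is done against CAS directly."""
        ticket = parse_qs(urlsplit(redirected_to).query).get('ticket', [None])[0]
        return self.cas.service_validate(self.service_url, ticket)


def sso_round_trip(principal='jdoe'):
    """Returns (principal from the first validation, result of replaying the same ticket)."""
    cas = CasServer([SERVICE_URL, PORTAL_ROOT])
    portal = PortalClient(cas, SERVICE_URL)
    back = cas.login(SERVICE_URL, principal)   # the browser follows this redirect
    return portal.handle_callback(back), portal.handle_callback(back)


def ticket_for_other_service():
    """A ticket issued for the portal, presented by a different registered service."""
    other = 'https://other.example/login'
    cas = CasServer([SERVICE_URL, other])
    back = cas.login(SERVICE_URL, 'jdoe')
    ticket = parse_qs(urlsplit(back).query)['ticket'][0]
    return cas.service_validate(other, ticket)


def logout_targets():
    """Redirect decision for the portal root and for an unregistered URL."""
    cas = CasServer([SERVICE_URL, PORTAL_ROOT])
    return cas.logout_redirect(PORTAL_ROOT), cas.logout_redirect('https://evil.example/')


if __name__ == '__main__':
    print(sso_round_trip())            # ('jdoe', None)
    print(ticket_for_other_service())  # None
    print(logout_targets())            # ('https://lfry_srv:6443', None)
```

The replay returning None is why a ticket sniffed from a plain-HTTP service URL is only useful to whoever validates it first, and the second function is why the Service URL in Liferay must be exactly the URL the ticket was issued for: a mismatch is a validation failure, not a warning.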
Certificates
  1. Create a self-signed certificate valid for 730 days:
    keytool -genkey -alias tomcat -keypass ${CERT_PWD} -keyalg RSA -keystore ./ochounos.keystore -validity 730
    Answer the prompts with the following information:
    Password ${CERT_PWD}
    Name ${LFRY_HOST}
    Org unit OCHOUNOS Dev
    Org OCHOUNOS Dev
    Locality Plasencia
    Province Caceres
    Country ES
    The "Name" (the certificate's CN) must be exactly the host name used in the CAS URLs above: Liferay validates service tickets by connecting to https://${LFRY_HOST}:${LFRY_PORT_SSL}/${CAS_DIR}, and Java's hostname verification rejects a certificate whose name does not match.
  2. Export the certificate:
    keytool -export -alias tomcat -keypass ${CERT_PWD} -keystore ./ochounos.keystore -storepass ${CERT_PWD} -file ochounos_730days.crt
  3. Import it into the cacerts truststore of the JRE that runs Liferay (keytool asks for the truststore password, changeit by default, and for confirmation that the certificate is to be trusted):
    keytool -import -alias tomcat -file ./ochounos_730days.crt -keystore ${LFRY_HOME}/tomcat-6.0.26/jre1.6.0_21/win/lib/security/cacerts
  4. Uncomment the HTTPS connector in ${LFRY_HOME}/tomcat-6.0.26/conf/server.xml and set it up as follows. The connector has to listen on ${LFRY_PORT_SSL} (6443 in the alias table), not on 443, or the https URLs configured above will not reach it; the keystore password is stored in clear text here, so keep server.xml readable only by the Tomcat account.
    <Connector port="${LFRY_PORT_SSL}" maxHttpHeaderSize="8192" SSLEnabled="true"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="${PATH_TO_KEYSTORE_FILE}/ochounos.keystore"
        keystorePass="${CERT_PWD}"
        truststoreFile="${LFRY_HOME}/tomcat-6.0.26/jre1.6.0_21/win/lib/security/cacerts"
    />

References
  How to install Liferay
  Penrose Server User Guide: http://penrose.redhat.com/display/PENROSE20/Penrose+Server+User+Guide


