Copyright 2007 Joshua Benner
Let me preface everything by saying that I'm a programmer, but that I've never worked with Java before this project. Please excuse anything stupid or obviously wrong that I've done. :) I think the below directions should get you going -- but it's possible I've left something out. Feel free to give it a shot and ask for further assistance.
Basically, the way the module works is to implement UserProvider and use an LDAP backend for passing back user information. The module also interacts with Hibernate to add/update user information in the OpenReports backend.
When a user attempts to log in, the module will try to log in to the LDAP server (NOTE: it does not do a search and compare; it actually authenticates to the LDAP server, which is known as a BIND). Upon success, it imports some user information, then looks up the user's group memberships. If an OpenReports group exists with the same name as one of the LDAP groups the user is a member of, the user will be given access to that OpenReports group. In addition, it will assign the user roles based on the content of the rolesFromNames function (see below).
Every time a user logs in, their group memberships and roles are updated. So group membership or role changes you make from within OpenReports are meaningless. Also, users created from within OpenReports are useless. So be sure that you have an LDAP login that OpenReports will grant ROOT_ADMIN_ROLE to.
To enable LDAP login for OpenReports, place the included .java files in the proper folders. I've included a folder 'org' that you should be able to drop into OpenReports/src and it will put things in the proper places (and it shouldn't have to overwrite any actual files -- though it may warn about overwriting folders).
LdapProvider.java -> src/org/efs/openreports/providers
LdapUserPersistenceProvider.java -> src/org/efs/openreports/providers/persistence
LdapUserProviderImpl.java -> src/org/efs/openreports/providers/impl
LdapLoginAction.java -> src/org/efs/openreports/actions
components.xml -> src/
ldap.properties -> tomcat/bin (or whatever the working directory of your App server is)
I've also included a sample ldap.properties -- this is where the LDAP module loads most of its settings for connecting to the LDAP directory. At this point, the LDAP module expects this file to be found in the /bin directory of your tomcat installation (or whatever the working directory is for the application server environment in which you run OpenReports).
After putting the files in place, there is some configuration that will be necessary. First, configure your ldap.properties with the following directives:
ldapUrl - The connection URL to your LDAP directory
userContext - The LDAP context in which your users are found
usernameAttribute - The attribute that has the username
userEmailAttribute - The attribute that has the user's email address
userExternalIdAttribute - The attribute that stores some external identifier (?)
groupContext - The LDAP context in which your groups are found
groupnameAttribute - The attribute that has the group name for a group object
groupMemberAttribute - The attribute of a group object that has a list of members
adminGroup - Name of LDAP group whose members will have ROOT_ADMIN_ROLE
userGroup - Name of LDAP group whose members will be normal OpenReports users
At this point, the way it finds group membership is based on one of the ways Novell eDirectory stores group membership information. As such, after it finds the user, it will search the group context for an object whose groupMemberAttribute attribute contains the authenticated user's DN. This shouldn't be difficult to change by modifying LdapProvider.getLdapUserGroups().
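The bind-then-group-lookup flow described above, sketched with JNDI as an added example (this is not the module's own code). The class and method names are hypothetical, the property keys are the ldap.properties directives listed above, and building the user DN from usernameAttribute and userContext is an assumption about how the bind DN is formed.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.Rdn;

// Added illustration, not the module's code. Class and method names are hypothetical.
public class LdapBindSketch {

    // Returns the names of the LDAP groups the user belongs to. Throws
    // AuthenticationException (a NamingException) if the bind is rejected.
    static List<String> bindAndListGroups(Properties p, String username, String password)
            throws NamingException {
        // Many servers treat a simple bind with an empty password as an anonymous
        // bind and report success, so reject it before contacting the server.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            throw new AuthenticationException("empty username or password");
        }
        // Assumption: the user DN is <usernameAttribute>=<username>,<userContext>.
        // Rdn.escapeValue keeps characters such as ',' or '+' from altering the DN.
        String userDn = p.getProperty("usernameAttribute") + "="
                + Rdn.escapeValue(username) + "," + p.getProperty("userContext");

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, p.getProperty("ldapUrl")); // ldap:// sends the password in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = new InitialDirContext(env); // the BIND happens here
        try {
            String nameAttr = p.getProperty("groupnameAttribute");
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { nameAttr });
            // {0} is substituted by JNDI, which escapes filter metacharacters in userDn.
            NamingEnumeration<SearchResult> hits = ctx.search(
                    p.getProperty("groupContext"),
                    "(" + p.getProperty("groupMemberAttribute") + "={0})",
                    new Object[] { userDn }, sc);
            List<String> groups = new ArrayList<>();
            while (hits.hasMore()) {
                Attribute a = hits.next().getAttributes().get(nameAttr);
                if (a != null) groups.add(String.valueOf(a.get()));
            }
            return groups;
        } finally {
            ctx.close();
        }
    }
}
```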
In addition to configuring the ldap.properties, there are some spots in the source of the files you'll want to modify for your LDAP environment:
You will have to tell OpenReports to use the Ldap user provider implementation instead of the standard one. To do this, edit components.xml and change UserProviderImpl to LdapUserProviderImpl. I've included a pre-configured components.xml.
You will also have to change your login action in xwork.xml from LoginAction to LdapLoginAction.
LDAP Patch Files