Installing Active Directory
Install Active Directory as usual. If you plan to push password updates from Penrose to Active Directory, you will need to enable SSL, since Active Directory only accepts password changes over a protected connection.
Changing Search Limit
Penrose needs to retrieve Active Directory's schema. The default schema contains 1262 entries, but by default Active Directory limits search results to 1000 entries per page. Currently you need to raise MaxPageSize to a value greater than the schema size (e.g. 2000). See: http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech
Enabling SSL (Optional)
First you need to install an Enterprise Certificate Authority. Then export the CA certificate by executing this command on the Active Directory machine:
certutil -ca.cert <filename>
Transfer the certificate file to the Penrose machine and import it into a keystore:
keytool -import -trustcacerts -alias <alias> -file <filename> -keystore penrose.keystore
Put penrose.keystore in the PENROSE_SERVER_HOME directory, then edit PENROSE_SERVER_HOME/conf/server.xml:
<server>
    <system-property>
        <property-name>javax.net.ssl.trustStore</property-name>
        <property-value>penrose.keystore</property-value>
    </system-property>
    <system-property>
        <property-name>javax.net.ssl.trustStorePassword</property-name>
        <property-value>...</property-value>
    </system-property>
</server>
Use the same keystore password that you specified when importing the certificate.
Configuring AD Connection
Connecting to Active Directory is the same as connecting to any other directory server, which is done via JNDI. Note that if you are using SSL you need to use "ldaps" instead of "ldap" in the provider URL. The configuration can be found in PENROSE_SERVER_HOME/conf/connections.xml:
<connections>
    <connection name="AD">
        <adapter-name>JNDI</adapter-name>
        <parameter>
            <param-name>java.naming.provider.url</param-name>
            <param-value>ldap://server/dc=Penrose,dc=Safehaus,dc=org</param-value>
        </parameter>
        <parameter>
            <param-name>java.naming.factory.initial</param-name>
            <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
        </parameter>
        <parameter>
            <param-name>java.naming.security.principal</param-name>
            <param-value>cn=Administrator,cn=Users,dc=Penrose,dc=Safehaus,dc=org</param-value>
        </parameter>
        <parameter>
            <param-name>java.naming.security.credentials</param-name>
            <param-value>password</param-value>
        </parameter>
        <parameter>
            <param-name>java.naming.ldap.attributes.binary</param-name>
            <param-value>userParameters</param-value>
        </parameter>
    </connection>
</connections>
Note that the userParameters attribute has to be declared as binary. Otherwise JNDI tries to decode its value as a string and the attribute cannot be handled correctly.
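The two configuration files above interact: an "ldaps" provider URL only works when server.xml points at a trust store, and a plain "ldap" URL sends the Administrator bind password in the clear and rules out the password updates mentioned at the top of this page. The following script is an added example, not part of Penrose, that parses server.xml and connections.xml as shown above and reports those inconsistencies offline. The sample documents embedded in it are constructed for illustration; the trust store password "changeit" is a placeholder.

```python
"""Offline consistency check for a Penrose Active Directory connection.

Added example (not Penrose code): parses server.xml and connections.xml in
the layout shown on this page and flags LDAPS / trust store / binary
attribute problems. The embedded documents are constructed samples.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample server.xml: trust store is configured ("changeit" is a placeholder).
SERVER_XML = """<server>
  <system-property>
    <property-name>javax.net.ssl.trustStore</property-name>
    <property-value>penrose.keystore</property-value>
  </system-property>
  <system-property>
    <property-name>javax.net.ssl.trustStorePassword</property-name>
    <property-value>changeit</property-value>
  </system-property>
</server>"""

# Constructed sample connections.xml: still uses plain ldap://, as in the page's snippet.
CONNECTIONS_XML = """<connections>
  <connection name="AD">
    <adapter-name>JNDI</adapter-name>
    <parameter>
      <param-name>java.naming.provider.url</param-name>
      <param-value>ldap://server/dc=Penrose,dc=Safehaus,dc=org</param-value>
    </parameter>
    <parameter>
      <param-name>java.naming.ldap.attributes.binary</param-name>
      <param-value>userParameters</param-value>
    </parameter>
  </connection>
</connections>"""


def system_properties(server_xml: str) -> dict:
    """Return {property-name: property-value} from a server.xml document."""
    props = {}
    for sp in ET.fromstring(server_xml).findall("system-property"):
        name = sp.findtext("property-name")
        if name is not None:
            props[name.strip()] = (sp.findtext("property-value") or "").strip()
    return props


def connection_parameters(connections_xml: str, name: str) -> dict:
    """Return {param-name: param-value} for the named <connection>."""
    for conn in ET.fromstring(connections_xml).findall("connection"):
        if conn.get("name") == name:
            params = {}
            for p in conn.findall("parameter"):
                pname = p.findtext("param-name")
                if pname is not None:
                    params[pname.strip()] = (p.findtext("param-value") or "").strip()
            return params
    raise KeyError(f"no <connection name={name!r}> in connections.xml")


def check_ad_connection(server_xml: str, connections_xml: str, name: str = "AD") -> list:
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    props = system_properties(server_xml)
    params = connection_parameters(connections_xml, name)

    scheme = urlsplit(params.get("java.naming.provider.url", "")).scheme.lower()
    if scheme == "ldap":
        # A simple bind over plain ldap:// sends the principal's password in
        # cleartext, and password updates to AD require SSL (see above).
        findings.append("provider.url uses ldap://: bind credentials travel in cleartext "
                        "and password updates to AD will not work; use ldaps://")
    elif scheme == "ldaps":
        # LDAPS only works if the JVM can validate the AD certificate chain.
        if "javax.net.ssl.trustStore" not in props:
            findings.append("ldaps:// configured but javax.net.ssl.trustStore is not set in server.xml")
        if not props.get("javax.net.ssl.trustStorePassword"):
            findings.append("javax.net.ssl.trustStorePassword is missing or empty in server.xml")
    else:
        findings.append(f"unexpected provider.url scheme: {scheme!r}")

    # JNDI takes a space-separated list of attribute names here.
    binary = set(params.get("java.naming.ldap.attributes.binary", "").split())
    if "userParameters" not in binary:
        findings.append("userParameters is not listed in java.naming.ldap.attributes.binary")
    return findings


if __name__ == "__main__":
    for finding in check_ad_connection(SERVER_XML, CONNECTIONS_XML):
        print("WARNING:", finding)
```

Run against the real files by reading PENROSE_SERVER_HOME/conf/server.xml and connections.xml into the two string arguments; the constructed sample above produces exactly one warning, for the ldap:// URL.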
