Active Directory
Added by Endi S. Dewata, last edited by Endi S. Dewata on Jun 10, 2008


Installing Active Directory

Install Active Directory as you would normally.

Windows Support Tools (Optional)

To install Windows Support Tools, go to the \Support\Tools\ directory on the Windows installation CD, then run setup.exe (Windows 2000) or suptools.msi (Windows 2003).

Enabling SSL (Optional)

If you plan to perform password updates from Penrose to Active Directory, you will need to enable SSL, because Active Directory only accepts password changes over an encrypted connection. To enable SSL, install an Enterprise Certificate Authority, then restart the machine.

If you are using Windows 2000, you also need to install the Windows 2000 High Encryption Pack (128-bit).

Importing SSL Certificate (Optional)

To connect using SSL, Penrose needs the CA certificate of the Active Directory server. You can get the certificate from the C:\ directory of the Active Directory machine, or export it by executing this command on the Active Directory machine:

% certutil -ca.cert example.crt

The exported certificate is in DER format. To convert it to PEM format:

% openssl x509 -in example.crt -inform DER -out example.pem -outform PEM

Transfer the certificate file into the PENROSE_SERVER_HOME directory on the machine running Penrose Server and import it into a keystore:

% cd PENROSE_SERVER_HOME
% keytool -import -trustcacerts -alias example -file example.crt -keystore penrose.keystore
Enter keystore password:  secret

Edit PENROSE_SERVER_HOME/conf/server.xml:

<server>

  <system-property>
    <property-name>javax.net.ssl.trustStore</property-name>
    <property-value>penrose.keystore</property-value>
  </system-property>

  <system-property>
    <property-name>javax.net.ssl.trustStorePassword</property-name>
    <property-value>secret</property-value>
  </system-property>

</server>

Use the same password that you specified when importing the certificate.

Configuring AD Connection

Connecting to Active Directory is the same as connecting to any other directory server: it is done via JNDI. Note that if you are using SSL, the provider URL must use "ldaps" instead of "ldap". The configuration can be found in PENROSE_SERVER_HOME/conf/connections.xml:

<connections>

  <connection name="AD">
    <adapter-name>JNDI</adapter-name>
    <parameter>
      <param-name>java.naming.provider.url</param-name>
      <param-value>ldap://server/</param-value>
    </parameter>
    <parameter>
      <param-name>java.naming.factory.initial</param-name>
      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
    </parameter>
    <parameter>
      <param-name>java.naming.security.principal</param-name>
      <param-value>cn=Administrator,cn=Users,dc=Example,dc=com</param-value>
    </parameter>
    <parameter>
      <param-name>java.naming.security.credentials</param-name>
      <param-value>secret</param-value>
    </parameter>
    <parameter>
      <param-name>java.naming.ldap.attributes.binary</param-name>
      <param-value>userParameters</param-value>
    </parameter>
  </connection>

</connections>

Note that the userParameters attribute has to be declared as binary. This makes JNDI return its value as a byte array instead of trying to decode it as a string, which is necessary to handle it correctly.
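As an added example (not part of Penrose itself), the following script cross-checks a connections.xml and server.xml pair for the points made in this section and the SSL section above: an ldaps URL without the truststore properties, a plain ldap URL when password updates are planned, and a missing binary declaration for userParameters. The two XML fragments are constructed samples modelled on the configuration shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the config shown above; trustStorePassword is left out on purpose.
SERVER_XML = """<server>
  <system-property>
    <property-name>javax.net.ssl.trustStore</property-name>
    <property-value>penrose.keystore</property-value>
  </system-property>
</server>"""

CONNECTIONS_XML = """<connections>
  <connection name="AD">
    <adapter-name>JNDI</adapter-name>
    <parameter><param-name>java.naming.provider.url</param-name>
               <param-value>ldaps://server/</param-value></parameter>
    <parameter><param-name>java.naming.ldap.attributes.binary</param-name>
               <param-value>userParameters</param-value></parameter>
  </connection>
</connections>"""

def system_properties(server_xml):
    """Map <system-property> names to values from a server.xml document."""
    root = ET.fromstring(server_xml)
    return {p.findtext("property-name"): p.findtext("property-value")
            for p in root.iter("system-property")}

def connection_params(connections_xml, name):
    """Map JNDI parameter names to values for the named <connection>."""
    root = ET.fromstring(connections_xml)
    for conn in root.iter("connection"):
        if conn.get("name") == name:
            return {p.findtext("param-name"): p.findtext("param-value")
                    for p in conn.iter("parameter")}
    raise KeyError(f"no connection named {name!r}")

def check_ad_connection(connections_xml, server_xml, name="AD", password_updates=True):
    """Return findings for the AD connection; an empty list means the pair is consistent."""
    params = connection_params(connections_xml, name)
    props = system_properties(server_xml)
    findings = []
    url = params.get("java.naming.provider.url", "")
    if url.startswith("ldap://"):
        if password_updates:
            findings.append("plain ldap:// URL: AD only accepts password changes over SSL")
        findings.append("bind credentials travel unencrypted over ldap://")
    elif url.startswith("ldaps://"):
        # An ldaps URL only works if the JVM trusts the exported CA certificate.
        for prop in ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword"):
            if prop not in props:
                findings.append(f"ldaps:// URL but {prop} is not set in server.xml")
    if "userParameters" not in params.get("java.naming.ldap.attributes.binary", "").split():
        findings.append("userParameters is not listed in java.naming.ldap.attributes.binary")
    return findings
```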

Enabling userPassword Attribute (Optional)

By default the AD bind password is stored in the unicodePwd attribute; userPassword is just a regular attribute with no special purpose. On Windows 2003, you can make userPassword an alias of unicodePwd by setting the dSHeuristics bit:

% ldapmodify -h localhost -p 389 -D "cn=Administrator,cn=Users,dc=Example,dc=com" -w secret -x
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
changetype: modify
replace: dSHeuristics
dSHeuristics: 000000001

The userPassword attribute can then be used to set the bind password.

Example

A sample Active Directory partition can be found in PENROSE_SERVER_HOME/samples/activeDirectory. Note that currently you have to check out the source code from https://svn.safehaus.org/repos/penrose/branches/1.2 and rebuild it.

Copy the partition directory from that folder into PENROSE_SERVER_HOME/partitions:

cp -r PENROSE_SERVER_HOME/samples/activeDirectory/partition PENROSE_SERVER_HOME/partitions/activeDirectory

Then register the new partition in server.xml:

<partition name="activeDirectory" path="partitions/activeDirectory"/>

In PENROSE_SERVER_HOME/samples/activeDirectory/ldif you can find several sample LDIF files that you can use to test the partition.
