Posted to commits@directory.apache.org by sm...@apache.org on 2018/07/06 17:03:58 UTC
directory-fortress-core git commit: General readme improvements.
Repository: directory-fortress-core
Updated Branches:
refs/heads/master cd5e8f9c7 -> 53673c634
General readme improvements.
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/53673c63
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/53673c63
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/53673c63
Branch: refs/heads/master
Commit: 53673c6345a395a519c616189e6b9bba52b1db5b
Parents: cd5e8f9
Author: Shawn McKinney <sm...@apache.org>
Authored: Thu Jul 5 18:57:17 2018 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Thu Jul 5 18:57:17 2018 -0500
----------------------------------------------------------------------
README-PROPERTIES.md | 59 ++++++++++++++++++++++++++++++++---------
README-QUICKSTART-SLAPD.md | 4 ++-
README.md | 17 ++++++++----
build.properties.example | 10 ++++---
slapd.properties.example | 12 +++++----
5 files changed, 75 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/README-PROPERTIES.md
----------------------------------------------------------------------
diff --git a/README-PROPERTIES.md b/README-PROPERTIES.md
index fe0f525..93eb587 100644
--- a/README-PROPERTIES.md
+++ b/README-PROPERTIES.md
@@ -51,7 +51,7 @@ This section describes the properties needed to control fortress core.
```
# Else if OpenLDAP server:
- ldap.server.type=slapd
+ ldap.server.type=openldap
```
```
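Review bot: the documented value for `ldap.server.type` changes from `slapd` to `openldap` here, but nothing in this patch says whether `slapd` is still accepted by the runtime or was only ever a documentation error. If an existing `slapd.properties` that still carries `ldap.server.type=slapd` would now be treated as something other than OpenLDAP, a one-line note in this section (or a deprecation mention) would save users a confusing debugging session.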
@@ -94,11 +94,27 @@ This section describes the properties needed to control fortress core.
# Used for SSL Connection to LDAP Server:
enable.ldap.ssl=true
enable.ldap.ssl.debug=true
- trust.store=/fully/qualified/path/and/file/name/to/java/truststore
trust.store.password=changeit
- trust.store.set.prop=true
```
+ a. Trust store can found on the classpath
+
+ ```
+ trust.store.onclasspath=true
+ trust.store=mytruststorename
+ ```
+
+ b. Trust store can found as fully qualified filename:
+
+ ```
+ trust.store.onclasspath=false
+ trust.store=/fully/qualified/path/and/file/name/to/java/mytruststorename
+ ```
+
+ * Question: Should I access my truststore from classpath or as fully qualified?
+ * Answer: It's usually best find on classpath, that way it can be bundled inside the impl's jar or war files.
+ * Except, when using SSL in processes where JDBC also is using SSL. Due to limitations in how JDBC works, must specify as fully-qualified name.
+
7. To use REST instead of LDAP. Points to fortress-rest instance.
```
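Review bot: `trust.store.set.prop=true` is dropped from the documented SSL block with no replacement and no note on what happened to it; if the property is now ignored, say so, and if it still exists it should stay documented. Also, both sub-items read "Trust store can found" (missing "be"), the answer bullet reads "usually best find on classpath" (missing "to"), and the `a.`/`b.` sub-items and the Question/Answer bullets sit at no list indentation, so check that they render as part of the preceding numbered item rather than breaking out of the list.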
@@ -123,12 +139,23 @@ This section describes the properties needed to control fortress core.
apacheds.pwpolicy.root=ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
```
-10. LDAP Directory Information Tree Directives
+10. LDAP Directory Information Tree (DIT) Samples
```
- # Define the high-level structure of LDAP DIT:
+ # Define the high-level structure of LDAP DIT
+ # For a two-part domain context, e.g. dc=example,dc=com:
+ suffix.name=example
+ suffix.dc=com
suffix=dc=example,dc=com
+ suffix=dc=${suffix.name},dc=${suffix.dc}
+ # Else, for a three-part domain context, e.g. dc=foo, dc=example,dc=com:
+ suffix.name=foo
+ suffix.dc=example
+ suffix.dc2=com
+ suffix=dc=${suffix.name},dc=${suffix.dc},dc=${suffix.dc2}
+ # The Config container must be specified in the properties file.
config.root=ou=Config,dc=example,dc=com
+ # The other fortress containers may either be in the build.properties file, or loaded into the config node.
user.root=ou=People,dc=example,dc=com
pwpolicy.root=ou=Policies,dc=example,dc=com
role.root=ou=Roles,ou=RBAC,dc=example,dc=com
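Review bot: the two-part sample now carries both the unchanged `suffix=dc=example,dc=com` and the new `suffix=dc=${suffix.name},dc=${suffix.dc}` as live assignments in the same block; if a reader copies the block into a properties file the later assignment wins, so the literal line should be deleted or commented out, and the three-part block in the same fence adds a third `suffix=` on top of that. The comment `dc=foo, dc=example,dc=com` also has a stray space after the first comma that readers may copy into a DN.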
@@ -138,11 +165,11 @@ This section describes the properties needed to control fortress core.
permou.root=ou=OS-P,ou=ARBAC,dc=example,dc=com
adminrole.root=ou=AdminRoles,ou=ARBAC,dc=example,dc=com
adminperm.root=ou=AdminPerms,ou=ARBAC,dc=example,dc=com
- audit.root=cn=log
group.root=ou=Groups,dc=example,dc=com
- example.root=ou=Examples,dc=example,dc=com
```
+ Note: See the [README-CONFIG](./README-CONFIG.md)) guide for more info how fortress finds its properties.
+
11. Define the delegated administration super admin role. Any user who is assigned this role will bypass all ARBAC02 security checks, when they are enabled.
```
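Review bot: the added note has a doubled closing parenthesis, `[README-CONFIG](./README-CONFIG.md))`, which renders the extra `)` as literal text after the link; it should be `[README-CONFIG](./README-CONFIG.md)`, and "more info how fortress finds" wants an "on" ("more info on how"). Separately, `audit.root=cn=log` is removed from the DIT sample while the README.md hunk in this same commit still documents enabling the fortress audit; if the audit root is now supplied elsewhere, a pointer here would help.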
@@ -263,29 +290,35 @@ This section describes the properties needed to control fortress core.
group.properties=ftProps
```
-20. Disable OpenLDAP audit operations. If server type is OpenLDAP *ldap.server.type-slapd*, setting this value to true will disable all auditing operations. Default is false.
+20. Enable RFC2307bis support for Users and Roles (groups)
+ Setting this prop to true requires the RFC2307bis schema to be present in ldap server. This defines the posixAccount and posixGroup object classes as auxiliary not structural.
+ This will add uidNumber, gidNumber, uidNumber and homeDirectory to Users and gidNumber to Roles. Those attributes are required and will be automatically generated if not otherwise passed in.
+
+ ```
+ # Boolean value. If true, requires rfc2307bis schema because posixUser and posixGroup must be auxiliary object classes to work with ftRls which is structural..
+ rfc2307=true
+ ```
+
+21. Disable OpenLDAP audit operations. If server type is OpenLDAP *ldap.server.type-slapd*, setting this value to true will disable all auditing operations. Default is false.
```
disable.audit=true
```
-21. Define delimiter to use for storage of fortress temporal constraints in LDAP. It is used to delimit fields that are combined into a single attribute, i.e. ftConstraint.
+22. Define delimiter to use for storage of fortress temporal constraints in LDAP. It is used to delimit fields that are combined into a single attribute, i.e. ftConstraint.
```
# Use '$' as delimiter
attr.delimiter=$
```
-22. These properties still have some wiring inside fortress but aren't typically used or needed.
+23. These properties still have some wiring inside fortress but aren't typically used or needed.
```
dao.connector=apache
-
#keep alphanumerics and dashes
regXSafetext=^A-Za-z0-9- .
-
crypto.prop=${crypto.prop}
-
clientside.sorting=true
```
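Review bot: item 21 still refers to the server type as `*ldap.server.type-slapd*`, but the first hunk of this file changed the documented value to `openldap`, and the `-` should be `=`; it should read `ldap.server.type=openldap`. In item 20 the prose names `posixAccount` while the code comment says `posixUser` (the RFC 2307 class is `posixAccount`), the attribute list reads "uidNumber, gidNumber, uidNumber and homeDirectory" (duplicate `uidNumber`), and the comment ends with a double period. Since the text says `uidNumber`/`gidNumber` are generated automatically when not passed in, it is worth documenting how they are allocated, because a directory that also serves POSIX accounts to hosts needs those values to be unique.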
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/README-QUICKSTART-SLAPD.md
----------------------------------------------------------------------
diff --git a/README-QUICKSTART-SLAPD.md b/README-QUICKSTART-SLAPD.md
index 7028521..a4ab562 100644
--- a/README-QUICKSTART-SLAPD.md
+++ b/README-QUICKSTART-SLAPD.md
@@ -75,7 +75,9 @@ ________________________________________________________________________________
cp slapd.properties.example slapd.properties
```
- *[slapd.properties.example](slapd.properties.example) contains the slapd default config. Learn more about how the config works: [README-CONFIG](README-CONFIG.md)*
+ *[slapd.properties.example](slapd.properties.example) contains the slapd default config.
+ * Learn more about how the config works: [README-CONFIG](README-CONFIG.md).
+ * Learn more about what properties there are: [README-PROPERTIES](README-PROPERTIES.md).
3. Download the latest OpenLDAP binaries for your platform:
[Symas OpenLDAP Silver Edition](https://downloads.symas.com/products/symas-openldap-directory-silver-edition/)
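Review bot: the original line opened and closed the italic with `*...*`; the new first line `*[slapd.properties.example](slapd.properties.example) contains the slapd default config.` opens the italic but never closes it, and the two lines that follow begin with ` * `, so Markdown will either run the emphasis across the next bullets or render a literal asterisk. Either close the italic at the end of the first line or make all three lines plain bullets.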
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
index f577ec3..aea9cc2 100644
--- a/README.md
+++ b/README.md
@@ -325,14 +325,20 @@ ________________________________________________________________________________
vi slapd.properties
```
-3. Set the LDAP Host and port properties. Either a valid host name or IP address can be used. If you are running on the same platform as your LDAP server, localhost will do.
+3. Tell the runtime using OpenLDAP:
+
+ ```
+ ldap.server.type=openldap
+ ```
+
+4. Set the LDAP Host and port properties. Either a valid host name or IP address can be used. If you are running on the same platform as your LDAP server, localhost will do.
```
host=localhost
port=389
```
-4. Set the suffix name and domain component. These may be set according to your requirements. For example **suffix.name=example** and **suffix.dc=com** turns into **dc=example,dc=com**.
+5. Set the suffix name and domain component. These may be set according to your requirements. For example **suffix.name=example** and **suffix.dc=com** turns into **dc=example,dc=com**.
```
suffix.name=example
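Review bot: the new step 3 reads "Tell the runtime using OpenLDAP", which is missing a verb; "Tell the runtime to use OpenLDAP" reads correctly. Since the value `openldap` is what README-PROPERTIES.md now documents (first hunk of this commit), it would also help to state that this line goes into `slapd.properties`, the file opened in the `vi slapd.properties` context just above.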
@@ -348,7 +354,7 @@ ________________________________________________________________________________
suffix=dc=${suffix.name},dc=${suffix.dc},dc=${suffix.dc2}
```
-5. Add to the file to enable LDAP connection pool parameters.
+6. Add to the file to enable LDAP connection pool parameters.
```
# Here we are testing with slapd's root user. Never do this in prod envs.
@@ -371,7 +377,7 @@ ________________________________________________________________________________
user.max.conn=10
```
-6. Enable the fortress audit and its connection pool.
+7. Enable the fortress audit and its connection pool.
*This step is optional.*
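Review bot: this hunk renumbers step 6 to 7, but the next hunk shows `8. Rebuild the configuration artifacts:` as unchanged context at its original number, and the old step 7 that sat between them (old lines 378 to 401, untouched by this patch) does not appear; unless it was folded into the audit step, the list now has two step 7s. Please check that range.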
@@ -402,7 +408,7 @@ ________________________________________________________________________________
8. Rebuild the configuration artifacts:
```
- mvn install
+ mvn clean install
```
9. Perform an initial load to the target LDAP server:
@@ -418,6 +424,7 @@ More usage notes of fortress build property files:
* The [build.properties.example]([build.properties.example) contains defaults for ApacheDS. This file is required and will activate once renamed to **build.properties**.
* The [slapd.properties.example](slapd.properties.example) is optional. Use *only* when OpenLDAP is the target server. Once renamed to **slapd.properties**, it will override any values found in the **build.properties** file.
* Learn more about the configuration subsystem: [README-CONFIG](./README-CONFIG.md)
+ * Learn more about what properties there are: [README-PROPERTIES](README-PROPERTIES.md).
* Don't change the ant substitution parameters within the properties *unless you know what you're doing*. These are are the settings inside of curly brackets, e.g. **${param1}**.
___________________________________________________________________________________
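Review bot: the added bullet is fine, but the first bullet in this hunk has a malformed link, `[build.properties.example]([build.properties.example)`, with a stray `[` inside the URL part; since this commit already touches this list, fix it to `[build.properties.example](build.properties.example)`. The last bullet also reads "These are are the settings" (doubled "are").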
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/build.properties.example
----------------------------------------------------------------------
diff --git a/build.properties.example b/build.properties.example
index 4c107d5..4fce889 100644
--- a/build.properties.example
+++ b/build.properties.example
@@ -60,12 +60,16 @@ ldap.port=10389
#ldap.host=fortressdemo2.com
# 10636 is default apacheds LDAPS port:
#ldap.port=10636
+# If you need the ldap api to spit out more info on ssl connections:
#enable.ldap.ssl.debug=true
-# The trust store is found either on the application's classpath or filepath as specified by trust.store.onclasspath:
-#trust.store=mytruststore
#trust.store.password=changeit
-# Will pick up the truststore from the classpath if set to true which is the default. Otherwise, file must be specified a fully qualified filename:
+# Will pick up the truststore from the classpath if set to true which is the default.
#trust.store.onclasspath=true
+#trust.store=mytruststore
+# Otherwise, file must be specified a fully qualified filename:
+#trust.store.onclasspath=false
+#trust.store=/fully/qualified/path/to/mytruststore
+
# These are the connection parameters used for LDAP service account:
root.dn=uid=admin,ou=system
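Review bot: after the reorder, the two alternatives `#trust.store.onclasspath=true` / `#trust.store=mytruststore` and `#trust.store.onclasspath=false` / `#trust.store=/fully/qualified/path/to/mytruststore` sit back to back with no statement that exactly one pair should be uncommented; a user who uncomments both ends up with whichever `trust.store` assignment comes last, silently. A leading "pick one of the two" comment would remove the ambiguity. Also, "file must be specified a fully qualified filename" should read "specified as a fully qualified filename".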
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/53673c63/slapd.properties.example
----------------------------------------------------------------------
diff --git a/slapd.properties.example b/slapd.properties.example
index 3d0284a..78b90f2 100644
--- a/slapd.properties.example
+++ b/slapd.properties.example
@@ -88,14 +88,17 @@ log.ops=logops bind writes compare
#ldap.host=fortressdemo2.com
# 636 is default LDAPS on OpenLDAP:
#ldap.port=636
+# If you need the ldap api to spit out more info on ssl connections:
#enable.ldap.ssl.debug=true
-# The trust store is found either on the application's classpath or filepath as specified by trust.store.onclasspath:
-#trust.store=mytruststore
#trust.store.password=changeit
-# Will pick up the truststore from the classpath if set to true which is the default. Otherwise, file must be specified a fully qualified filename:
+# Will pick up the truststore from the classpath if set to true which is the default.
#trust.store.onclasspath=true
+#trust.store=mytruststore
+# Otherwise, file must be specified a fully qualified filename:
+#trust.store.onclasspath=false
+#trust.store=/fully/qualified/path/to/mytruststore
-# These are needed for slapd startup SSL configuration:
+# These are needed for OpenLDAP startup script to enable SSL configuration:
#ldap.uris=ldap://${ldap.host}:389 ldaps://${ldap.host}:${ldap.port}
# These are needed for slapd server-side SSL configuration:
#tls.ca.cert.file=ca-cert.pem
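Review bot: this hunk makes the same trust store edits as build.properties.example, so the same "pick one pair" comment and the "specified as a fully qualified filename" fix apply here. On the `ldap.uris` line the reworded comment says these URIs are needed to enable SSL, yet the sample keeps a cleartext `ldap://${ldap.host}:389` listener alongside `ldaps://`; a comment that deployments wanting TLS-only should drop the `ldap://` URI (or that the plain listener is kept for StartTLS) would keep the sample from reading as an endorsement of leaving cleartext LDAP open.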
@@ -155,7 +158,6 @@ slapd.module.dir=${openldap.root}/lib64/openldap
slapd.start=${openldap.root}/etc/solserver start -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap
#slapd.start=${openldap.root}/lib64/slapd -h ldap://${ldap.host}:${ldap.port} -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap
-
########################################################################
# 4. RBAC ACCELERATOR OVERLAY PROPS
########################################################################