Adding Groups To OpenLdap

Introduction

A previous article describes how to set up an OpenLdap server and add inetOrgPerson user objects. However, that article did not describe how to add groups to OpenLdap or how to add users to those groups.

The most basic functionality that an LDAP database provides is describing users (described here), describing groups, and mappings between the two. LDAP databases can do many other things, but for our purposes, this is what is needed.

J2EE Security

The next series of articles posted on Thinkmiddleware.com will build up to demonstrating a working example of J2EE Security on a JBoss container. The details will come later, but J2EE Security is defined in chapter two of the J2EE Security specification.

For J2EE Security to function, a user repository (a repository that describes users) is needed that can define users, groups, and a mapping between the two. That is the reason for introducing LDAP groups now.

Admittedly, J2EE Security doesn't strictly require an LDAP database as the user repository, but it is a common (and clean) implementation.
So, for Thinkmiddleware.com purposes, an LDAP database will serve as the JBoss user repository and OpenLdap will be the LDAP database (because it is open source and free).

Define A Group in LDAP

Before following the procedure below, OpenLdap should be compiled, installed, and set up as described here.
The instructions below assume that the LDAP server is currently running: check for a slapd process and for something listening on port 389.

  1. Make a copy of the addObject.sh script (given below) on the machine where the LDAP database is running.
  2. Make copies of the group_ou.ldif and group1.ldif files (given below) on the same machine, in the directory from which addObject.sh will be run.
  3. Run addObject.sh to create the ou=Groups,dc=thinkmiddleware,dc=com branch of the LDAP tree.

    addObject.sh group_ou secret

    Note, this assumes that the LDIF file from step #2 is named group_ou.ldif (the script appends .ldif to its first argument) and that the "cn=Manager,dc=thinkmiddleware,dc=com" user's password is secret.

  4. Run addObject.sh to create a group called "cn=Group1,ou=Groups,dc=thinkmiddleware,dc=com", which is located in the "ou=Groups,dc=thinkmiddleware,dc=com" branch created in the last step.

    addObject.sh group1 secret

    Note, users 1,2,3,…,13 will be members of Group1; group1.ldif lists one member attribute per user DN.

  5. You can view the new group with the ldapsearch command:

    ldapsearch -x -h localhost -p 389 -D "cn=Manager,dc=thinkmiddleware,dc=com" -w secret -b "ou=Groups,dc=thinkmiddleware,dc=com" "(objectclass=*)"

    Note, -w secret puts the password on the command line, where it is visible in the process list and in the shell history; use -W to be prompted for it instead. On current OpenLdap releases -h/-p are deprecated in favour of -H ldap://localhost:389. The output will look similar to the following

    # extended LDIF
    #
    # LDAPv3
    # base <ou=Groups,dc=thinkmiddleware,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # Groups, thinkmiddleware.com
    dn: ou=Groups,dc=thinkmiddleware,dc=com
    objectClass: organizationalUnit
    ou: Groups
    description: Thinkmiddleware.com Groups

    # Group1, Groups, thinkmiddleware.com
    dn: cn=Group1,ou=Groups,dc=thinkmiddleware,dc=com
    objectClass: groupOfNames
    cn: Group1
    description: Group1 Test Group
    member: cn=1,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=2,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=3,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=4,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=5,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=6,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=7,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=8,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=9,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=10,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=11,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=12,ou=Users,dc=thinkmiddleware,dc=com
    member: cn=13,ou=Users,dc=thinkmiddleware,dc=com

    # search result
    search: 2
    result: 0 Success

    # numResponses: 3
    # numEntries: 2

At this point, the OpenLdap database is ready to be used by JBoss.

addObject.sh

#!/bin/bash
# Usage: addObject.sh <ldif-basename> <manager-password>
# Adds the entries in <ldif-basename>.ldif as the directory manager.
PASSWORD="$2"
ldapadd -x -D "cn=Manager,dc=thinkmiddleware,dc=com" -w "${PASSWORD}" -f "$1.ldif"

group_ou.ldif

dn: ou=Groups,dc=thinkmiddleware,dc=com
objectClass: organizationalUnit
ou: Groups
description: Thinkmiddleware.com Groups

group1.ldif

dn: cn=Group1,ou=Groups,dc=thinkmiddleware,dc=com
objectClass: groupOfNames
cn: Group1
description: Thinkmiddleware.com Group1 Test Group
member: cn=1,ou=Users,dc=thinkmiddleware,dc=com
member: cn=2,ou=Users,dc=thinkmiddleware,dc=com
member: cn=3,ou=Users,dc=thinkmiddleware,dc=com
member: cn=4,ou=Users,dc=thinkmiddleware,dc=com
member: cn=5,ou=Users,dc=thinkmiddleware,dc=com
member: cn=6,ou=Users,dc=thinkmiddleware,dc=com
member: cn=7,ou=Users,dc=thinkmiddleware,dc=com
member: cn=8,ou=Users,dc=thinkmiddleware,dc=com
member: cn=9,ou=Users,dc=thinkmiddleware,dc=com
member: cn=10,ou=Users,dc=thinkmiddleware,dc=com
member: cn=11,ou=Users,dc=thinkmiddleware,dc=com
member: cn=12,ou=Users,dc=thinkmiddleware,dc=com
member: cn=13,ou=Users,dc=thinkmiddleware,dc=com
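
The LDIF files above are small enough to type by hand, but the same format is what ldapadd reads and what ldapsearch prints back, and slapd stores whatever DN is written in a member attribute without checking that an entry with that DN exists. The Python script below is an added example, not code from the original article or part of the addObject.sh workflow: it renders a groupOfNames entry for a run of users the way group1.ldif does, parses LDIF (comments, folded lines, base64 values, ldapsearch's trailing result record) into entries, and then checks every member DN in a group against the user entries that were actually loaded, reporting the ones that match no user. The DN names follow the article's tree; the sample dump embedded in the script is constructed for the example and deliberately contains one mistyped member DN.

```python
"""Added example (not from the original article): render a groupOfNames entry
as group1.ldif does, parse LDIF as ldapadd reads it and ldapsearch prints it,
and check a group's member DNs against the user entries. Sample data is constructed."""
import base64
import re
from collections import defaultdict

BASE_DN = "dc=thinkmiddleware,dc=com"
GROUPS_DN = "ou=Groups," + BASE_DN
USERS_DN = "ou=Users," + BASE_DN
# One attribute line: name, ':' or '::' (base64), optional spaces, value.
_ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) *(.*)$")

def group_ldif(cn, user_cns, description=""):
    """Render a groupOfNames entry with one 'member:' line per user cn. The schema
    lists 'member' as MUST, so an empty group is rejected here, not in slapd."""
    user_cns = list(user_cns)
    if not user_cns:
        raise ValueError("groupOfNames requires at least one member")
    lines = ["dn: cn=%s,%s" % (cn, GROUPS_DN), "objectClass: groupOfNames", "cn: %s" % cn]
    if description:
        lines.append("description: %s" % description)
    lines += ["member: cn=%s,%s" % (u, USERS_DN) for u in user_cns]
    return "\n".join(lines) + "\n"

def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr_lowercase: [values]}). Handles '#'
    comments, folded lines, base64 values, and skips ldapsearch's dn-less trailer."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], []
    for line in unfolded + [""]:         # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line.strip():
            current.append(line)
        elif current:
            record = _record(current)
            if record is not None:
                entries.append(record)
            current = []
    return entries

def _record(lines):
    dn, attrs = None, defaultdict(list)
    for line in lines:
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return None if dn is None else (dn, dict(attrs))

def norm_dn(dn):
    """Case-fold and trim spaces around RDN separators ('CN=2, OU=Users' == 'cn=2,ou=Users')."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def membership(entries):
    """Return (normalized user dn -> set of group cn, dangling member DNs).
    slapd accepts a member DN that matches no entry, so a typo such as
    'ou-Users' is stored silently and that user never belongs to the group."""
    known = {norm_dn(dn) for dn, _ in entries}
    users, dangling = defaultdict(set), []
    for dn, attrs in entries:
        if "groupofnames" not in [v.lower() for v in attrs.get("objectclass", [])]:
            continue
        for member in attrs.get("member", []):
            if norm_dn(member) in known:
                users[norm_dn(member)].add(attrs["cn"][0])
            else:
                dangling.append(member)
    return dict(users), dangling

# Constructed sample in ldapsearch's output format. The first member carries the
# 'ou-Users' typo; the description uses the base64 form ldapsearch emits for
# values that are not safe ASCII (here it decodes to "Group1 Test Group").
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=1,ou=Users,dc=thinkmiddleware,dc=com
objectClass: inetOrgPerson
cn: 1

dn: cn=2,ou=Users,dc=thinkmiddleware,dc=com
objectClass: inetOrgPerson
cn: 2

dn: cn=Group1,ou=Groups,dc=thinkmiddleware,dc=com
objectClass: groupOfNames
cn: Group1
description:: R3JvdXAxIFRlc3QgR3JvdXA=
member: cn=1,ou-Users,dc=thinkmiddleware,dc=com
member: CN=2, OU=Users, DC=thinkmiddleware, DC=com

# search result
result: 0 Success
"""
```

Calling membership(parse_ldif(SAMPLE_LDIF)) returns the mapping for user 2 only and lists the mistyped DN for user 1 as dangling. To run the same check against a real directory, feed it the output of the step 5 ldapsearch command with -b dc=thinkmiddleware,dc=com, so that the user entries are part of the dump; group_ldif("Group1", range(1, 14)) produces the same member list as group1.ldif above.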

Thoughts

The last OpenLdap tutorial and the instructions above create a simple LDAP server that contains 5000 users in the "ou=Users,dc=thinkmiddleware,dc=com" branch of the LDAP tree and one group in the "ou=Groups,dc=thinkmiddleware,dc=com" branch. Users 1,2,3,…,13 are members of the Group1 group. The LDAP super user is "cn=Manager,dc=thinkmiddleware,dc=com".

This isn't terribly sophisticated, but it is enough to demonstrate the use of J2EE Security in JBoss with OpenLdap serving as the user repository. A J2EE user repository needs to contain user and group definitions and mappings between the two. The user repository must also be able to authenticate users (i.e., contain user passwords). A separate article demonstrates how this can be done with JNDI. In fact, JBoss uses JNDI to interact with LDAP user repositories; later, we will see that tuning the LDAP connection cache in JBoss is a matter of tuning the JNDI connection pooling parameters.