This post serves as documentation on how to set up Magnolia CMS with the LDAP Connector module connected to ApacheDS. Especially for testing, ApacheDS is very handy to set up and it provides a user interface to get started fast. In addition to that, it’s also much easier to remove from your machine than software libraries spread all over your system.

Testing environment

At the time of writing, ApacheDS seemed to have a problem with Java 9 so be careful with that.

Enterprise edition only: To make use of this article you need the enterprise edition of Magnolia CMS!

ApacheDS configuration

First, download and install ApacheDS.

Create a server and a connection

(Screenshots are in German but you should get along…)

Start the server after creating it.

Open the connection after creating it.

ApacheDS default admin account

The default administrator account is called admin and the default password is secret. You can find the account here:

We will need those credentials later when configuring access to ApacheDS for the LDAP Connector module. Check the official ApacheDS documentation on how to change the default administrator password.

Create LDAP sample data structure for users and groups

Select the already existing node for the example domain under the Root DSE.

For groups:

For users:

The resulting structure should look similar to this:

Create sample users and groups

Users

Now select the newly created user in the LDAP browser and add more attributes by right clicking the attribute window and selecting New attribute:

The uid is the key the LDAP Connector module will use to find this user account in the ApacheDS directory.

If you want, you can also add more (allowed) attributes like givenName or mail but that’s not necessary for our use case. The account for urquhart now looks like this:

We now have a user object but we also want to have information about group memberships for this account so Magnolia can assign permissions when performing an actual login.

Groups

For adding more users to a group later, add the attribute member and select the user account.

The group now looks like this:

Now we have created a basic structure in LDAP and also some sample data for a user and a group.

Magnolia configuration

You can find detailed information in the official documentation for the LDAP Connector module. It’s recommended that you read this document carefully.

Install the LDAP module or include it in your Maven project

For more information on how to install a module in Magnolia, check here.

JAAS configuration

Modify your JAAS configuration to include the LDAP authentication module. You can find the configuration file in your Magnolia WAR project under ..webapp/WEB-INF/config/jaas.config:

magnolia {
    info.magnolia.jaas.sp.jcr.JCRAuthenticationModule optional;
    info.magnolia.jaas.sp.ldap.LDAPAuthenticationModule requisite skip_on_previous_success=true;
    info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

Configure the user manager

You should already have defined your external user manager according to the LDAP module documentation:

LDAP properties configuration

Copy the blueprint file from the Magnolia Git repository to your web project to ..webapp/WEB-INF/config/ldap.properties.

Open ldap.properties in the text editor of your choice and modify it according to our little LDAP setup (the rest of the file remains unchanged):

# LDAP url => address of our ApacheDS server
java.naming.provider.url=ldap://localhost:10389

## user distinguished name who has access to search on the tree defined under "initialSearchAttributes"
# => the admin user account in ApacheDS
java.naming.security.principal=uid=admin,ou=system

# change this only if you don't use the default password
java.naming.security.credentials=secret

##########################################################################
# Name mapping between magnolia defined attributes and how attributes are named
# in custom directory
##########################################################################
# => change the path where to look for the user accounts
initialSearchAttributes=OU=Users,dc=example,dc=com
# => the search attribute for user names
uid=uid

##########################################################################
# EXAMPLE : Setup if groups are not maintained in LDAP
##########################################################################
# => comment out because we manage groups in ApacheDS
#groupResolverClass=info.magnolia.jaas.sp.ldap.resolver.MagnoliaGroupResolver

# => remove comments
groupResolverClass=info.magnolia.jaas.sp.ldap.resolver.OpenLDAPGroupResolver
groupSearchContext=ou=groups,dc=example,dc=com
groupSearchFilter=(&(objectClass=groupOfNames)(member=MEMBERSHIP_VALUE))
groupMembershipAttributeValue=dn
groupIdAttribute=cn
groupMembershipAttribute=member
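To see what these properties make the module do at login, here is an added example (not the LDAP Connector's own code) that replays the two lookups offline: find the user entry by uid under initialSearchAttributes, then substitute the user's DN for MEMBERSHIP_VALUE in groupSearchFilter. The directory content is a constructed stand-in for the ApacheDS entries created above, and the filter evaluator only supports AND and equality, which is all these filters need.

```python
# Added example (not the LDAP Connector's code): an offline walk-through of the two
# lookups the properties above configure, against a constructed stand-in directory.
import re

LDAP_PROPERTIES = """
initialSearchAttributes=OU=Users,dc=example,dc=com
uid=uid
groupSearchContext=ou=groups,dc=example,dc=com
groupSearchFilter=(&(objectClass=groupOfNames)(member=MEMBERSHIP_VALUE))
groupIdAttribute=cn
"""

DIRECTORY = {  # constructed stand-in for the ApacheDS entries created above
    "uid=urquhart,ou=Users,dc=example,dc=com": {"objectClass": {"inetOrgPerson"}, "uid": {"urquhart"}},
    "cn=travel-demo-editors,ou=groups,dc=example,dc=com": {
        "objectClass": {"groupOfNames"}, "cn": {"travel-demo-editors"},
        "member": {"uid=urquhart,ou=Users,dc=example,dc=com"}},
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name or DN cannot change the filter's structure."""
    return "".join(c if c not in "*()\\\x00" else "\\%02x" % ord(c) for c in value)

def load_properties(text):
    """Minimal .properties reader: key=value per line, '#' comments, first '=' splits."""
    pairs = [l.partition("=") for l in text.splitlines() if l.strip() and l[0] != "#"]
    return {k.strip(): v.strip() for k, _, v in pairs}

def matches(entry, flt):
    """Evaluate a filter built from AND and equality only (enough for the filters above)."""
    if flt.startswith("(&"):
        return all(matches(entry, p) for p in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, val = flt[1:-1].partition("=")
    # attribute names, uid values and DNs compare case-insensitively in LDAP
    vals = {v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs}
    return val.lower() in vals

def search(base, flt):
    """Subtree search: entries at or below base that match the filter."""
    b = base.lower()
    return [dn for dn, e in DIRECTORY.items()
            if (dn.lower() == b or dn.lower().endswith("," + b)) and matches(e, flt)]

def resolve_groups(login):
    """Group ids (cn) of the user with this login, or [] if the user is not found."""
    p = load_properties(LDAP_PROPERTIES)
    users = search(p["initialSearchAttributes"], "(%s=%s)" % (p["uid"], escape_filter_value(login)))
    if not users:
        return []
    # groupMembershipAttributeValue=dn: the group's member attribute holds the full user DN
    flt = p["groupSearchFilter"].replace("MEMBERSHIP_VALUE", escape_filter_value(users[0]))
    return [next(iter(DIRECTORY[g][p["groupIdAttribute"]])) for g in search(p["groupSearchContext"], flt)]
```

Running resolve_groups("urquhart") yields the group travel-demo-editors, which is the name Magnolia then matches against its own groups and roles.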

Reference the LDAP configuration from your context

In the magnolia.properties file that is used for your webapp project put a reference to the LDAP configuration:

jndi.ldap.config=WEB-INF/config/ldap.properties

Test your LDAP setup

Now build your Magnolia project, start it and wait until the login screen is available.

The user has the group travel-demo-editors we defined in ApacheDS. This group is matched in Magnolia with roles/permissions assigned to it.

If everything was OK, login with your LDAP user should have succeeded: