OpenSpaces Security Manager for Active Directory integration. Once built, you'll have two jars:
Spring Security bridge for Active Directory. It is configured via a spring-security.properties file:
com.gs.security.security-manager.class=org.openspaces.security.ldap.ActiveDirectorySpringSecurityManager
spring-security-config-location = ../config/security/ldap-security-config.xml
Integration test command line utility to verify that the configuration is correct without having to start an XAP grid: java -jar openspaces-ldap-test.jar $GS_HOME/config/security/ldap-security-config.xml <username> <password>
- Place the openspaces-ldap-manager.jar into $GS_HOME/lib/optional/security.
- Also place spring-ldap-{version}.jar, spring-ldap-core-{version}.jar and spring-security-ldap-{version}.jar into $GS_HOME/lib/optional/security.
- Verify the file permissions on openspaces-ldap-manager.jar.
- Update the appropriate $GS_HOME/config/security/security.properties file (see the manager section above).
- Ensure $GS_HOME/config/security/ldap-security-config.xml has the appropriate group mappings and LDAP connection information.
These instructions describe the steps needed to create a VM and install and configure Active Directory. Steps not strictly related to Active Directory installation/configuration (e.g. creating the VM) are described only briefly for the sake of simplicity. The following steps were performed on a virtual machine launched in the AWS cloud.
- Launch a Windows Server 2012 R2 Base (or similar) instance; a t2.micro instance type should be sufficient.
- Configure the security group so that ports TCP 3389 (RDP), TCP 389 (LDAP), and TCP 53 and UDP 53 (DNS) are open for inbound connections.
- Log into the machine.
- Open a command prompt and run 'ipconfig /all'.
- Go to Network and Sharing Center, edit the IPv4 properties of the Ethernet connection, select the option to set the values manually, and copy the IP address, subnet mask, default gateway and preferred DNS server from the 'Ethernet Adapter' section of the ipconfig output.
- Open Server Manager and click 'Add roles and features'.
- Choose 'Role-based or feature-based installation' in 'Installation type' and select this server in 'Server selection'.
- In server roles choose 'Active Directory Domain Services', click Next in the following steps and 'Install' in the last step.
- When the feature is installed, a notification appears in the Server Manager window (a flag icon in the top part of the window); click on it and then click the 'Promote this server to a domain controller' link.
- In deployment configuration choose 'Add a new forest' and type the name of your domain. In this tutorial the domain name is 'ldap-xap.gs.com'.
- Set the DSRM password (it will not be needed in this tutorial).
- Click Next until you reach the Prerequisites Check window; there may be 2 warnings (cryptography algorithms and missing authoritative parent zone), but they do not matter here. Click Install and wait until the installation has finished. After installation the server reboots automatically.
- After the installation has finished, assign an Elastic IP to the machine (otherwise you will not be able to log into the machine again).
- Open Server Manager.
- Click on Tools in the upper right corner and choose 'Active Directory Users and Computers' from the list.
- Open the ldap-xap.gs.com node (the same as the domain) and click on the Users container.
- Choose 'Create a new user in the current container' from the taskbar.
- Choose a user logon name ('testuser' is used in this tutorial) and type the same value in the first name field.
- Click Next and choose a password for this user ('1234Pass' is used in this tutorial), uncheck all checkboxes below, click Next and then Finish. You can verify that the user has been created by clicking on the Users container; the user should appear in the list (named 'testuser' in this tutorial).
- Go to Control Panel / User Accounts and add a new user.
- Choose the same name and domain used before for the Active Directory user (testuser and ldap-xap.gs.com, respectively, in this tutorial).
- Make this user an administrator.
- You can verify that the user was created correctly and has access to Active Directory by running cmd.exe and typing the command:
  ldifde -f all.txt -b testuser ldap-xap.gs.com *
  and then typing the password (1234Pass in this tutorial). You should see a message similar to 'The command has completed successfully'. The command exports Active Directory data to the all.txt file (the content is not important, only that the command succeeded).
- This step is not strictly related to the project, but is needed to reach the correct machine by hostname. Add a hostname mapping for the machine (on Unix-family systems edit /etc/hosts, on Windows C:\Windows\system32\drivers\etc\hosts). The hostname should be the domain name chosen for Active Directory and the IP should be the Elastic IP of the machine.
- Modify ldap-security-config.xml: in ldapAuthenticationProviderBean change both constructor-arg values: the first should contain the domain name ('ldap-xap.gs.com') and the second the URL in the form ldap://ldap-xap.gs.com (use different values if your domain differs from the one in this tutorial).
- Rebuild the project by running mvn clean package.
- Go to the test/target directory.
- Run the command:
  java -jar openspaces-ldap-test.jar ../../ldap-security-config.xml testuser 1234Pass
  (replace the username and password with the values you used earlier). The command should return the list of authorities for the user.
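As an added example (not the project's openspaces-ldap-test utility, whose internals the text does not describe), the same check written in Java: it loads ldap-security-config.xml, looks up ldapAuthenticationProviderBean, assumed here to be a Spring Security AuthenticationProvider, binds to Active Directory as the given user and prints the resulting authorities. The class name AdConfigCheck and the reading of an empty authority list as "no group mapping matched" are assumptions of this example.

```java
import org.springframework.context.support.FileSystemXmlApplicationContext;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

// Usage: java AdConfigCheck <path-to-ldap-security-config.xml> <username> <password>
public class AdConfigCheck {
    // Bean id as named in the instructions above (assumed to be a Spring Security AuthenticationProvider).
    private static final String PROVIDER_BEAN_ID = "ldapAuthenticationProviderBean";

    // Returns the authenticated token, or throws AuthenticationException if AD rejects the bind.
    static Authentication authenticate(String configPath, String user, String password) {
        FileSystemXmlApplicationContext ctx = new FileSystemXmlApplicationContext(configPath);
        try {
            AuthenticationProvider provider = ctx.getBean(PROVIDER_BEAN_ID, AuthenticationProvider.class);
            return provider.authenticate(new UsernamePasswordAuthenticationToken(user, password));
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: AdConfigCheck <config.xml> <username> <password>");
            System.exit(2);
        }
        try {
            Authentication result = authenticate(args[0], args[1], args[2]);
            System.out.println("Authenticated as " + result.getName() + "; authorities:");
            for (GrantedAuthority authority : result.getAuthorities()) {
                System.out.println("  " + authority.getAuthority());
            }
            if (result.getAuthorities().isEmpty()) {
                // The bind succeeded but none of the user's AD groups is mapped in the XML config.
                System.out.println("  (none: check the group mappings in ldap-security-config.xml)");
            }
        } catch (BadCredentialsException e) {
            // By default the AD provider reports wrong password, unknown user, and disabled or
            // locked accounts with this one exception type; the sub-error code is in the cause.
            System.err.println("Bind rejected by Active Directory: " + e.getMessage());
            System.exit(1);
        } catch (AuthenticationException e) {
            System.err.println("Authentication failed: " + e);
            System.exit(1);
        }
    }
}
```

Run it from test/target with the same arguments as the openspaces-ldap-test jar; an exit code of 1 with "Bind rejected" points at credentials or the domain/URL constructor-args, while an empty authority list points at the group mappings.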