Google Git
Sign in
apache / directory-fortress-core / refs/tags/v1.0-RC39 / . / README.txt
blob: cfb02c8c518e56001d8e365c2e07e714ffd5d119 [file] [log] [blame]
#
# This work is part of OpenLDAP Software <http://www.openldap.org/>.
#
# Copyright 1998-2014 The OpenLDAP Foundation.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted only as authorized by the OpenLDAP
# Public License.
#
# A copy of this license is available in the file LICENSE in the
# top-level directory of the distribution or, alternatively, at
# <http://www.OpenLDAP.org/license.html>.
___________________________________________________________________________________
###################################################################################
# README for Fortress Identity and Access Management SDK
# Version 1.0-RC38
# last updated: July 19, 2014
###################################################################################
# Table of Contents
###################################################################################
# Document Overview
# Tips for first-time users of Fortress
# SECTION 0. Prerequisites for Fortress SDK installation and usage
# SECTION 1. Options for installing OpenLDAP to target server environment
# SECTION 2. Instructions for Fortress Quickstart builder installation of OpenLDAP
# SECTION 3. Instructions to pull Fortress source code from OpenLDAP GIT
# SECTION 4. Instructions to build software distribution packages using 'dist' target.
# SECTION 5. Instructions to configure SDK for target system using build.properties file.
# SECTION 6. Instructions for pre-existing or native OpenLDAP installation using 'load-slapd' target.
# SECTION 7. Instructions for Symas installation of OpenLDAP - using 'init-slapd' target
# SECTION 8. Instructions to integration test using 'test-full' target
# SECTION 9. Instructions to run the command line interpreter (CLI) utility using 'cli' target
# SECTION 10. Instructions to use Fortress A/P/R/BAC APIs with 'test-samples' target
# SECTION 11. Instructions to run the command console using 'console' target
# SECTION 12. Instructions to encrypt LDAP passwords used in config files.
# SECTION 13. Instructions to load data into the default database using 'admin' target.
# SECTION 14. Instructions to enable Apache Ivy dependency management
# SECTION 15. Troubleshooting
___________________________________________________________________________________
###################################################################################
# Document Overview
###################################################################################
This document contains instructions to download, compile, load and test Fortress SDK with LDAP system.
If you don't already have an LDAP server installed, options follow in subsequent sections.
APIs within this software package adhere to the following security standards:
1 - IETF Password Policy Draft
2 - An Effective Role Administration Model Using Organization Structure
- a.k.a. Administrative Role-Based Access Control (ARBAC02)
- OH/SANDHU/ZHANG
3 - ANSI INCITS 359 Role-Based Access Control (RBAC)
The combination of 1 2 & 3 above will be designated as 'A/P/R/BAC' in document as follows.
___________________________________________________________________________________
###################################################################################
# Tips for first-time users of Fortress
###################################################################################
- Follow the instructions in SECTION 2 (INSTALL Option 1).
- Definitions: When you read:
+ FORTRESS_HOME, refer to the package root of the openldap-fortress-core project download.
+ OPENLDAP_HOME, refer to the root of OpenLDAP binary installation folder, e.g. /opt/etc/openldap
+ ANT_HOME, refer to the package root of the target machine's ant distribution package.
- This software package uses an Apache Ant script (FORTRESS_HOME/build.xml) to compile, install, and configure Fortress into an LDAP server using
operational steps called 'targets'.
- The targets may be used to manage A/P/R/BAC policy data contained within an existing LDAP server.
- This document describes the most important targets to start using fortress. For a complete list, enter (from FORTRESS_HOME):
$ANT_HOME/bin/ant -p
- Or view the ant script itself (FORTRESS_HOME/build.xml).
- Questions pertaining to usage of this software may be submitted to:
http://www.openldap.org/lists/mm/listinfo/openldap-fortress
___________________________________________________________________________________
###################################################################################
# SECTION 0. Prerequisites for Fortress SDK installation and usage
###################################################################################
1. Internet access to retrieve source code from OpenLDAP GIT and binary dependencies from online Maven repo.
Fortress installation procedures use Apache Ant & Ivy. Ivy pulls external dependencies from Maven repositories over the Internet.
These ant targets need external access to the Internet to pull down dependencies but may run without IFF:
a. The necessary binary jars are already present and loaded into FORTRESS_HOME/lib folder. For list of dependency jars check out the ivy.xml file.
b. Local mode has been enabled in target runtime env. This can be done by adding the following to build.properties file:
local.mode=true
More prereqs:
2. Java SDK Version 7 or beyond installed to target environment
3. Apache Ant 1.8 or beyond installed to target environment
4. LDAP server installed. (options follow in section 1).
Prereq notes:
- Fortress is LDAPv3 compliant and works with any directory server.
- Tested with ApacheDS: FORTRESS_HOME/README-QUICKSTART-APACHEDS.html.
___________________________________________________________________________________
###################################################################################
# SECTION 1. Options for installing OpenLDAP to target server environment
###################################################################################
This document includes three options for use of Fortress and LDAP server:
-------------------------------------------------------------------------------
- INSTALL OPTION 1 - Fortress QUICKSTART installation packages (that include Symas OpenLDAP server) - recommended for first-time users
-------------------------------------------------------------------------------
- Required Sections to follow:
2, 8
-------------------------------------------------------------------------------
- INSTALL OPTION 2 - TARGET operating system's OpenLDAP server
-------------------------------------------------------------------------------
- Required Sections to follow:
3, 4, 5, 6, 8
-------------------------------------------------------------------------------
- INSTALL OPTION 3 - SYMAS Gold and Silver installation packages for OpenLDAP server
-------------------------------------------------------------------------------
- Required Sections to follow:
3, 4, 5, 7, 8
___________________________________________________________________________________
###################################################################################
# SECTION 2. Instructions for Fortress Quickstart builder installation of OpenLDAP
###################################################################################
a. Go to http://iamfortress.org/download
b. Pull down the Fortress Builder package to match target platform.
c. Follow the steps I, II & III contained within README-QUICKSTART.html, or README-QUICKSTART-WINDOWS.html documents.
___________________________________________________________________________________
###################################################################################
# SECTION 3. Instructions to pull Fortress source code from OpenLDAP GIT
###################################################################################
# If Fortress User
RELEASES from Maven website:
http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.openldap%22
SNAPSHOTs from OpenLDAP's GIT Software Repo:
http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-core.git;a=summary
read-only:
>git clone git://git.openldap.org/openldap-fortress-core.git
# If Fortress Developer and have access to GIT repo:
Committers: Open a terminal session within preferred folder name/location and enter the following command:
>git clone ssh://git-master.openldap.org/~git/git/openldap-fortress-core.git
Pulls source code from GIT and loads into the current directory, hereafter called 'FORTRESS_HOME'.
___________________________________________________________________________________
###################################################################################
# SECTION 4. Instructions to build software distribution packages using 'dist' target.
###################################################################################
NOTE: The Fortress build.xml may run without connection to Internet iff:
- The binary dependencies are already present in $FORTRESS_HOME/lib folder
- Local mode has been enabled on target machine. Local mode can be enabled by adding this property to build.properties:
local.mode=true
a. set JAVA_HOME per target machine
for example:
>export JAVA_HOME=/opt/jdk1.7.0_10
b. set ANT_HOME per target machine:
for example:
>export ANT_HOME=/home/user/apache-ant-1.8.2
c. from the FORTRESS_HOME root folder, enter the following command:
>$ANT_HOME/bin/ant dist
dist notes:
- Apache Ivy jar will download automatically to the configured $ANT_HOME/lib folder.
- Dependencies will be downloaded from maven global Internet repository using Apache Ivy into $FORTRESS_HOME/lib.
- Xml file (FORTRESS_HOME/ivy.xml) contains the list of dependencies.
- Fortress source modules will be compiled along with production of java archive (jar)
files, javadoc and sample distributions.
- Project artifacts are loaded into $FORTRESS_HOME/dist location.
___________________________________________________________________________________
###################################################################################
# SECTION 5. Instructions to configure SDK for target system using build.properties file.
###################################################################################
- This must be done when OpenLDAP is not installed with the Fortress QUICKSTART package.
- The 'init-config' ant target on this project will substitute parameters found in 'build.properties' into their proper location.
- For newcomers just trying to learn the ropes the defaults usually work.
- unless you know what you are doing, never change ant substitution parameters within the properties. These are are anything inside and including '${}'. i.e. ${param1}.
a. Edit the $FORTRESS_HOME/build.properties file.
b. Set the LDAP Host and port properties. Either a valid host name or IP address can be used. If you are running the build.xml script from same platform as your
are running OpenLDAP, localhost will do:
host=localhost
port=389
c. Set the suffix name and domain component. For example suffix.name=example + suffix.dc=com will = 'dc=example,dc=com'.
suffix.name=example
suffix.dc=com
d. Set the administrative LDAP connection pool parameters:
# Set the encryption key value used as key for encryption/decryption commands for fortress-core ldap service account passwords.
crypto.prop=abcd12345
OR leave the value blank if passwords are entered in the clear into property files:
crypto.prop=
Note: This value must be the same as used when password was encrypted (See Section 12)
# This value contains dn of user that has read/write access to LDAP DIT:
root.dn=cn=Manager,${suffix}
# This password is for above admin dn, will be stored in OpenLDAP 'slapd.conf'. It may be hashed using OpenLDAP 'slappasswd' command before placing here:
root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
# This is password is for same user but will be stored as property in fortress.properties file. It may be encrypted using Fortress' 'encrypt' ant target (see section 12):
cfg.root.pw=W7T0G9hylKZQ4K+DF8gfgA==
# These properties specify the min/max settings for connection pool containing read/write connections to LDAP DIT:
admin.min.conn=1
# You may need to experiment to determine optimal setting for max. It should be much less than concurrent number of user's.
admin.max.conn=10
e. Set the audit connection pool parameters:
# This value contains dn of user that has read/write access to OpenLDAP slapd access log entries:
log.root.dn=cn=Manager,${log.suffix}
# This password is for above log user dn, will be stored in OpenLDAP 'slapd.conf'. It may be hashed using OpenLDAP 'slappasswd' command before placing here:
log.root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
# This password is for same log user but will be stored as property in fortress.properties file. It may be encrypted using Fortress' 'encrypt' ant target (see section 12):
cfg.log.root.pw=W7T0G9hylKZQ4K+DF8gfgA==
log.min.conn=1
# You may need to experiment to determine optimal setting for max. It should be much less than concurrent number of user's.
log.max.conn=3
f. Set more audit logger parameters:
log.suffix=cn=log
# To enable slapd persistence on the following OpenLDAP operations:
log.ops=logops search bind writes
# Or, to disable Fortress audit altogether, use this:
#log.ops=###AuditDisabled
g. Set user authentication connection pool parameters:
user.min.conn=1
# You may need to experiment to determine optimal setting for max. It should be much less than concurrent number of user's.
user.max.conn=10
___________________________________________________________________________________
###################################################################################
# SECTION 6. Instructions for pre-existing or native OpenLDAP installation using 'load-slapd' target.
###################################################################################
a. Install OpenLDAP using preferred method.
For example (existing package management system):
+ On Debian systems: http://wiki.debian.org/LDAP/OpenLDAPSetup
+ Ubuntu: https://help.ubuntu.com/community/OpenLDAPServer
+ etc.
b. Copy fortress schema to openldap schema folder:
>cp FORTRESS_HOME/ldap/schema/fortress.schema OPENLDAP_HOME/etc/openldap/schema
c. Enable Fortress schema in slapd.conf:
include OPENLDAP_HOME/etc/openldap/schema/fortress.schema
note: for steps b above substitute FORTRESS_HOME for root of your Fortress installation.
note: for steps b & c above substitute OPENLDAP_HOME for root of your OPENLDAP installation.
d. For password policy support, enable pwpolicy overlay in slapd.conf:
moduleload ppolicy.la
e. For Fortress audit support, enable slapoaccesslog in slapd.conf:
moduleload accesslog.la
f. Add Fortress audit log settings to slapd.conf:
# History DB Settings (optional, use only if fortress audit is needed)
# note: the following settings may be tailored to your requirements:
database mdb
maxreaders 64
maxsize 1000000000
suffix "cn=log"
rootdn "cn=Manager,cn=log"
rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
directory "/var/openldap/hist"
access to *
by dn.base="cn=Manager,cn=log" write
dbnosync
checkpoint 64 5
g. Add Fortress default DB settings to slapd.conf:
# Default DB Settings
# note: the following settings may be tailored to your requirements:
database mdb
maxreaders 64
maxsize 1000000000
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index uidNumber,gidNumber,objectclass eq
index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq
directory "/var/openldap/dflt"
overlay accesslog
logdb "cn=log"
dbnosync
checkpoint 64 5
h. More Fortress audit log settings in slapd.conf:
# Audit Log Settings (optional, use only if fortress audit is needed)
# note: the following settings may be tailored to your requirements:
logops bind writes compare
logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
logpurge 5+00:00 1+00:00
# Instructions to configure Fortress to work with your customized OpenLDAP instance
i. Gather the following information about your OpenLDAP instance:
i. suffix
ii. host
iii. port
iv. ldap user account that has read/write priv for default DIT (root works)
v. pw for above
vi. ldap user account that has read/write priv for access log DIT (log root works)
vii. pw for above
j. Example OpenLDAP instance:
i. dc=example, dc=com
ii. myhostname
iii. 389
iv. "cn=Manager,dc=example,dc=com"
v. secret
vi. "cn=Manager,cn=log"
vii. secret
h. Modify the build.properties file with settings
k.
suffix.name=example
suffix.dc=com
ii. ldap.host=myhostname
iii. ldap.port=389
iv. root.dn=cn=Manager,${suffix}
v. root.pw=secret
note: the above may be hased using slappasswd
vi. log.root.dn=cn=Manager,${log.suffix}
vii. secret
l. Create the Fortress DIT:
from the FORTRESS_HOME root folder, enter the following:
>$ANT_HOME/bin/ant load-slapd
m. Skip to SECTION 8 to regression test Fortress and OpenLDAP
load-slapd notes:
- Uses 'admin' target (described in SECTION 13) to seed the configured default database with data, i.e. db.root in build.properties file, using the following files:
1 - refreshLDAPData.xml - DIT organizationalUnit structure and client config data - required for Fortress Java SDK to work.
2 - DelegatedAdminManagerLoad.xml - Delegated administration policy - required for EnMasse and Commander web application demonstrations.
3 - FortressDemoUsers.xml - demo/sample data - not required.
- for production usage 2 & 3 above may be cleared out using any ldap client tool.
___________________________________________________________________________________
###################################################################################
# SECTION 7. Instructions for Symas installation of OpenLDAP - using 'init-slapd' target
###################################################################################
a. Go to Symas.com downloads section.
b. Register, pull down Silver or Gold packages to match target platform.
c. copy installation binaries to FORTRESS_HOME/ldap/setup folder.
d. enable the correct installation particulars into FORTRESS_HOME/build.properties.
- If using sudo you are required to enter your sudo pw:
- If not using sudo it is important to leave the value empty. Otherwise the installation will fail.
sudo.pw=
- Make sure you use the correct package name that matches the download from Symas.
# Option 1 - Debian i386 Silver:
platform=Debian-Silver-i386
slapd.install=dpkg -i symas-openldap-silver.32_2.4.26-1_i386.deb
slapd.uninstall=dpkg -r symas-openldap-silver.32
# Option 2 - Debian i386 Gold:
platform=Debian-Gold-i386
slapd.install=dpkg -i symas-openldap-gold.32_2.4.25-110507_i386.deb
slapd.uninstall=dpkg -r symas-openldap-gold.32
# Option 3 - Redhat i386 Silver:
platform=Redhat-Silver-i386
slapd.install=rpm -Uvv symas-openldap-silver.i386-2.4.26.1.rpm
slapd.uninstall=rpm -e symas-openldap-silver
# Option 4 - Redhat i386 Gold:
platform=Redhat-Gold-i386
slapd.install=rpm -Uvv symas-openldap-gold.i386-2.4.25.110424.rpm
slapd.uninstall=rpm -e symas-openldap-gold
e. Run the install target:
From $FORTRESS_HOME root folder, enter the following command from a system prompt:
if Debian sudo:
>sudo $ANT_HOME/bin/ant init-slapd
if not sudo you must run as user that has priv to modify folders in /var and /opt folders:
>su
>$ANT_HOME/bin/ant init-slapd
init-slapd notes:
- Refreshes database contents by moving default and history database folders to location ${db.root}/backup.
- per your db.root setting in build.properties file.
- Seeds LDAP data by calling 'load-slapd' target as described in section above.
_______________________________________________________________________________
###############################################################################
# SECTION 8. Instructions to integration test using 'test-full' target
########################################s#######################################
a. from FORTRESS_HOME enter the following command:
>$ANT_HOME/bin/ant test-full
test-full Notes:
- If tests complete without Junit or ant ERRORS, current Fortress is certified to run on target ldap server.
- Tests load thousands of records into target ldap server.
- The 2nd and subsequent time tests runs, teardown of data from prior run occurs.
- Should be run at least twice to verify Fortress A/P/R/BAC teardown API success.
- After this target runs, the organizationalUnit structure must remain in target LDAP DIT.
- The test data may be cleared.
- One way to clear out the the test data is to run the 'init-slapd' target (described in previous section).
- If you followed steps from SECTION 6 (existing OpenLDAP server), do NOT run the 'init-slapd' target.
- WARNING log messages are good as these are negative tests in action:
___________________________________________________________________________________
###################################################################################
# SECTION 9. Instructions to run the command line interpreter (CLI) utility using 'cli' target
###################################################################################
a. from FORTRESS_HOME enter the following command:
>$ANT_HOME/bin/ant cli
b. follow instructions in the command line interpreter reference manual contained within the javadoc:
$FORTRESS_HOME/dist/docs/api/com/jts/fortress/cli/package-summary.html
___________________________________________________________________________________
###################################################################################
# SECTION 10. Instructions to use Fortress A/P/R/BAC APIs with 'test-samples' target
###################################################################################
a. from FORTRESS_HOME enter the following command:
>$ANT_HOME/bin/ant test-samples
c. view and change the samples here:
$FORTRESS_HOME/src/test/com/jts/fortress/samples
d. compile and re-run samples to test your changes using:
>$ANT_HOME/bin/ant test-samples
e. view the samples java doc here:
$FORTRESS_HOME/dist/docs/samples/index.html
f. view the fortress-core SDK java doc here:
$FORTRESS_HOME/dist/docs/api/index.html
Testing Notes:
- Test cases are simple and useful for learning how to code using Fortress A/P/R/BAC APIs.
- Tests should complete without Junit or ant ERRORS.
- These tests will load some records into the target ldap server.
- The 'test-samples' target may be run as many times as necessary and should be run at least twice to test the teardown A/P/R/BAC APIs.
- The 2nd and subsequent times 'test-samples' runs, it will tear down the data loaded during the prior run.
___________________________________________________________________________________
###################################################################################
# SECTION 11. Instructions to run the command console using 'console' target
###################################################################################
a. from FORTRESS_HOME enter the following command:
>$ANT_HOME/bin/ant console
___________________________________________________________________________________
###################################################################################
# SECTION 12. Instructions to encrypt LDAP passwords used in config files.
###################################################################################
If you need the passwords for LDAP service accounts to be encrypted before loading into Fortress properties files you can
use the 'encrypt' ant target.
a. From FORTRESS_HOME root folder, enter the following command from a system prompt:
>$ANT_HOME/bin/ant encrypt -Dparam1=secret
encrypt:
[echo] Encrypt a value
[java] Encrypted value=wApnJUnuYZRBTF1zQNxX/Q==
BUILD SUCCESSFUL
Total time: 1 second
b. Copy the hashed value and paste it into the corresponding build.properties setting, e.g.:
# This OpenLDAP admin root pass is bound for fortress.properties and was hashed using 'encrypt' target in build.xml:
cfg.log.root.pw=wApnJUnuYZRBTF1zQNxX/Q==
___________________________________________________________________________________
###################################################################################
# SECTION 13. Instructions to load data into the default database using 'admin' target.
###################################################################################
If you need to load data into the default database you can use the 'admin' ant target.
a. Create a load file using examples from FORTRESS_HOME/ldap/setup folder.
e.g. myLoadFile.xml
b. From FORTRESS_HOME folder, enter the following command from a system prompt:
>$ANT_HOME/bin/ant admin -Dparam1=/ldap/setup/myLoadFile.xml
admin notes:
- Calls ant target to execute FortressAntTask class (described in FORTRESS_HOME/dist/docs/api/org/openldap/fortress/ant/FortressAntTask.html).
- Drives Fortress A/P/R/BAC APIs using supplied text files containing data in xml format.
- Used to automatically load common data into target ldap machines.
___________________________________________________________________________________
###################################################################################
# SECTION 14. Instructions to enable Apache Ivy dependency management
###################################################################################
Note: This is included for informational purposes in case it fails to automatically run during Section #3.
- Apache Ivy is used to retrieve the Java libraries that openldap-fortress-core depends on.
a. from FORTRESS_HOME enter the following command:
>export JAVA_HOME=/path to the root folder of your java SDK
>export ANT_HOME=/path to the root folder of your Apache Ant installation
>$ANT_HOME/bin/ant -buildfile getIvy.xml
- After the above commands are run (also assuming network is good), Apache Ivy library
will downloaded into ANT_HOME/lib folder. Ivy is needed to build Fortress.
___________________________________________________________________________________
###################################################################################
# SECTION 15. Troubleshooting
###################################################################################
- common problems related to environment variables not being properly set per SECTION 3.
- can't pull down binary dependencies per SECTION 0.
- consult the openldap-fortress mailing list:
http://www.openldap.org/lists/mm/listinfo/openldap-fortress