LDAP Server Configuration

Open Cobalt has the ability to use a properly configured LDAP server as both an authentication mechanism and as a directory of published links to user-created spaces. The configuration of this server is fairly simple assuming one understands the basics of LDAP administration.

Software

The LDAP server we are doing development against is OpenDS 2.0. For an inexperienced LDAP administrator we recommend its use as we are unable to provide support for anything else at present.

Currently we are using unencrypted LDAP (this is scheduled to change soon), so be sure to configure a port that allows unencrypted connections as well as an "old-style"/legacy SSL-only port.

Permissions

We are currently relying on the default permissions configuration of OpenDS, particularly the section that allows an authenticated binding to change attributes on the entry it is bound to. If you are using OpenDS, this requires no changes. If you are using some other LDAP server you may need to change the permissions configuration to allow users to change their own entry.

Schema

The schema we are using is the standard approach where the root is a domainComponent entity and the users are in a people organizational unit under the root. The users are inetOrgPerson entries with some extensions. The user entries MUST have a displayName attribute as the browser software relies on it for proper display.

The extensions are available in a schema file in the project directory and are in the LDIF format OpenDS prefers. They are installed by copying the file to the schema config directory in the OpenDS installation and restarting OpenDS. Refer to the OpenDS documentation for details on installation. If not using OpenDS some translation may be required.

The extensions add a new auxiliary class, openCobaltSpaces, and a new attribute, x-openCobaltSpace. The users who are going to be allowed to register their spaces in the directory MUST have openCobaltSpaces as one of the classes of the entry they bind to.
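To catch schema mistakes before entries are loaded, here is an added example (not part of the Open Cobalt project) that parses an LDIF export with Python's standard library and flags user entries that break the requirements above: a missing displayName, or an x-openCobaltSpace attribute on an entry that lacks the openCobaltSpaces auxiliary class. The sample LDIF is constructed, and the x-openCobaltSpace values are placeholders, since the page does not specify that attribute's format.

```python
import base64
# Constructed sample LDIF (not project data); the space values are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: openCobaltSpaces
uid: alice
sn: Example
displayName: Alice
x-openCobaltSpace: placeholder-alice

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
x-openCobaltSpace:: cGxhY2Vob2xkZXItYm9i
"""

def parse_ldif(text):
    """Parse LDIF into [{attr_lower: [values]}]; handles folded lines, comments, base64."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                 # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs.setdefault(name.lower(), []).append(value)
        if attrs:
            entries.append(attrs)
    return entries

def check_user_entries(entries):
    """Return {dn: [problems]} for inetOrgPerson entries that break the rules above."""
    problems = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "inetorgperson" not in classes:
            continue                                  # only user entries are checked
        issues = []
        if not e.get("displayname"):
            issues.append("missing displayName (the browser relies on it)")
        if "x-opencobaltspace" in e and "opencobaltspaces" not in classes:
            issues.append("x-openCobaltSpace set without the openCobaltSpaces class")
        if issues:
            problems[e["dn"][0]] = issues
    return problems
```

Run it over an export from your own server (for example from Apache Directory Studio) before restarting OpenDS with the new schema.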

To see a running example that is used by the Open Cobalt development team, you can look in the LDAP server at Hostname: ldap.opencobalt.net, Port: 1389, Bind DN: uid=guest, ou=people, dc=opencobalt, dc=org, Password: teatime

Administration

For Open Cobalt development we are currently just administering the database by hand. To do this we have found the admin tool Apache Directory Studio to be very useful.

Client configuration for space directory

Configuring Open Cobalt to use an alternate directory server is straightforward. Start Open Cobalt and activate the menu item Cobalt/General Preferences... A window should open. Scroll down to the bottom of the window. There should be the 4 items that Open Cobalt currently uses to configure the directory settings: LDAP Hostname, LDAP Port, LDAP BindDN, LDAP Password, and LDAP BaseDN.

LDAP Hostname and LDAP Port designate the server to be connected to. LDAP BindDN is the Distinguished Name of the user's entry and LDAP Password is that user's userPassword. LDAP BaseDN is the DN that is used as the root of the search for spaces. Usually the base DN is just the DN of the user's root organization.

As of Open Cobalt 1.0 alpha 1 rc 22, there is a bug in the field entry code in the preferences that requires you to hit enter/return in each field you change for it to accept the change.

Server configuration for LDAP authentication

There is an option in the dispatcher/message router for using an LDAP database for authentication. Nothing special needs to be done in the server as it just verifies that it can create an authenticated binding using the provided credentials.