Enabling LDAP Authentication
There is an excellent article on the Fedora Wiki describing how to enable LDAP Authentication for Fedora. It is recommended that you read this article before continuing.
This configuration lets you authenticate against both the fedora-users.xml file and the LDAP directory. The order of the <filter-mapping> elements is critical: the servlet container runs the filters in the order their mappings appear in web.xml, so the filter mapped first gets the first chance to authenticate a request, and that order decides which authentication source takes precedence. We recommend mapping the fedora-users.xml filter ahead of the LDAP filter, so that the locally defined bootstrap users (in particular the administrator) take precedence over the directory; this keeps the deployment manageable, because the administrator account is under your control regardless of what the directory contains.
Default Bootstrap Users
The fedora-users.xml file must contain the two bootstrap users that Muradora needs: the "fedoraPublic" user with role "public" and the "fedoraAdmin" user with role "administrator". The former is the role users assume when they use Muradora without logging on. The latter has complete access to Muradora and therefore to Fedora. The file also carries the "fedoraIntCallUser" account, which Fedora uses for its own internal calls and which must keep the roles shown below.
Modify your $FEDORA_HOME/server/config/fedora-users.xml to contain the following bootstrap users. Note: you must change the passwords from the defaults shown below to secure your system, because the default values are published in this guide. The passwords are stored in this file in cleartext, so restrict its filesystem permissions to the account that runs Fedora.
<?xml version='1.0' ?>
<users>
  <user name="fedoraAdmin" password="adminPassword">
    <attribute name="fedoraRole">
      <value>administrator</value>
    </attribute>
  </user>
  <user name="fedoraPublic" password="publicPassword">
    <attribute name="fedoraRole">
      <value>public</value>
    </attribute>
  </user>
  <user name="fedoraIntCallUser" password="changeme">
    <attribute name="fedoraRole">
      <value>fedoraInternalCall-1</value>
      <value>fedoraInternalCall-2</value>
    </attribute>
  </user>
</users>
Adding the LDAP filter to web.xml
To enable LDAP authentication you need to edit the web.xml file located in $CATALINA_HOME/webapps/fedora/WEB-INF.
You must replace the placeholder values in the section below (the LDAP host, and the ou=asm,dc=localhost,dc=localdomain distinguished names in bind-filter and search-base) with values specific to your installation and directory.
- Find the following code in the web.xml file:
<filter>
<filter-name>XmlUserfileFilter</filter-name>
<filter-class>fedora.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
</filter>
and append the following section after it. Replace <LDAP HOST> with the hostname of your LDAP server. In the bind-filter and search-filter values, {0} stands for the user name presented at login. Note that security-authentication is set to simple, which sends that user's password to the directory in cleartext unless the connection is protected by TLS; on anything other than an isolated link, use an ldaps:// URL and the directory's TLS port rather than ldap:// on port 389.
<filter>
<filter-name>LdapFilterForAttributes</filter-name>
<filter-class>fedora.server.security.servletfilters.ldap.FilterLdap</filter-class>
<init-param>
<param-name>version</param-name>
<param-value>3</param-value>
</init-param>
<init-param>
<param-name>authenticate</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>security-authentication</param-name>
<param-value>simple</param-value>
</init-param>
<init-param>
<param-name>id-attribute</param-name>
<param-value>uid</param-value>
</init-param>
<init-param>
<param-name>bind-filter</param-name>
<param-value>uid={0},ou=asm,dc=localhost,dc=localdomain</param-value>
</init-param>
<init-param>
<param-name>url</param-name>
<param-value>ldap://<LDAP HOST>:389/</param-value>
</init-param>
<init-param>
<param-name>search-base</param-name>
<param-value>ou=asm,dc=localhost,dc=localdomain</param-value>
</init-param>
<init-param>
<param-name>search-filter</param-name>
<param-value>(uid={0})</param-value>
</init-param>
<init-param>
<param-name>attributes</param-name>
<param-value>eduPersonEntitlement</param-value>
</init-param>
<init-param>
<param-name>attributes-common-name</param-name>
<param-value>fedoraRole</param-value>
</init-param>
<init-param>
<param-name>lookup-success-timeout-unit</param-name>
<param-value>SECOND</param-value>
</init-param>
<init-param>
<param-name>lookup-success-timeout-duration</param-name>
<param-value>30</param-value>
</init-param>
</filter>
- Find the following code in the web.xml file:
<filter-mapping>
<filter-name>XmlUserfileFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
and append the following section after it:
<filter-mapping>
<filter-name>LdapFilterForAttributes</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
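Because the filter-mapping order decides which source wins, and because the placeholder host above is not even well-formed XML, a quick audit of the edited web.xml catches the usual deployment mistakes before Tomcat does. The script below is an added example, not code from the Muradora guide or from Fedora: it checks that every mapping refers to a declared filter, that XmlUserfileFilter is mapped ahead of LdapFilterForAttributes, that the LDAP filter does not combine a simple bind with a plain ldap:// URL, and that the guide's example DNs were replaced. The web.xml excerpts it contains are constructed for the demonstration and cover only the elements the audit needs.

```python
"""Audit the authentication filter chain in Fedora's web.xml.

Added example (not part of the Muradora guide or Fedora). Filters run in
the order of their <filter-mapping> elements, so the mapping order is what
decides whether fedora-users.xml or LDAP is consulted first.
"""
import sys
import xml.etree.ElementTree as ET

# Values copied from the guide's template that must not reach production.
PLACEHOLDER_DN = "dc=localhost,dc=localdomain"


def _local(tag):
    """Strip an XML namespace prefix: '{uri}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def parse_filters(xml_text):
    """Return (declared filter names, mapped names in document order, FilterLdap init-params)."""
    root = ET.fromstring(xml_text)
    declared, mapped, ldap_params = set(), [], {}
    for child in root:
        tag = _local(child.tag)
        if tag == "filter":
            declared.add(_text(child, "filter-name"))
            if _text(child, "filter-class").endswith(".FilterLdap"):
                for p in _children(child, "init-param"):
                    ldap_params[_text(p, "param-name")] = _text(p, "param-value")
        elif tag == "filter-mapping":
            mapped.append(_text(child, "filter-name"))
    return declared, mapped, ldap_params


def audit_web_xml(xml_text, first="XmlUserfileFilter", second="LdapFilterForAttributes"):
    """Return a list of findings; an empty list means the chain looks right."""
    try:
        declared, mapped, ldap = parse_filters(xml_text)
    except ET.ParseError as exc:
        # The guide's literal <LDAP HOST> placeholder breaks the XML; report it as a finding.
        return [f"web.xml is not well-formed XML (placeholder left in?): {exc}"]
    findings = [f"mapping for undeclared filter {n}" for n in mapped if n not in declared]
    if first in mapped and second in mapped and mapped.index(first) > mapped.index(second):
        findings.append(f"{second} is mapped before {first}; fedora-users.xml will not take precedence")
    if second not in mapped:
        findings.append(f"{second} has no filter-mapping; LDAP users cannot log in")
    url = ldap.get("url", "")
    if ldap.get("security-authentication") == "simple" and url.startswith("ldap://"):
        findings.append("simple bind over ldap:// sends passwords in cleartext; use ldaps://")
    if PLACEHOLDER_DN in ldap.get("search-base", "") or PLACEHOLDER_DN in ldap.get("bind-filter", ""):
        findings.append("placeholder search base or bind DN from the guide is still present")
    return findings


# Constructed sample: mappings in the wrong order, plain ldap://, placeholder DNs.
SAMPLE_WRONG_ORDER = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter><filter-name>XmlUserfileFilter</filter-name>
    <filter-class>fedora.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class></filter>
  <filter><filter-name>LdapFilterForAttributes</filter-name>
    <filter-class>fedora.server.security.servletfilters.ldap.FilterLdap</filter-class>
    <init-param><param-name>security-authentication</param-name><param-value>simple</param-value></init-param>
    <init-param><param-name>url</param-name><param-value>ldap://ldap.example.org:389/</param-value></init-param>
    <init-param><param-name>search-base</param-name><param-value>ou=asm,dc=localhost,dc=localdomain</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>LdapFilterForAttributes</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>XmlUserfileFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

# Constructed sample: the same chain corrected.
SAMPLE_FIXED = (SAMPLE_WRONG_ORDER
                .replace("ldap://ldap.example.org:389/", "ldaps://ldap.example.org:636/")
                .replace("dc=localhost,dc=localdomain", "dc=example,dc=org")
                .replace("<filter-mapping><filter-name>LdapFilterForAttributes", "<!--")
                .replace("<url-pattern>/*</url-pattern></filter-mapping>\n  <filter-mapping><filter-name>XmlUserfileFilter",
                         "--><filter-mapping><filter-name>XmlUserfileFilter")
                .replace("</web-app>", "  <filter-mapping><filter-name>LdapFilterForAttributes</filter-name>"
                                       "<url-pattern>/*</url-pattern></filter-mapping>\n</web-app>"))

# Constructed sample: the guide's placeholder left in place, which is not valid XML.
SAMPLE_PLACEHOLDER = "<web-app><filter><init-param><param-value>ldap://<LDAP HOST>:389/</param-value></init-param></filter></web-app>"

if __name__ == "__main__":
    # Usage: python audit_web_xml.py $CATALINA_HOME/webapps/fedora/WEB-INF/web.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WRONG_ORDER
    for finding in audit_web_xml(text) or ["OK"]:
        print(finding)
```

The precedence check follows the guide's recommendation (fedora-users.xml first); pass different names to audit_web_xml if your deployment deliberately puts LDAP ahead of the local file.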
