Tuesday, October 20, 2015

How To install Apache Fortress with OpenLDAP

Apache Fortress™ is a standards-based access management system, written in Java, that provides role-based access control, delegated administration and password policy services with LDAP.
Included are the following components:
  •     Core - Java Access Management SDK
  •     Realm - Java EE security for Apache Tomcat
  •     Rest - HTTP protocol wrappers for the APIs
  •     Web - HTML pages for the APIs
In short, Fortress implements ANSI Role-Based Access Control (INCITS 359) and has a nice Web interface:

How to install Apache Fortress with OpenLDAP backend

Clone the git repositories by running these commands:

git clone https://git-wip-us.apache.org/repos/asf/directory-fortress-core.git
git clone https://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git
git clone https://git-wip-us.apache.org/repos/asf/directory-fortress-commander.git
git clone https://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse.git

OpenLDAP

The OpenLDAP server is in Ubuntu's default repositories under the package "slapd", so we can install it easily with apt-get. We will also install some additional utilities:

sudo apt-get update
sudo apt-get install slapd ldap-utils
You will be asked to enter and confirm an administrator password for the administrator LDAP account.
Stop slapd service:

sudo service slapd stop
Copy fortress and rbac schemas:

sudo cp directory-fortress-core/ldap/schema/{fortress.schema,rbac.schema} /etc/ldap/schema/
Replace the contents of /etc/ldap/slapd.conf with the following:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/ppolicy.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/fortress.schema
include         /etc/ldap/schema/rbac.schema

disallow bind_anon
idletimeout 0
sizelimit 5000
timelimit 60
threads 8
loglevel 32768
gentlehup on
pidfile         /var/lib/ldap/slapd.pid
argsfile        /var/lib/ldap/slapd.args

modulepath      /usr/lib/ldap
moduleload      back_mdb.la
moduleload      ppolicy.la
moduleload      accesslog.la
### This one allows user to modify their own password (needed for pw policies):
### This also allows user to modify their own ftmod attributes (needed for audit):
access to attrs=userpassword
        by self write
        by * auth
### Must allow access to dn.base to read supported features on this directory:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by anonymous auth
### Disable null base search of rootDSE
### This disables auto-discovery capabilities of clients.
### Note: slapd applies the first "access to" clause whose target matches, so the
### dn.base="" read rule above wins and this clause has no effect as written.
# Changed -> access to dn.base="" by * read <- to the following:
access to dn.base=""
        by * none
password-hash {SSHA}
#######################################################################
# History DB Settings
#######################################################################
database         mdb
maxreaders 64
maxsize 1000000000
suffix          "cn=log"
rootdn      "cn=Manager,cn=log"
rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
directory       "/var/lib/ldap/hist"
access to *
    by dn.base="cn=Manager,cn=log" write
dbnosync
checkpoint   64 5
#######################################################################
# Default DB Settings
#######################################################################
database        mdb
maxreaders 64
maxsize 1000000000
suffix          "dc=openldap,dc=org"
rootdn      "cn=Manager,dc=openldap,dc=org"
rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index uidNumber,gidNumber,objectclass eq
index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq
directory       "/var/lib/ldap/dflt"
overlay accesslog
logdb   "cn=log"
dbnosync
checkpoint      64 5
#######################################################################
# Audit Log Settings
#######################################################################
logops bind writes compare
logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
logpurge 5+00:00 1+00:00
#######################################################################
# PW Policy Settings
#######################################################################
# Enable the Password Policy overlay to enforce password policies on this database.
overlay     ppolicy
ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=openldap,dc=org"
ppolicy_use_lockout
ppolicy_hash_cleartext
Configure slapd dbs:

sudo su -l
cd /var/lib/ldap/
mkdir hist
mkdir dflt
cd ../
chown -R openldap ldap/
chgrp -R openldap ldap/
Edit /etc/default/slapd, set SLAPD_SERVICES:

SLAPD_SERVICES="ldap://<hostname or ip>:389/ ldaps:/// ldapi:///"
Remove SLAPD_USER and SLAPD_GROUP from /etc/default/slapd.
Start slapd service

sudo service slapd start
If you have any issues with slapd service try to start it with debug logs:

sudo slapd -h "ldap://<hostname or ip>/ ldaps:/// ldapi:///" -f /etc/ldap/slapd.conf -d -1
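Two common reasons a hand-written slapd.conf fails to start are a database directory named in the file that was never created (the hist and dflt directories above) and a parse error in the file itself. The script below, an added example that is not part of the original post or of the Fortress project, checks both before the service is started; it assumes the slapd.conf layout shown above (one "directory" line per database plus pidfile and argsfile) and uses slaptest, which ships with the slapd package, for a dry-run parse when it is installed.

```shell
#!/bin/sh
# Added example (not from the original post or the Fortress project):
# pre-flight checks to run before "service slapd start". It assumes the
# slapd.conf layout shown above (one "directory" line per database plus
# "pidfile"/"argsfile") and takes the config path as its argument.

# Print "key path" for every directory, pidfile and argsfile directive,
# with surrounding quotes stripped.
slapd_paths() {
    sed -n -E \
        's/^[[:space:]]*(directory|pidfile|argsfile)[[:space:]]+"?([^"[:space:]]+)"?.*$/\1 \2/p' \
        "$1"
}

# Return 0 if every database directory exists and the parent directories
# of pidfile/argsfile exist; otherwise print what is missing and return 1.
check_slapd_paths() {
    missing=$(slapd_paths "$1" | while read -r key path; do
        if [ "$key" = directory ]; then
            want=$path
        else
            want=$(dirname "$path")
        fi
        [ -d "$want" ] || echo "$want"
    done)
    if [ -n "$missing" ]; then
        echo "$missing" | sed 's/^/missing directory: /' >&2
        return 1
    fi
    return 0
}

# Parse the file the way slapd would, without opening the databases
# (slaptest -u is a dry run). Skipped when slaptest is not installed.
slapd_conf_test() {
    if ! command -v slaptest >/dev/null 2>&1; then
        echo "slaptest not found, skipping config parse" >&2
        return 0
    fi
    slaptest -u -f "$1"
}

# Usage: sh slapd-preflight.sh /etc/ldap/slapd.conf
if [ -n "${1:-}" ]; then
    check_slapd_paths "$1" && slapd_conf_test "$1"
fi
```

Run it as root (the page's shell session already is, after sudo su -l) so that slaptest can read the same schema files slapd will; a non-zero exit means fix the listed directories or the reported parse error before starting the service.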

Apache Directory Studio

Download and install Apache Directory Studio

wget http://mirrors.ibiblio.org/apache/directory/studio/2.0.0.v20150606-M9/ApacheDirectoryStudio-2.0.0.v20150606-M9-linux.gtk.x86_64.tar.gz
tar xvf ApacheDirectoryStudio-2.0.0.v20150606-M9-linux.gtk.x86_64.tar.gz
cd ApacheDirectoryStudio-2.0.0.v20150606-M9-linux.gtk.x86_64/
./ApacheDirectoryStudio
Create a new LDAP connection to <hostname or ip>:389 with user "cn=Manager,dc=openldap,dc=org" and password "secret".

JDK

Install jdk:

sudo apt-get install openjdk-7-jdk
Find jdk path:

sudo update-alternatives --config java
Copy path and add JAVA_HOME environment variable to /etc/environment file:

JAVA_HOME="/usr/lib/jvm/java-7-openjdk-amd64"
Install maven:

sudo apt-get install maven
Add maven path to the PATH variable in /etc/environment file:

PATH="/home/xusha/apache-maven-3.3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"

Fortress Core

Go to fortress directory and create build.properties file:

cd directory-fortress-core/
cp build.properties.example build.properties
Modify build.properties file:
  • Set server type to openldap
# This is default, tells fortress what type of ldap server in use:
#ldap.server.type=apacheds
ldap.server.type=openldap
  • Set host/port
# These parameters point fortress to LDAP host:
ldap.host=<hostname or ip>
ldap.port=389
ldap.uris=ldap://${ldap.host}:${ldap.port}
  • Set suffix
# These are used to construct suffix for DIT, i.e. dc=example,dc=com.
suffix.name=openldap
suffix.dc=org
suffix=dc=${suffix.name},dc=${suffix.dc}
  • Set min/max connection for user:
# This specifies the number of user LDAP connections (used for user authentication operations only) to maintain in the pool:
# User Pool:
user.min.conn=1
user.max.conn=10
  • Set root.dn
# These are the connection parameters used for LDAP service account:
root.dn=cn=Manager,${suffix}
#root.dn=uid=admin,ou=system
Build fortress core. This step will generate config artifacts using settings from build.properties.

mvn install
Fix ldap/setup/refreshLDAPData.xml:
  • Replace "@USR_MIN_CONN@" with "1"
  • Replace "@USR_MAX_CONN@" with "10"
  • Replace "@SERVER_TYPE@" with "openldap"
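The three replacements above are easy to do by hand, but a forgotten token is only noticed when the load step fails part-way through. The script below, an added example that is not part of the original post or of the Fortress project, performs the substitutions with the values listed above (which match the build.properties settings) and then refuses to report the file as ready while any @TOKEN@ remains; the file path is a parameter.

```shell
#!/bin/sh
# Added example (not from the original post or the Fortress project):
# substitute the build placeholders left in refreshLDAPData.xml and
# refuse to go on while any @TOKEN@ remains, so "mvn install -Dload.file"
# never runs against a half-edited file.

# Replace @USR_MIN_CONN@, @USR_MAX_CONN@ and @SERVER_TYPE@ in place,
# keeping the untouched file as <file>.orig.
fill_placeholders() {
    file=$1; min=$2; max=$3; type=$4
    cp "$file" "$file.orig"
    sed -e "s/@USR_MIN_CONN@/$min/g" \
        -e "s/@USR_MAX_CONN@/$max/g" \
        -e "s/@SERVER_TYPE@/$type/g" "$file.orig" > "$file"
}

# Print every distinct @NAME@ token still in the file; return 1 if any
# is found, 0 if the file is clean.
leftover_placeholders() {
    if grep -o -E '@[A-Z_]+@' "$1" | sort -u | grep .; then
        return 1
    fi
    return 0
}

# Usage: sh fix-load-file.sh ldap/setup/refreshLDAPData.xml
if [ -n "${1:-}" ]; then
    fill_placeholders "$1" 1 10 openldap
    if leftover_placeholders "$1"; then
        echo "$1 is ready for: mvn install -Dload.file=$1"
    else
        echo "unreplaced placeholders remain in $1" >&2
        exit 1
    fi
fi
```

Any token the script prints is one the three replacements above do not cover and needs a value from build.properties before the load is run.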
Build the fortress LDAP DIT, create its config node and load the A/RBAC policies:

mvn install -Dload.file=./ldap/setup/refreshLDAPData.xml
mvn install -Dload.file=./ldap/setup/DelegatedAdminManagerLoad.xml

Fortress Realm

Change directory:

cd directory-fortress-realm/
Build fortress realm with maven and install to local repo:

mvn clean install

Tomcat Web Server

Issue the following commands:

wget http://apache.claz.org/tomcat/tomcat-7/v7.0.64/bin/apache-tomcat-7.0.64.tar.gz
sudo tar xzf apache-tomcat-7.0.64.tar.gz
sudo mv apache-tomcat-7.0.64 /usr/local/tomcat7
Place the fortress-realm proxy jar into the Tomcat server's /lib folder. The proxy jar is named fortress-realm-proxy-[version].jar and is located in directory-fortress-realm/proxy/target:

cp [directory-fortress-realm]/proxy/target/fortress-realm-proxy-[VERSION]-proxy.jar /usr/local/tomcat7/lib
Edit /usr/local/tomcat7/conf/tomcat-users.xml and add the manager roles and users below: tcmanager (manager-script) is the account maven deploys with, and tcmanagergui (manager-gui) can sign on to the Tomcat Manager GUI.

<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<user username="tcmanager" password="m@nager123" roles="manager-script"/>
<user username="tcmanagergui" password="m@nager123" roles="manager-gui"/>
Start Tomcat:

/usr/local/tomcat7/bin/startup.sh
Verify the setup by signing on to the Tomcat Manager app at http://localhost:8080/manager with userId: tcmanagergui, password: m@nager123


Fortress Commander

Change directory:

cd directory-fortress-commander/
Copy the fortress.properties:

cp [directory-fortress-core]/config/fortress.properties [directory-fortress-commander]/src/main/resources
To load policies for testing into ldap, run this command:

mvn install -Dload.file=./src/main/resources/FortressWebDemoUsers.xml
To deploy fortress web, run this command:

mvn tomcat:deploy
Connect to web app:
http://localhost:8080/fortress-web with userId: test, password: password

Fortress Enmasse

Change directory:

cd directory-fortress-enmasse/
Copy the fortress.properties:

cp [directory-fortress-core]/config/fortress.properties [directory-fortress-enmasse]/src/main/resources
To load policies for testing into ldap, run this command:

mvn install -Dload.file=./src/main/resources/FortressRestServerPolicy.xml
To deploy fortress rest, run this command:

mvn tomcat:deploy
Run tests:

mvn test -Dtest=EmTest
Try to send request:

curl --user demouser4:password -X POST -d @userRead.xml -H "Accept: text/xml" -H "Content-Type: text/xml" http://localhost:8080/fortress-rest-1.0-RC41-SNAPSHOT/userRead
