
Sunday, 10 April 2011

Using a POSIX directory schema with Nuxeo

Nuxeo patch

Nuxeo doesn’t support RFC 2307 POSIX LDAP schemas out of the box. Even though the configuration options for LDAP directories in Nuxeo are extremely flexible, a small patch is required for POSIX groups to work. The patch makes Nuxeo search for group members using an ID instead of a DN (Distinguished Name). The latest version of the patch is available in the Nuxeo JIRA bug tracker as bug 6430. The patch requires only a small change to the LDAP directory configuration.
For your convenience, I have provided a pre-compiled binary .jar including the patch. It will work on Nuxeo 5.4.0.1 and probably Nuxeo 5.4.0, but it may already be outdated as you read this article. In the download links below, you will also find the complete version of some relevant configuration files. I can’t post all the configuration files I have used because they include private information.
The following block of XML is an excerpt of the group directory configuration in Nuxeo. I can’t provide this file in its entirety, but I can show the section that needs to be modified. To properly support POSIX groups, you first don’t need references for subGroups and parentGroups. You only need an ldapReference for the group members, but they need to be searched for in a different way than Nuxeo usually does.
<component name="com.rlnx.nuxeo.ldap.group">
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor"/>
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor"/>
 
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
  <require>com.rlnx.nuxeo.posix.schema</require>
 
  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
    <directory name="groupDirectory">
...
      <references>
        <ldapReference field="members"
                       directory="userDirectory"
                       forceDnConsistencyCheck="false"
                       staticAttributeId="memberUID"
                       staticAttributeIsId="true" />
      </references>
    </directory>
  </extension>
</component>
The magic happens in the new staticAttributeIsId configuration attribute, which tells Nuxeo that the content of staticAttribute is an ID and not a DN. The patch then makes Nuxeo search for the members of groups accordingly.
After this simple change, with the patch applied, the new schema can be used in read-only mode. To use the POSIX schema in read/write mode you need to modify several more things, because the POSIX schema requires values such as UIDs and GIDs to be entered when creating a new user account or a new group.
The rest of what is required is based on the information available in the Nuxeo documentation: Adding custom LDAP fields to the UI. For my own use, I decided to do just the minimum required to properly create new users and groups in the directory: add UID and GID fields and remove subGroups and parentGroups, which are not supported by the schema. You might need to add or remove more fields to or from the UI to support your schema, but the process will stay mostly the same as for these fields.
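To make the difference concrete, here is a small added example (not the post’s or Nuxeo’s code) that models the two lookup strategies over a constructed in-memory directory: the posixGroup’s memberUid values resolve only when treated as IDs, while the default DN-based lookup finds nothing in them. All DNs, attribute names and entries are constructed.

```python
"""Group-member resolution by DN (Nuxeo default) versus by ID (RFC 2307 posixGroup).

Added example, not code from the original post or from Nuxeo; it models the
ldapReference lookup described above over a constructed in-memory directory.
"""
from typing import Dict, List

# Constructed directory standing in for LDAP search results: DN -> attributes.
USER_BASE = "ou=People,dc=example,dc=com"
USER_ID_ATTR = "uid"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"uid=alice,{USER_BASE}": {"uid": ["alice"], "uidNumber": ["1001"], "gidNumber": ["2001"]},
    f"uid=bob,{USER_BASE}": {"uid": ["bob"], "uidNumber": ["1002"], "gidNumber": ["2001"]},
    # posixGroup: members are plain IDs in memberUid, not DNs
    "cn=devs,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["2001"],
        "memberUid": ["alice", "bob", "carol"],  # carol no longer exists (stale entry)
    },
    # groupOfNames: members are full DNs (the case Nuxeo handles out of the box)
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=alice,{USER_BASE}"],
    },
}


def search_users(attr: str, value: str) -> List[str]:
    """Emulate a subtree search '(attr=value)' under the user directory base."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + USER_BASE) and value in entry.get(attr, [])]


def resolve_members(group_dn: str, static_attribute_id: str,
                    static_attribute_is_id: bool) -> List[str]:
    """Return the user IDs of a group's members.

    static_attribute_is_id=False: values are DNs and must lie under the user base
    (what forceDnConsistencyCheck guards); the ID is read from the user entry.
    static_attribute_is_id=True: values are IDs; each is looked up under the user
    base and kept only if it matches exactly one entry (unknown or ambiguous IDs
    are dropped rather than guessed).
    """
    members: List[str] = []
    for value in DIRECTORY[group_dn].get(static_attribute_id, []):
        if static_attribute_is_id:
            if len(search_users(USER_ID_ATTR, value)) == 1:
                members.append(value)
        elif value in DIRECTORY and value.lower().endswith("," + USER_BASE.lower()):
            members.append(DIRECTORY[value][USER_ID_ATTR][0])
    return members
```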

Schema extension

Since Nuxeo accesses user and group account data through Document objects, you need to redefine the user and group schemas so they provide the right information to Nuxeo.
Here is an excerpt of the user schema definition (posix-ldap-user-schema.xsd).
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:nxs="http://www.revolutionlinux.com/nuxeo/posix-user"
            targetNamespace="http://www.revolutionlinux.com/nuxeo/posix-user">
 
...
 
  <xs:element name="username" type="xs:string" />
  <xs:element name="password" type="xs:string" />
  <xs:element name="email" type="xs:string" />
  <xs:element name="firstName" type="xs:string" />
  <xs:element name="lastName" type="xs:string" />
  <xs:element name="company" type="xs:string" />
 
  <xs:element name="uidNumber" type="xs:int" />
  <xs:element name="gidNumber" type="xs:int" />
 
  <xs:element name="groups" type="nxs:stringList" />
 
</xs:schema>
This is an excerpt of the group schema definition (posix-ldap-group-schema.xsd).
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:nxs="http://www.revolutionlinux.com/nuxeo/posix-group"
           targetNamespace="http://www.revolutionlinux.com/nuxeo/posix-group">
 
...
 
  <xs:element name="groupname" type="xs:string" />
  <xs:element name="description" type="xs:string" />
 
  <!-- references -->
  <xs:element name="members" type="nxs:stringList" />
 
  <xs:element name="gidNumber" type="xs:int" />
</xs:schema>
The type service is then extended with the new schemas.
<?xml version="1.0"?>
<component name="com.rlnx.nuxeo.posix.schema">
  <extension target="org.nuxeo.ecm.core.schema.TypeService" point="schema">
    <schema name="posix-user" src="posix-ldap-user-schema.xsd" />
    <schema name="posix-group" src="posix-ldap-group-schema.xsd" />
  </extension>
</component>

Layout extension

Finally, you need to redefine the UI used to create users and groups. Here is a small excerpt of what was added to the default layout.
<layout ...
...
  <row>
    <widget>uidNumber</widget>
  </row>
  <row>
    <widget>gidNumber</widget>
  </row>
...
  <widget name="uidNumber" type="text">
    <labels>
      <label mode="any">UID</label>
    </labels>
    <fields>
      <field schema="posix-user">uidNumber</field>
    </fields>
    <widgetModes>
      <mode value="create">edit</mode>
      <mode value="editPassword">hidden</mode>
      <mode value="any">view</mode>
    </widgetModes>
    <properties widgetMode="edit">
      <property name="required">true</property>
      <property name="styleClass">dataInputText</property>
    </properties>
  </widget>
  <widget name="gidNumber" type="text">
    <labels>
      <label mode="any">GID</label>
    </labels>
    <fields>
      <field schema="posix-user">gidNumber</field>
    </fields>
    <widgetModes>
      <mode value="create">edit</mode>
      <mode value="editPassword">hidden</mode>
      <mode value="any">view</mode>
    </widgetModes>
    <properties widgetMode="edit">
      <property name="required">true</property>
      <property name="styleClass">dataInputText</property>
    </properties>
  </widget>
...
</layout>
You should follow the instructions in the Nuxeo documentation page I linked to in order to properly configure your repository. I can’t expose my directory configuration files to the world, and the other files I linked may not be suited to your organisation.

Configuration files

Patched component

Copy this file in the bundles directory of your Nuxeo installation, replacing the file of the same name. Erase the earlier version of the file (5.4.0) if you are running with an older version of Nuxeo.
Written by François-Denis Gonthier
March 21st, 2011 at 12:37 am
Posted in Java,Nuxeo,Programming