{"id":174,"date":"2013-12-19T12:32:55","date_gmt":"2013-12-19T11:32:55","guid":{"rendered":"http:\/\/www.francelabs.com\/blog\/?p=174"},"modified":"2014-01-03T13:51:34","modified_gmt":"2014-01-03T12:51:34","slug":"active-directory","status":"publish","type":"post","link":"https:\/\/www.francelabs.com\/blog\/active-directory\/","title":{"rendered":"Active Directory"},"content":{"rendered":"<p>Disclaimer: This blog is not really new, as it\u2019s just the migration of the technical content of our website \u2013 see further down for the French version.<\/p>\n<p>NOTE: If you are interested in using AD with Solr, you may want to look at our <a title=\"Datafari website\" href=\"http:\/\/www.datafari.com\/en\" target=\"_blank\">Datafari software<\/a> (still in Alpha version), which combines Apache ManifoldCF with Solr and so eases this kind of integration. The code is available on Google Code: <a title=\"Datafari source code\" href=\"http:\/\/code.google.com\/p\/datafari\/\" target=\"_blank\">http:\/\/code.google.com\/p\/datafari\/<\/a><\/p>\n<p>In enterprise environments, enterprise search often needs a security layer that is not necessary for standard web search. In order to assist you, we release here a small piece of code that allows Constellio 1.2 (and probably 1.3, although we didn\u2019t test it) to connect to an Active Directory in order to check credentials at authentication time. Here is how it works:<!--more--><\/p>\n<p>This modification is composed of 2 projects:<\/p>\n<ol>\n<li>The first one is responsible for extraction. More precisely, it extracts users and groups from an AD and injects them into a Constellio 1.2 instance.<\/li>\n<li>The second one contains an authentication class which allows Constellio to check the credentials of the users against the AD at authentication time. The user must have been created via the script of step 1, unless the user has already been created separately in Constellio.<\/li>\n<\/ol>\n<p>These are Eclipse projects. 
In order to make them work:<\/p>\n<ol>\n<li>In the AD-Extractor project, modify the two property files adconfig.properties and mysqlconfig.properties. In the former, put the host and the domain of the AD, as well as the credentials of an account with enough rights to fetch the information from the AD. In the latter, put the host of the machine hosting the Constellio database, as well as the admin user\/password.<\/li>\n<li>Since it is a standalone project (it\u2019s actually a script that fetches the data), you\u2019ll need to start the main class in order to launch it. Note that if you want a regular synchronization of the AD content, you\u2019ll need to create a batch job that starts the script regularly. The script is rather simple: every time you call it, it overwrites the users\/groups already existing in MySQL.<\/li>\n<li>Since we query the AD at the authentication step, we don\u2019t store the password or a hash of it in Constellio, only the users and groups.<\/li>\n<li>In the AD-Authentication project, there is a method that overrides the existing authentication method of Constellio (the original one being authenticate() in com.doculibre.constellio.services.AuthenticationServicesImpl). This new method queries the AD to check the user credentials. 
If the response is negative, and Constellio also has extra users in parallel to the AD (although it\u2019s of course better to centralize user management, there may be cases where users are declared in several places), the new authenticate method will query the Constellio user base through the normal authentication method of Constellio.<\/li>\n<li>You need to modify adconfig.properties the same way you did in step 1.<\/li>\n<li>You need to make a jar of this project package.<\/li>\n<li>You need to put it in the WebContent\/WEB-INF\/lib of Constellio.<\/li>\n<li>You need to modify your constellio.xml (at the root of the Constellio classes, whose location depends on whether you are dealing with an Eclipse Constellio project or with the compiled Constellio), with the following modifications:<\/li>\n<\/ol>\n<p><b>the original line:<\/b> &lt;bean id=\"authenticationServices\" class=\"com.doculibre.constellio.services.AuthenticationServicesImpl\" scope=\"prototype\"&gt; &lt;\/bean&gt;<\/p>\n<p><b>the new line:<\/b> &lt;bean id=\"authenticationServices\" class=\"com.doculibre.constellio.services.AuthenticationServicesADImpl\" scope=\"prototype\"&gt; &lt;\/bean&gt;<\/p>\n<p>And voil\u00e0, this should work, and now you can use AD authentication with Constellio 1.2, although it should also work with Constellio 1.3.<\/p>\n<p><a class=\"download\" title=\"Download of the Constellio Active Directory Authentication code\" href=\"http:\/\/www.francelabs.com\/files\/ConstellioADConnection.zip\"><br \/>\nDownload<br \/>\n<\/a><br \/>\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/p>\n<p><em>French version<\/em><\/p>\n<p>Within companies, search tools often have to comply with internal security requirements, unlike web search. To help you, we provide code that allows Constellio 1.2 (and probably 1.3 as well, although we have not run the tests) to connect to an Active Directory, so as to verify access rights at authentication time. Here is how it works:<\/p>\n<p>This modification is composed of 2 projects:<\/p>\n<ol>\n<li>The first one is responsible for extraction. More precisely, it extracts the user and group information from the AD and injects it into Constellio 1.2.<\/li>\n<li>The second one contains the authentication class, which lets Constellio contact the AD to verify a user\u2019s rights at authentication time. The user must have been created beforehand by step 1, unless the user was created separately in Constellio.<\/li>\n<\/ol>\n<p>These projects are Eclipse projects. To make them work:<\/p>\n<ol>\n<li>In the AD-Extractor project, modify the property files adconfig.properties and mysqlconfig.properties. In the first, specify the host and domain of the AD, as well as credentials with enough rights to retrieve the information from the AD. In the second, specify the host of the machine hosting the Constellio database, as well as the admin credentials.<\/li>\n<li>It is a standalone project (it is actually a script whose purpose is to retrieve the data from the AD), so you must start its main class to launch it. Obviously, if you want regular synchronization of the AD content, you must create a batch job to launch the script regularly. This script is relatively simple, and on each execution it will overwrite the users\/groups coming from the AD that are already present in Constellio\u2019s MySQL.<\/li>\n<li>Since user authentication is done by querying the AD, we store neither the passwords nor their hashes in Constellio, only the users and groups.<\/li>\n<li>In the AD-Authentication project, there is a method that overrides Constellio\u2019s existing authentication method (the original is called authenticate() in com.doculibre.constellio.services.AuthenticationServicesImpl). This new method queries the AD to verify the credentials. If the answer is negative, and in the case where Constellio has users in parallel to those of the AD (although it is obviously recommended to centralize user management, there are cases where users are declared in several places), the new authentication method will then query Constellio\u2019s user base, using Constellio\u2019s standard authentication method.<\/li>\n<li>You must modify adconfig.properties the same way as in step 1.<\/li>\n<li>You must build a jar of the project package.<\/li>\n<li>You must put this jar in Constellio\u2019s WebContent\/WEB-INF\/lib.<\/li>\n<li>You must modify your constellio.xml (at the root of the Constellio classes, a location that varies depending on whether you use Constellio as an Eclipse project or a compiled Constellio), with the following modifications:<\/li>\n<\/ol>\n<p><b>the original<\/b>: &lt;bean id=\"authenticationServices\" class=\"com.doculibre.constellio.services.AuthenticationServicesImpl\" scope=\"prototype\"&gt; &lt;\/bean&gt;<\/p>\n<p><b>the modified one<\/b>: &lt;bean id=\"authenticationServices\" class=\"com.doculibre.constellio.services.AuthenticationServicesADImpl\" scope=\"prototype\"&gt; &lt;\/bean&gt;<\/p>\n<p>And there you go, everything should work, and you can now use AD authentication with Constellio 1.2, and it should also work with Constellio 1.3.<\/p>\n<p><a class=\"download\" title=\"Download the Constellio Active Directory source code\" href=\"http:\/\/www.francelabs.com\/files\/ConstellioADConnection.zip\"><br \/>\nDownload<br \/>\n<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Disclaimer: This blog is not really new, as it\u2019s just the migration of the technical content of our website \u2013 see further down for the French version. 
NOTE: If you are interested in using AD with Solr, you may want &hellip; <a href=\"https:\/\/www.francelabs.com\/blog\/active-directory\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[28,29,8],"class_list":["post-174","post","type-post","status-publish","format-standard","hentry","category-search","tag-active-directory","tag-ldap","tag-security"],"_links":{"self":[{"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/posts\/174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/comments?post=174"}],"version-history":[{"count":6,"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/posts\/174\/revisions"}],"predecessor-version":[{"id":197,"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/posts\/174\/revisions\/197"}],"wp:attachment":[{"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/media?parent=174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/categories?post=174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.francelabs.com\/blog\/wp-json\/wp\/v2\/tags?post=174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}