You may have heard about the upcoming integration of the blojsom blog server in Tiger Server when it comes out.
I really like blojsom, and have been running it for a while now. It is far easier to administer for multi-user and multi-blog setups than anything else I’ve experimented with, and offers some awesome features. My only real gripe with it has been that I kind of hate administering passwords in flat files when it comes to services which feel naturally aligned with my current directory services.
Well, recently an LDAP authentication plugin has been contributed to blojsom, which means that right now you can install it and set up blogs for your Open Directory users such that they authenticate using their OD username and password. Installing and configuring all of this is a little bit of work, especially if you haven’t set up Tomcat on your OS X Server box yet, but hopefully the step by step instructions here will make it easy enough.
<code>
mkdir ~/blojsom_files
cd ~/blojsom_files
curl -O http://optusnet.dl.sourceforge.net/sourceforge/blojsom/blojsom.war
curl -O http://optusnet.dl.sourceforge.net/sourceforge/blojsom/blojsom-2.22-addons.zip
unzip blojsom-2.22-addons.zip
</code>
If you can’t get to that direct download link, or want to use a SourceForge mirror closer to you, go to the following two links:
http://prdownloads.sourceforge.net/blojsom/blojsom.war?download
http://prdownloads.sourceforge.net/blojsom/blojsom-2.22-addons.zip?download
Step 1: Configuring blojsom.
<code>
sudo mkdir /Library/Tomcat/webapps/blojsom
cd /Library/Tomcat/webapps/blojsom
sudo jar xvf ~/blojsom_files/blojsom.war
sudo cp ~/blojsom_files/radeox-1.0b2.jar /Library/Tomcat/webapps/blojsom/WEB-INF/lib/
sudo cp ~/blojsom_files/blojsom-addon-core-2.22.jar /Library/Tomcat/webapps/blojsom/WEB-INF/lib/
sudo cp ~/blojsom_files/netscape-ldapjdk-4.17.jar /Library/Tomcat/webapps/blojsom/WEB-INF/lib/
</code>
Now edit the file:
<code>/Library/Tomcat/webapps/blojsom/WEB-INF/blojsom.properties</code>
and change:
<code> blojsom-authorization-provider=org.blojsom.authorization.PropertiesAuthorizationProvider </code>
to:
<code> blojsom-authorization-provider=org.blojsom.authorization.LDAPAuthorizationProvider </code>
and
<code> blojsom-blog-home={user.home}/blojsom-blogs/ </code>
to:
<code> blojsom-blog-home=/usr/local/blog-data/ </code>
Now edit
<code>/Library/Tomcat/webapps/blojsom/WEB-INF/web.xml</code>
insert the following text into each servlet entry that you wish to use LDAP authentication for:
<code>
<init-param>
  <param-name>blog-ldap-authorization-server</param-name>
  <param-value>DNS/IP Address of your LDAP server</param-value>
</init-param>
<init-param>
  <param-name>blog-ldap-authorization-dn</param-name>
  <param-value>DN of your Open Directory User branch</param-value>
</init-param>
</code>
For example, if your Open Directory master is “odmaster.mydomain.com”, it is more than likely that your OD User branch is something like “cn=users,dc=mydomain,dc=com”, so it would look like:
<code>
<init-param>
  <param-name>blog-ldap-authorization-server</param-name>
  <param-value>odmaster.mydomain.com</param-value>
</init-param>
<init-param>
  <param-name>blog-ldap-authorization-dn</param-name>
  <param-value>cn=users,dc=mydomain,dc=com</param-value>
</init-param>
</code>
At a minimum, you’ll want to set up LDAP authentication for the main blojsom servlet.
Look for the lines:
<code>
<servlet>
  <servlet-name>blojsom</servlet-name>
  <servlet-class>org.blojsom.servlet.BlojsomServlet</servlet-class>
</code>
and insert your LDAP configuration from above just after this, like so:
<code>
<servlet>
  <servlet-name>blojsom</servlet-name>
  <servlet-class>org.blojsom.servlet.BlojsomServlet</servlet-class>
  <init-param>
    <param-name>blog-ldap-authorization-server</param-name>
    <param-value>odmaster.mydomain.com</param-value>
  </init-param>
  <init-param>
    <param-name>blog-ldap-authorization-dn</param-name>
    <param-value>cn=users,dc=mydomain,dc=com</param-value>
  </init-param>
</code>
If you’re planning on using the XML-RPC API of blojsom so that you can use the Blogger, MetaWeblog and MovableType APIs, you’ll also want to add the LDAP configuration to the appropriate servlet.
Look for the lines:
<code>
<servlet>
  <servlet-name>blojsomxmlrpc</servlet-name>
  <servlet-class>org.blojsom.extension.xmlrpc.BlojsomXMLRPCServlet</servlet-class>
</code>
and insert your LDAP configuration just after, like so:
<code>
<servlet>
  <servlet-name>blojsomxmlrpc</servlet-name>
  <servlet-class>org.blojsom.extension.xmlrpc.BlojsomXMLRPCServlet</servlet-class>
  <init-param>
    <param-name>blog-ldap-authorization-server</param-name>
    <param-value>odmaster.mydomain.com</param-value>
  </init-param>
  <init-param>
    <param-name>blog-ldap-authorization-dn</param-name>
    <param-value>cn=users,dc=mydomain,dc=com</param-value>
  </init-param>
</code>
If you’re planning on using the Atom API, then add your LDAP config to the Atom servlet as well.
Look for the lines:
<code>
<servlet>
  <servlet-name>blojsomatomapi</servlet-name>
  <servlet-class>org.blojsom.extension.atomapi.AtomAPIServlet</servlet-class>
</code>
and again, insert your LDAP configuration just after it, like so:
<code>
<servlet>
  <servlet-name>blojsomatomapi</servlet-name>
  <servlet-class>org.blojsom.extension.atomapi.AtomAPIServlet</servlet-class>
  <init-param>
    <param-name>blog-ldap-authorization-server</param-name>
    <param-value>odmaster.mydomain.com</param-value>
  </init-param>
  <init-param>
    <param-name>blog-ldap-authorization-dn</param-name>
    <param-value>cn=users,dc=mydomain,dc=com</param-value>
  </init-param>
</code>
The comments servlet doesn’t do authentication, so we don’t need to modify it.
We need to set up an area for blog data to be stored. These are text files that contain the entries themselves.
I’m going to use /usr/local/blog-data, and set up the default blog here as well.
<code>
sudo mkdir /usr/local/blog-data
sudo mkdir /usr/local/blog-data/default
</code>
Step 2: Setting up a blog
Now we need to create our first blog for an LDAP user.
First, let’s make sure that Tomcat has permission to update the settings for the default user, and for the resources folder, which is where images and theme data are stored.
<code>
sudo chown -R appserver /Library/Tomcat/webapps/blojsom/WEB-INF/default
sudo chown -R appserver /Library/Tomcat/webapps/blojsom/resources
</code>
I prefer to create my own template directory based upon the default that I can then use for all my users like so:
<code>
cd /Library/Tomcat/webapps/blojsom
sudo cp -Rp WEB-INF/default WEB-INF/default_template
sudo cp -Rp resources/default resources/default_template
</code>
We’re going to be using LDAP for authorization, so delete the authorization.properties file:
<code>
sudo rm WEB-INF/default_template/authorization.properties
</code>
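Once the provider has been switched and the template's password file removed, it is worth having a repeatable check that no per-blog authorization.properties file gets copied back in later (every blog folder cloned from a template that still has one would carry a flat-file credential store). The function below is an added example, not code from this entry or from blojsom; it assumes only the layout used here: the webapp root is passed as the first argument, blojsom.properties lives in WEB-INF, and blog folders sit directly under WEB-INF.

```shell
# Added check (not from the original post or the blojsom project).
# Usage: check_ldap_only /Library/Tomcat/webapps/blojsom
# Returns 0 when the webapp is LDAP-only, 1 otherwise, printing what it found.
check_ldap_only() {
    root="$1"
    props="$root/WEB-INF/blojsom.properties"
    rc=0

    # 1. The global provider must be the LDAP one; with the properties
    #    provider, logins still come from per-blog authorization.properties.
    if ! grep -q '^blojsom-authorization-provider=org.blojsom.authorization.LDAPAuthorizationProvider[[:space:]]*$' "$props" 2>/dev/null; then
        echo "WARN: $props does not select LDAPAuthorizationProvider"
        rc=1
    fi

    # 2. Any authorization.properties one level below WEB-INF is a leftover
    #    flat-file credential store (copied from a template or an old blog).
    leftovers=$(find "$root/WEB-INF" -mindepth 2 -maxdepth 2 -name authorization.properties 2>/dev/null)
    if [ -n "$leftovers" ]; then
        echo "WARN: flat-file credential stores still present:"
        echo "$leftovers"
        rc=1
    fi
    return $rc
}

# Constructed sample tree (no Tomcat needed) showing the check catching a
# blog folder that was cloned before authorization.properties was deleted.
demo_check() {
    root=$(mktemp -d)
    mkdir -p "$root/WEB-INF/default_template" "$root/WEB-INF/odusername"
    echo 'blojsom-authorization-provider=org.blojsom.authorization.LDAPAuthorizationProvider' > "$root/WEB-INF/blojsom.properties"
    : > "$root/WEB-INF/odusername/authorization.properties"   # the mistake to be caught
    check_ldap_only "$root"; status=$?
    rm -rf "$root"
    return $status   # 1: the leftover file was reported
}
```

Run it after every provisioning pass (or from the user-creation script at the end of this entry) so a stray password file is noticed immediately rather than at the next audit.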
Edit the file “blog.properties” in the WEB-INF/default_template folder so that it looks like this:
<code>
#
# blojsom user properties configuration file
#
blog-directory-depth=6
blog-language=en
blog-country=US
blog-name=BLOGOWNER
blog-description=BLOGOWNER - blog
blog-home=/usr/local/blog-data/BLOGOWNER
blog-base-url=http://myserver.mydomain.com/blojsom/
blog-url=http://myserver.mydomain.com/blojsom/blog/BLOGOWNER/
blog-file-extensions=.*html, .*txt, .*textile
blog-entry-meta-data-extension=.meta
blog-properties-extensions=.properties
blog-entries-display=15
blog-default-category-mapping=
blog-directory-filter=.*/CVS
blog-owner=BLOGOWNER
# (the address on the original page was obscured; this value follows the BLOGOWNER/mydomain.com placeholder convention used above)
blog-owner-email=BLOGOWNER@mydomain.com
blog-comments-enabled=true
blog-comments-directory=.comments
blog-trackbacks-enabled=true
blog-trackbacks-directory=.trackbacks
blog-email-enabled=false
blog-file-encoding=
blog-blacklist-file=blacklist.filters
blog-xmlrpc-entry-extension=.html
blog-banned-ip-addresses=
blog-default-flavor=html
plugin-comment-autoformat=true
linear-navigation-enabled=false
#
# MetaWeblog extension properties
#
blojsom-extension-metaweblog-accepted-types=image/jpeg, image/jpg, image/gif, image/png, img
</code>
We’ve set things up so that we will be using Apache with mod_jk for blojsom, so that users behind strict firewalls can still view the pages. If you don’t want to do this, and you just want to serve these pages out using Tomcat without Apache, change the lines:
<code>
blog-base-url=http://myserver.mydomain.com/blojsom/
blog-url=http://myserver.mydomain.com/blojsom/blog/BLOGOWNER/
</code>
so that they look like:
<code>
blog-base-url=http://myserver.mydomain.com:9006/blojsom/
blog-url=http://myserver.mydomain.com:9006/blojsom/blog/BLOGOWNER/
</code>
You may also want to change the blog-owner-email property if this isn’t the format of your email addresses.
Now we’re going to copy our template blog to set up a blog for a user who exists in Open Directory with the short name ‘odusername’. Replace this with the username you wish to create a blog for.
<code>
sudo cp -Rp WEB-INF/default_template WEB-INF/odusername
sudo cp -Rp resources/default_template resources/odusername
sudo mkdir /usr/local/blog-data/odusername
sudo chown -R appserver /usr/local/blog-data/odusername
</code>
Edit WEB-INF/odusername/blog.properties and replace all instances of ‘BLOGOWNER’ with ‘odusername’. If you’re wondering why we’ve done it like this, it is so that you can easily script creating a new user with a simple sed script, which I’ll put at the end of this entry.
Step 3: Setting up mod_jk
Now, before we start up blojsom, we need to configure Apache to use mod_jk with Tomcat so that visitors can browse the blogs over port 80. If you’re not planning on doing this, you can skip this whole section.
Open up Server Admin for your server, and in the Web service, go to the Modules tab. Enable the “jk_module” module.
Edit the file:
<code>/etc/httpd/httpd.conf</code>
and change the section:
<code>
<IfModule mod_jk.c>
    JKWorkersFile /etc/httpd/workers.properties
    JKLogFile /var/log/httpd/mod_jk.log
    JKLogLevel error
    JKMount /*.jsp JBoss1
    JKMount /servlet/* JBoss1
    JKMount /examples/* JBoss1
</IfModule>
</code>
to:
<code>
<IfModule mod_jk.c>
    JKWorkersFile /etc/httpd/workers.properties
    JKLogFile /var/log/httpd/mod_jk.log
    JKLogLevel error
    JKMount /*.jsp JBoss1
    JKMount /servlet/* JBoss1
    JKMount /examples/* JBoss1
    JKMount /blojsom/* blojsomworker
</IfModule>
</code>
Edit the file:
<code>/etc/httpd/workers.properties</code>
and make the following changes:
Change the line:
<code> worker.list=JBoss1, JBoss2, loadbalancer </code>
to
<code> worker.list=JBoss1, JBoss2, loadbalancer, blojsomworker </code>
and after the line:
<code> worker.loadbalancer.balanced_workers=JBoss1, JBoss2 </code>
add:
<code>
# -----------------------
# Blojsom worker
# -----------------------
worker.blojsomworker.port=9007
worker.blojsomworker.host=127.0.0.1
worker.blojsomworker.type=ajp13
worker.blojsomworker.lbfactor=100
</code>
Now check your apache config:
<code> sudo apachectl configtest </code>
If no errors were reported (spurious [warn] messages about WebObjects are ok, just make sure you have a “Syntax OK” result returned) then do:
<code> sudo apachectl graceful </code>
Try starting Tomcat. If you haven’t set it up before, go to the Application Server service in Server Admin, and in the General tab, choose “Tomcat only”. Save, and Start Service. It takes a little while to start up, so wait a few seconds, and hit Refresh to check that it is working. If you’ve already got Tomcat working, you can skip to the next section “Testing Blojsom”.
To check that Tomcat is working properly, go to this page:
<code> http://myserver.mydomain.com:9006 </code>
and click on “Servlet Examples” on the left hand side.
If this all seems ok, then Tomcat is fine.
Now to test mod_jk, try:
<code> http://myserver.mydomain.com/examples/servlets/ </code>
If this gives you the same page, then mod_jk is working happily.
Step 4: Testing Blojsom
Now try:
<code> http://myserver.mydomain.com/blojsom/blog/default/ </code>
to see the default blog.
If that all looks ok, try the blog of the Open Directory user you’ve set up.
<code> http://myserver.mydomain.com/blojsom/blog/odusername/ </code>
If that all looks ok, try logging into the admin interface for your blog.
<code> http://myserver.mydomain.com/blojsom/blog/odusername/?flavor=admin </code>
You should be able to login with your Open Directory username and password.
If that works, try adding some entries, and try switching the theme,
(Plugin Settings -> Configure Available Plugins -> Theme Switcher Plugin)
If that all works, then it looks like everything is working. You now have a multi-user blog server set up, and have created a blog for a user that authenticates against Open Directory.
Now, if you want an easy way to have this automatically set up blogs for your OD users, you might want to look at a script like this:
This version loops over the listing of a folder. I’ve done it this way because it allows me to quickly loop over all the users who are logically grouped, without having to actually interrogate the Open Directory server for group memberships. The ‘grep -e’ statement that the ls gets piped through is there to exclude those pesky “.DS_Store” and “.VolumeIcon.icns” files, as well as my group shared folders, which all start with uppercase characters.
<code>
#!/bin/sh
#
BLOJHOME=/Library/Tomcat/webapps/blojsom

# Each lower-case folder in the staff sharepoint is one user's home directory.
for user in $(ls /Volumes/raid/mystaff | grep -e "^[a-z]")
do
    if [ ! -e "$BLOJHOME/WEB-INF/$user" ]
    then
        cp -Rp "$BLOJHOME/WEB-INF/default_template" "$BLOJHOME/WEB-INF/$user"
        cp -Rp "$BLOJHOME/resources/default_template" "$BLOJHOME/resources/$user"
        mkdir -p "/usr/local/blog-data/$user"
        # Fill in the BLOGOWNER placeholder from the template's blog.properties.
        sed "s|BLOGOWNER|$user|g" "$BLOJHOME/WEB-INF/default_template/blog.properties" > "$BLOJHOME/WEB-INF/$user/blog.properties"
        chown appserver "$BLOJHOME/WEB-INF/$user/blog.properties"
        chown appserver "/usr/local/blog-data/$user"
        # Add the user to the blojsom-users property if not already there.
        # grep -q gives a usable exit status; testing "[ ! $(grep ...) ]" breaks
        # as soon as grep prints more than one word. Note this is a substring
        # match, so "bob" is also found inside "bobby".
        if ! grep -q "$user" "$BLOJHOME/WEB-INF/blojsom.properties"
        then
            BLOJUSERS=$(grep blojsom-users "$BLOJHOME/WEB-INF/blojsom.properties")
            TMPPROPS=$(mktemp /tmp/blojsom.properties.XXXXXX)
            grep -v blojsom-users "$BLOJHOME/WEB-INF/blojsom.properties" > "$TMPPROPS"
            echo "$BLOJUSERS,$user" >> "$TMPPROPS"
            cp "$TMPPROPS" "$BLOJHOME/WEB-INF/blojsom.properties"
            rm -f "$TMPPROPS"
        fi
    fi
done

serveradmin stop appserver && serveradmin start appserver
</code>
If you really do want to loop over all the users in your Open Directory setup, you could change the for loop to something like:
<code> for user in $(dscl /LDAPv3/odmaster.mydomain.com -list /Users) </code>
but you’ll probably want to filter out some users like unknown and maybe your OD Dir Admin account.
<code> for user in $(dscl /LDAPv3/odmaster.mydomain.com -list /Users | grep -v unknown | grep -v myodadmin) </code>
You could do that more elegantly in the script by checking the username, rather than just grepping, but that works…
This is kind of why I like looping over sharepoints. I know that all the users in a certain group who should have this service will be in one of several sharepoints, and it’s kind of easier. If they don’t have a home directory yet, they shouldn’t be blogging yet either…
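Two details of the provisioning script above deserve tightening before it runs as root on a production box: the user name is taken straight from a directory listing (or from dscl) and then used in paths and in a sed expression, and the “already listed” test is a substring grep, so a user called bob is silently skipped once bobby exists. The following is an added example, not code from this entry or from blojsom; it assumes only the blojsom-users=default,odusername format of the property shown above. It also goes slightly beyond the script by coping with an empty or missing blojsom-users line.

```shell
# Added example (not from the original post or the blojsom project).
# Keeps the blojsom-users property in sync with validated names, exactly once each.

# Accept only names shaped like Open Directory short names, matching the
# post's grep "^[a-z]" filter: a lower-case letter, then letters, digits,
# '.', '_' or '-'. Anything else (spaces, '/', ';', '&', '|') is refused
# before it can reach a path or the sed replacement below.
valid_short_name() {
    case "$1" in
        "" | [!a-z]*) return 1 ;;
    esac
    case "$1" in
        *[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    return 0
}

# 0 when $2 is already one of the comma-separated tokens of blojsom-users
# in $1. Wrapping the value in commas keeps "bob" from matching "bobby".
user_listed() {
    props="$1"; user="$2"
    line=$(grep '^blojsom-users=' "$props" | head -n 1)
    [ -n "$line" ] || return 1
    case ",${line#blojsom-users=}," in
        *",$user,"*) return 0 ;;
    esac
    return 1
}

# Append $2 to blojsom-users in $1. No-op if present; returns 2 for an
# unsafe name. Writes via a private temp file next to the target, then renames.
add_blojsom_user() {
    props="$1"; user="$2"
    valid_short_name "$user" || return 2
    if user_listed "$props" "$user"; then
        return 0
    fi
    tmp=$(mktemp "${props}.XXXXXX") || return 1
    if grep -q '^blojsom-users=' "$props"; then
        line=$(grep '^blojsom-users=' "$props" | head -n 1)
        value=${line#blojsom-users=}
        if [ -z "$value" ]; then new="$user"; else new="$value,$user"; fi
        # Only the property line changes; every other line is copied as is.
        sed "s|^blojsom-users=.*|blojsom-users=$new|" "$props" > "$tmp"
    else
        cat "$props" > "$tmp"
        echo "blojsom-users=$user" >> "$tmp"
    fi
    mv "$tmp" "$props"
}

# Constructed demonstration file (not a real deployment).
demo_users() {
    dir=$(mktemp -d)
    f="$dir/blojsom.properties"
    printf '%s\n' 'blojsom-users=default,bobby' 'blojsom-blog-home=/usr/local/blog-data/' > "$f"
    add_blojsom_user "$f" bob                          # added: "bob" is not "bobby"
    add_blojsom_user "$f" bob                          # second call is a no-op
    add_blojsom_user "$f" '../etc' || echo "rejected unsafe name"
    grep '^blojsom-users=' "$f"                        # blojsom-users=default,bobby,bob
    rm -rf "$dir"
}
```

Inside the loop of the provisioning script, the call would simply be add_blojsom_user "$BLOJHOME/WEB-INF/blojsom.properties" "$user", and rejecting a name there is also the right place to skip creating its folders.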
So this is how I’m running my blog, and have set up blogs for all my staff. As always though, buyer beware, especially when it’s free… standard I am not responsible for destroying your server disclaimer here.
When you are setting up the blog for your Open Directory user,
you need to add their username to the “blojsom-users” property in:
<code>/Library/Tomcat/webapps/blojsom/WEB-INF/blojsom.properties</code>
like so:
<code>blojsom-users=default,odusername</code>
<code>
BLOJUSERS=$(grep blojsom-users $BLOJHOME/WEB-INF/blojsom.properties)
cat $BLOJHOME/WEB-INF/blojsom.properties | grep -v blojsom-users > /tmp/blojsom.properties
echo "$BLOJUSERS,$user" >> /tmp/blojsom.properties
cp /tmp/blojsom.properties $BLOJHOME/WEB-INF/blojsom.properties
</code>
takes care of this….
Well I considered that step optional, as I didn’t expect everyone to want
to create all their OD users blogs automatically.
Thanks for pointing that out though, I should have mentioned that the
script does do this for you, but if you’re going through this step by step,
then when you get to the stage of actually testing the first blog for
‘odusername’, then it will not work unless you have added their
username to the blojsom-users property.
Questions:
a. Having installed the mod_jk thingy etc, the blogs show up on all sites
ie:
domain1.com/blojsom/blog/default
domain2.com/blojsom/blog/default
etc
all show up.
How do I limit it to just one site?
b. how can I have it so that the url is in the form:
USERNAME.domain1.com
or if that’s difficult
blogs.domain1.com/default
—
Cheers.
It depends if you want to install any other Tomcat apps.
Instead of installing blojsom into /Library/Tomcat/webapps/blojsom, you
can install it into /Library/Tomcat/webapps/ROOT
Then it will appear at:
http://your.server:9006/blog/
If you want it to not even have the /blog suffix, I’m not sure what you
can do. You might have to mess around with the web.xml settings for
blojsom and Tomcat. I’d post this to the blojsom users mailing list,
David is REALLY helpful, one of the most community minded open
source developers I’ve ever come across.
You’ll then need to do the JKMount entries on an individual virtual host
level, rather than globally for specific hosts.
You’d then need to write your own redirects I guess for
username.domain to domain/blog/username/ , but there might be a
better way…
Yup. That’s changed since the release I wrote this for, there’s now a
permissions model for multiple users.
I’ll update this entry as soon as I can, I’ll re-write the instructions for the
latest release.
I also wanted to add some stuff on how to trim down the admin
interface, as I’ve been restricting my students from being able to upload
files, and when you’re using OD authentication, you probably want to
get rid of some of the admin interface to do with authentication and
authorization.