Articles January 20, 2005 at 10:35 am

Installing blojsom with Open Directory Authentication

You may have heard about the upcoming integration of the blojsom blog server in Tiger Server when it comes out.
I really like blojsom, and have been running it for a while now. It is far easier to administer for multi-user and multi-blog setups than anything else I’ve experimented with, and offers some awesome features. My only real gripe with it has been that I kind of hate administering passwords in flat files when it comes to services which feel naturally aligned with my current directory services.

Well, recently an LDAP authentication plugin has been contributed to blojsom, which means that right now you can install it and set up blogs for your Open Directory users such that they authenticate using their OD username and password. Installing and configuring all of this is a little bit of work, especially if you haven’t set up Tomcat on your OS X Server box yet, but hopefully the step by step instructions here will make it easy enough.

<code>
mkdir ~/blojsom_files
cd ~/blojsom_files
curl -O http://optusnet.dl.sourceforge.net/sourceforge/blojsom/blojsom.war
curl -O http://optusnet.dl.sourceforge.net/sourceforge/blojsom/blojsom-2.22-addons.zip
unzip blojsom-2.22-addons.zip
</code>

If you can’t get to that direct download link, or want to use a SourceForge mirror closer to you, go to the following two links:

http://prdownloads.sourceforge.net/blojsom/blojsom.war?download

http://prdownloads.sourceforge.net/blojsom/blojsom-2.22-addons.zip?download

Step 1: Configuring blojsom.

<code>
sudo mkdir /Library/Tomcat/webapps/blojsom
cd /Library/Tomcat/webapps/blojsom
sudo jar xvf ~/blojsom_files/blojsom.war
sudo cp ~/blojsom_files/radeox-1.0b2.jar /Library/Tomcat/webapps/blojsom/WEB-INF/lib/
sudo cp ~/blojsom_files/blojsom-addon-core-2.22.jar /Library/Tomcat/webapps/blojsom/WEB-INF/lib/
sudo cp ~/blojsom_files/netscape-ldapjdk-4.17.jar /Library/Tomcat/webapps/blojsom/WEB-INF/lib/
</code>

Now edit the file:

<code>/Library/Tomcat/webapps/blojsom/WEB-INF/blojsom.properties</code>

and change:

<code>
blojsom-authorization-provider=org.blojsom.authorization.PropertiesAuthorizationProvider
</code>

to:

<code>
blojsom-authorization-provider=org.blojsom.authorization.LDAPAuthorizationProvider
</code>

and

<code>
blojsom-blog-home={user.home}/blojsom-blogs/
</code>

to:

<code>
blojsom-blog-home=/usr/local/blog-data/
</code>

Now edit

<code>/Library/Tomcat/webapps/blojsom/WEB-INF/web.xml</code>

Insert the following text into each servlet entry that you wish to use LDAP authentication for:

<code>
<init-param>
    <param-name>blog-ldap-authorization-server</param-name>
    <param-value>DNS/IP Address of your LDAP server</param-value>
</init-param>
<init-param>
    <param-name>blog-ldap-authorization-dn</param-name>
    <param-value>DN of your Open Directory User branch</param-value>
</init-param>
</code>

For example, if your Open Directory master is “odmaster.mydomain.com”, it is more than likely that your OD User branch is something like “cn=users,dc=mydomain,dc=com”, so it would look like:

<code>
<init-param>
    <param-name>blog-ldap-authorization-server</param-name>
    <param-value>odmaster.mydomain.com</param-value>
</init-param>
<init-param>
    <param-name>blog-ldap-authorization-dn</param-name>
    <param-value>cn=users,dc=mydomain,dc=com</param-value>
</init-param>
</code>

So, at a minimum, you’ll want to set up LDAP authentication for the main blojsom servlet.
Look for the lines:

<code>
    <servlet>
        <servlet-name>blojsom</servlet-name>
        <servlet-class>org.blojsom.servlet.BlojsomServlet</servlet-class>
</code>

and insert your LDAP configuration from above just after this, like so:

<code>
    <servlet>
        <servlet-name>blojsom</servlet-name>
        <servlet-class>org.blojsom.servlet.BlojsomServlet</servlet-class>
        <init-param>
            <param-name>blog-ldap-authorization-server</param-name>
            <param-value>odmaster.mydomain.com</param-value>
        </init-param>
        <init-param>
            <param-name>blog-ldap-authorization-dn</param-name>
            <param-value>cn=users,dc=mydomain,dc=com</param-value>
        </init-param>
</code>

If you’re planning on using the XML-RPC API of blojsom so that you can use the Blogger, MetaWeblog and MovableType APIs, you’ll also want to add the LDAP configuration to the appropriate servlet.

Look for the lines:

<code>
    <servlet>
        <servlet-name>blojsomxmlrpc</servlet-name>
        <servlet-class>org.blojsom.extension.xmlrpc.BlojsomXMLRPCServlet</servlet-class>
</code>

and insert your LDAP configuration just after, like so:

<code>
    <servlet>
        <servlet-name>blojsomxmlrpc</servlet-name>
        <servlet-class>org.blojsom.extension.xmlrpc.BlojsomXMLRPCServlet</servlet-class>
        <init-param>
            <param-name>blog-ldap-authorization-server</param-name>
            <param-value>odmaster.mydomain.com</param-value>
        </init-param>
        <init-param>
            <param-name>blog-ldap-authorization-dn</param-name>
            <param-value>cn=users,dc=mydomain,dc=com</param-value>
        </init-param>
</code>

If you’re planning on using the Atom API, then add your LDAP config to the Atom servlet:

Look for the lines:

<code>
    <servlet>
        <servlet-name>blojsomatomapi</servlet-name>
        <servlet-class>org.blojsom.extension.atomapi.AtomAPIServlet</servlet-class>
</code>

and again, insert your LDAP configuration just after it, like so:

<code>
    <servlet>
        <servlet-name>blojsomatomapi</servlet-name>
        <servlet-class>org.blojsom.extension.atomapi.AtomAPIServlet</servlet-class>
        <init-param>
            <param-name>blog-ldap-authorization-server</param-name>
            <param-value>odmaster.mydomain.com</param-value>
        </init-param>
        <init-param>
            <param-name>blog-ldap-authorization-dn</param-name>
            <param-value>cn=users,dc=mydomain,dc=com</param-value>
        </init-param>
</code>

The comments servlet doesn’t do authentication, so we don’t need to modify it.
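A quick way to confirm that every authenticating servlet received both parameters, as an added example that is not part of the original article or of blojsom. The function name `audit_ldap_params`, the sample web.xml and the host `odreplica.mydomain.com` are constructed, and the check assumes one element per line, as in the listings above.

```shell
# Added example: flag blojsom servlets in web.xml that lack an LDAP
# init-param or point at a different LDAP server than the first one seen.
audit_ldap_params() {
  awk '
    function text(line) { sub(/^[^>]*>/, "", line); sub(/<.*$/, "", line); return line }
    /<servlet>/                { inside = 1; name = ""; server = ""; dn = "" }
    inside && /<servlet-name>/ { name = text($0) }
    inside && /<param-name>/   { param = text($0) }
    inside && /<param-value>/  {
      if (param == "blog-ldap-authorization-server") server = text($0)
      if (param == "blog-ldap-authorization-dn") dn = text($0)
    }
    /<\/servlet>/ {
      if (name == "blojsom" || name == "blojsomxmlrpc" || name == "blojsomatomapi") {
        if (server == "") print name ": missing blog-ldap-authorization-server"
        if (dn == "") print name ": missing blog-ldap-authorization-dn"
        if (server != "" && first == "") first = server
        if (server != "" && server != first) print name ": server " server " differs from " first
      }
      inside = 0
    }
  ' "$@"
}

# Constructed sample: XML-RPC servlet half-configured, Atom servlet untouched.
sample_webxml() {
  cat <<'EOF'
<web-app>
    <servlet>
        <servlet-name>blojsom</servlet-name>
        <init-param>
            <param-name>blog-ldap-authorization-server</param-name>
            <param-value>odmaster.mydomain.com</param-value>
        </init-param>
        <init-param>
            <param-name>blog-ldap-authorization-dn</param-name>
            <param-value>cn=users,dc=mydomain,dc=com</param-value>
        </init-param>
    </servlet>
    <servlet>
        <servlet-name>blojsomxmlrpc</servlet-name>
        <init-param>
            <param-name>blog-ldap-authorization-server</param-name>
            <param-value>odreplica.mydomain.com</param-value>
        </init-param>
    </servlet>
    <servlet>
        <servlet-name>blojsomatomapi</servlet-name>
    </servlet>
</web-app>
EOF
}

sample_webxml | audit_ldap_params
```

Against the real file, run `audit_ldap_params /Library/Tomcat/webapps/blojsom/WEB-INF/web.xml`; no output means all three servlets carry both parameters and agree on the server.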

We need to set up an area for blog data to be stored. These are text files that contain the entries themselves.
I’m going to use /usr/local/blog-data, and set up the default blog here as well.

<code>
sudo mkdir /usr/local/blog-data
sudo mkdir /usr/local/blog-data/default
</code>

Step 2: Setting up a blog

Now, we need to create our first blog for an LDAP user.

First, let’s make sure that Tomcat has permission to update the settings for the default user, and for the resources folder, which is where images and theme data are stored.

<code>
sudo chown -R appserver /Library/Tomcat/webapps/blojsom/WEB-INF/default
sudo chown -R appserver /Library/Tomcat/webapps/blojsom/resources
</code>

I prefer to create my own template directory based upon the default that I can then use for all my users like so:

<code>
cd /Library/Tomcat/webapps/blojsom
sudo cp -Rp WEB-INF/default WEB-INF/default_template
sudo cp -Rp resources/default resources/default_template
</code>

We’re going to be using LDAP for authorization, so delete the authorization.properties file:

<code>
sudo rm WEB-INF/default_template/authorization.properties
</code>

Edit the file “blog.properties” in the WEB-INF/default_template folder so that it looks like this:

<code>
#
# blojsom user properties configuration file
#
blog-directory-depth=6
blog-language=en
blog-country=US
blog-name=BLOGOWNER
blog-description=BLOGOWNER - blog
blog-home=/usr/local/blog-data/BLOGOWNER
blog-base-url=http://myserver.mydomain.com/blojsom/
blog-url=http://myserver.mydomain.com/blojsom/blog/BLOGOWNER/
blog-file-extensions=.*html, .*txt, .*textile
blog-entry-meta-data-extension=.meta
blog-properties-extensions=.properties
blog-entries-display=15
blog-default-category-mapping=
blog-directory-filter=.*/CVS
blog-owner=BLOGOWNER
blog-owner-email=[email protected]
blog-comments-enabled=true
blog-comments-directory=.comments
blog-trackbacks-enabled=true
blog-trackbacks-directory=.trackbacks
blog-email-enabled=false
blog-file-encoding=
blog-blacklist-file=blacklist.filters
blog-xmlrpc-entry-extension=.html
blog-banned-ip-addresses=
blog-default-flavor=html
plugin-comment-autoformat=true
linear-navigation-enabled=false

#
# MetaWeblog extension properties
#
blojsom-extension-metaweblog-accepted-types=image/jpeg, image/jpg, image/gif, image/png, img
</code>

We’ve set things up so that we will be using Apache with mod_jk for blojsom, so that users behind strict firewalls can still view the pages. If you don’t want to do this, and you just want to serve these pages out using Tomcat without Apache, change the lines:

<code>
blog-base-url=http://myserver.mydomain.com/blojsom/
blog-url=http://myserver.mydomain.com/blojsom/blog/BLOGOWNER/
</code>

so that they look like:

<code>
blog-base-url=http://myserver.mydomain.com:9006/blojsom/
blog-url=http://myserver.mydomain.com:9006/blojsom/blog/BLOGOWNER/
</code>

You may also want to change the blog-owner-email property if this isn’t the format of your email addresses.

Now we’re going to copy our template blog to set up a blog for a user who exists in Open Directory with the short name ‘odusername’. Replace this with the username you wish to create a blog for.

<code>
sudo cp -Rp WEB-INF/default_template WEB-INF/odusername
sudo cp -Rp resources/default_template resources/odusername
sudo mkdir /usr/local/blog-data/odusername
sudo chown -R appserver /usr/local/blog-data/odusername
</code>

Edit WEB-INF/odusername/blog.properties and replace all instances of ‘BLOGOWNER’ with ‘odusername’ (or whichever username you are creating the blog for). If you’re wondering why we’ve done it like this, it is so that you can easily script creating a new user with a simple sed script, which I’ll put at the end of this entry.

Step 3: Setting up mod_jk

Now, before we start up blojsom, we need to configure Apache to use mod_jk with Tomcat so that visitors can browse the blogs over port 80. If you’re not planning on doing this, you can skip this whole section.

Open up Server Admin for your server, and in the Web service, go to the Modules tab. Enable the “jk_module” module.

Edit the file:

<code>/etc/httpd/httpd.conf</code>

and change the section:

<code>
<IfModule mod_jk.c>
        JKWorkersFile /etc/httpd/workers.properties
        JKLogFile /var/log/httpd/mod_jk.log
        JKLogLevel error
        JKMount /*.jsp JBoss1
        JKMount /servlet/* JBoss1
        JKMount /examples/* JBoss1
</IfModule>
</code>

to:

<code>
<IfModule mod_jk.c>
        JKWorkersFile /etc/httpd/workers.properties
        JKLogFile /var/log/httpd/mod_jk.log
        JKLogLevel error
        JKMount /*.jsp JBoss1
        JKMount /servlet/* JBoss1
        JKMount /examples/* JBoss1
        JKMount /blojsom/* blojsomworker
</IfModule>
</code>

Edit the file:

<code>/etc/httpd/workers.properties</code>

and make the following changes:
Change the line:

<code>
worker.list=JBoss1, JBoss2, loadbalancer
</code>

to

<code>
worker.list=JBoss1, JBoss2, loadbalancer, blojsomworker
</code>

and after the line:

<code>
worker.loadbalancer.balanced_workers=JBoss1, JBoss2
</code>

add:

<code>
# -----------------------
# Blojsom worker
# -----------------------

worker.blojsomworker.port=9007
worker.blojsomworker.host=127.0.0.1
worker.blojsomworker.type=ajp13
worker.blojsomworker.lbfactor=100
</code>

Now check your apache config:

<code>
sudo apachectl configtest
</code>

If no errors were reported (spurious [warn] messages about WebObjects are ok, just make sure you have a “Syntax OK” result returned) then do:

<code>
sudo apachectl graceful
</code>

Try starting Tomcat. If you haven’t set it up before, go to the Application Server service in Server Admin, and in the General tab, choose “Tomcat only”. Save, and Start Service. It takes a little while to start up, so wait a few seconds, and hit Refresh to check that it is working. If you’ve already got Tomcat working, you can skip to the next section “Testing Blojsom”.

To check that Tomcat is working properly, go to this page:

<code>
http://myserver.mydomain.com:9006
</code>

and click on “Servlet Examples” on the left hand side.

If this all seems ok, then Tomcat is fine.

Now to test mod_jk, try:

<code>
http://myserver.mydomain.com/examples/servlets/
</code>

If this gives you the same page, then mod_jk is working happily.

Step 4: Testing Blojsom

Now try:

<code>
http://myserver.mydomain.com/blojsom/blog/default/
</code>

to see the default blog.

If that all looks ok, try the blog of the Open Directory user you’ve set up.

<code>
http://myserver.mydomain.com/blojsom/blog/odusername/
</code>

If that all looks ok, try logging into the admin interface for your blog.

<code>
http://myserver.mydomain.com/blojsom/blog/odusername/?flavor=admin
</code>

You should be able to login with your Open Directory username and password.

If that works, try adding some entries, and try switching the theme,
(Plugin Settings -> Configure Available Plugins -> Theme Switcher Plugin)

If that all works, then it looks like everything is working. You now have a multi-user blog server set up, and have created a blog for a user that authenticates against Open Directory.

Now, if you want an easy way to have this automatically set up blogs for your OD users, you might want to look at a script like this:

This version loops over the listing of a folder. I’ve done this one this way, as this allows me to quickly loop over all these users who are logically grouped, without having to actually interrogate the Open Directory server for group memberships. The ‘grep -e’ statement that the ls gets piped through is there to preclude those pesky “.DS_Store” and “.VolumeIcon.icns” files, as well as my group shared folders, which all start with uppercase characters.

<code>
#!/bin/sh
#
# Create a blojsom blog for every user who has a folder in the share point.
BLOJHOME=/Library/Tomcat/webapps/blojsom
PROPS="$BLOJHOME/WEB-INF/blojsom.properties"
# Lowercase names only: skips .DS_Store, .VolumeIcon.icns and group folders
for user in $(ls /Volumes/raid/mystaff | grep -e "^[a-z]")
do
  if [ ! -e "$BLOJHOME/WEB-INF/$user" ]
  then
    cp -Rp "$BLOJHOME/WEB-INF/default_template" "$BLOJHOME/WEB-INF/$user"
    cp -Rp "$BLOJHOME/resources/default_template" "$BLOJHOME/resources/$user"
    mkdir -p "/usr/local/blog-data/$user"
    # Replace the template placeholder with the user's short name
    sed "s|BLOGOWNER|$user|g" "$BLOJHOME/WEB-INF/default_template/blog.properties" > "$BLOJHOME/WEB-INF/$user/blog.properties"
    chown appserver "$BLOJHOME/WEB-INF/$user/blog.properties"
    chown appserver "/usr/local/blog-data/$user"
    # Append the user to blojsom-users unless the name already appears
    if ! grep -q "$user" "$PROPS"
    then
      BLOJUSERS=$(grep blojsom-users "$PROPS")
      # mktemp avoids writing a predictable file name in /tmp as root
      TMPFILE=$(mktemp /tmp/blojsom.properties.XXXXXX) || exit 1
      grep -v blojsom-users "$PROPS" > "$TMPFILE"
      echo "$BLOJUSERS,$user" >> "$TMPFILE"
      cp "$TMPFILE" "$PROPS"
      rm -f "$TMPFILE"
    fi
  fi
done
serveradmin stop appserver && serveradmin start appserver
</code>

If you really do want to loop over all the users in your Open Directory setup, you could change the for loop to something like:

<code>
for user in $(dscl /LDAPv3/odmaster.mydomain.com -list /Users)
</code>

but you’ll probably want to filter out some users like unknown and maybe your OD Dir Admin account.

<code>
for user in $(dscl /LDAPv3/odmaster.mydomain.com -list /Users | grep -v unknown | grep -v myodadmin)
</code>

You could do that more elegantly in the script by checking the username, rather than just grepping, but that works…
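One way to check the username instead of grepping, as an added example that is not part of the original script. The function names `provisionable` and `add_blojsom_user` and the allowed character set are assumptions; the exclusion list reuses the two account names above.

```shell
# Added example: vet a short name before it reaches sed or a path, and add
# it to blojsom-users only if it is not already an exact member of the list.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only

# Accept lowercase short names; refuse accounts that should never get a blog.
# The allowed character set is an assumption, adjust it to your directory.
provisionable() {
  case "$1" in
    unknown|myodadmin) return 1 ;;   # exact match, so "unknown2" still passes
    ''|*[!a-z0-9_-]*) return 1 ;;    # rejects "/", "|", "&", ".", spaces
    [a-z]*) return 0 ;;
    *) return 1 ;;
  esac
}

# add_blojsom_user PROPS USER
# Returns 0 if added or already present, 2 if the name is refused.
add_blojsom_user() {
  props=$1 user=$2
  provisionable "$user" || return 2
  current=$(sed -n 's/^blojsom-users=//p' "$props" | tr -d ' ')
  case ",$current," in
    *",$user,"*) return 0 ;;         # whole-name match against the list
  esac
  tmp=$(mktemp "${TMPDIR:-/tmp}/blojsom.properties.XXXXXX") || return 1
  awk -v u="$user" '
    /^blojsom-users=/ { sep = ($0 ~ /=[ ]*$/) ? "" : ","; print $0 sep u; seen = 1; next }
    { print }
    END { if (!seen) print "blojsom-users=" u }
  ' "$props" > "$tmp"
  # cp, as in the article's script, keeps the owner and mode of the live file
  cp "$tmp" "$props" && rm -f "$tmp"
}

# Constructed demo on a scratch copy of the property file.
demo=$(mktemp) && printf 'blojsom-users=default\n' > "$demo"
add_blojsom_user "$demo" odusername && cat "$demo"
rm -f "$demo"
```

Inside the loop, `add_blojsom_user "$BLOJHOME/WEB-INF/blojsom.properties" "$user" || continue` would skip refused names before any directory is copied.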

This is kind of why I like looping over sharepoints. I know that all the users in a certain group who should have this service will be in one of several sharepoints, and it’s kind of easier. If they don’t have a home directory yet, they shouldn’t be blogging yet either…

So this is how I’m running my blog, and have set up blogs for all my staff. As always though, buyer beware, especially when it’s free… standard I am not responsible for destroying your server disclaimer here.

No Comments

  • when you are setting up the blog for your Open Directory user,

    you need to add their username to the “blojsom-users” property in:


    /Library/Tomcat/webapps/blojsom/WEB-INF/blojsom.properties


    like so:


    blojsom-users=default,odusername

    • BLOJUSERS=$(grep blojsom-users $BLOJHOME/WEB-INF/blojsom.properties)
      cat $BLOJHOME/WEB-INF/blojsom.properties \
      | grep -v blojsom-users > /tmp/blojsom.properties
      echo "$BLOJUSERS,$user" >> /tmp/blojsom.properties
      cp /tmp/blojsom.properties $BLOJHOME/WEB-INF/blojsom.properties

      takes care of this….

      • Well I considered that step optional, as I didn’t expect everyone to want
        to create all their OD users blogs automatically.

        Thanks for pointing that out though, I should have mentioned that the
        script does do this for you, but if you’re going through this step by step,
        then when you get to the stage of actually testing the first blog for
        ‘odusername’, then it will not work unless you have added their
        username to the blojsom-users property.

  • Questions:

    a. Having installed the mod_jk thingy etc, the blogs show up on all sites

    ie:
    domain1.com/blojsom/blog/default
    domain2.com/blojsom/blog/default
    etc
    all show up.

    How do I limit it to just one site?

    b. how can I have it so that the url is in the form:

    USERNAME.domain1.com

    or if that’s difficult

    blogs.domain1.com/default

    Cheers.

    • It depends if you want to install any other Tomcat apps.

      Instead of installing blojsom into /Library/Tomcat/webapps/blojsom, you
      can install it into /Library/Tomcat/webapps/ROOT

      Then it will appear at:

      http://your.server:9006/blog/

      If you want it to not even have the /blog suffix, I’m not sure what you
      can do. You might have to mess around with the web.xml settings for
      blojsom and Tomcat. I’d post this to the blojsom users mailing list,
      David is REALLY helpful, one of the most community minded open
      source developers I’ve ever come across.

      You’ll then need to do the JKMount entries on an individual virtual host
      level, rather than globally for specific hosts.

      You’d then need to write your own redirects I guess for
      username.domain to domain/blog/username/ , but there might be a
      better way…

  • Yup. That’s changed since the release I wrote this for, there’s now a
    permissions model for multiple users.

    I’ll update this entry as soon as I can, I’ll re-write the instructions for the
    latest release.

    I also wanted to add some stuff on how to trim down the admin
    interface, as I’ve been restricting my students from being able to upload
    files, and when you’re using OD authentication, you probably want to
    get rid of some of the admin interface to do with authentication and
    authorization.
