NOTICE: This document has been deprecated. It is here for historical purposes. Eventually the
contents will be moved to a new location.
The intent of this document is to help new users with OpenLDAP Fortress IAM software using one of the Linux
QUICKSTART packages located here:
iamfortress.org/download
For instructions on how to get Fortress connected to an existing OpenLDAP instance, follow the instructions
inside SECTION 6 of this document: README.txt
Table of Contents
- System Prerequisites
- Guidelines and Tips for first-time users
- Section I - download Fortress QUICKSTART and prepare the package
- Section II - compile Fortress source and build distribution packages
- Section III - install, configure and load OpenLDAP with seed data
- Section IV - integration test Fortress and OpenLDAP
- Section V - Commander Web Administration demo
- Section VI - integration test Commander with Selenium
- Section VII - connecting to Commander via Web browser
- Section VIII - Instructions to use Fortress Command Line Interpreter (CLI)
- Section IX - Instructions to use Fortress Console utility (CLI)
- Section X - How to generate and view javadoc
- Section XI - EnMasse REST Policy Server demo
- Section XII - integration test Fortress, EnMasse and OpenLDAP
- Section XIII - enable and test the OpenLDAP RBAC Accelerator Overlay
- Section XIV - misc info about other utilities
System Prerequisites
- Internet access to retrieve binary dependencies from online Maven repo.
- Java SDK Version 7 or beyond installed to target environment
- Redhat or Ubuntu server machine (for Windows environments use README-QUICKSTART-WINDOWS.html)
- 1GB RAM
- 20GB HD
NOTE: The Fortress build.xml may run without connection to Internet iff:
- The binary dependencies have previously been downloaded to FORTRESS_HOME/lib folder
- Local mode has been enabled on target machine. Local mode can be enabled by adding this property to
build.properties: local.mode=true
Guidelines and Tips for first-time users
- In the document that follows, when you read [version] or [platform], substitute the current
package info. For example, if the downloaded package version is 1.0.0 and platform is 'Debian Silver i386', where the
instructions show fortressBuilder-[platform]-[version].zip your file name would be
fortressBuilder-Debian-Silver-i386-1.0.0.zip
- Is your target machine Windows? Go to README-QUICKSTART-WINDOWS.html
- The source code for this project is located here: ./src.
Instructions to download, extract and configure Fortress Builder Package to Target System
- Download one of the linux packages from here: iamfortress.org/download
- Copy fortressBuilder-[platform]-[version].zip to hard drive on target server env.
- Extract the zip. The location for archive can vary according to requirements. The location of package
will be referred to as FORTRESS_HOME later on.
- Enable permission for the binaries to execute. From FORTRESS_HOME root folder, enter the following
command from a system prompt:
chmod a+x -Rf *
- If on a Debian platform and using sudo, edit the file named 'build.properties' and insert the sudo password here:
sudo.pw=your pw here
Note: For Redhat deployments leave this param's value empty, like below, otherwise the 'stop-slapd'
target may not work.
sudo.pw=

Instructions to run the Fortress Ant Build
- From FORTRESS_HOME root folder, edit the b.sh script to point to Java home:
export JAVA_HOME=/opt/jdk1.7.0_10

- Run the distribution target:
./b.sh dist

Note: The b.sh batch file referred to here uses the Ant package that is local to the Fortress quickstart
package.
- Verify it ran correctly according to Ant:
BUILD SUCCESSFUL

You may now view the project binaries and documentation located under FORTRESS_HOME/dist.

Instructions to run the Builder to Install Symas OpenLDAP, configure and load with seed data
Important: This target reinstalls and reloads the OpenLDAP server
program, configuration and data.
- The Fortress 'init-slapd' target uses LDAPv3 to perform initial operations.
Edit build.properties and ensure the following line has been commented out:

Note: The default for this setting is 'false' or disabled.
- From FORTRESS_HOME root folder, enter the following command from a system prompt:
If using sudo:
sudo ./b.sh init-slapd

If not using sudo, you must run as a user that has privileges to modify folders in /var and /opt. Become that
user before running the command to kick off the install:
su
[enter your pw]
./b.sh init-slapd
- Verify it ran correctly according to Ant.
BUILD SUCCESSFUL

- After the above step completes, Symas OpenLDAP will be installed, configured and loaded with the Fortress
bootstrap config. This step also runs provisioning scripts which may be tailored according to requirements.
Check out the XML load scripts in the FORTRESS_HOME/ldap/setup folder.
- Point your preferred LDAP browser, ours is Apache Directory Studio, to the installed directory.
The configuration parameters you'll need to browse can be found in the generated 'slapd.conf' file.
To view data stored in default database:
suffix "dc=openldap,dc=org"
rootdn "cn=Manager,dc=openldap,dc=org"
rootpw "secret"
The root pw will be encrypted before being stored in slapd.conf.

To view data stored in audit log database:
suffix "cn=log"
rootdn "cn=Manager,cn=log"
rootpw "secret"
The log root pw will be encrypted before being stored in slapd.conf.
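
One way to confirm, after 'init-slapd' has run, that neither rootpw was left in cleartext in the generated slapd.conf. This is an added example, not part of the original document or the Fortress package; it assumes stored hashes carry OpenLDAP's {SCHEME} prefix, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Fortress code: report per database suffix whether the
# rootpw in a slapd.conf is hashed ({SCHEME}...) or still cleartext.

# Constructed sample: default database hashed, audit log database left at
# the quickstart default. The {SSHA} value is a placeholder, not a real hash.
write_sample_conf() {
    cat > "$1" <<'EOF'
suffix "dc=openldap,dc=org"
rootdn "cn=Manager,dc=openldap,dc=org"
rootpw {SSHA}ConstructedPlaceholderNotARealHash
suffix "cn=log"
rootdn "cn=Manager,cn=log"
rootpw "secret"
EOF
}

# check_rootpw FILE -> one line per rootpw: "<suffix> <state>"
check_rootpw() {
    awk '
        function unq(s) { gsub(/^"|"$/, "", s); return s }   # drop quotes
        /^[ \t]*#/      { next }                              # skip comments
        $1 == "suffix"  { suffix = unq($2) }                  # current database
        $1 == "rootpw"  {
            pw = unq($2)
            if (substr(pw, 1, 1) == "{" && index(pw, "}") > 2)
                state = "hashed"
            else if (pw == "secret")
                state = "default-cleartext"
            else
                state = "cleartext"
            print suffix, state
        }
    ' "$1"
}

# count_unhashed_rootpw FILE -> number of rootpw values stored in cleartext
count_unhashed_rootpw() {
    check_rootpw "$1" | awk '$NF != "hashed" { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp)
write_sample_conf "$demo"
check_rootpw "$demo"
rm -f "$demo"
```

Call check_rootpw with the path of the generated slapd.conf; a non-zero result from count_unhashed_rootpw means at least one database still has a cleartext root password.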

Instructions to regression test Fortress and Symas OpenLDAP on target machine (optional)
- From FORTRESS_HOME root folder, enter the following command from a system prompt:
./b.sh test-full

Note: The Fortress regression tests will run for around 3 minutes.
- Verify these tests ran with no ERRORS.
BUILD SUCCESSFUL

- To re-run these tests:
./b.sh test-full
Note 1: WARNING messages in test output are good as these are negative tests in action.
Note 2: If you made it this far without junit or ant ERRORS, the Fortress and Symas OpenLDAP IAM system
are certified to run on your machine.
Note 3: These tests load tens of thousands of records into your newly installed directory.
The 'init-slapd' and 'test-full' targets may be re-run as often as necessary. After regression testing has
completed, you may run the 'init-slapd' target to remove all test data from the directory.
Instructions to install Commander Web UI Demo (optional)
Run the install-commander-demo target:
./b.sh install-commander-demo
Instructions to automatically test Commander Web UI Demo (optional)
Run the commander-maven-test target to perform a headless test of Commander Web:
./b.sh commander-maven-test
Note: Firefox must be preinstalled on the target system.
Instructions to connect to Commander Web Admin
Open a browser and enter the following URL:
http://localhost:8080/commander
userId: test
password: test
Click on the links on top or the buttons on the side of the page to navigate between pages.
Instructions to run the Fortress Command Line Interpreter (CLI) utility (optional)
This command line tool provides an interactive session with the user based on a simple command line
syntax.
- To start the CLI, enter:
./b.sh cli

Which will bring up the command interpreter:

- Enter the command:
review fuser -u demo

This example will return all users with userId that begins with 'demo':

- To learn more about the CLI and what it can do, follow the instructions in the command line interpreter
reference manual in the javadoc located here:
Command Line Interpreter
Note: if javadocs are not found, go to Section X
Instructions to run Fortress Console (optional)
For tasks like one-time setup of new users, password resets and searches,
the Fortress Console application can be used.
- From FORTRESS_HOME root folder, enter the following command
from a system prompt:
./b.sh console

- Console Screenshots...
- Main Menu:

- Enter choice and follow the screen prompts to edit RBAC data:

- Enter choice and follow the screen prompts to search RBAC data:

- Enter choice and follow the screen prompts to test RBAC policies:

- Enter choice and follow the screen prompts to set up ARBAC delegated policies:

- Enter choice and follow the screen prompts to search through the AUDIT log:
Instructions to generate and view Javadoc (optional)
- Run the javadoc target:
./b.sh javadoc

- Navigate to where the docs are generated:

- Open 'index.html' using your preferred HTML browser:

- The javadoc provides coverage of the Fortress APIs and also provides explanations on how RBAC, ARBAC, PW
Policies and Audit work.
- Good places to start learning about Fortress:
Instructions to install EnMasse Policy Server Demo (optional)
- Run the install-enmasse-demo target:
./b.sh install-enmasse-demo
- Verify it ran correctly according to Ant.
BUILD SUCCESSFUL

- After the above step completes, Fortress EnMasse will be installed.
Instructions to regression test EnMasse Policy server on target machine (optional)
- Edit file named 'build.properties' and enable REST protocol here:
enable.mgr.impl.rest=true
Accept the defaults for other HTTP parameters in build.properties:
http.user=demouser4
http.pw=gX9JbCTxJW5RiH+otQEX0Ja0RIAoPBQf
http.host=localhost
http.port=8080
Should look like the following:

- Save and exit the text file editor
- From FORTRESS_HOME root folder, enter the following command from a system prompt:
./b.sh test-full

Note: The EnMasse regression tests will run for around 20 minutes.
- Verify these tests ran with no ERRORS.
BUILD SUCCESSFUL

- This regression test may be rerun as often as necessary:
./b.sh test-full
Note 1: WARNING messages in test output are good as these are negative tests in action.
Note 2: If you made it this far without junit or ant ERRORS, EnMasse is installed and certified to
run on your machine.
Note 3: These tests load tens of thousands of records into your directory.
The 'test-full' target may be re-run as often as necessary. After regression testing has completed, you
may run the 'init-slapd' target to remove all test data from the directory.
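
Section I stores the sudo password in build.properties and this section keeps the shipped http.pw; the script below flags both, along with loose permissions on the file. It is an added example, not part of the original document or the Fortress package, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Fortress package: audit the credential
# settings in build.properties that this quickstart has you edit.

# http.pw value as printed in this document (the shipped default).
DEFAULT_HTTP_PW='gX9JbCTxJW5RiH+otQEX0Ja0RIAoPBQf'

# prop FILE KEY -> value of the last uncommented "KEY=value" line, or empty
prop() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "=") }
        i > 0 && substr($0, 1, i - 1) == k { v = substr($0, i + 1) }
        END { print v }
    ' "$1"
}

# audit_build_props FILE -> one finding per line, nothing when clean
audit_build_props() {
    f=$1
    if [ -n "$(prop "$f" sudo.pw)" ]; then
        echo "sudo.pw: cleartext sudo password stored in $f"
        # Mode bits only: is the file readable by group or other?
        if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
            echo "mode: $f is readable by group or other"
        fi
    fi
    if [ "$(prop "$f" http.pw)" = "$DEFAULT_HTTP_PW" ]; then
        echo "http.pw: still the value shipped with the quickstart"
    fi
}

# Stand-alone demo on a constructed build.properties (values are made up
# except http.pw, which is the default shown above).
demo=$(mktemp)
printf 'sudo.pw=constructed-example\nhttp.user=demouser4\nhttp.pw=%s\n' \
    "$DEFAULT_HTTP_PW" > "$demo"
chmod 644 "$demo"
audit_build_props "$demo"
rm -f "$demo"
```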
Instructions to enable RBAC Accelerator Overlay in OpenLDAP and test Java-side bindings (optional)
- Edit file named 'build.properties' and enable RBAC accelerator by adding:
rbac.accelerator=true
- Save and exit the text file editor
- Reinstall Symas OpenLDAP by running the init-slapd target described in Section III: Instructions
to run the Builder to Install Symas OpenLDAP, configure and load with seed data
- Load necessary test data for unit tests:
./b.sh admin -Dparam1=ldap/setup/RbacAcceleratorTestUsers.xml
- Now you can run the RBAC accelerator unit tests:
./b.sh test-accel
- Verify the test-accel target completed with no ant or junit errors
- Reload necessary regression test data by running the test-full target described in Section IV:
Instructions to regression test Fortress and Symas OpenLDAP on target machine
- Now you can run the RBAC accelerator regression tests:
./b.sh test-accel-full
- Verify the test-accel-full target completed with no ant or junit errors
- Check out the javadoc for learning about APIs supported within the RBAC accelerator:
Fortress Accelerator Client
Note 1: The RBAC accelerator turns OpenLDAP into an RBAC Policy Decision Point (PDP) server. All state is
maintained in OpenLDAP LMDB databases including session and audit trail.
Note 2: The slapd.conf file contains the mappings for the new database backends. You can view this
data using any LDAP browser.
Note 3: Bindings for C and Python are being worked on and will be released soon.
Note 4: SessionPermissions will be in a future release as required by ANSI RBAC (INCITS 359) Core
functionality.
More Utilities
Other execution targets you may find useful:
- 'test-samples' - contains examples of how the Fortress APIs work.
Check out the following javadoc for more info on the samples package:
Samples Javadoc
- 'admin' - provides an XML-centric way to provision RBAC data policies and user accounts.
Check out the following javadoc for more info on this utility:
Fortress Ant admin script utility document
- 'encrypt' - interface to Jasypt encryption utility
- 'start-slapd' - Starts OpenLDAP on target machine.
- 'stop-slapd' - Stops OpenLDAP on target machine.
Note: for slapd commands sudo or elevated privileges may be required.
- display all ant targets available:

Copyright (c) 2003-2015, The Apache Software Foundation. All Rights Reserved.