incubator-jspwiki-user mailing list archives

From "Christophe Dupriez" <christophe.dupr...@poisoncentre.be>
Subject Re: LDAP groups
Date Thu, 06 Mar 2008 06:45:52 GMT
To my knowledge, with Microsoft Active Directory, roleSearch="(uniqueMember={0})" must be changed
to roleSearch="(member={0})"


Christophe Dupriez
Centre Antipoisons-Antigifcentrum
C/o Hôpital Central de la Base Reine Astrid
Rue Bruyn
1120 Bruxelles
Belgique
tel 32-(0)2.264.96.36
fax 32-(0)2.264.96.46



----- Original Message -----
From: David Gao [mailto:davidgjm@gmail.com]
To: jspwiki-user@incubator.apache.org
Subject: Re: LDAP groups


> Andrew,
> 
> My configuration just works fine.  Every user in the dedicated LDAP 
> group can log in to JSPWiki with the proper access rights defined in the security 
> policy.
> 
> -------- Original Message --------
> > David --
> >
> > Your configuration looks fine. Does it work for you? It looks like it 
> > should...
> >
> > Milt --JSPWiki does have a role called "Authenticated" that is granted 
> > to *every* user who successfully authenticates, regardless of the 
> > method used to authenticate (container-based or custom). 
> > "Authenticated" is the role name you should use in the jspwiki.policy 
> > file to denote authenticated users, and indeed, its name cannot be 
> > changed. It's what we call a "built-in" role, along with the 
> > "Anonymous" and "Asserted" roles. It might help you to think of these as 
> > "states" rather than logical roles.
> >
> > In addition to granting privileges to built-in roles (states), you can 
> > grant privileges to specific container-managed roles (such as those 
> > returned by an LDAP lookup). These are entered as grant blocks in 
> > jspwiki.policy. These container roles must also be entered into 
> > web.xml, preferably as "security-role" elements, or as 
> > "auth-constraint/role-name" elements. David has done both of these 
> > things in his examples: in jspwiki.policy you see a permission grant 
> > for the container role "tomcat-admin", and a corresponding 
> > auth-constraint/role-name element for "tomcat-admin" in web.xml.
> >
> > Milt, if I've failed to answer your (implied) question, please let me 
> > know and we can investigate further.
> >
> > Andrew
> >
> > On Mar 5, 2008, at 5:45 PM, David Gao wrote:
> >
> >> Hi Milton,
> >>
> >> I did not change the policy for "Authenticated" as I think jspwiki 
> >> may need that internally. Hope my configuration below may help
> >>
> >> Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One 
> >> Directory Server)
> >>     <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
> >>          connectionURL="ldap://localhost:389"
> >>          connectionName="cn=Directory Manager"
> >>          connectionPassword="password"
> >>          userPassword="userPassword"
> >>          userPattern="uid={0}, ou=People,dc=example,dc=com"
> >>          roleBase="ou=Groups,dc=example,dc=com"
> >>          roleName="cn"
> >>          roleSubtree="true"
> >>          roleSearch="(uniqueMember={0})"
> >>     />
> >>
> >>
> >> JSPWiki web.xml Security constraint
> >>
> >>      <auth-constraint>
> >>          <role-name>tomcat-admin</role-name>
> >>          <role-name>LGE-SH</role-name>
> >> ...................
> >>
> >>  <security-role>
> >>      <description>
> >>          This logical role includes all administrative users
> >>      </description>
> >>      <role-name>tomcat-admin</role-name>
> >>  </security-role>
> >>
> >>
> >> Security policy: (added the following as a new entry, no new policy 
> >> added for other LDAP groups)
> >>
> >> grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
> >>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> >> };
> >>
> >>
> >> -------- Original Message --------
> >>> Can I just clarify that it is not possible to "rename" the 
> >>> Authenticated role in the policy file in order to map it to 
> >>> something else in the LDAP directory?
> >>>
> >>> Last time I investigated this, it seemed that jspwiki expected there 
> >>> to be a role named "Authenticated" that the user was a member of, 
> >>> regardless of what the policy file might call this role.
> >>>
> >>>
> >>> Andrew Jaquith wrote:
> >>>> David - your simple example works much better than my long-winded 
> >>>> explanation might have. :) Nice one.
> >>>>
> >>>> Ryan - the important point here is that you can add container roles
> >>>> to your security policy file using the syntax in David's example. 
> >>>> You can use container roles in wiki page ACLs, too. To make this 
> >>>> work, you need to make sure you have a "role" element in your 
> >>>> web.xml for each LDAP group you are referencing.
> >>>>
> >>>> Andrew
> >>>>
> >>>> On Mar 5, 2008, at 16:59, David Gao <davidgjm@gmail.com> wrote:
> >>>
> >>>
> >>
> >>
> >> -- 
> >> David Gao (davidgjm@gmail.com)
> >>
> >
> >
> 
> 
> -- 
> David Gao (davidgjm@gmail.com)
> 
> 

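The thread above ties three files together: the JNDIRealm in Tomcat's server.xml (whose roleSearch attribute must name the membership attribute the directory actually uses), the role-name declarations in web.xml, and the grant blocks in jspwiki.policy, which only take effect for container roles that web.xml also declares. The script below is an added example, not code from the thread or from the JSPWiki project, that cross-checks those three pieces. The server.xml, web.xml and jspwiki.policy strings are constructed samples modelled on David's snippets (with an extra "wiki-editors" grant that web.xml does not declare, to show the check firing); the mapping of directory type to membership attribute (Sun ONE groupOfUniqueNames: uniqueMember; Active Directory: member) is an assumption drawn from Christophe's remark and standard LDAP group schemas.

```python
"""Added example: cross-check JNDIRealm roleSearch, web.xml role-names and
jspwiki.policy grants for the container-role setup discussed in the thread."""
import re
import xml.etree.ElementTree as ET

# --- Constructed sample inputs (not a real deployment) --------------------
SERVER_XML = """<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://localhost:389"
         userPattern="uid={0},ou=People,dc=example,dc=com"
         roleBase="ou=Groups,dc=example,dc=com"
         roleName="cn"
         roleSubtree="true"
         roleSearch="(uniqueMember={0})"/>
</Engine></Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint><auth-constraint>
    <role-name>tomcat-admin</role-name>
    <role-name>LGE-SH</role-name>
  </auth-constraint></security-constraint>
  <security-role><role-name>tomcat-admin</role-name></security-role>
</web-app>"""

JSPWIKI_POLICY = """
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-editors" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
};
"""

# Built-in JSPWiki roles named in the thread; they are states assigned by
# JSPWiki itself, never container roles, so web.xml need not declare them.
BUILT_IN_ROLES = {"Anonymous", "Asserted", "Authenticated"}

# Assumed membership attribute per directory type (see lead-in).
MEMBER_ATTRIBUTE = {"sunone": "uniqueMember", "ad": "member"}


def _local(tag):
    """Strip a namespace prefix such as {http://...}role-name."""
    return tag.rsplit("}", 1)[-1]


def realm_attributes(server_xml):
    """Attribute map of the first JNDIRealm element in server.xml."""
    for elem in ET.fromstring(server_xml).iter():
        if _local(elem.tag) == "Realm" and elem.get("className", "").endswith("JNDIRealm"):
            return dict(elem.attrib)
    return {}


def web_xml_roles(web_xml):
    """Every role-name declared in web.xml (security-role or auth-constraint)."""
    return {e.text.strip() for e in ET.fromstring(web_xml).iter()
            if _local(e.tag) == "role-name" and e.text}


# Matches: grant principal com.ecyrd.jspwiki.auth.authorize.Role "name" {
GRANT_RE = re.compile(r'grant\s+principal\s+[\w.]*\.Role\s+"([^"]+)"')


def policy_roles(policy):
    """Role names that jspwiki.policy grants permissions to."""
    return set(GRANT_RE.findall(policy))


def undeclared_roles(policy, web_xml):
    """Container roles granted in the policy that web.xml never declares.
    Per the thread, JSPWiki only learns container roles from web.xml, so
    such grants never apply to anyone."""
    return sorted(policy_roles(policy) - BUILT_IN_ROLES - web_xml_roles(web_xml))


def role_search_problem(attrs, directory):
    """Message if roleSearch does not test the membership attribute used by
    the given directory type ('sunone' or 'ad'); None when it does."""
    expected = MEMBER_ATTRIBUTE[directory]
    search = attrs.get("roleSearch", "")
    if re.search(r"\(\s*%s\s*=" % re.escape(expected), search, re.IGNORECASE):
        return None
    return 'roleSearch=%r will not match %s groups; use "(%s={0})"' % (
        search, directory, expected)


if __name__ == "__main__":
    for role in undeclared_roles(JSPWIKI_POLICY, WEB_XML):
        print("jspwiki.policy grants %r but web.xml never declares it" % role)
    problem = role_search_problem(realm_attributes(SERVER_XML), "ad")
    if problem:
        print(problem)
```

Run against the constructed samples, the script reports the "wiki-editors" grant as undeclared and, when told the directory is Active Directory, flags the uniqueMember filter; pointed at Sun ONE it accepts the same filter. Feed it your real server.xml, web.xml and jspwiki.policy (read from disk in place of the sample strings) before relying on an LDAP group to gate an AllPermission grant.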