incubator-jspwiki-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christophe Dupriez" <>
Subject LDAP recursive groups + Kerberos automatic authentication
Date Thu, 06 Mar 2008 10:19:21 GMT
Very nice work David! Thank you very much!

My example is tested with Tomcat 6 (where debug attribute does not exist anymore).
For Intranets, may I suggest SSO valve in the <Host> element of Tomcat's server.xml:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

In the MS$ World, what we need to do (intranet Wiki):

1) replace NTLM Authentication (phased out by Microsoft and hated by my network admin) switching
to SPNEGO+Kerberos Authentication. This implies JAAS Realm (and not JNDI) + standard Sun Kerberos

2) I did not succeed up to now to have Kerberos authentication without ever showing a login
form to user (but most of them already disappeared)

3) Standard Sun Kerberos LoginModule does not provide ANY role after authentication: those
have to be added by LDAP queries.
    a) Basic example: 
    b) LDAP queries example: 

4) So I need to merge both to create a Krb5LDAPLoginModule able to authenticate with Kerberos
and get roles from LDAP. Roles will have to be obtained recursively to allow groups of groups
in Active Directory (this may have to be cached or user principals are already cached?)

If anybody knows better examples to start with than those given above, please let me know!
    (I am so surprised nothing simple has been published before)

Have a nice day!


-----Original Message-----
From: David Gao [] 
Sent: jeudi 6 mars 2008 10:37
Subject: Re: LDAP groups


I added a wiki page about LDAP authentication on based on Cristophe's config and
mine. Here goes the link:

-------- Original Message --------

To be fully precise, this is what we use:
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionName="CN=Ldaplogin,OU=EDP Login,OU=All Users XP,DC=poison,DC=in"
               connectionPassword="***secret***" connectionURL="ldap://domaincontroller-host:389"
               userBase="OU=All Users XP,DC=domain" userSubtree="true"
               userSearch="(userPrincipalName={0}" userRoleName="memberOf"
               roleBase="CN=Groups,DC=domain" roleName="cn" roleSubtree="true"
               roleSearch="(member={0})" />
(this because we use the e-mail as the login identifier)
By the way, BEWARE: recursive groups are NOT supported by org.apache.catalina.realm.JNDIRealm
: your users will NOT inherit from roles (groups) containing the groups within which your
users are placed.
Good luck!
-----Original Message-----
From: David Gao [] 
Sent: jeudi 6 mars 2008 6:53
Subject: Re: LDAP groups
My configuration just works fine.  Every user in the dedicated LDAP 
group can login JSPWiki with proper access rights defined in security 
-------- Original Message --------
David --
Your configuration looks fine. Does it work for you? It looks like it 
Milt --JSPWiki does have a role called "Authenticated" that is granted 
to *every* user who successfully authenticates, regardless of the 
method used to authenticate (container-based or custom). 
"Authenticated" is the role name you should use in the jspwiki.policy 
file to denote authenticated users, and indeed, its name cannot be 
changed. It's what we call a "built-in" role, along with the 
"Anonymous" and "Asserted" roles. It might help you to think of these 
"states" rather than logical roles.
In addition to granting privileges to built-in roles (states), you can 
grant privileges to specific container-managed roles (such as those 
returned by an LDAP lookup). These are entered as grant blocks in 
jspwiki.policy. These container roles must also be entered into 
web.xml, preferably as "security-role" elements, or as 
"auth-constraint/role-name" elements. David has done both of these 
things in his examples: in jspwiki.policy you see a permission grant 
for the container role "tomcat-admin", and a corresponding 
auth-constraint/role-name element for "tomcat-admin" in web.xml.
Milt, if I've failed to answer your (implied) question, please let me 
know and we can investigate further.
On Mar 5, 2008, at 5:45 PM, David Gao wrote:
Hi Milton,
I did not change the policy for "Authenticated" as I think jspwiki 
may need that internally. Hope my configuration below may help
Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One 
Directory Server)
    <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionName="cn=Directory Manager"
         userPattern="uid={0}, ou=People,dc=example,dc=com"
JSPWiki web.xml Security constraint
         This logical role includes all administrative users
Security policy: (added the following as a new entry, no new policy 
added for other LDAP groups)
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
-------- Original Message --------
Can I just clarify that it is not possible to "rename" the 
Authenticated role in the policy file in order to map it to 
something else in the LDAP directory?
Last time I investigated this, it seemed that jspwiki expected there 
to be a role named "Authenticated" that the user was a member of, 
regardless of what the policy file might call this role.
Andrew Jaquith wrote:
David - your simple example works much better than my long-winded 
explanation might have. :) Nice one.
Ryan - the important point here is that you can add container roles 
to your security policy file using the syntax in David's example. 
You can use container roles in wiki page ACLs, too. To make this 
work, you need to make sure you have a "role" element in your 
web.xml for each LDAP group you are referencing.
On Mar 5, 2008, at 16:59, David Gao <> wrote:
David Gao (

David Gao (
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message