incubator-jspwiki-user mailing list archives

From David Gao <david...@gmail.com>
Subject Re: LDAP groups
Date Thu, 06 Mar 2008 01:45:14 GMT
Hi Milton,

I did not change the policy for "Authenticated" as I think jspwiki may 
need that internally. Hope my configuration below may help.

Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One 
Directory Server)
      <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://localhost:389"
           connectionName="cn=Directory Manager"
           connectionPassword="password"
           userPassword="userPassword"
           userPattern="uid={0}, ou=People,dc=example,dc=com"
           roleBase="ou=Groups,dc=example,dc=com"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(uniqueMember={0})"
      />
----------------------------------------------------------------------------
JSPWiki web.xml Security constraint

       <auth-constraint>
           <role-name>tomcat-admin</role-name>
           <role-name>LGE-SH</role-name>
...................

   <security-role>
       <description>
           This logical role includes all administrative users
       </description>
       <role-name>tomcat-admin</role-name>
   </security-role>
-------------------------------------------------------------------------------
Security policy: (added the following as a new entry, no new policy 
added for other LDAP groups)

grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};


-------- Original Message --------
> Can I just clarify that it is not possible to "rename" the 
> Authenticated role in the policy file in order to map it to something 
> else in the LDAP directory?
>
> Last time I investigated this, it seemed that jspwiki expected there 
> to be a role named "Authenticated" that the user was a member of, 
> regardless of what the policy file might call this role.
>
>
> Andrew Jaquith wrote:
>> David - your simple example works much better than my long-winded 
>> explanation might have. :) Nice one.
>>
>> Ryan - the important point here is that you can add container roles 
>> to your security policy file using the syntax in David's example. You 
>> can use container roles in wiki page ACLs, too. To make this work, 
>> you need to make sure you have a "role" element in your web.xml for 
>> each LDAP group you are referencing.
>>
>> Andrew
>>
>> On Mar 5, 2008, at 16:59, David Gao <davidgjm@gmail.com> wrote:
>
>


-- 
David Gao (davidgjm@gmail.com)
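The thread's practical rule is that every LDAP group named in the JSPWiki policy (and in an auth-constraint) needs a matching security-role declaration in web.xml. The following script is an added example, not code from this thread or from the JSPWiki project; it cross-checks the two files on a constructed sample in which one group has been left undeclared. The PagePermission grant and the "LGE-SH" policy entry are constructed for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configuration in this thread (not the
# poster's actual files). "LGE-SH" is referenced but has no <security-role>.
WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint>
      <role-name>tomcat-admin</role-name>
      <role-name>LGE-SH</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>tomcat-admin</role-name>
  </security-role>
</web-app>"""

JSPWIKI_POLICY = """
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "LGE-SH" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
"""

# Roles JSPWiki defines itself; they never come from the LDAP directory.
BUILTIN_ROLES = {"Anonymous", "Asserted", "Authenticated", "All"}

GRANT_RE = re.compile(
    r'grant\s+principal\s+com\.ecyrd\.jspwiki\.auth\.authorize\.Role\s+"([^"]+)"')

def policy_roles(policy_text):
    """Container roles named in 'grant principal ...Role "X"' entries."""
    return set(GRANT_RE.findall(policy_text)) - BUILTIN_ROLES

def declared_roles(web_xml_text):
    """Roles declared via <security-role><role-name>; {*} tolerates the
    servlet namespace a real web.xml usually carries."""
    root = ET.fromstring(web_xml_text)
    return {r.text.strip() for r in root.findall("./{*}security-role/{*}role-name")}

def constrained_roles(web_xml_text):
    root = ET.fromstring(web_xml_text)
    return {r.text.strip() for r in root.findall(".//{*}auth-constraint/{*}role-name")}

def undeclared_roles(web_xml_text, policy_text):
    """LDAP groups referenced in the policy or an auth-constraint but never
    declared, i.e. groups the container will not expose to JSPWiki."""
    referenced = policy_roles(policy_text) | constrained_roles(web_xml_text)
    return sorted(referenced - declared_roles(web_xml_text))

if __name__ == "__main__":
    for role in undeclared_roles(WEB_XML, JSPWIKI_POLICY):
        print(f"missing <security-role> for LDAP group: {role}")
```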

