incubator-jspwiki-user mailing list archives

From David Gao <david...@gmail.com>
Subject Re: LDAP groups
Date Thu, 06 Mar 2008 09:37:03 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
I added a wiki page about LDAP authentication on jspwiki.org based on
Christophe's config and mine. Here goes the link:<br>
<br>
        <a class="moz-txt-link-freetext" href="http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP">http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP</a><br>
<br>
-------- Original Message --------<br>
<blockquote
 cite="mid:635EA31E-C8D8-4010-9A90-86EC1B290F1F@poisoncentre.be"
 type="cite">
  <pre wrap="">To be fully precise, this is what we use:
        &lt;Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionName="CN=Ldaplogin,OU=EDP Login,OU=All Users XP,DC=poison,DC=in"
               connectionPassword="***secret***" connectionURL=<a class="moz-txt-link-rfc2396E"
href="ldap://domaincontroller-host:389">"ldap://domaincontroller-host:389"</a>
               userBase="OU=All Users XP,DC=domain" userSubtree="true"
               userSearch=<a class="moz-txt-link-rfc2396E" href="mailto:(userPrincipalName={0}@yourdomain.com)">"(userPrincipalName={0}@yourdomain.com)"</a>
userRoleName="memberOf"
               roleBase="CN=Groups,DC=domain" roleName="cn" roleSubtree="true"
               roleSearch="(member={0})" /&gt;
(this because we use the e-mail as the login identifier)

By the way, BEWARE: recursive groups are NOT supported by org.apache.catalina.realm.JNDIRealm
: your users will NOT inherit from roles (groups) containing the groups within which your
users are placed.

Good luck!

Christophe

-----Original Message-----
From: David Gao [<a class="moz-txt-link-freetext" href="mailto:davidgjm@gmail.com">mailto:davidgjm@gmail.com</a>]

Sent: Thursday, 6 March 2008 6:53
To: <a class="moz-txt-link-abbreviated" href="mailto:jspwiki-user@incubator.apache.org">jspwiki-user@incubator.apache.org</a>
Subject: Re: LDAP groups

Andrew,

My configuration just works fine.  Every user in the dedicated LDAP 
group can log in to JSPWiki with the proper access rights defined in the security 
policy.

-------- Original Message --------
  </pre>
  <blockquote type="cite">
    <pre wrap="">David --

Your configuration looks fine. Does it work for you? It looks like it 
should...

Milt -- JSPWiki does have a role called "Authenticated" that is granted 
to *every* user who successfully authenticates, regardless of the 
method used to authenticate (container-based or custom). 
"Authenticated" is the role name you should use in the jspwiki.policy 
file to denote authenticated users, and indeed, its name cannot be 
changed. It's what we call a "built-in" role, along with the 
"Anonymous" and "Asserted" roles. It might help you to think of these 
as "states" rather than logical roles.

In addition to granting privileges to built-in roles (states), you can 
grant privileges to specific container-managed roles (such as those 
returned by an LDAP lookup). These are entered as grant blocks in 
jspwiki.policy. These container roles must also be entered into 
web.xml, preferably as "security-role" elements, or as 
"auth-constraint/role-name" elements. David has done both of these 
things in his examples: in jspwiki.policy you see a permission grant 
for the container role "tomcat-admin", and a corresponding 
auth-constraint/role-name element for "tomcat-admin" in web.xml.

Milt, if I've failed to answer your (implied) question, please let me 
know and we can investigate further.

Andrew

On Mar 5, 2008, at 5:45 PM, David Gao wrote:

    </pre>
    <blockquote type="cite">
      <pre wrap="">Hi Milton,

I did not change the policy for "Authenticated" as I think jspwiki 
may need that internally. Hope my configuration below may help

Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One 
Directory Server)
    &lt;Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://localhost:389"
         connectionName="cn=Directory Manager"
         connectionPassword="password"
         userPassword="userPassword"
         userPattern="uid={0}, ou=People,dc=example,dc=com"
         roleBase="ou=Groups,dc=example,dc=com"
         roleName="cn"
         roleSubtree="true"
         roleSearch="(uniqueMember={0})"
    /&gt;
---------------------------------------------------------------------------- 

JSPWiki web.xml Security constraint

     &lt;auth-constraint&gt;
         &lt;role-name&gt;tomcat-admin&lt;/role-name&gt;
         &lt;role-name&gt;LGE-SH&lt;/role-name&gt;
...................

 &lt;security-role&gt;
     &lt;description&gt;
         This logical role includes all administrative users
     &lt;/description&gt;
     &lt;role-name&gt;tomcat-admin&lt;/role-name&gt;
 &lt;/security-role&gt;
------------------------------------------------------------------------------- 

Security policy: (added the following as a new entry, no new policy 
added for other LDAP groups)

grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};


-------- Original Message --------
      </pre>
      <blockquote type="cite">
        <pre wrap="">Can I just clarify that it is not possible to "rename" the 
Authenticated role in the policy file in order to map it to 
something else in the LDAP directory?

Last time I investigated this, it seemed that jspwiki expected there 
to be a role named "Authenticated" that the user was a member of, 
regardless of what the policy file might call this role.


Andrew Jaquith wrote:
        </pre>
        <blockquote type="cite">
          <pre wrap="">David - your simple example works much better than my long-winded

explanation might have. :) Nice one.

Ryan - the important point here is that you can add container roles 
to your security policy file using the syntax in David's example. 
You can use container roles in wiki page ACLs, too. To make this 
work, you need to make sure you have a "role" element in your 
web.xml for each LDAP group you are referencing.

Andrew

On Mar 5, 2008, at 16:59, David Gao <a class="moz-txt-link-rfc2396E" href="mailto:davidgjm@gmail.com">&lt;davidgjm@gmail.com&gt;</a>
wrote:
          </pre>
        </blockquote>
        <pre wrap="">
        </pre>
      </blockquote>
      <pre wrap="">
-- 
David Gao (<a class="moz-txt-link-abbreviated" href="mailto:davidgjm@gmail.com">davidgjm@gmail.com</a>)

      </pre>
    </blockquote>
    <pre wrap="">
    </pre>
  </blockquote>
  <pre wrap=""><!---->

  </pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">-- 
David Gao (<a class="moz-txt-link-abbreviated" href="mailto:davidgjm@gmail.com">davidgjm@gmail.com</a>)</pre>
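Andrew's point that every container role granted in jspwiki.policy must also be declared as a role-name in web.xml is easy to get wrong when a new LDAP group is added. The checker below is an added example, not code from the thread or from JSPWiki; it parses grant blocks with a regex, collects every role-name from web.xml (namespaced or not), and reports roles the policy grants but the container was never told about. The sample policy and web.xml are constructed from the snippets in this thread plus one deliberately undeclared role, "wiki-editors".

```python
import re
import xml.etree.ElementTree as ET

# JSPWiki's built-in roles are assigned by the wiki itself, not by the
# container, so they never need a <security-role> entry in web.xml.
BUILTIN_ROLES = {"Anonymous", "Asserted", "Authenticated", "All"}

GRANT_RE = re.compile(
    r'grant\s+principal\s+com\.ecyrd\.jspwiki\.auth\.authorize\.Role\s+"([^"]+)"'
)

def policy_roles(policy_text):
    """Role names that receive a grant block in jspwiki.policy."""
    return set(GRANT_RE.findall(policy_text))

def webxml_roles(webxml_text):
    """Every <role-name> in web.xml, whether under <security-role> or
    <auth-constraint>; an XML namespace prefix on the tag is ignored."""
    root = ET.fromstring(webxml_text)
    return {el.text.strip() for el in root.iter()
            if el.tag.split("}")[-1] == "role-name" and el.text}

def undeclared_roles(policy_text, webxml_text):
    """Container roles granted in the policy but never declared to the container."""
    return policy_roles(policy_text) - BUILTIN_ROLES - webxml_roles(webxml_text)

# Constructed sample: the tomcat-admin grant from the thread, a grant to the
# built-in Authenticated role, and a role ("wiki-editors") missing from web.xml.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-editors" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
};
'''

SAMPLE_WEBXML = '''<web-app>
  <security-constraint><auth-constraint>
      <role-name>tomcat-admin</role-name>
      <role-name>LGE-SH</role-name>
  </auth-constraint></security-constraint>
  <security-role><role-name>tomcat-admin</role-name></security-role>
</web-app>'''

if __name__ == "__main__":
    for role in sorted(undeclared_roles(SAMPLE_POLICY, SAMPLE_WEBXML)):
        print("jspwiki.policy grants %r but web.xml never declares it" % role)
```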
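Christophe's warning that JNDIRealm does not follow nested groups has a concrete access-control consequence: a user who is only in a group that is itself a member of "tomcat-admin" never receives that role, so the AllPermission grant in jspwiki.policy will not apply to them. The simulation below is an added example, not code from the thread or from Tomcat; it models a constructed toy directory as a dict of group DN to member DNs and compares the flat lookup that roleSearch="(member={0})" performs with a cycle-safe transitive expansion.

```python
# Constructed toy directory: group DN -> member DNs (users or other groups).
DIRECTORY = {
    "cn=tomcat-admin,cn=Groups,dc=domain": [
        "cn=alice,ou=People,dc=domain",
        "cn=LGE-SH,cn=Groups,dc=domain",   # a group nested inside a group
    ],
    "cn=LGE-SH,cn=Groups,dc=domain": [
        "cn=bob,ou=People,dc=domain",
    ],
}

def cn(dn):
    """roleName="cn": the role name is the value of the group DN's first RDN."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def direct_roles(user_dn, directory):
    """What roleSearch="(member={0})" yields: groups listing the user DN itself."""
    return {cn(group) for group, members in directory.items() if user_dn in members}

def effective_roles(user_dn, directory):
    """Transitive membership: follow group-of-group links, guarding against cycles."""
    seen, todo = set(), [user_dn]
    while todo:
        dn = todo.pop()
        for group, members in directory.items():
            if dn in members and group not in seen:
                seen.add(group)
                todo.append(group)
    return {cn(group) for group in seen}

def roles_lost_to_flat_lookup(user_dn, directory):
    """Roles a user holds only through nesting, which the realm will not assign."""
    return effective_roles(user_dn, directory) - direct_roles(user_dn, directory)

if __name__ == "__main__":
    for user in ("cn=alice,ou=People,dc=domain", "cn=bob,ou=People,dc=domain"):
        print(user, "realm assigns", sorted(direct_roles(user, DIRECTORY)),
              "misses", sorted(roles_lost_to_flat_lookup(user, DIRECTORY)))
```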
</body>
</html>
