incubator-jspwiki-user mailing list archives

From "Christophe Dupriez" <christophe.dupr...@poisoncentre.be>
Subject RE: LDAP groups
Date Thu, 06 Mar 2008 07:40:23 GMT
To be fully precise, this is what we use:
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionName="CN=Ldaplogin,OU=EDP Login,OU=All Users XP,DC=poison,DC=in"
               connectionPassword="***secret***" connectionURL="ldap://domaincontroller-host:389"
               userBase="OU=All Users XP,DC=domain" userSubtree="true"
               userSearch="(userPrincipalName={0}@yourdomain.com)" userRoleName="memberOf"
               roleBase="CN=Groups,DC=domain" roleName="cn" roleSubtree="true"
               roleSearch="(member={0})" />
(this is because we use the e-mail address as the login identifier)

By the way, BEWARE: recursive groups are NOT supported by org.apache.catalina.realm.JNDIRealm:
your users will NOT inherit from roles (groups) containing the groups within which your
users are placed.

Good luck!

Christophe

-----Original Message-----
From: David Gao [mailto:davidgjm@gmail.com] 
Sent: Thursday, 6 March 2008 6:53
To: jspwiki-user@incubator.apache.org
Subject: Re: LDAP groups

Andrew,

My configuration just works fine.  Every user in the dedicated LDAP 
group can log in to JSPWiki with the proper access rights defined in the security 
policy.

-------- Original Message --------
> David --
>
> Your configuration looks fine. Does it work for you? It looks like it 
> should...
>
> Milt -- JSPWiki does have a role called "Authenticated" that is granted 
> to *every* user who successfully authenticates, regardless of the 
> method used to authenticate (container-based or custom). 
> "Authenticated" is the role name you should use in the jspwiki.policy 
> file to denote authenticated users, and indeed, its name cannot be 
> changed. It's what we call a "built-in" role, along with the 
> "Anonymous" and "Asserted" roles. It might help you to think of these 
> as "states" rather than logical roles.
>
> In addition to granting privileges to built-in roles (states), you can 
> grant privileges to specific container-managed roles (such as those 
> returned by an LDAP lookup). These are entered as grant blocks in 
> jspwiki.policy. These container roles must also be entered into 
> web.xml, preferably as "security-role" elements, or as 
> "auth-constraint/role-name" elements. David has done both of these 
> things in his examples: in jspwiki.policy you see a permission grant 
> for the container role "tomcat-admin", and a corresponding 
> auth-constraint/role-name element for "tomcat-admin" in web.xml.
>
> Milt, if I've failed to answer your (implied) question, please let me 
> know and we can investigate further.
>
> Andrew
>
> On Mar 5, 2008, at 5:45 PM, David Gao wrote:
>
>> Hi Milton,
>>
>> I did not change the policy for "Authenticated" as I think jspwiki 
>> may need that internally. Hope my configuration below may help
>>
>> Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One 
>> Directory Server)
>>     <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>          connectionURL="ldap://localhost:389"
>>          connectionName="cn=Directory Manager"
>>          connectionPassword="password"
>>          userPassword="userPassword"
>>          userPattern="uid={0}, ou=People,dc=example,dc=com"
>>          roleBase="ou=Groups,dc=example,dc=com"
>>          roleName="cn"
>>          roleSubtree="true"
>>          roleSearch="(uniqueMember={0})"
>>     />
>> ---------------------------------------------------------------------------- 
>>
>> JSPWiki web.xml Security constraint
>>
>>      <auth-constraint>
>>          <role-name>tomcat-admin</role-name>
>>          <role-name>LGE-SH</role-name>
>> ...................
>>
>>  <security-role>
>>      <description>
>>          This logical role includes all administrative users
>>      </description>
>>      <role-name>tomcat-admin</role-name>
>>  </security-role>
>> ------------------------------------------------------------------------------- 
>>
>> Security policy: (added the following as a new entry, no new policy 
>> added for other LDAP groups)
>>
>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
>> };
>>
>>
>> -------- Original Message --------
>>> Can I just clarify that it is not possible to "rename" the 
>>> Authenticated role in the policy file in order to map it to 
>>> something else in the LDAP directory?
>>>
>>> Last time I investigated this, it seemed that jspwiki expected there 
>>> to be a role named "Authenticated" that the user was a member of, 
>>> regardless of what the policy file might call this role.
>>>
>>>
>>> Andrew Jaquith wrote:
>>>> David - your simple example works much better than my long-winded 
>>>> explanation might have. :) Nice one.
>>>>
>>>> Ryan - the important point here is that you can add container roles 
>>>> to your security policy file using the syntax in David's example. 
>>>> You can use container roles in wiki page ACLs, too. To make this 
>>>> work, you need to make sure you have a "role" element in your 
>>>> web.xml for each LDAP group you are referencing.
>>>>
>>>> Andrew
>>>>
>>>> On Mar 5, 2008, at 16:59, David Gao <davidgjm@gmail.com> wrote:
>>>
>>>
>>
>>
>> -- 
>> David Gao (davidgjm@gmail.com)
>>
>
>


-- 

David Gao (davidgjm@gmail.com)
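The following is an added example, not code from this thread or from Tomcat. It models Christophe's warning about nested groups: a JNDIRealm-style lookup runs one roleSearch such as "(member={0})" with the user's DN (or reads a direct-membership attribute such as memberOf), so a user placed in a group that is itself a member of another group never receives the outer group's role. The directory below is a constructed in-memory stand-in (group DN to member DNs), and the group and user names are invented.

```python
"""Direct vs. nested LDAP group resolution (added example, constructed data)."""
from collections import deque

# Constructed sample directory: group DN -> member DNs (users or other groups).
# "edp-team" is nested inside "wiki-admins"; bob is only in "edp-team".
GROUPS = {
    "CN=wiki-admins,CN=Groups,DC=example,DC=com": [
        "CN=edp-team,CN=Groups,DC=example,DC=com",      # a nested group
        "CN=alice,OU=All Users XP,DC=example,DC=com",
    ],
    "CN=edp-team,CN=Groups,DC=example,DC=com": [
        "CN=bob,OU=All Users XP,DC=example,DC=com",
    ],
    "CN=wiki-readers,CN=Groups,DC=example,DC=com": [
        "CN=bob,OU=All Users XP,DC=example,DC=com",
        "CN=carol,OU=All Users XP,DC=example,DC=com",
    ],
}


def role_name(group_dn):
    """roleName="cn": the cn value of the group DN is the role name."""
    first_rdn = group_dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"group DN does not start with cn=: {group_dn}")
    return value.strip()


def direct_roles(user_dn, groups=GROUPS):
    """What a single roleSearch="(member={0})" returns: groups listing the user itself."""
    return sorted(role_name(g) for g, members in groups.items() if user_dn in members)


def nested_roles(user_dn, groups=GROUPS):
    """Recursive resolution: also follow groups that contain the user's groups."""
    found = set()
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for g, members in groups.items():
            if dn in members and g not in found:
                found.add(g)
                queue.append(g)  # the group may itself be a member of another group
    return sorted(role_name(g) for g in found)


def missing_nested_roles(user_dn, groups=GROUPS):
    """Roles held only through nesting, which a direct lookup will not grant."""
    return sorted(set(nested_roles(user_dn, groups)) - set(direct_roles(user_dn, groups)))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"CN={user},OU=All Users XP,DC=example,DC=com"
        print(user, "direct:", direct_roles(dn), "nested:", nested_roles(dn),
              "lost by direct lookup:", missing_nested_roles(dn))
```

Running it shows bob with roles edp-team and wiki-readers from the direct lookup but wiki-admins only from the recursive walk; that gap is exactly what a page ACL or jspwiki.policy grant written against the outer group will not see. Flattening membership in the directory, or (on Active Directory) having the server do the recursion with a matching-rule-in-chain filter, are the usual ways to close it; either way, verify the roles a test account actually receives rather than the roles the directory diagram implies.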




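Andrew's message says that every container role granted in jspwiki.policy must also be entered in web.xml, preferably as a security-role element, or at least as an auth-constraint/role-name. The following is an added consistency check, not part of the thread or of JSPWiki: it extracts the Role principals from a policy fragment, the role names from a web.xml fragment, and reports the mismatches. Both fragments are constructed for the example (the web.xml one mirrors David's, where "LGE-SH" appears in an auth-constraint but has no security-role; "wiki-editors" is an invented policy role). The sample web.xml omits the usual default namespace, so the ElementTree paths are written without one.

```python
"""Cross-check jspwiki.policy Role grants against web.xml role declarations
(added example, constructed input)."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: "LGE-SH" is used in an auth-constraint but never declared.
WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint>
      <role-name>tomcat-admin</role-name>
      <role-name>LGE-SH</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>This logical role includes all administrative users</description>
    <role-name>tomcat-admin</role-name>
  </security-role>
</web-app>"""

# Constructed jspwiki.policy fragment: one built-in role and two container roles.
POLICY = """
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-editors" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
};
"""

# Built-in roles named in Andrew's message; these never come from the container.
BUILT_IN_ROLES = {"Anonymous", "Asserted", "Authenticated"}

GRANT_RE = re.compile(
    r'grant\s+principal\s+com\.ecyrd\.jspwiki\.auth\.authorize\.Role\s+"([^"]+)"')


def policy_roles(policy_text):
    """Role names granted to in the policy file."""
    return set(GRANT_RE.findall(policy_text))


def webxml_roles(web_xml_text):
    """(declared security-roles, roles referenced from auth-constraints)."""
    root = ET.fromstring(web_xml_text)
    declared = {e.text.strip() for e in root.findall("./security-role/role-name")}
    constrained = {e.text.strip() for e in root.findall(".//auth-constraint/role-name")}
    return declared, constrained


def check_roles(policy_text, web_xml_text):
    """Report container roles the policy grants but web.xml never mentions, and
    auth-constraint roles that lack a security-role declaration."""
    granted = policy_roles(policy_text) - BUILT_IN_ROLES
    declared, constrained = webxml_roles(web_xml_text)
    return {
        "policy_roles_missing_from_web_xml": sorted(granted - declared - constrained),
        "constrained_roles_not_declared": sorted(constrained - declared),
    }


if __name__ == "__main__":
    for key, names in check_roles(POLICY, WEB_XML).items():
        print(f"{key}: {names}")
```

A role that is granted in the policy but absent from web.xml is the silent failure mode here: the grant looks right, but the container never maps the LDAP group to that role, so the affected users simply fall back to the built-in roles. Running the check against the real files (after accounting for the web.xml namespace) before each deployment catches the typo or the forgotten declaration.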