incubator-jspwiki-user mailing list archives

From "Jim Willeke" <...@willeke.com>
Subject Re: LDAP groups
Date Sat, 08 Mar 2008 09:12:49 GMT
Good article.
However, it is only for using group authentication of users.
You can also authenticate users by a role on the user entry.

To authenticate the user (may work for dynamic group setup) you only need to
change the realm to be like:
    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://192.168.1.7:389"
           userBase="ou=people,dc=willeke,dc=com"
           userSearch="(cn={0})"
           userSubtree="true"
           userRoleName="dictcrole"
           connectionName="cn=proxy,ou=administration,dc=willeke,dc=com"
           connectionPassword="secretpassword"
    />

Where:
userBase = where users reside
userSearch = what attribute to search on the user to find them
userRoleName = the attribute on the user to use for the role name
connectionName = the user that Tomcat will use to auth to LDAP to look things up
connectionPassword = password for the above
userSubtree = searches from userSearch through all subcontainers

-jim




On 3/6/08, David Gao <davidgjm@gmail.com> wrote:
>
>  Hi,
>
> I added a wiki page about LDAP authentication on jspwiki.org based on
> Christophe's config and mine. Here goes the link:
>
>         http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
>
> -------- Original Message --------
>
> To be fully precise, this is what we use:
>         <Realm className="org.apache.catalina.realm.JNDIRealm"
>                connectionName="CN=Ldaplogin,OU=EDP Login,OU=All Users XP,DC=poison,DC=in"
>                connectionPassword="***secret***"
>                connectionURL="ldap://domaincontroller-host:389"
>                userBase="OU=All Users XP,DC=domain"
>                userSubtree="true"
>                userSearch="(userPrincipalName={0}@yourdomain.com)"
>                userRoleName="memberOf"
>                roleBase="CN=Groups,DC=domain"
>                roleName="cn"
>                roleSubtree="true"
>                roleSearch="(member={0})" />
> (this because we use the e-mail as the login identifier)
>
> By the way, BEWARE: recursive groups are NOT supported by org.apache.catalina.realm.JNDIRealm:
> your users will NOT inherit from roles (groups) containing the groups within which your
> users are placed.
>
> Good luck!
>
> Christophe
>
> -----Original Message-----
> From: David Gao [mailto:davidgjm@gmail.com]
> Sent: jeudi 6 mars 2008 6:53
> To: jspwiki-user@incubator.apache.org
> Subject: Re: LDAP groups
>
> Andrew,
>
> My configuration just works fine.  Every user in the dedicated LDAP
> group can log in to JSPWiki with the proper access rights defined in the
> security policy.
>
> -------- Original Message --------
>
>  David --
>
> Your configuration looks fine. Does it work for you? It looks like it
> should...
>
> Milt --JSPWiki does have a role called "Authenticated" that is granted
> to *every* user who successfully authenticates, regardless of the
> method used to authenticate (container-based or custom).
> "Authenticated" is the role name you should use in the jspwiki.policy
> file to denote authenticated users, and indeed, its name cannot be
> changed. It's what we call a "built-in" role, along with the
> "Anonymous" and "Asserted" roles. It might help you to think of these
> "states" rather than logical roles.
>
> In addition to granting privileges to built-in roles (states), you can
> grant privileges to specific container-managed roles (such as those
> returned by an LDAP lookup). These are entered as grant blocks in
> jspwiki.policy. These container roles must also be entered into
> web.xml, preferably as "security-role" elements, or as
> "auth-constraint/role-name" elements. David has done both of these
> things in his examples: in jspwiki.policy you see a permission grant
> for the container role "tomcat-admin", and a corresponding
> auth-constraint/role-name element for "tomcat-admin" in web.xml.
>
> Milt, if I've failed to answer your (implied) question, please let me
> know and we can investigate further.
>
> Andrew
>
> On Mar 5, 2008, at 5:45 PM, David Gao wrote:
>
>      Hi Milton,
>
> I did not change the policy for "Authenticated" as I think jspwiki
> may need that internally. Hope my configuration below may help
>
> Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One
> Directory Server)
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>            connectionURL="ldap://localhost:389"
>            connectionName="cn=Directory Manager"
>            connectionPassword="password"
>            userPassword="userPassword"
>            userPattern="uid={0}, ou=People,dc=example,dc=com"
>            roleBase="ou=Groups,dc=example,dc=com"
>            roleName="cn"
>            roleSubtree="true"
>            roleSearch="(uniqueMember={0})"
>     />
> ----------------------------------------------------------------------------
>
> JSPWiki web.xml Security constraint
>
>      <auth-constraint>
>          <role-name>tomcat-admin</role-name>
>          <role-name>LGE-SH</role-name>
> ...................
>
>  <security-role>
>      <description>
>          This logical role includes all administrative users
>      </description>
>      <role-name>tomcat-admin</role-name>
>  </security-role>
> -------------------------------------------------------------------------------
>
> Security policy: (added the following as a new entry, no new policy
> added for other LDAP groups)
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
>
> -------- Original Message --------
>
>  Can I just clarify that it is not possible to "rename" the
> Authenticated role in the policy file in order to map it to
> something else in the LDAP directory?
>
> Last time I investigated this, it seemed that jspwiki expected there
> to be a role named "Authenticated" that the user was a member of,
> regardless of what the policy file might call this role.
>
>
> Andrew Jaquith wrote:
>
>  David - your simple example works much better than my long-winded
> explanation might have. :) Nice one.
>
> Ryan - the important point here is that you can add container roles
> to your security policy file using the syntax in David's example.
> You can use container roles in wiki page ACLs, too. To make this
> work, you need to make sure you have a "role" element in your
> web.xml for each LDAP group you are referencing.
>
> Andrew
>
> On Mar 5, 2008, at 16:59, David Gao <davidgjm@gmail.com> wrote:
>
> --
> David Gao (davidgjm@gmail.com)
>


-- 
-jim
Jim Willeke
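The two lookups discussed in this thread, Jim's userBase/userSearch with {0} plus a userRoleName attribute read off the user entry, and David's userPattern plus roleBase/roleSearch, modelled over a small in-memory directory, together with Christophe's warning that JNDIRealm does not follow groups nested inside other groups. This is an added example, not code from the thread or from Tomcat: the directory entries, DNs and the "dictcrole" values are constructed sample data, and find_user, realm_roles and nested_roles are hypothetical names for what the realm (and a recursive variant) would return.

```python
import re

# Constructed sample directory (DN -> attributes); every name here is hypothetical.
# alice is a direct uniqueMember of LGE-SH; LGE-SH is in turn a uniqueMember of
# tomcat-admin, which is the nested case Christophe warns about.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": ["alice"], "cn": ["Alice"], "dictcrole": ["wiki-editor"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "uid": ["bob"], "cn": ["Bob"]},
    "cn=tomcat-admin,ou=Groups,dc=example,dc=com": {
        "cn": ["tomcat-admin"],
        "uniqueMember": ["cn=LGE-SH,ou=Groups,dc=example,dc=com"]},
    "cn=LGE-SH,ou=Groups,dc=example,dc=com": {
        "cn": ["LGE-SH"],
        "uniqueMember": ["uid=alice,ou=People,dc=example,dc=com"]},
}

# Realm attributes as in David's server.xml (userPattern + roleSearch) and in
# Jim's (userSearch + userRoleName); connection settings are left out because
# nothing below talks to a real server.
DAVID_REALM = {
    "userPattern": "uid={0},ou=People,dc=example,dc=com",
    "roleBase": "ou=Groups,dc=example,dc=com",
    "roleName": "cn",
    "roleSubtree": "true",
    "roleSearch": "(uniqueMember={0})",
}
JIM_REALM = {
    "userBase": "ou=People,dc=example,dc=com",
    "userSearch": "(cn={0})",
    "userSubtree": "true",
    "userRoleName": "dictcrole",
}

_EQUALITY_FILTER = re.compile(r"^\((\w+)=(.+)\)$")


def _norm(dn):
    """DNs and attribute values compare case-insensitively; drop spaces after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def _in_scope(dn, base, subtree):
    """True if dn lies under base: anywhere below it (subtree) or exactly one level."""
    dn, base = _norm(dn), _norm(base)
    if not dn.endswith("," + base):
        return False
    return subtree or "," not in dn[:-len(base) - 1]


def _search(base, subtree, ldap_filter):
    """Model an LDAP search restricted to the (attr=value) filters the thread uses."""
    m = _EQUALITY_FILTER.match(ldap_filter)
    if not m:
        raise ValueError("only (attr=value) filters are modelled: " + ldap_filter)
    attr, wanted = m.group(1), _norm(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if _in_scope(dn, base, subtree)
            and any(_norm(v) == wanted for v in entry.get(attr, []))]


def find_user(realm, username):
    """Locate the user's DN the way JNDIRealm does: userPattern if set, else userSearch."""
    if "userPattern" in realm:
        wanted = _norm(realm["userPattern"].replace("{0}", username))
        return next((dn for dn in DIRECTORY if _norm(dn) == wanted), None)
    hits = _search(realm["userBase"], realm.get("userSubtree") == "true",
                   realm["userSearch"].replace("{0}", username))
    # The realm refuses to authenticate when the search returns 0 or more than 1 entry.
    return hits[0] if len(hits) == 1 else None


def _direct_groups(realm, member_dn, username):
    # JNDIRealm substitutes the member's DN for {0} and the login name for {1}.
    filt = realm["roleSearch"].replace("{0}", member_dn).replace("{1}", username)
    return _search(realm["roleBase"], realm.get("roleSubtree") == "true", filt)


def realm_roles(realm, username):
    """Roles JNDIRealm hands to the container: the userRoleName attribute of the
    user entry plus a single, non-recursive roleSearch. None if the user is unknown."""
    user_dn = find_user(realm, username)
    if user_dn is None:
        return None
    roles = set(DIRECTORY[user_dn].get(realm.get("userRoleName", ""), []))
    if "roleSearch" in realm:
        for group_dn in _direct_groups(realm, user_dn, username):
            roles.update(DIRECTORY[group_dn][realm["roleName"]])
    return sorted(roles)


def nested_roles(realm, username):
    """What a recursive lookup would return: keep searching with each group's DN as
    the member until no new groups appear (the seen set makes it cycle-safe)."""
    user_dn = find_user(realm, username)
    if user_dn is None:
        return None
    roles = set(DIRECTORY[user_dn].get(realm.get("userRoleName", ""), []))
    if "roleSearch" not in realm:
        return sorted(roles)
    seen, queue = set(), [user_dn]
    while queue:
        member_dn = queue.pop()
        if _norm(member_dn) in seen:
            continue
        seen.add(_norm(member_dn))
        for group_dn in _direct_groups(realm, member_dn, username):
            roles.update(DIRECTORY[group_dn][realm["roleName"]])
            queue.append(group_dn)
    return sorted(roles)


if __name__ == "__main__":
    print("jim   ", realm_roles(JIM_REALM, "alice"))     # roles from the user entry
    print("david ", realm_roles(DAVID_REALM, "alice"))   # direct group only
    print("nested", nested_roles(DAVID_REALM, "alice"))  # would also include tomcat-admin
```

realm_roles() issues the one roleSearch the realm issues: alice comes back with LGE-SH only, because tomcat-admin lists LGE-SH as its member rather than alice, which is exactly the inheritance Christophe says you will not get. nested_roles() shows what a recursive walk would return. With the realm as configured in this thread, a group that should carry the parent's permissions has to list the users directly, or the parent's jspwiki.policy grant has to be repeated for the child group.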

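Andrew's rule from the quoted thread, that every container role granted in jspwiki.policy (other than the built-in Authenticated, Anonymous and Asserted roles) must also appear in web.xml, preferably as a security-role element, turned into a consistency check over the two files. This is an added example and not JSPWiki code: the two fragments are constructed in the shape of David's posting, with an extra hypothetical "wiki-editor" grant so that the check has something to flag, and web_xml_roles, policy_roles and check_roles are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment in the shape of David's posting: LGE-SH is only
# referenced in an auth-constraint, tomcat-admin is also a declared security-role.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <auth-constraint>
      <role-name>tomcat-admin</role-name>
      <role-name>LGE-SH</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>This logical role includes all administrative users</description>
    <role-name>tomcat-admin</role-name>
  </security-role>
</web-app>"""

# Constructed jspwiki.policy: David's tomcat-admin grant plus a hypothetical
# wiki-editor grant that nobody declared in web.xml.
JSPWIKI_POLICY = """
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view,edit";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-editor" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
};
"""

# Built-in JSPWiki roles named in the thread; these never come from the container.
BUILT_IN_ROLES = {"Anonymous", "Asserted", "Authenticated"}

_GRANT = re.compile(
    r'grant\s+principal\s+com\.ecyrd\.jspwiki\.auth\.authorize\.Role\s+"([^"]+)"')


def _local(tag):
    # Strip the XML namespace so the check works with or without the j2ee xmlns.
    return tag.rsplit("}", 1)[-1]


def web_xml_roles(xml_text):
    """Return (declared, constrained): security-role names and auth-constraint names."""
    root = ET.fromstring(xml_text)
    declared, constrained = set(), set()
    for el in root.iter():
        kind = _local(el.tag)
        if kind not in ("security-role", "auth-constraint"):
            continue
        names = {(c.text or "").strip() for c in el.iter() if _local(c.tag) == "role-name"}
        (declared if kind == "security-role" else constrained).update(names)
    return declared, constrained


def policy_roles(policy_text):
    """Role names that jspwiki.policy grants permissions to."""
    return set(_GRANT.findall(policy_text))


def check_roles(xml_text, policy_text):
    """Container roles the policy grants but web.xml never mentions, and roles
    that only appear in an auth-constraint without a matching security-role."""
    declared, constrained = web_xml_roles(xml_text)
    container_roles = policy_roles(policy_text) - BUILT_IN_ROLES
    return {
        "policy_not_in_web_xml": sorted(container_roles - declared - constrained),
        "constrained_not_declared": sorted(constrained - declared),
    }


if __name__ == "__main__":
    for problem, roles in check_roles(WEB_XML, JSPWIKI_POLICY).items():
        print(problem, roles)
```

Run against real files, read web.xml and jspwiki.policy from disk instead of the constructed strings; the same check applies to any LDAP group name used in a page ACL, since Andrew notes those also need a role element in web.xml.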