Subject: RE: LDAP groups
Date: Thu, 6 Mar 2008 08:40:23 +0100
Message-ID: <635EA31E-C8D8-4010-9A90-86EC1B290F1F@poisoncentre.be>
In-Reply-To: <47CF86A7.7040701@gmail.com>
From: "Christophe Dupriez"
To: "jspwiki-user@incubator.apache.org"
Reply-To: christophe.dupriez@poisoncentre.be

To be fully precise, this is what we use: (this because we use the e-mail as the login identifier)

By the way, BEWARE: recursive groups are NOT supported by org.apache.catalina.realm.JNDIRealm: your users will NOT inherit from roles (groups) containing the groups within which your users are placed.
Good luck!

Christophe

-----Original Message-----
From: David Gao [mailto:davidgjm@gmail.com]
Sent: Thursday, 6 March 2008 6:53
To: jspwiki-user@incubator.apache.org
Subject: Re: LDAP groups

Andrew,

My configuration just works fine. Every user in the dedicated LDAP group can login JSPWiki with proper access rights defined in security policy.

-------- Original Message --------
> David --
>
> Your configuration looks fine. Does it work for you? It looks like it should...
>
> Milt -- JSPWiki does have a role called "Authenticated" that is granted to *every* user who successfully authenticates, regardless of the method used to authenticate (container-based or custom). "Authenticated" is the role name you should use in the jspwiki.policy file to denote authenticated users, and indeed, its name cannot be changed. It's what we call a "built-in" role, along with the "Anonymous" and "Asserted" roles. It might help you to think of these as "states" rather than logical roles.
>
> In addition to granting privileges to built-in roles (states), you can grant privileges to specific container-managed roles (such as those returned by an LDAP lookup). These are entered as grant blocks in jspwiki.policy. These container roles must also be entered into web.xml, preferably as "security-role" elements, or as "auth-constraint/role-name" elements. David has done both of these things in his examples: in jspwiki.policy you see a permission grant for the container role "tomcat-admin", and a corresponding auth-constraint/role-name element for "tomcat-admin" in web.xml.
>
> Milt, if I've failed to answer your (implied) question, please let me know and we can investigate further.
>
> Andrew
>
> On Mar 5, 2008, at 5:45 PM, David Gao wrote:
>
>> Hi Milton,
>>
>> I did not change the policy for "Authenticated" as I think jspwiki may need that internally.
>> Hope my configuration below may help
>>
>> Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One Directory Server)
>>
>>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>>          connectionURL="ldap://localhost:389"
>>          connectionName="cn=Directory Manager"
>>          connectionPassword="password"
>>          userPassword="userPassword"
>>          userPattern="uid={0}, ou=People,dc=example,dc=com"
>>          roleBase="ou=Groups,dc=example,dc=com"
>>          roleName="cn"
>>          roleSubtree="true"
>>          roleSearch="(uniqueMember={0})"
>>   />
>> -------------------------------------------------------------------------
>>
>> JSPWiki web.xml Security constraint
>>
>>   <auth-constraint>
>>     <role-name>tomcat-admin</role-name>
>>     <role-name>LGE-SH</role-name>
>>     ...................
>>   </auth-constraint>
>>
>>   <security-role>
>>     <description>This logical role includes all administrative users</description>
>>     <role-name>tomcat-admin</role-name>
>>   </security-role>
>> -------------------------------------------------------------------------
>>
>> Security policy: (added the following as a new entry, no new policy added for other LDAP groups)
>>
>>   grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
>>       permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
>>   };
>>
>>
>> -------- Original Message --------
>>> Can I just clarify that it is not possible to "rename" the Authenticated role in the policy file in order to map it to something else in the LDAP directory?
>>>
>>> Last time I investigated this, it seemed that jspwiki expected there to be a role named "Authenticated" that the user was a member of, regardless of what the policy file might call this role.
>>>
>>>
>>> Andrew Jaquith wrote:
>>>> David - your simple example works much better than my long-winded explanation might have. :) Nice one.
>>>>
>>>> Ryan - the important point here is that you can add container roles to your security policy file using the syntax in David's example. You can use container roles in wiki page ACLs, too.
>>>> To make this work, you need to make sure you have a "role" element in your web.xml for each LDAP group you are referencing.
>>>>
>>>> Andrew
>>>>
>>>> On Mar 5, 2008, at 16:59, David Gao wrote:
>>>
>>>
>>
>>
>> --
>> David Gao (davidgjm@gmail.com)
>>
>
>

--
David Gao (davidgjm@gmail.com)
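Andrew's rule above (every container role granted in jspwiki.policy must also be declared in web.xml, while the built-in "Authenticated", "Anonymous" and "Asserted" roles need no declaration) is easy to get wrong when LDAP groups are added later. The script below, an added example that is not part of the thread and not JSPWiki's or Tomcat's code, cross-checks the two files. The sample policy and web.xml are constructed, modelled on David's snippets; the "wiki-editors" grant, the /admin/* URL pattern and the j2ee namespace are my additions to show a role that the check would flag and to show that namespaced web.xml files are handled.

```python
"""Cross-check JSPWiki container-role grants against web.xml declarations.

Added example, not JSPWiki's or Tomcat's own code. It encodes the rule
from the thread: every container role granted in jspwiki.policy must also
appear in web.xml, either as a <security-role> or inside an
<auth-constraint>; the built-in roles are states and need no declaration.
"""
import re
import xml.etree.ElementTree as ET

# Built-in JSPWiki roles named in the thread; they are not container roles.
BUILTIN_ROLES = {"Authenticated", "Anonymous", "Asserted"}

# Matches:  grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
GRANT_RE = re.compile(
    r'grant\s+principal\s+com\.ecyrd\.jspwiki\.auth\.authorize\.Role\s+"([^"]+)"\s*\{'
)


def policy_roles(policy_text):
    """Return the set of Role principals that jspwiki.policy grants to."""
    return set(GRANT_RE.findall(policy_text))


def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}role-name'."""
    return tag.rsplit("}", 1)[-1]


def webxml_roles(webxml_text):
    """Return role names declared in <security-role> or <auth-constraint>."""
    root = ET.fromstring(webxml_text)
    declared = set()
    for el in root.iter():
        if _local(el.tag) in ("security-role", "auth-constraint"):
            for child in el:
                if _local(child.tag) == "role-name" and child.text:
                    declared.add(child.text.strip())
    return declared


def undeclared_roles(policy_text, webxml_text):
    """Container roles granted in the policy but missing from web.xml."""
    granted = policy_roles(policy_text) - BUILTIN_ROLES
    return sorted(granted - webxml_roles(webxml_text))


# Constructed sample inputs modelled on the thread's snippets; the
# "wiki-editors" grant is deliberately left out of web.xml.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-editors" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
};
'''

SAMPLE_WEBXML = '''<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative Area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat-admin</role-name>
      <role-name>LGE-SH</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>This logical role includes all administrative users</description>
    <role-name>tomcat-admin</role-name>
  </security-role>
</web-app>
'''

if __name__ == "__main__":
    for role in undeclared_roles(SAMPLE_POLICY, SAMPLE_WEBXML):
        print(f"role {role!r} is granted in jspwiki.policy but not declared in web.xml")
```

Run it against the real files by reading them into the two text arguments; a non-empty result means a grant that the container can never satisfy, which usually shows up as users who authenticate but never receive the rights the policy appears to give them.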
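Christophe's warning at the top of the message (JNDIRealm does not follow recursive groups) follows directly from the roleSearch in David's configuration: "(uniqueMember={0})" is one search for groups whose uniqueMember attribute names the user's DN, and groups that are themselves members of other groups are never followed. The script below, an added example that is neither Tomcat's nor JSPWiki's code, models that behaviour with a constructed in-memory directory standing in for the LDAP server; the user and group DNs (alice, bob, and the nesting between wiki-editors, tomcat-admin and LGE-SH) are assumptions for illustration. It reports, per user, the roles that nesting would imply but that the realm will not return.

```python
"""Show why nested LDAP groups are invisible to a JNDIRealm-style role search.

Added example, not Tomcat's code. The realm in the thread resolves roles
with roleSearch="(uniqueMember={0})" under roleBase
ou=Groups,dc=example,dc=com, taking roleName="cn" as the role. Only groups
that list the user's DN directly are found, so a user placed in a group
that is itself a member of another group never receives the outer role.
"""

# Constructed directory: group DN -> list of uniqueMember DNs (users or groups).
GROUPS = {
    "cn=wiki-editors,ou=Groups,dc=example,dc=com": [
        "uid=alice,ou=People,dc=example,dc=com",
    ],
    "cn=tomcat-admin,ou=Groups,dc=example,dc=com": [
        "uid=bob,ou=People,dc=example,dc=com",
        "cn=wiki-editors,ou=Groups,dc=example,dc=com",   # a nested group
    ],
    "cn=LGE-SH,ou=Groups,dc=example,dc=com": [
        "cn=tomcat-admin,ou=Groups,dc=example,dc=com",   # nested one level deeper
    ],
}


def role_name(group_dn):
    """Mimic roleName="cn": the role is the cn value of the group entry."""
    first_rdn = group_dn.split(",", 1)[0]
    attr, value = first_rdn.split("=", 1)
    if attr.strip().lower() != "cn":
        raise ValueError(f"group entry {group_dn!r} is not named by cn")
    return value.strip()


def direct_roles(member_dn, groups=GROUPS):
    """Roles a (uniqueMember={0}) search returns: groups listing member_dn."""
    return {role_name(dn) for dn, members in groups.items() if member_dn in members}


def transitive_roles(user_dn, groups=GROUPS):
    """Roles the user holds once group nesting is followed (cycle-safe)."""
    seen_groups = set()
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for group_dn, members in groups.items():
            if dn in members and group_dn not in seen_groups:
                seen_groups.add(group_dn)
                frontier.append(group_dn)   # a group can be a member of a group
    return {role_name(dn) for dn in seen_groups}


def roles_lost_to_nesting(user_dn, groups=GROUPS):
    """Roles implied by nesting that a direct-membership realm will not grant."""
    return transitive_roles(user_dn, groups) - direct_roles(user_dn, groups)


if __name__ == "__main__":
    for user in ("uid=alice,ou=People,dc=example,dc=com",
                 "uid=bob,ou=People,dc=example,dc=com"):
        print(user)
        print("  realm returns :", sorted(direct_roles(user)))
        print("  nesting implies:", sorted(transitive_roles(user)))
        print("  not granted   :", sorted(roles_lost_to_nesting(user)))
```

The practical consequence for a jspwiki.policy like David's is that a grant to "tomcat-admin" only reaches users listed in that group's uniqueMember attribute; anyone who is an admin only through a nested group must be added to the group directly, or the directory's group tree must be flattened for the accounts the wiki relies on.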