Mailing-List: contact jspwiki-user-help@incubator.apache.org; run by ezmlm
List-Post: jspwiki-user@incubator.apache.org
From: "Jim Willeke" <jim@willeke.com>
To: jspwiki-user@incubator.apache.org
Date: Sat, 8 Mar 2008 04:12:49 -0500
Subject: Re: LDAP groups
In-Reply-To: <47CFBB3F.7030203@gmail.com>
References: <635EA31E-C8D8-4010-9A90-86EC1B290F1F@poisoncentre.be> <47CFBB3F.7030203@gmail.com>
Good article. However, it is only for using group authentication of users. You can also authenticate users by a role on the user entry.

To authenticate the user (may work for dynamic group setup) you only need to change the realm to be like:

Where
  userBase = where users reside
  userSearch = what attribute to search on the user to find them
  userRoleName = the attribute on the user to use for the role name
  connectionName = the user that Tomcat will use to auth to LDAP to look things up
  connectionPassword = password for above
  userSubtree = searches from userSearch through all subcontainers

-jim

On 3/6/08, David Gao wrote:
>
> Hi,
>
> I added a wiki page about LDAP authentication on jspwiki.org based on
> Christophe's config and mine. Here goes the link:
>
> http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
>
> -------- Original Message --------
>
> To be fully precise, this is what we use:
>
>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>          connectionName="CN=Ldaplogin,OU=EDP Login,OU=All Users XP,DC=poison,DC=in"
>          connectionPassword="***secret***"
>          connectionURL="ldap://domaincontroller-host:389"
>          userBase="OU=All Users XP,DC=domain"
>          userSubtree="true"
>          userSearch="(userPrincipalName={0}@yourdomain.com)"
>          userRoleName="memberOf"
>          roleBase="CN=Groups,DC=domain"
>          roleName="cn"
>          roleSubtree="true"
>          roleSearch="(member={0})" />
>
> (this because we use the e-mail as the login identifier)
>
> By the way, BEWARE: recursive groups are NOT supported by
> org.apache.catalina.realm.JNDIRealm: your users will NOT inherit from
> roles (groups) containing the groups within which your users are placed.
>
> Good luck!
>
> Christophe
>
> -----Original Message-----
> From: David Gao [mailto:davidgjm@gmail.com]
> Sent: Thursday, 6 March 2008 6:53
> To: jspwiki-user@incubator.apache.org
> Subject: Re: LDAP groups
>
> Andrew,
>
> My configuration just works fine. Every user in the dedicated LDAP
> group can log in to JSPWiki with the proper access rights defined in the
> security policy.
>
> -------- Original Message --------
>
> David --
>
> Your configuration looks fine. Does it work for you? It looks like it
> should...
>
> Milt -- JSPWiki does have a role called "Authenticated" that is granted
> to *every* user who successfully authenticates, regardless of the
> method used to authenticate (container-based or custom).
> "Authenticated" is the role name you should use in the jspwiki.policy
> file to denote authenticated users, and indeed, its name cannot be
> changed. It's what we call a "built-in" role, along with the
> "Anonymous" and "Asserted" roles. It might help you to think of these as
> "states" rather than logical roles.
>
> In addition to granting privileges to built-in roles (states), you can
> grant privileges to specific container-managed roles (such as those
> returned by an LDAP lookup). These are entered as grant blocks in
> jspwiki.policy. These container roles must also be entered into
> web.xml, preferably as "security-role" elements, or as
> "auth-constraint/role-name" elements. David has done both of these
> things in his examples: in jspwiki.policy you see a permission grant
> for the container role "tomcat-admin", and a corresponding
> auth-constraint/role-name element for "tomcat-admin" in web.xml.
>
> Milt, if I've failed to answer your (implied) question, please let me
> know and we can investigate further.
>
> Andrew
>
> On Mar 5, 2008, at 5:45 PM, David Gao wrote:
>
> Hi Milton,
>
> I did not change the policy for "Authenticated" as I think jspwiki
> may need that internally. Hope my configuration below may help.
>
> Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One
> Directory Server):
>
>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>          connectionURL="ldap://localhost:389"
>          connectionName="cn=Directory Manager"
>          connectionPassword="password"
>          userPassword="userPassword"
>          userPattern="uid={0}, ou=People,dc=example,dc=com"
>          roleBase="ou=Groups,dc=example,dc=com"
>          roleName="cn"
>          roleSubtree="true"
>          roleSearch="(uniqueMember={0})"
>   />
>
> ----------------------------------------------------------------------------
>
> JSPWiki web.xml security constraint:
>
>   <auth-constraint>
>     <role-name>tomcat-admin</role-name>
>     <role-name>LGE-SH</role-name>
>     ...................
>   </auth-constraint>
>
>   <security-role>
>     <description>This logical role includes all administrative users</description>
>     <role-name>tomcat-admin</role-name>
>   </security-role>
>
> -------------------------------------------------------------------------------
>
> Security policy: (added the following as a new entry, no new policy
> added for other LDAP groups)
>
>   grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
>       permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
>   };
>
> -------- Original Message --------
>
> Can I just clarify that it is not possible to "rename" the
> Authenticated role in the policy file in order to map it to
> something else in the LDAP directory?
>
> Last time I investigated this, it seemed that jspwiki expected there
> to be a role named "Authenticated" that the user was a member of,
> regardless of what the policy file might call this role.
>
> Andrew Jaquith wrote:
>
> David - your simple example works much better than my long-winded
> explanation might have. :) Nice one.
>
> Ryan - the important point here is that you can add container roles
> to your security policy file using the syntax in David's example.
> You can use container roles in wiki page ACLs, too. To make this
> work, you need to make sure you have a "role" element in your
> web.xml for each LDAP group you are referencing.
>
> Andrew
>
> On Mar 5, 2008, at 16:59, David Gao wrote:
>
> --
> David Gao (davidgjm@gmail.com)
>
> --
> David Gao (davidgjm@gmail.com)

--
-jim
Jim Willeke
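The two role-resolution paths discussed in this thread (Christophe's warning that JNDIRealm's roleSearch is a single, non-recursive group lookup, and Jim's alternative of reading the role name from an attribute on the user entry via userRoleName), modelled as an added example that is not from this thread, from Tomcat or from JSPWiki. The in-memory directory, the user "alice", the groups "wiki-editors" and "tomcat-admin", and all function names are constructed for illustration; the model treats roleSubtree, roleSearch, roleName and userRoleName the way the attribute descriptions in the thread state them, and adds JSPWiki's built-in "Authenticated" role as Andrew describes.

```python
# Added example (not from the thread): an in-memory model of how Tomcat's
# JNDIRealm derives roles from LDAP, contrasted with a recursive lookup.
# The directory below is constructed sample data, not a real server.

# Constructed directory: DN -> attribute name -> list of values.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": ["alice"],
        # AD-style attribute on the user entry itself (the userRoleName case)
        "memberOf": ["cn=wiki-editors,ou=Groups,dc=example,dc=com"],
    },
    "cn=wiki-editors,ou=Groups,dc=example,dc=com": {
        "cn": ["wiki-editors"],
        "uniqueMember": ["uid=alice,ou=People,dc=example,dc=com"],
    },
    # tomcat-admin contains the wiki-editors *group*, not alice directly,
    # i.e. the nested-group layout Christophe warns about.
    "cn=tomcat-admin,ou=Groups,dc=example,dc=com": {
        "cn": ["tomcat-admin"],
        "uniqueMember": ["cn=wiki-editors,ou=Groups,dc=example,dc=com"],
    },
}

ROLE_BASE = "ou=Groups,dc=example,dc=com"


def _under_base(dn, base, subtree):
    """roleSubtree="true" searches the whole subtree under roleBase;
    "false" only matches entries whose immediate parent is roleBase."""
    if subtree:
        return dn.lower().endswith("," + base.lower())
    parent = dn.split(",", 1)[1] if "," in dn else ""
    return parent.lower() == base.lower()


def direct_groups(member_dn, role_search_attr="uniqueMember",
                  role_base=ROLE_BASE, role_subtree=True):
    """Entries under roleBase whose roleSearch attribute lists member_dn.
    This is the single search JNDIRealm performs for roleSearch="(attr={0})"."""
    return [dn for dn, attrs in DIRECTORY.items()
            if _under_base(dn, role_base, role_subtree)
            and member_dn in attrs.get(role_search_attr, [])]


def jndirealm_roles(user_dn, role_name_attr="cn", **search):
    """Roles as JNDIRealm resolves them: one level only, no recursion."""
    roles = set()
    for gdn in direct_groups(user_dn, **search):
        roles.update(DIRECTORY[gdn].get(role_name_attr, []))
    return sorted(roles)


def nested_roles(user_dn, role_name_attr="cn", **search):
    """Roles with recursive group expansion (what JNDIRealm does NOT do).
    Walks group-of-groups upward; `seen` guards against membership cycles."""
    roles, seen, frontier = set(), set(), [user_dn]
    while frontier:
        dn = frontier.pop()
        for gdn in direct_groups(dn, **search):
            if gdn in seen:
                continue
            seen.add(gdn)
            roles.update(DIRECTORY[gdn].get(role_name_attr, []))
            frontier.append(gdn)
    return sorted(roles)


def user_attribute_roles(user_dn, user_role_name="memberOf"):
    """The userRoleName path from Jim's message: role names are read from
    an attribute on the user entry. In this model the values are used
    verbatim, so an AD-style memberOf yields full group DNs as role names."""
    return sorted(DIRECTORY.get(user_dn, {}).get(user_role_name, []))


def container_principals(roles):
    """What JSPWiki's policy sees for a logged-in user: the container roles
    plus the built-in "Authenticated" role that every authenticated user gets."""
    return sorted(set(roles) | {"Authenticated"})


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    print("JNDIRealm    :", jndirealm_roles(alice))    # ['wiki-editors']
    print("recursive    :", nested_roles(alice))       # ['tomcat-admin', 'wiki-editors']
    print("userRoleName :", user_attribute_roles(alice))
    print("principals   :", container_principals(jndirealm_roles(alice)))
```

Running it shows the gap Christophe describes: alice is a member of wiki-editors, and wiki-editors is a member of tomcat-admin, yet the one-level lookup that JNDIRealm performs never yields "tomcat-admin", so a jspwiki.policy grant for that role would not apply to her. Flattening the group (listing users directly in each group) or deriving the role from an attribute on the user entry, as Jim suggests, avoids depending on nesting.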