incubator-jspwiki-user mailing list archives

From Brian Burch <br...@PingToo.com>
Subject Re: LDAP Authentication?
Date Sun, 24 Apr 2011 19:19:43 GMT
On 24/04/11 17:50, Brian Bowling wrote:
> Hi Brian,
> I have been looking at adding LDAP authentication to my jspwiki implementation also,
> so this was very helpful. Would it be possible for you to post a sample LDIF entry for a
> user or two?

I should start by saying that I use the apacheds project for my ldap 
server. I used to use the iPlanet/Sun/Fedora directory server and it has 
taken me a while to come to terms with the more modern (standards 
conformant) schema and access control mechanisms in apacheds. (I'm not 
at the bleeding edge - I've been using 1.5.4 in production for nearly 2 
years). The last time I looked, most of the alternatives are 
incompatible in these important areas, but I'll offer mine and you'll 
have to convert if necessary (you'll get the general idea).

I have a lot of SIP mods in my directory, so I "stole" some "spare" 
oid's from the SIP space...

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 0.0.8.350.1.1.6.1.20
      NAME 'tomcatRole'
      DESC 'the name of a tomcat security role'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 0.0.8.350.1.1.6.2.80
      NAME 'tomcatRoleAllowed'
      DESC 'tomcatRoleAllowed aux object'
      SUP top AUXILIARY
      MAY tomcatRole
    )

I'll leave it to you to define an authenticator user entry and suitable 
ACI's (because they are not critical to getting something working). I 
have a group called ldapAuths and define ACI's to say what they can and 
can't do. My tomcat container authenticator is a member of that group, 
so it can read a wider range of sensitive attributes than it actually 
needs, but it can't change anything.

Here is how I give a typical user permission to access jspwiki:

dn: uid=testUser1,ou=People,o=PingToo.com
changetype: modify
replace: objectclass
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectclass: tomcatRoleAllowed
-
replace: tomcatRole
tomcatRole: tomcat
tomcatRole: family
tomcatRole: photoview
tomcatRole: wikiuser
-
replace: userpassword
# tomcat is setup for SHA digests but can't handle multiple hashes
userPassword: {SHA}nvRBAtZQFzdRld1vS1TWlBb6kuQ=

Don't be afraid - the best way to eat an elephant is one bite at a time!

Regards,

Brian
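As an added example that is not part of Brian's message: a small Python script showing the two checks a consumer of these entries makes, that a user's tomcatRole values only count once the tomcatRoleAllowed auxiliary class is on the entry (otherwise the server rejects the attribute), and how the {SHA} userPassword value is generated and verified, with the salted {SSHA} form alongside because unsalted {SHA} gives identical hashes for identical passwords. The LDIF record and the password used in the test are constructed sample values, not the original entry.

```python
import base64, hashlib, hmac

# Constructed LDIF modify record shaped like the one in the post (sample values only).
SAMPLE_LDIF = """\
dn: uid=testUser1,ou=People,o=PingToo.com
changetype: modify
replace: objectclass
objectClass: inetOrgPerson
objectclass: tomcatRoleAllowed
-
replace: tomcatRole
tomcatRole: tomcat
tomcatRole: wikiuser
-
"""

def parse_ldif_values(ldif_text):
    """Attribute values keyed by lower-cased name (LDAP names are case-insensitive);
    comment lines and the '-' change separator are skipped."""
    values = {}
    for line in ldif_text.splitlines():
        if line and not line.startswith("#") and line != "-":
            name, _, value = line.partition(":")
            values.setdefault(name.lower(), []).append(value.strip())
    return values

def tomcat_roles(ldif_text):
    """tomcatRole values, but only if the auxiliary class tomcatRoleAllowed is present;
    without it no object class permits the attribute and the server rejects the modify."""
    values = parse_ldif_values(ldif_text)
    if "tomcatroleallowed" not in {c.lower() for c in values.get("objectclass", [])}:
        return set()
    return set(values.get("tomcatrole", []))

def ldap_password_hash(password, salt=None):
    """RFC 2307 userPassword value: unsalted {SHA} (as in the post) when salt is None,
    otherwise {SSHA}, which stores sha1(password + salt) followed by the salt."""
    h = hashlib.sha1(password.encode("utf-8"))
    if salt is None:
        return "{SHA}" + base64.b64encode(h.digest()).decode("ascii")
    h.update(salt)
    return "{SSHA}" + base64.b64encode(h.digest() + salt).decode("ascii")

def verify_ldap_password(password, stored):
    """Constant-time check of a cleartext password against a {SHA} or {SSHA} value."""
    scheme, _, b64 = stored.partition("}")
    if scheme not in ("{SHA", "{SSHA"):
        return False
    salt = base64.b64decode(b64)[20:] if scheme == "{SSHA" else None  # SHA-1 digest = 20 bytes
    return hmac.compare_digest(ldap_password_hash(password, salt).encode(), stored.encode())
```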
