incubator-jspwiki-user mailing list archives

From Mark Craig <mark.cr...@gmail.com>
Subject Re: LDAP Authentication?
Date Mon, 25 Apr 2011 13:56:56 GMT
On Sun, Apr 24, 2011 at 9:19 PM, Brian Burch <brian@pingtoo.com> wrote:

> On 24/04/11 17:50, Brian Bowling wrote:
>
>> Hi Brian,
>> I have been looking at adding LDAP authentication to my jspwiki
>> implementation also, so this was very helpful.  Would it be possible for you
>> to post a sample LDIF entry for a user or two?
>>
>
> I should start by saying that I use the apacheds project for my ldap
> server. I used to use the iPlanet/Sun/Fedora directory server and it has
> taken me a while to come to terms with the more modern (standards
> conformant) schema and access control mechanisms in apacheds. (I'm not at
> the bleeding edge - I've been using 1.5.4 in production for nearly 2 years).
> The last time I looked, most of the alternatives are incompatible in these
> important areas, but I'll offer mine and you'll have to convert if necessary
> (you'll get the general idea).
>
> I have a lot of SIP mods in my directory, so I "stole" some "spare" oid's
> from the SIP space...
>
> dn: cn=schema
> changetype: modify
> add: attributetypes
> attributetypes: ( 0.0.8.350.1.1.6.1.20
>     NAME 'tomcatRole'
>     DESC ' the name of a tomcat security role'
>     EQUALITY caseIgnoreMatch
>     SUBSTR caseIgnoreSubstringsMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
>
> dn: cn=schema
> changetype: modify
> add: objectclasses
> objectclasses: ( 0.0.8.350.1.1.6.2.80
>     NAME 'tomcatRoleAllowed'
>     DESC 'tomcatRoleAllowed aux object'
>     SUP top AUXILIARY
>     MAY tomcatRole
>   )
>
>
OpenDJ (and I think OpenDS, too) does not recognize "SUBSTR
caseIgnoreSubstringsMatch" in the attribute type definition.

I put the following in a file called
99-tomcat-roles.ldif<http://mcraig.org/ldif/99-tomcat-roles.ldif>,
copied it to OpenDJ/config/schema, and it seemed to work for me. (YMMV
copying LDIF out of email, hence the link.)

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
attributeTypes: ( 0.0.8.350.1.1.6.1.20 NAME 'tomcatRole' DESC 'the
name of a tomcat security role' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 0.0.8.350.1.1.6.2.80 NAME 'tomcatRoleAllowed' DESC
'tomcatRoleAllowed aux object' SUP top AUXILIARY MAY tomcatRole )

Regards,
Mark


> I'll leave it to you to define an authenticator user entry and suitable
> ACI's (because they are not critical to getting something working). I have a
> group called ldapAuths and define ACI's to say what they can and can't do.
> My tomcat container authenticator is a member of that group, so it can read
> a wider range of sensitive attributes than it actually needs, but it can't
> change anything.
>
> Here is how I give a typical user permission to access jspwiki:
>
> dn: uid=testUser1,ou=People,o=PingToo.com
> changetype: modify
> replace: objectclass
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectclass: tomcatRoleAllowed
> -
> replace: tomcatRole
> tomcatRole: tomcat
> tomcatRole: family
> tomcatRole: photoview
> tomcatRole: wikiuser
> -
> replace: userpassword
> # tomcat is setup for SHA digests but can't handle multiple hashes
> userPassword: {SHA}nvRBAtZQFzdRld1vS1TWlBb6kuQ=
>
> Don't be afraid - the best way to eat an elephant is one bite at a time!
>
> Regards,
>
> Brian
>
>

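Added example for the two LDIF fragments in this thread (it is not code from the thread, from ApacheDS or from OpenDJ): a small Python checker that unfolds LDIF the way the schema file above is folded, reads the tomcatRole attribute type and the tomcatRoleAllowed object class out of it, and reports the common mistake of putting tomcatRole on a user entry without also adding the tomcatRoleAllowed auxiliary class (the directory rejects that write with an objectClass violation). It also verifies a {SHA} userPassword of the form Brian's entry uses. The OIDs and names are the thread's; the schema file text, the user entry, its dn and its password are constructed for the example, and the regular expressions only cover the simple NAME/MAY syntax seen here, not the full RFC 4512 grammar.

```python
import base64
import hashlib
import hmac
import re

# Constructed schema file in the shape of 99-tomcat-roles.ldif; continuation
# lines start with a space, which LDIF strips when joining (RFC 2849).
SAMPLE_SCHEMA = """\
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
attributeTypes: ( 0.0.8.350.1.1.6.1.20 NAME 'tomcatRole'
  DESC 'the name of a tomcat security role'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 0.0.8.350.1.1.6.2.80 NAME 'tomcatRoleAllowed'
  DESC 'tomcatRoleAllowed aux object' SUP top AUXILIARY MAY tomcatRole )
"""

def parse_ldif(text):
    """Records as lists of (attribute, value): folded lines joined, comments
    and modify separators ('-') skipped, '::' base64 values decoded."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:   # folded line: drop the lead space
            logical[-1] += line[1:]
        else:
            logical.append(line)
    records, current = [], []
    for line in logical + [""]:
        if not line:
            if current:
                records.append(current)
            current = []
        elif not (line.startswith("#") or line == "-"):
            name, _, value = line.partition(":")
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.append((name.strip(), value.strip()))
    return records

_DEF = re.compile(r"\(\s*([\d.]+)\s+NAME\s+'([^']+)'")
_MAY = re.compile(r"\bMAY\s+(?:\(\s*([^)]*)\)|(\w+))")

def parse_schema(record):
    """Attribute-type name -> OID, and objectClass name -> its MAY list
    (names lower-cased, because LDAP names are case-insensitive)."""
    attrs, classes = {}, {}
    for attr, value in record:
        m = _DEF.search(value)
        if not m:
            continue
        oid, name = m.groups()
        if attr.lower() == "attributetypes":
            attrs[name.lower()] = oid
        elif attr.lower() == "objectclasses":
            may = _MAY.search(value)
            listed = (may.group(1) or may.group(2)) if may else ""
            classes[name.lower()] = [x.strip().lower() for x in listed.split("$") if x.strip()]
    return attrs, classes

def entry_problems(record, attrs, classes):
    """Custom attributes (those the schema file defines) used by the entry but
    permitted by none of its objectClass values, e.g. tomcatRole without
    tomcatRoleAllowed; the server would refuse the write."""
    present = [v.lower() for a, v in record if a.lower() == "objectclass"]
    allowed = {m for c in present for m in classes.get(c, [])}
    problems = []
    for attr, _ in record:
        if attr.lower() in attrs and attr.lower() not in allowed:
            msg = f"{attr}: not allowed by any objectClass of the entry"
            if msg not in problems:
                problems.append(msg)
    return problems

def make_sha_userpassword(plaintext):
    """The {SHA} form used in the thread: base64 of an unsalted SHA-1 digest.
    Unsalted SHA-1 is cheap to precompute; prefer {SSHA} or a modern scheme
    wherever the consuming application can verify it."""
    digest = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def verify_userpassword(stored, candidate):
    """Constant-time comparison of a candidate against a {SHA} userPassword."""
    if stored[:5].upper() != "{SHA}":
        raise ValueError("only the {SHA} scheme is handled here")
    digest = base64.b64decode(stored[5:])
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode("utf-8")).digest())

# Constructed user entry (made-up dn and password) in the shape of Brian's example.
USER_ENTRY = f"""\
dn: uid=exampleUser,ou=People,o=example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectclass: tomcatRoleAllowed
sn: User
tomcatRole: tomcat
tomcatRole: wikiuser
userPassword: {make_sha_userpassword("example-only-password")}
"""

if __name__ == "__main__":
    attrs, classes = parse_schema(parse_ldif(SAMPLE_SCHEMA)[0])
    user = parse_ldif(USER_ENTRY)[0]
    print("problems:", entry_problems(user, attrs, classes) or "none")
    print("password ok:", verify_userpassword(dict(user)["userPassword"], "example-only-password"))
```

Running the file prints "problems: none" for the sample entry; deleting the objectclass: tomcatRoleAllowed line and running again shows the objectClass violation the directory would raise, which is the quickest way to see why the auxiliary class has to travel with the attribute.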