jspwiki-user mailing list archives

From Brian Burch <br...@PingToo.com>
Subject Re: LDAP Authentication?
Date Sun, 24 Apr 2011 19:19:43 GMT
On 24/04/11 17:50, Brian Bowling wrote:
> Hi Brian,
> I have been looking at adding LDAP authentication to my jspwiki implementation also,
> so this was very helpful. Would it be possible for you to post a sample LDIF entry for a
> user or two?

I should start by saying that I use the apacheds project for my ldap 
server. I used to use the iPlanet/Sun/Fedora directory server and it has 
taken me a while to come to terms with the more modern (standards 
conformant) schema and access control mechanisms in apacheds. (I'm not 
at the bleeding edge - I've been using 1.5.4 in production for nearly 2 
years). The last time I looked, most of the alternatives are 
incompatible in these important areas, but I'll offer mine and you'll 
have to convert if necessary (you'll get the general idea).

I have a lot of SIP mods in my directory, so I "stole" some "spare" 
OIDs from the SIP space...

# <attribute-OID> and <objectclass-OID> are placeholders: the archive did not
# preserve the original OIDs, so substitute ones from your own arc.
# The SYNTAX OID is Directory String (RFC 4517); it was also missing from the
# archived copy and is assumed here.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( <attribute-OID>
      NAME 'tomcatRole'
      DESC 'the name of a tomcat security role'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( <objectclass-OID>
      NAME 'tomcatRoleAllowed'
      DESC 'tomcatRoleAllowed aux object'
      SUP top
      AUXILIARY
      MAY tomcatRole )

I'll leave it to you to define an authenticator user entry and suitable 
ACIs (because they are not critical to getting something working). I 
have a group called ldapAuths and define ACIs to say what they can and 
can't do. My tomcat container authenticator is a member of that group, 
so it can read a wider range of sensitive attributes than it actually 
needs, but it can't change anything.

Here is how I give a typical user permission to access jspwiki:

dn: uid=testUser1,ou=People,o=PingToo.com
changetype: modify
replace: objectClass
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: tomcatRoleAllowed
-
replace: tomcatRole
tomcatRole: tomcat
tomcatRole: family
tomcatRole: photoview
tomcatRole: wikiuser
-
replace: userPassword
# tomcat is set up for SHA digests but can't handle multiple hashes
userPassword: {SHA}nvRBAtZQFzdRld1vS1TWlBb6kuQ=
-

Don't be afraid - the best way to eat an elephant is one bite at a time!
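As an added example (not part of the original post or of jspwiki/apacheds), the script below parses LDIF content records in the shape the "replace" above produces, checks that any entry carrying tomcatRole also carries the tomcatRoleAllowed auxiliary class (the condition a schema-checking server enforces), and shows how the {SHA} userPassword values the post relies on are built and verified. {SHA} is unsalted SHA-1, so two users with the same password get byte-identical hashes; the salted {SSHA} form beside it removes that property and is verified the same way. The sample entries, the o=example.com suffix and all function names are constructed for this example.

```python
"""Added example: LDIF role check and {SHA}/{SSHA} userPassword handling.
Sample data and the o=example.com suffix are constructed, not from the post."""
import base64
import hashlib
import hmac
import os

# Constructed sample: two content records in the shape the post's modify
# produces after it is applied. The second entry deliberately lacks the
# auxiliary class, so a schema-checking server would reject its tomcatRole.
SAMPLE_LDIF = """\
dn: uid=testUser1,ou=People,o=example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: tomcatRoleAllowed
tomcatRole: tomcat
tomcatRole: wikiuser

# second entry: tomcatRole without tomcatRoleAllowed
dn: uid=testUser2,ou=People,o=example.com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
tomcatRole: wikiuser
"""


def parse_ldif(text):
    """Parse LDIF content records into a list of {attr-lowercase: [values]}.
    Handles '#' comments, folded continuation lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def roles_for(entry):
    """Tomcat security roles granted to one parsed entry."""
    return entry.get("tomcatrole", [])


def entries_missing_aux_class(entries):
    """DNs that carry tomcatRole without the tomcatRoleAllowed object class."""
    bad = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "tomcatrole" in entry and "tomcatroleallowed" not in classes:
            bad.append(entry["dn"][0])
    return bad


def make_sha_password(plain):
    """{SHA}: base64 of an unsalted SHA-1 digest (what the post's entry uses)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(plain.encode()).digest()).decode()


def make_ssha_password(plain, salt=None):
    """{SSHA}: SHA-1 over password+salt, stored as base64(digest + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(plain.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_password(stored, plain):
    """Check a plaintext against a {SHA} or {SSHA} userPassword value."""
    scheme, _, data = stored.partition("}")
    blob = base64.b64decode(data)
    if scheme == "{SHA":
        return hmac.compare_digest(blob, hashlib.sha1(plain.encode()).digest())
    if scheme == "{SSHA":
        digest, salt = blob[:20], blob[20:]     # SHA-1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(plain.encode() + salt).digest())
    raise ValueError("unsupported password scheme: %s}" % scheme)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for entry in entries:
        print(entry["dn"][0], "->", roles_for(entry))
    print("missing tomcatRoleAllowed:", entries_missing_aux_class(entries))
    print(make_sha_password("example"), make_ssha_password("example"))
```

Run it against an export of your own People subtree (ldapsearch -LLL output is plain LDIF) to list who holds the wikiuser role and to catch entries where the role attribute was added without the auxiliary class.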