From: Steve McCain
Date: Fri, 18 Apr 2008 12:09:11 +0100
To: user@roller.apache.org
Subject: ldap authentication & authorisation
Message-ID: <48088157.301@bradford.ac.uk>

By using the Sample LDAP/RollerDB hybrid config in the security.xml file supplied with Roller 4.0 I have users being authenticated by ldap while their authorisation remains under the control of the database (users and roles). So far so good.

I work in a university and would like to restrict access to roller to staff only. We have a 'staff' group in our ldap so I'm looking at how I could use group membership to do this.

To test this out I've created a 'register' group with myself as a uniqueMember. I've changed the LdapAuthenticationProvider bean to use a DefaultLdapAuthoritiesPopulator instead of the AuthoritiesPopulator (id=jdbcAuthoritiesPopulator) as in the supplied security.xml. I now get 403 errors when I try to log in.

How do I trace what roller is sending to ldap? Am I barking up the wrong tree entirely with this approach? Have I crippled roller's ability to get user/role info from the database by not using the AuthoritiesPopulator bean?

Can anyone suggest a way of configuring roller to use ldap group membership for a broad-brush access control while control of which users can contribute to which blog is controlled by the database?

thanks

Steve
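The split the post describes (LDAP group as a coarse gate, database roles for per-blog authorisation) can be expressed as a single populator that consults both, shown here as an added example that is not part of the post or of Roller's own code. It assumes the Acegi 1.0.x LdapAuthoritiesPopulator interface that Roller 4.0's security.xml wires into LdapAuthenticationProvider, that Roller's jdbcAuthoritiesPopulator bean implements that same interface, and that the gating group surfaces as the authority name "ROLE_STAFF" (DefaultLdapAuthoritiesPopulator's default prefix and upper-casing of a group called "staff"); the class and package name are hypothetical.

```java
package example.security; // hypothetical package, not part of Roller

import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;

/**
 * Gate on LDAP group membership first, then take the real roles from
 * the database populator. A user outside the required group receives
 * no authorities at all, so Roller denies access before any database
 * role is consulted; a user inside it is authorised exactly as before.
 */
public class GroupGatedAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // e.g. a DefaultLdapAuthoritiesPopulator searching the group subtree
    private final LdapAuthoritiesPopulator groupPopulator;
    // Roller's own jdbcAuthoritiesPopulator bean (assumed to implement this interface)
    private final LdapAuthoritiesPopulator dbPopulator;
    // authority that marks group membership, e.g. "ROLE_STAFF" (assumed name)
    private final String requiredAuthority;

    public GroupGatedAuthoritiesPopulator(LdapAuthoritiesPopulator groupPopulator,
                                          LdapAuthoritiesPopulator dbPopulator,
                                          String requiredAuthority) {
        this.groupPopulator = groupPopulator;
        this.dbPopulator = dbPopulator;
        this.requiredAuthority = requiredAuthority;
    }

    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails user) {
        GrantedAuthority[] groupRoles = groupPopulator.getGrantedAuthorities(user);
        if (!hasAuthority(groupRoles, requiredAuthority)) {
            // Not in the staff group: no authorities, whatever the database says.
            return new GrantedAuthority[0];
        }
        // In the group: per-blog permissions still come from the database.
        return dbPopulator.getGrantedAuthorities(user);
    }

    static boolean hasAuthority(GrantedAuthority[] roles, String wanted) {
        if (roles == null) return false;
        for (int i = 0; i < roles.length; i++) {
            if (wanted.equals(roles[i].getAuthority())) return true;
        }
        return false;
    }
}
```

Wired in place of the populator reference inside the LdapAuthenticationProvider bean, this keeps the database as the only source of blog-level roles. To see what is actually sent to the directory while testing, raising the log level of the org.acegisecurity loggers to DEBUG in Roller's log4j configuration shows the bind DN and group search the populator performs.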