Very nice work David! Thank you very much!

My example is tested with Tomcat 6 (where the debug attribute does not exist anymore). For Intranets, may I suggest the SSO valve in the <Host> element of Tomcat's server.xml:

    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

In the MS$ World, what we need to do (intranet Wiki):

1) replace NTLM Authentication (phased out by Microsoft and hated by my network admin) switching to SPNEGO+Kerberos Authentication. This implies JAAS Realm (and not JNDI) + standard Sun Kerberos LoginModule.
   http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberosConfigOnly
2) I did not succeed up to now to have Kerberos authentication without ever showing a login form to the user (but most of them already disappeared)
3) Standard Sun Kerberos LoginModule does not provide ANY role after authentication: those have to be added by LDAP queries.
   a) Basic example: http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberosLoginModule
   b) LDAP queries example: http://www.pramati.com/docstore/1270002/index.htm
4) So I need to merge both to create a Krb5LDAPLoginModule able to authenticate with Kerberos and get roles from LDAP. Roles will have to be obtained recursively to allow groups of groups in Active Directory (this may have to be cached, or are user principals already cached?)

If anybody knows better examples to start with than those given above, please let me know! (I am so surprised nothing simple has been published before)

Have a nice day!
Christophe

-----Original Message-----
From: David Gao [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 March 2008 10:37
To: [email protected]
Subject: Re: LDAP groups

Hi,

I added a wiki page about LDAP authentication on jspwiki.org based on Christophe's config and mine. Here goes the link:
http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP

-------- Original Message --------

To be fully precise, this is what we use:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="CN=Ldaplogin,OU=EDP Login,OU=All Users XP,DC=poison,DC=in"
           connectionPassword="***secret***"
           connectionURL="ldap://domaincontroller-host:389"
           userBase="OU=All Users XP,DC=domain"
           userSubtree="true"
           userSearch="([EMAIL PROTECTED])"
           userRoleName="memberOf"
           roleBase="CN=Groups,DC=domain"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(member={0})" />

(this because we use the e-mail as the login identifier)

By the way, BEWARE: recursive groups are NOT supported by org.apache.catalina.realm.JNDIRealm: your users will NOT inherit from roles (groups) containing the groups within which your users are placed.

Good luck!
Christophe

-----Original Message-----
From: David Gao [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 March 2008 6:53
To: [email protected]
Subject: Re: LDAP groups

Andrew,

My configuration just works fine. Every user in the dedicated LDAP group can log in to JSPWiki with the proper access rights defined in the security policy.

-------- Original Message --------

David --

Your configuration looks fine. Does it work for you? It looks like it should...

Milt

JSPWiki does have a role called "Authenticated" that is granted to *every* user who successfully authenticates, regardless of the method used to authenticate (container-based or custom). "Authenticated" is the role name you should use in the jspwiki.policy file to denote authenticated users, and indeed, its name cannot be changed. It's what we call a "built-in" role, along with the "Anonymous" and "Asserted" roles. It might help you to think of these as "states" rather than logical roles.

In addition to granting privileges to built-in roles (states), you can grant privileges to specific container-managed roles (such as those returned by an LDAP lookup). These are entered as grant blocks in jspwiki.policy. These container roles must also be entered into web.xml, preferably as "security-role" elements, or as "auth-constraint/role-name" elements. David has done both of these things in his examples: in jspwiki.policy you see a permission grant for the container role "tomcat-admin", and a corresponding auth-constraint/role-name element for "tomcat-admin" in web.xml.

Milt, if I've failed to answer your (implied) question, please let me know and we can investigate further.

Andrew

On Mar 5, 2008, at 5:45 PM, David Gao wrote:

Hi Milton,

I did not change the policy for "Authenticated" as I think jspwiki may need that internally. Hope my configuration below may help.

Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One Directory Server):

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://localhost:389"
           connectionName="cn=Directory Manager"
           connectionPassword="password"
           userPassword="userPassword"
           userPattern="uid={0}, ou=People,dc=example,dc=com"
           roleBase="ou=Groups,dc=example,dc=com"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(uniqueMember={0})" />

----------------------------------------------------------------------------
JSPWiki web.xml

Security constraint:

    <auth-constraint>
        <role-name>tomcat-admin</role-name>
        <role-name>LGE-SH</role-name>
        ...................

    <security-role>
        <description>
            This logical role includes all administrative users
        </description>
        <role-name>tomcat-admin</role-name>
    </security-role>

-------------------------------------------------------------------------------
Security policy: (added the following as a new entry, no new policy added for other LDAP groups)

    grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
        permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
    };

-------- Original Message --------

Can I just clarify that it is not possible to "rename" the Authenticated role in the policy file in order to map it to something else in the LDAP directory? Last time I investigated this, it seemed that jspwiki expected there to be a role named "Authenticated" that the user was a member of, regardless of what the policy file might call this role.

Andrew Jaquith wrote:

David - your simple example works much better than my long-winded explanation might have. :) Nice one.

Ryan - the important point here is that you can add container roles to your security policy file using the syntax in David's example. You can use container roles in wiki page ACLs, too. To make this work, you need to make sure you have a "role" element in your web.xml for each LDAP group you are referencing.

Andrew

On Mar 5, 2008, at 16:59, David Gao <[EMAIL PROTECTED]> wrote:

--
David Gao ([EMAIL PROTECTED])
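Two points in the thread above are worth seeing side by side: Christophe's warning that JNDIRealm's roleSearch="(member={0})" only returns the groups a user is a direct member of, and his plan for a Krb5LDAPLoginModule that resolves "groups of groups" recursively (with caching). The following Python example is added here for illustration and is not JSPWiki, Tomcat or any list member's code. It models an Active Directory subtree as a constructed in-memory dictionary (group DN to its member attribute; all DNs are hypothetical), shows what the direct lookup yields next to the transitive result, and handles the two things a real resolver must get right: DN comparison is case-insensitive, and a membership cycle between groups must not loop forever.

```python
"""Direct vs. nested (transitive) LDAP group resolution.

Added example for the JSPWiki "LDAP groups" thread; not project code.
SAMPLE_GROUPS is a constructed stand-in for an AD subtree: each key is a
group DN, each value is the group's 'member' attribute (list of DNs).
"""
from collections import deque

# Constructed sample directory (hypothetical DNs, not taken from the thread).
SAMPLE_GROUPS = {
    "CN=wiki-editors,CN=Groups,DC=example,DC=com": [
        "CN=alice,OU=All Users XP,DC=example,DC=com",
    ],
    "CN=wiki-admins,CN=Groups,DC=example,DC=com": [
        "CN=wiki-editors,CN=Groups,DC=example,DC=com",   # a group of groups
    ],
    "CN=tomcat-admin,CN=Groups,DC=example,DC=com": [
        "CN=wiki-admins,CN=Groups,DC=example,DC=com",
        "CN=bob,OU=All Users XP,DC=example,DC=com",
    ],
    # A membership cycle (AD allows this); the resolver must terminate.
    "CN=loop-a,CN=Groups,DC=example,DC=com": [
        "CN=loop-b,CN=Groups,DC=example,DC=com",
    ],
    "CN=loop-b,CN=Groups,DC=example,DC=com": [
        "CN=loop-a,CN=Groups,DC=example,DC=com",
        "CN=alice,OU=All Users XP,DC=example,DC=com",
    ],
}


def norm_dn(dn):
    """Case-fold and trim a DN for comparison: LDAP DN matching ignores case
    and whitespace around RDN separators. Simplified: escaped commas inside
    an RDN value are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rdn_value(dn):
    """The value of the first RDN, i.e. what roleName="cn" hands to the
    container (original case preserved, because jspwiki.policy and web.xml
    role names are compared case-sensitively)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def build_index(directory):
    """Normalise the directory into {group_dn_norm: (role_name, {member_dn_norm})}."""
    return {
        norm_dn(group_dn): (rdn_value(group_dn), {norm_dn(m) for m in members})
        for group_dn, members in directory.items()
    }


def direct_roles(directory, user_dn):
    """What a single roleSearch="(member={0})" returns: direct groups only."""
    target = norm_dn(user_dn)
    index = build_index(directory)
    return sorted(name for name, members in index.values() if target in members)


def nested_roles(directory, user_dn, cache=None):
    """Transitive closure of group membership (breadth-first), with cycle
    protection via the `seen` set. `cache` (optional dict keyed by
    normalised user DN) memoises results, as the thread suggests for a
    login module that would otherwise query LDAP on every login."""
    key = norm_dn(user_dn)
    if cache is not None and key in cache:
        return cache[key]
    index = build_index(directory)
    seen = set()                # normalised DNs of groups already found
    queue = deque([key])
    while queue:
        dn = queue.popleft()
        # One "(member=<dn>)" search per dequeued DN in a real module.
        for group_dn, (_, members) in index.items():
            if dn in members and group_dn not in seen:
                seen.add(group_dn)      # visited: a cycle cannot re-enqueue it
                queue.append(group_dn)  # then find groups containing this group
    roles = sorted(index[g][0] for g in seen)
    if cache is not None:
        cache[key] = roles
    return roles


if __name__ == "__main__":
    alice = "CN=alice,OU=All Users XP,DC=example,DC=com"
    print("direct :", direct_roles(SAMPLE_GROUPS, alice))
    print("nested :", nested_roles(SAMPLE_GROUPS, alice))
```

For alice the direct lookup yields only loop-b and wiki-editors, while the nested resolution also yields wiki-admins, tomcat-admin and loop-a; a policy grant on "tomcat-admin" therefore applies to her only if the realm or login module resolves nesting. Each level of the breadth-first search corresponds to one "(member=<dn>)" search, which is the query JNDIRealm issues exactly once. As a separate fact about Active Directory not mentioned in the thread: AD's LDAP_MATCHING_RULE_IN_CHAIN filter, "(member:1.2.840.113556.1.4.1941:=<userDN>)", makes the server compute the transitive closure in one query, which avoids both the per-level round trips and the cycle handling in client code.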
