Wyllys - Which LDAP server?

-jim
Jim Willeke

On Thu, Mar 26, 2009 at 9:31 AM, Wyllys Ingersoll <[email protected]> wrote:

> My LDAP record does have a field that identifies groups within the company,
> "departmentnumber".
>
> I guess I need to figure out how to set up my server.xml to turn those
> values into Roles that JSPWiki can recognize.
>
> My big issue with this whole thing is that JSPWiki seems to assume that you
> must have this group/role mapping stuff. It already knows that my users
> are authenticated; why isn't that good enough, or why can it not
> automatically map those authenticated users to the "Authenticated" role?
>
> -Wyllys
>
> TruptiP wrote:
>
>> Hi Wyllys,
>>
>> There may be different names given to groups in your LDAP. In every
>> organization they may set a different Name for a Rule.
>>
>> e.g. company name is = IBM
>>
>> then there may be roles
>>
>> IBMGroups = IBMALL
>> IBMGroups = IBMDevelopment
>> IBMGroups = IBMSupport
>> IBMGroups = IBMResearch
>>
>> Now here, every employee may be a member of 1 or many groups.
>> IBMALL contains all employees. So an employee is a member of IBMALL and also
>> a member of a group according to department.
>>
>> So while retrieving the role, you need to use IBMGroups, and while giving rights
>> in web.xml of JSPWiki you need to use IBMALL or IBMDevelopment etc.
>>
>> Now, find out which Role you are going to use (e.g. memberOf or
>> ObjectClass).
>> I hope this will help you.
>>
>> Regards,
>> Trupti Patil
>>
>> Wyllys Ingersoll wrote:
>>
>>> I'm not clear on the issue of roles and groups when authenticating to
>>> LDAP.
>>>
>>> My LDAP server does not return that data for any users. I can query the
>>> full LDAP record for myself and there are no "role" or "group" values of
>>> any kind.
>>>
>>> How do I force either the container or the application to map any
>>> authenticated user to a "group" that JSPWiki will recognize?
>>>
>>> -Wyllys
>>>
>>> TruptiP wrote:
>>>
>>>> Hi Wyllys,
>>>>
>>>> I forgot to mention a part from web.xml of JSPWiki.
>>>>
>>>> You have to use the RoleName (which you extract from LDAP authentication; in
>>>> my previous mail I have given the example of groups (abc, pqr)).
>>>> Now we consider abc as a group with admin rights. So in web.xml of
>>>> JSPWiki:
>>>>
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Administrative Area</web-resource-name>
>>>>     <url-pattern>/Delete.jsp</url-pattern>
>>>>   </web-resource-collection>
>>>>
>>>>   <auth-constraint>
>>>>     <role-name>abc</role-name>
>>>>   </auth-constraint>
>>>>
>>>>   <!-- <user-data-constraint>
>>>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>   </user-data-constraint> -->
>>>> </security-constraint>
>>>>
>>>> We consider the pqr group as authenticated, then:
>>>>
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Authenticated area</web-resource-name>
>>>>     <url-pattern>/Edit.jsp</url-pattern>
>>>>     <url-pattern>/Comment.jsp</url-pattern>
>>>>     <url-pattern>/Login.jsp</url-pattern>
>>>>     <url-pattern>/NewGroup.jsp</url-pattern>
>>>>     <url-pattern>/Rename.jsp</url-pattern>
>>>>     <url-pattern>/Upload.jsp</url-pattern>
>>>>     <http-method>DELETE</http-method>
>>>>     <http-method>GET</http-method>
>>>>     <http-method>HEAD</http-method>
>>>>     <http-method>POST</http-method>
>>>>     <http-method>PUT</http-method>
>>>>   </web-resource-collection>
>>>>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Read-only Area</web-resource-name>
>>>>     <url-pattern>/attach</url-pattern>
>>>>     <http-method>DELETE</http-method>
>>>>     <http-method>POST</http-method>
>>>>     <http-method>PUT</http-method>
>>>>   </web-resource-collection>
>>>>
>>>>   <auth-constraint>
>>>>     <role-name>pqr</role-name>
>>>>   </auth-constraint>
>>>>
>>>>   <!-- <user-data-constraint>
>>>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>   </user-data-constraint> -->
>>>> </security-constraint>
>>>>
>>>> If you do not take care of extracting the RoleName from LDAP and using it
>>>> properly in web.xml, then you will get that error.
>>>>
>>>> Don't use the Admin and Authenticated roles which are given by JSPWiki in
>>>> web.xml.
>>>>
>>>> Question - If you don't know the connection name and password, then how have you
>>>> implemented LDAP authentication currently? If you are able to do LDAP
>>>> authentication then just try to retrieve the UserRoleName. It will solve
>>>> your problem.
>>>>
>>>> Regards,
>>>> Trupti
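For readers following the thread, here is an added server.xml illustration (not posted by anyone in this thread) of how a per-user attribute such as Wyllys' departmentnumber, or a group entry as in Trupti's memberOf case, is turned into container roles that the web.xml `<role-name>` entries above can match. It assumes Tomcat's JNDIRealm, since the thread only says "server.xml"; the LDAP host, base DNs, attribute name and bind account are placeholders.

```xml
<!-- Added example, not from the thread. Assumes Tomcat JNDIRealm.
     Host, DNs and the bind account are PLACEHOLDERS for your directory. -->

<!-- Case 1 (Wyllys): the role lives in the user's own entry.
     userRoleName turns every value of that attribute into a role name,
     so departmentNumber=Development yields the container role "Development". -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       connectionName="cn=tomcat-reader,ou=service,dc=example,dc=com"
       connectionPassword="PLACEHOLDER-bind-password"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       userRoleName="departmentNumber" />

<!-- Case 2 (Trupti): roles live in group entries (one or the other Realm,
     not both). roleSearch is run with {0} = the authenticated user's DN,
     and the group's cn becomes the role name. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       connectionName="cn=tomcat-reader,ou=service,dc=example,dc=com"
       connectionPassword="PLACEHOLDER-bind-password"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />

<!-- web.xml: every role produced by the Realm that an <auth-constraint>
     refers to must also be declared here, spelled identically. -->
<security-role>
  <role-name>Development</role-name>
</security-role>
```

Two checks worth making before relying on this: the bind account named in connectionName needs only read access to the user and group subtrees, and the attribute chosen for userRoleName must not be writable by the users themselves, otherwise a user could change the roles the container grants them.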
