Araya:
 The LDAP User manager I wrote can be (and is) used to replace Orion's
default user manager.  In the next few days, I should be finishing a
tutorial for orionsupport.com on how to compile and install the LDAP User
Manager.  However, I will try to provide some more detailed information
here.
  I have only tested the LDAP User Manager with OpenLdap.  A few people
have reported that it does work with other LDAP directories and even
Active Directories.  Thus, this information should work for others.
  After downloading and unpacking the LDAP User Manager (hereafter
abbreviated lum/LUM because I am truly lazy), there should be a
'build.xml' located in the LUM's unpacked directory.  You will probably
need to edit only one line of this file- specifically line 8
which reads '<property name="orionhome" value="/opt/orion" />'.  Change
the value section to point to your orion installation.  This is necessary
in order to build the LUM.
  Once you have done this, run the 'ant' command
(http://jakarta.apache.org).  This should compile all the necessary
classes and copy the needed resource files.  This will be located in the
newly created "bin" subdirectory.  Inside the "bin" subdirectory, you will
find everything that you need to run the LUM.
  First, copy the "linjafoo.jar" file to Orion's lib directory.  (I know,
I know, I should probably have the build script do this automatically but
I have a number of other Orion enhancements that I will soon release and
don't want to overwrite this file.)
  The other file is the orion-application.xml.sample file.  This file
gives a breakdown of all the properties needed for the LUM to operate
correctly.  If you are replacing the default UM, you will need to cut
and paste the information to the $ORION/config/application.xml file.
  Here is a brief description of each property:
        -ldapAdminPassword =  the LDAP server's administrator account's
password
        -ldapAdminUser = the LDAP server's administrator account's fully
qualified name
        -authType = authentication type (it currently only does
cleartext/simple authentication)
        -baseDN = the base DN for the LDAP tree
        -searchBase = the DN to search from for users and groups
        -serverHost = LDAP server's name or IP address
        -serverPort = LDAP server's port
        -defaultUserOrgUnit = location where users are created by default
(this is only applicable when creating users via Orion's GUI console)
        -defaultGroupOrgUnit = location where groups are created by
default (this is only applicable when creating groups via Orion's GUI
console)
        -orionAdminUser = default orion admin user which creates a
user object returned from the method getAdminUser in the LUM (*see NOTE)
        -orionAdminPassword = default orion admin user's password which
creates a user object returned from the method getAdminUser in the LUM
(*see NOTE)
        -orionAnonymousUser = default orion anonymous user which creates a
user object returned from the method getAnonymousUser in the LUM
        -orionAnonymousPassword = default orion anonymous user's password
which creates a user object returned from the method getAnonymousUser in
the LUM

        *NOTE: Does this mean that this is the only admin?  Hell no.  Any
user which belongs to an orion group given an orion permission named
"administration" can be an administrator.  This may be part of the cause
of your specific problems.

  OK, now begins the fun part- the LDAP server itself.  When I started
writing the LUM, I wanted to have a way to deem which users and groups
could be used by the LUM.  Furthermore, I needed an attribute for groups
which defined one or more permissions.  Thus, the answer is what is found in
the "$LUM/bin/openldap/" directory.  There, you will find a file named
"orion.schema".
  This file does three things for the OpenLDAP server.
        1. Creates an attributetype named "orionPermission" which is used
by LDAP groups to define their Orion permission ('administration',
'rmi:login', etc.)
        2. Creates an object class called orionGroup (which basically
extends groupOfUniqueNames - aka. a traditional LDAP group object).
        3. Creates an object class called orionUser (which basically
extends inetOrgPerson)
        (Remember that an LDAP object can be of multiple types- both
inetOrgPerson and orionUser or groupOfUniqueNames and orionGroup!)

  Any LDAP user which needs to be visible from Orion (really the LUM)
needs to be of type orionUser.  And any LDAP group which needs to be
visible from Orion needs to be of type orionGroup.

  Even if you are *not* using OpenLDAP, by implementing these three
requirements for your specific LDAP server, you should be able to use the
LUM.

  If you have any more questions, please feel free to e-mail me either via
this list or directly.  Also, any suggestions, requests, patches, etc. are
always welcome!



-matthew porter

PS: Sorry for the delay in replying, I was in Alaska away from computers
and the rest of civilization.
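The visibility and permission rules Matthew describes (only orionUser entries are users, only orionGroup entries grant anything, and any member of a group carrying orionPermission "administration" is an administrator), worked through as an added example that is not part of the post or the LUM code. It parses a constructed LDIF snapshot with hypothetical DNs instead of querying a live server, and reports the effective Orion administrators.

```python
from collections import defaultdict
# Constructed sample directory snapshot; all DNs are hypothetical.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: orionUser
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: orionGroup
orionPermission: administration
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com

dn: cn=rmi,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
orionPermission: rmi:login
uniqueMember: uid=alice,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser (no line folding, no base64): {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key.lower()].append(value)   # attribute names are case-insensitive
        entries[attrs["dn"][0]] = attrs
    return entries

def effective_permissions(entries):
    """Orion permissions each LUM-visible (orionUser) user inherits via orionGroup entries."""
    users = {dn for dn, a in entries.items() if "orionUser" in a["objectclass"]}
    perms = {dn: set() for dn in users}
    for a in entries.values():
        if "orionGroup" in a["objectclass"]:      # plain groupOfUniqueNames is ignored
            for member in a["uniquemember"]:
                if member in users:               # non-orionUser members are invisible
                    perms[member].update(a["orionpermission"])
    return perms

def orion_admins(entries):
    return sorted(dn for dn, p in effective_permissions(entries).items() if "administration" in p)
```

Note that bob sits in the admins group but is not an orionUser, so he cannot log in at all, and alice's rmi:login is dropped because that group was never made an orionGroup; both are the "user/password rejected" situations the schema requirements produce.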





On Thu, 9 Aug 2001, Araya Danilo wrote:

> Hello!
> I'm trying to have the LDAP user manager that Matthew Porter published
> working together with an orion server.
> Is there somebody here that already installed it and has it working
> successfully?
>
> I have been trying to set it up with the default application
> to restrict access using basic authentication...
> but the dialog box rejects all user/password pair...
>
> Can somebody give me a little help?
>
> Best regards.
>
> Danilo Araya
>
>
>