Hi Dave,
I've followed your instructions, and all works fine.

Eric 

-----Original Message-----
From: Dave [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 1 February 2007 15:33
To: [email protected]
Subject: Documenting Roller/LDAP setup

We gained some SSO options back in the 3.0 timeframe, but we never got any 
documentation (please correct me if I am wrong) about how to set up Roller to 
take advantage of those options.

By using those SSO options and tweaking the LDAP configuration in Acegi 
security.xml, it is possible to get Roller working with LDAP.
With this setup, when a new user registers for Roller we are able to pull her 
user information from LDAP and set up a new Roller account for her. We 
authenticate against LDAP (where passwords are stored) and keep user info 
in Roller.

With our current setup, I believe here's how things should work:

1) Enable SSO option
Define a roller-custom.properties file, override the users.sso.enabled option 
like so:
        users.sso.enabled=true

2) Uncomment the LDAP section in Acegi security.xml
Uncomment the section that begins with:
    <!-- Sample LDAP/RollerDB hybrid security configuration

3) Protect the user registration page via Acegi security.xml
In the XML for the filterInvocationInterceptor bean, add the user registration 
page to the list of URL patterns in the objectDefinitionSource as shown below. 
The new line is the one that reads "/roller-ui/user.do*=register".

What does this do? It requires the user to have the role "register" in order to 
view the user registration page. Therefore the user is shown the login page and 
expected to enter their LDAP username and password
-- but we don't tell them that so it's pretty confusing. Once they log in, we 
know their user info so we are able to pre-populate the user registration form 
with information from LDAP.

    <bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
         <property name="objectDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
                /roller-ui/login-redirect.jsp=admin,editor
                /roller-ui/yourProfile**=admin,editor
                /roller-ui/createWebsite**=admin,editor
                /roller-ui/yourWebsites**=admin,editor
                /roller-ui/authoring/**=admin,editor
                /roller-ui/admin/**=admin
                /roller-ui/user.do*=register
                /rewrite-status*=admin
            </value>
        </property>
    </bean>

4) Enable LDAP authentication provider via security.xml
In the XML for the authenticationManager bean, comment out the DAO provider and 
add in the LDAP provider, as shown below:

    <bean id="authenticationManager"
class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <!-- <ref local="daoAuthenticationProvider"/> -->
                <ref local="ldapAuthProvider"/>
                <ref local="anonymousAuthenticationProvider"/>
                <!-- rememberMeAuthenticationProvider added programmatically -->
            </list>
        </property>
    </bean>

But that's not all I had to do. I also had to do this:

5) Add LDAP username and password to Acegi security.xml
I've got my LDAP server (OpenDS - https://opends.dev.java.net/ ) set up to 
require authentication. So I had to add two new properties to the 
initialDirContextFactory bean, as shown below:

   <bean id="initialDirContextFactory"
class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
      <constructor-arg value="ldap://localhost:1389/dc=example,dc=com"/>
      <property name="managerDn">
        <value>cn=Directory Manager</value>
      </property>
      <property name="managerPassword">
        <value>password</value>
      </property>
    </bean>

6) Change LDAP user search to use uid instead of email in Acegi security.xml
In the ldapUserSearch bean, I changed mail={0} to uid={0}. Not sure, but maybe 
uid is a better default than mail for most users.

    <bean id="ldapUserSearch"
class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
      <constructor-arg index="0">
        <value></value>
      </constructor-arg>
      <constructor-arg index="1">
        <value>uid={0}</value>
      </constructor-arg>
      <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
      </constructor-arg>
      <property name="searchSubtree">
        <value>true</value>
      </property>
    </bean>

7) Java code change in
Added "request.getSession().invalidate();" after line 186 in NewUserAction, as 
shown below. Without this change, the user will remain logged in, but with only 
the role "register". The user will have to close his browser and restart before 
being able to login with their new account.

            } else {
                // User registered, so go to welcome page
                request.setAttribute("contextURL",
                        RollerRuntimeConfig.getAbsoluteContextURL());
                request.getSession().invalidate();
                return mapping.findForward("welcome.page");
            }

To solve those problems above, I'd like to change security.xml to include 
comments explaining what needs to be done. I'd like to make that code change in 
#7 and I'd like to write up a nice friendly wiki page explaining how to 
configure Roller and LDAP.

Any comments or suggestions?

- Dave
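As an added check (not part of Dave's message or of Roller's own code), the script below parses a constructed security.xml modelled on the snippets in steps 3, 4 and 5 and verifies that the registration page requires the "register" role, that the LDAP provider is active and the DAO provider is commented out, and whether a literal manager bind password sits in the file. Bean ids and property names are those from the message; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the message's snippets (not Roller's real file).
# ElementTree drops XML comments, so a commented-out <ref> counts as inactive.
SAMPLE_SECURITY_XML = """<beans>
  <bean id="filterInvocationInterceptor">
    <property name="objectDefinitionSource"><value>
        PATTERN_TYPE_APACHE_ANT
        /roller-ui/authoring/**=admin,editor
        /roller-ui/admin/**=admin
        /roller-ui/user.do*=register
    </value></property>
  </bean>
  <bean id="authenticationManager">
    <property name="providers"><list>
        <!-- <ref local="daoAuthenticationProvider"/> -->
        <ref local="ldapAuthProvider"/>
    </list></property>
  </bean>
  <bean id="initialDirContextFactory">
    <constructor-arg value="ldap://localhost:1389/dc=example,dc=com"/>
    <property name="managerPassword"><value>password</value></property>
  </bean>
</beans>"""

def parse_url_roles(root):
    """Map each Ant URL pattern in objectDefinitionSource to its set of roles."""
    text = root.findtext(".//bean[@id='filterInvocationInterceptor']"
                         "/property[@name='objectDefinitionSource']/value") or ""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("PATTERN_TYPE"):
            pattern, roles = line.split("=", 1)
            rules[pattern] = {r.strip() for r in roles.split(",")}
    return rules

def audit(xml_text):
    """Report whether steps 3-5 of the LDAP setup are in effect in this file."""
    root = ET.fromstring(xml_text)
    rules = parse_url_roles(root)
    providers = [ref.get("local") for ref in root.findall(
        ".//bean[@id='authenticationManager']/property/list/ref")]
    pw = root.findtext(".//bean[@id='initialDirContextFactory']"
                       "/property[@name='managerPassword']/value")
    return {
        "registration_requires_register_role": rules.get("/roller-ui/user.do*") == {"register"},
        "ldap_provider_active": "ldapAuthProvider" in providers,
        "dao_provider_disabled": "daoAuthenticationProvider" not in providers,
        "manager_password_in_file": bool(pw),  # bind password stored literally in config
    }
```

Run `audit()` over the real security.xml to confirm the edits took effect; a True for manager_password_in_file is a reminder that the directory manager credentials live in plain text in the config.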