Hi all,
As far as my last issues are with my ldap configuration, and no more
with Roller, here are the elements i can give you today to set up an
identification with LDAP on Roller.
First of all, you must know that the jar delivered with Roller are not
really "up-to-date".
- So first, you have to download the Acegi 1.0.0 (not the RC1), and
spring 2.0-m4.
- In your WEB-INF/lib, remove the old acegi jar (RC1 named one) and copy
the new one from your download.
- Open the spring 2.0-m4 jar file, and extract only the
org\springframework\dao\EmptyResultDataAccessException.class (with this
same path to your WEB-INF/classes folder.
Now we have our file, we will have to make some small changes to the
security.xml file.
- First, as far as the html filter has been reviewed in the new Acegi
jar, you must change your filter list in the filter chain bean. To do
that, look for the definition of this bean at the beginning of the
security.xml "filterChainProxy"
In this bean, you must have the chain of filters applyed to every
request. At the very end of this chain, you should find the
"securityEnforcementFilter". Replace it with those two new filters :
"exceptionTranslationFilter,filterSecurityInterceptor"
Now your bean must be :
<bean id="filterChainProxy"
class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,r
ememberMeProcessingFilter,channelProcessingFilter,remoteUserFilter,anony
mousProcessingFilter,exceptionTranslationFilter,filterInvocationIntercep
tor
</value>
</property>
</bean>
- Then, we must define those two new filters, and remove the old one. To
do that, in the security.xml file, look for the
<bean id="securityEnforcementFilter", and remove the whole bean.
- Add this bean at its place :
<bean id="exceptionTranslationFilter"
class="org.acegisecurity.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint"
ref="authenticationProcessingFilterEntryPoint"/>
</bean>
- The filterInvocationInterceptor Bean should be already defined (it was
used by the old securityEnforcementFilter).
Just check it.
At this point, you should be able to start Roller, and it should work in
its initial configuration. Please check it. If it doesn't work now, it
won't work after ;)
Ok, now, let's set up the ldap authentication.
- First, we must tell Roller to try an LDAP authentification first, then
try in the database, and then, an anonymous.
The tries in database and anonymous are already set up, so we just have
to add the ldap one.
So, in the security.xml file, look for the bean which id is
"authenticationManager", and add as the first tag of the <list> this one
: <ref local="ldapAuthProvider"/>
It should look like :
<bean id="authenticationManager"
class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref local="ldapAuthProvider"/>
<ref local="daoAuthenticationProvider"/>
<ref local="anonymousAuthenticationProvider"/>
<!-- rememberMeAuthenticationProvider added
programmatically -->
</list>
</property>
</bean>
- We are very near from the end now! As you can imagine, we now have to
set up the ldapAuthProvider!
Here it is. Some fields has to be changed to match your own ldap
configuration :
<bean id="ldapAuthProvider"
class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
<constructor-arg>
<bean
class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"
>
<constructor-arg><ref
local="initialDirContextFactory"/></constructor-arg>
<property name="userDnPatterns"><list><value>uid={0} [ERIC'S
NOTES : CHANGE IT?]</value></list></property>
</bean>
</constructor-arg>
<constructor-arg>
<bean
class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthorities
Populator">
<constructor-arg><ref
local="initialDirContextFactory"/></constructor-arg>
<constructor-arg><value>ou=groups</value></constructor-arg>
<property
name="groupRoleAttribute"><value>ou</value></property>
</bean>
</constructor-arg>
</bean>
- and finally, you have to set up the initialDirContextFactory used
here. Put it BEFORE the ldapAuthProvider bean :
<bean id="initialDirContextFactory"
class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
<constructor-arg value="ldap://ldap.url...[TO BE
CHANGED]:389/dc=[TO BE CHANGED],[dc, dn, whatever you need]"/>
<!-- <property
name="managerDn"><value>dc=pasteur,dc=aventis,dc=com</value></property>
<property
name="managerPassword"><value>password</value></property> -->
[ERIC'S NOTE : uncomment if your LDAP need authentication]
</bean>
- Now, this should work.
Hope this will help some of you ;)
Eric
-------------------------------------------------------------------------------------------
"Cette communication (y compris les pieces jointes) est reservee a l'usage
exclusif du destinataire (des destinataires) et peut contenir des informations
privilegiees, confidentielles, exemptees de divulgation selon la loi ou
protegees par les droits d'auteur. Si vous n'etes pas un destinataire, toute
utilisation, divulgation, distribution, reproduction, examen ou copie (totale
ou partielle) est non-autorisee et peut etre illegale. Tout message
electronique est susceptible d'alteration et son integrite ne peut etre
assuree. Sanofi Pasteur decline toute responsabilite au titre de ce message
s'il a ete modifie ou falsifie. Si vous n'etes pas destinataire de ce message,
merci de le detruire immediatement et d'avertir l'expediteur de l'erreur de
distribution et de la destruction du message. Merci.
This transmission (including any attachments) is intended solely for the use of
the addressee(s) and may contain confidential information including trade
secrets which are privileged, confidential, exempt from disclosure under
applicable law and/or subject to copyright. If you are not an intended
recipient, any use, disclosure, distribution, reproduction, review or copying
(either whole or partial) is unauthorized and may be unlawful. E-mails are
susceptible to alteration and their integrity cannot be guaranteed.Sanofi
Pasteur shall not be liable for this e-mail if modified or falsified. If you
are not the intended recipient of this e-mail, please delete it immediately
from your system and notify the sender of the wrong delivery and the mail
deletion. Thank you."
**********************************************************************
