On 6/19/06, Matt Raible <[EMAIL PROTECTED]> wrote:
Thanks for the details Eric. If you use a snapshot of Acegi Security,
you don't need Spring 2.0-m4. I'm using Acegi 1.0.1 with Spring 1.2.8
on my own site and its working fine. I'll try to commit this to HEAD
today so it goes into the next release. After that, you should simply
need to use your LDAP instructions in your e-mail.
Dave/Allen - where should I check this in? branches/roller_3.0 or trunk/HEAD?
Matt
Thanks - this should probably go on the wiki or in the User Guide at some point.
Do you also have instructions for setting up LDAP? Which server are you using?
Matt
On 6/19/06, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> Hi all,
>
> As far as my last issues are with my ldap configuration, and no more
> with Roller, here are the elements i can give you today to set up an
> identification with LDAP on Roller.
>
> First of all, you must know that the jar delivered with Roller are not
> really "up-to-date".
> - So first, you have to download the Acegi 1.0.0 (not the RC1), and
> spring 2.0-m4.
> - In your WEB-INF/lib, remove the old acegi jar (RC1 named one) and copy
> the new one from your download.
> - Open the spring 2.0-m4 jar file, and extract only the
> org\springframework\dao\EmptyResultDataAccessException.class (with this
> same path to your WEB-INF/classes folder.
>
> Now we have our file, we will have to make some small changes to the
> security.xml file.
> - First, as far as the html filter has been reviewed in the new Acegi
> jar, you must change your filter list in the filter chain bean. To do
> that, look for the definition of this bean at the beginning of the
> security.xml "filterChainProxy"
> In this bean, you must have the chain of filters applyed to every
> request. At the very end of this chain, you should find the
> "securityEnforcementFilter". Replace it with those two new filters :
> "exceptionTranslationFilter,filterSecurityInterceptor"
>
> Now your bean must be :
> <bean id="filterChainProxy"
> class="org.acegisecurity.util.FilterChainProxy">
> <property name="filterInvocationDefinitionSource">
> <value>
> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> PATTERN_TYPE_APACHE_ANT
>
> /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,r
> ememberMeProcessingFilter,channelProcessingFilter,remoteUserFilter,anony
> mousProcessingFilter,exceptionTranslationFilter,filterInvocationIntercep
> tor
> </value>
> </property>
> </bean>
>
> - Then, we must define those two new filters, and remove the old one. To
> do that, in the security.xml file, look for the
> <bean id="securityEnforcementFilter", and remove the whole bean.
>
> - Add this bean at its place :
> <bean id="exceptionTranslationFilter"
> class="org.acegisecurity.ui.ExceptionTranslationFilter">
> <property name="authenticationEntryPoint"
> ref="authenticationProcessingFilterEntryPoint"/>
> </bean>
>
> - The filterInvocationInterceptor Bean should be already defined (it was
> used by the old securityEnforcementFilter).
> Just check it.
>
>
> At this point, you should be able to start Roller, and it should work in
> its initial configuration. Please check it. If it doesn't work now, it
> won't work after ;)
>
> Ok, now, let's set up the ldap authentication.
> - First, we must tell Roller to try an LDAP authentification first, then
> try in the database, and then, an anonymous.
> The tries in database and anonymous are already set up, so we just have
> to add the ldap one.
> So, in the security.xml file, look for the bean which id is
> "authenticationManager", and add as the first tag of the <list> this one
> : <ref local="ldapAuthProvider"/>
> It should look like :
> <bean id="authenticationManager"
> class="org.acegisecurity.providers.ProviderManager">
> <property name="providers">
> <list>
> <ref local="ldapAuthProvider"/>
> <ref local="daoAuthenticationProvider"/>
> <ref local="anonymousAuthenticationProvider"/>
> <!-- rememberMeAuthenticationProvider added
> programmatically -->
> </list>
> </property>
> </bean>
>
> - We are very near from the end now! As you can imagine, we now have to
> set up the ldapAuthProvider!
> Here it is. Some fields has to be changed to match your own ldap
> configuration :
>
> <bean id="ldapAuthProvider"
>
> class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
> <constructor-arg>
> <bean
> class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"
> >
> <constructor-arg><ref
> local="initialDirContextFactory"/></constructor-arg>
> <property name="userDnPatterns"><list><value>uid={0} [ERIC'S
> NOTES : CHANGE IT?]</value></list></property>
> </bean>
> </constructor-arg>
> <constructor-arg>
> <bean
> class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthorities
> Populator">
> <constructor-arg><ref
> local="initialDirContextFactory"/></constructor-arg>
> <constructor-arg><value>ou=groups</value></constructor-arg>
> <property
> name="groupRoleAttribute"><value>ou</value></property>
> </bean>
> </constructor-arg>
> </bean>
>
> - and finally, you have to set up the initialDirContextFactory used
> here. Put it BEFORE the ldapAuthProvider bean :
> <bean id="initialDirContextFactory"
>
> class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
> <constructor-arg value="ldap://ldap.url...[TO BE
> CHANGED]:389/dc=[TO BE CHANGED],[dc, dn, whatever you need]"/>
> <!-- <property
> name="managerDn"><value>dc=pasteur,dc=aventis,dc=com</value></property>
> <property
> name="managerPassword"><value>password</value></property> -->
> [ERIC'S NOTE : uncomment if your LDAP need authentication]
> </bean>
>
>
> - Now, this should work.
>
> Hope this will help some of you ;)
>
> Eric
>
-------------------------------------------------------------------------------------------
> "Cette communication (y compris les pieces jointes) est reservee a l'usage
exclusif du destinataire (des destinataires) et peut contenir des informations
privilegiees, confidentielles, exemptees de divulgation selon la loi ou protegees par
les droits d'auteur. Si vous n'etes pas un destinataire, toute utilisation,
divulgation, distribution, reproduction, examen ou copie (totale ou partielle) est
non-autorisee et peut etre illegale. Tout message electronique est susceptible
d'alteration et son integrite ne peut etre assuree. Sanofi Pasteur decline toute
responsabilite au titre de ce message s'il a ete modifie ou falsifie. Si vous n'etes
pas destinataire de ce message, merci de le detruire immediatement et d'avertir
l'expediteur de l'erreur de distribution et de la destruction du message. Merci.
> This transmission (including any attachments) is intended solely for the use of
the addressee(s) and may contain confidential information including trade secrets which
are privileged, confidential, exempt from disclosure under applicable law and/or
subject to copyright. If you are not an intended recipient, any use, disclosure,
distribution, reproduction, review or copying (either whole or partial) is unauthorized
and may be unlawful. E-mails are susceptible to alteration and their integrity cannot
be guaranteed.Sanofi Pasteur shall not be liable for this e-mail if modified or
falsified. If you are not the intended recipient of this e-mail, please delete it
immediately from your system and notify the sender of the wrong delivery and the mail
deletion. Thank you."
> **********************************************************************
>
>
