Thanks
Eric
-----Original Message-----
From: Matt Raible [mailto:[EMAIL PROTECTED]
Sent: Monday 19 June 2006 19:30
To: [email protected]
Subject: Re: Roller LDAP Support : solution?
On 6/19/06, Matt Raible <[EMAIL PROTECTED]> wrote:
> Thanks for the details Eric. If you use a snapshot of Acegi Security,
> you don't need Spring 2.0-m4. I'm using Acegi 1.0.1 with Spring 1.2.8
> on my own site and its working fine. I'll try to commit this to HEAD
> today so it goes into the next release. After that, you should simply
> need to use your LDAP instructions in your e-mail.
Dave/Allen - where should I check this in? branches/roller_3.0 or trunk/HEAD?
Matt
>
> Thanks - this should probably go on the wiki or in the User Guide at some point.
>
> Do you also have instructions for setting up LDAP? Which server are you using?
>
> Matt
>
> On 6/19/06, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> > Hi all,
> >
> > Since my remaining issues are with my LDAP configuration and no longer
> > with Roller, here are the elements I can give you today to set up
> > authentication with LDAP on Roller.
> >
> > First of all, you must know that the jars delivered with Roller are
> > not really "up to date".
> > - So first, you have to download Acegi 1.0.0 (not the RC1) and
> > Spring 2.0-m4.
> > - In your WEB-INF/lib, remove the old Acegi jar (the one named RC1) and
> > copy in the new one from your download.
> > - Open the Spring 2.0-m4 jar file and extract only
> > org\springframework\dao\EmptyResultDataAccessException.class (with
> > the same path) to your WEB-INF/classes folder.
> >
> > Now that we have our files, we will have to make some small changes to the
> > security.xml file.
> > - First, since the HTML filter has been revised in the new
> > Acegi jar, you must change your filter list in the filter chain
> > bean. To do that, look for the definition of this bean at the
> > beginning of security.xml: "filterChainProxy".
> > In this bean, you must have the chain of filters applied to every
> > request. At the very end of this chain, you should find the
> > "securityEnforcementFilter". Replace it with these two new filters:
> > "exceptionTranslationFilter,filterSecurityInterceptor"
> >
> > Now your bean must be:
> > <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
> >   <property name="filterInvocationDefinitionSource">
> >     <value>
> >       CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> >       PATTERN_TYPE_APACHE_ANT
> >       /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,rememberMeProcessingFilter,channelProcessingFilter,remoteUserFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
> >     </value>
> >   </property>
> > </bean>
> >
> > - Then, we must define those two new filters and remove the old
> > one. To do that, in the security.xml file, look for the
> > <bean id="securityEnforcementFilter"> and remove the whole bean.
> >
> > - Add this bean in its place:
> > <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
> >   <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
> > </bean>
> >
> > - The filterInvocationInterceptor bean should already be defined (it
> > was used by the old securityEnforcementFilter).
> > Just check it.
> >
> >
> > At this point, you should be able to start Roller, and it should
> > work in its initial configuration. Please check it. If it doesn't
> > work now, it won't work after ;)
> >
> > OK, now let's set up the LDAP authentication.
> > - First, we must tell Roller to try LDAP authentication first,
> > then the database, and then anonymous.
> > The database and anonymous attempts are already set up, so we just
> > have to add the LDAP one.
> > So, in the security.xml file, look for the bean whose id is
> > "authenticationManager", and add this as the first tag of the <list>:
> > <ref local="ldapAuthProvider"/>
> > It should look like:
> > <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
> >   <property name="providers">
> >     <list>
> >       <ref local="ldapAuthProvider"/>
> >       <ref local="daoAuthenticationProvider"/>
> >       <ref local="anonymousAuthenticationProvider"/>
> >       <!-- rememberMeAuthenticationProvider added programmatically -->
> >     </list>
> >   </property>
> > </bean>
> >
> > - We are very near the end now! As you can imagine, we now have
> > to set up the ldapAuthProvider!
> > Here it is. Some fields have to be changed to match your own LDAP
> > configuration:
> >
> > <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
> >   <constructor-arg>
> >     <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
> >       <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
> >       <property name="userDnPatterns">
> >         <list><value>uid={0}</value></list> <!-- [ERIC'S NOTES : CHANGE IT?] -->
> >       </property>
> >     </bean>
> >   </constructor-arg>
> >   <constructor-arg>
> >     <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
> >       <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
> >       <constructor-arg><value>ou=groups</value></constructor-arg>
> >       <property name="groupRoleAttribute"><value>ou</value></property>
> >     </bean>
> >   </constructor-arg>
> > </bean>
> >
> > - And finally, you have to set up the initialDirContextFactory used
> > here. Put it BEFORE the ldapAuthProvider bean:
> > <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
> >   <constructor-arg value="ldap://ldap.url...[TO BE CHANGED]:389/dc=[TO BE CHANGED],[dc, dn, whatever you need]"/>
> >   <!-- [ERIC'S NOTE : uncomment if your LDAP needs authentication]
> >   <property name="managerDn"><value>dc=pasteur,dc=aventis,dc=com</value></property>
> >   <property name="managerPassword"><value>password</value></property>
> >   -->
> > </bean>
> >
> >
> > - Now, this should work.
> >
> > Hope this will help some of you ;)
> >
> > Eric
> > --------------------------------------------------------------------
> > "This transmission (including any attachments) is intended solely for the use of
> > the addressee(s) and may contain confidential information including trade secrets which
> > are privileged, confidential, exempt from disclosure under applicable law and/or subject
> > to copyright. If you are not an intended recipient, any use, disclosure, distribution,
> > reproduction, review or copying (either whole or partial) is unauthorized and may be
> > unlawful. E-mails are susceptible to alteration and their integrity cannot be
> > guaranteed. Sanofi Pasteur shall not be liable for this e-mail if modified or falsified. If
> > you are not the intended recipient of this e-mail, please delete it immediately from your
> > system and notify the sender of the wrong delivery and the mail deletion. Thank you."
> > **********************************************************************
> >
> >
>
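As an added example (not code from the thread, Roller or Acegi), here is a small Python script that checks a hand-assembled security.xml for the slips this procedure invites: a filter name in the chain that matches no bean (the prose above says filterSecurityInterceptor, the pasted XML says filterInvocationInterceptor), the LDAP provider ending up after the database provider, a userDnPattern without the {0} placeholder, a plain ldap:// URL (BindAuthenticator binds with each user's own password, so that bind crosses the network unencrypted), and a literal managerPassword in the file. The sample XML, its host name and DNs, and the ${ldap.manager.password} placeholder (which assumes a Spring PropertyPlaceholderConfigurer bean that is not shown) are constructed for this example; the bean ids inspected are the ones the instructions use.

```python
"""Sanity checks for a hand-edited Acegi Security security.xml.  Added example,
not Roller or Acegi code; the bean ids it inspects are the ones used in the
thread's instructions, and the sample XML below is constructed for the demo."""
import xml.etree.ElementTree as ET

# Constructed sample.  It follows the instructions but (a) the filter chain
# names a bean the file never defines, (b) the directory URL is plain ldap://,
# and (c) the manager bind password sits in the file as a literal.
SAMPLE_SECURITY_XML = """<beans>
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=exceptionTranslationFilter,filterSecurityInterceptor
      </value>
    </property>
  </bean>
  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"/>
  <bean id="filterInvocationInterceptor"
        class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"/>
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="ldapAuthProvider"/>
        <ref local="daoAuthenticationProvider"/>
      </list>
    </property>
  </bean>
  <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://ldap.example.org:389/dc=example,dc=org"/>
    <property name="managerDn"><value>cn=roller,ou=services,dc=example,dc=org</value></property>
    <property name="managerPassword"><value>s3cret</value></property>
  </bean>
  <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
      <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
        <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
      </bean>
    </constructor-arg>
  </bean>
</beans>"""


def _prop(bean, name):
    """Text of <property name=...>, from its value attribute or a nested <value>."""
    for prop in bean.findall("property"):
        if prop.get("name") == name:
            return prop.get("value") or (prop.findtext("value") or "").strip()
    return None


def check_security_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.iter("bean") if b.get("id")}
    findings = []

    # 1. Every filter named in the chain must be a defined bean; a wrong name
    #    here only surfaces when the web application starts.
    chain = _prop(beans["filterChainProxy"], "filterInvocationDefinitionSource") or ""
    for line in chain.splitlines():
        if "=" not in line:
            continue
        pattern, names = line.strip().split("=", 1)
        for name in filter(None, (n.strip() for n in names.split(","))):
            if name not in beans:
                findings.append(f"chain {pattern}: filter bean '{name}' is not defined")

    # 2. Provider order: the instructions put LDAP ahead of the database provider.
    refs = [r.get("local") for r in beans["authenticationManager"].iter("ref")]
    if {"ldapAuthProvider", "daoAuthenticationProvider"} <= set(refs) and \
            refs.index("ldapAuthProvider") > refs.index("daoAuthenticationProvider"):
        findings.append("authenticationManager: ldapAuthProvider is listed after daoAuthenticationProvider")

    # 3. Transport: BindAuthenticator binds to the directory with each user's own
    #    password; over a plain ldap:// URL that bind travels in cleartext.
    ctx = beans["initialDirContextFactory"]
    url = ctx.find("constructor-arg").get("value") or ""
    if url.lower().startswith("ldap://"):
        findings.append(f"initialDirContextFactory: {url} is plain ldap://, user binds are unencrypted; use ldaps://")

    # 4. A literal manager password in security.xml is a credential on disk; a
    #    ${...} placeholder resolved from a protected properties file is not flagged.
    pw = _prop(ctx, "managerPassword")
    if pw and not pw.startswith("${"):
        findings.append("initialDirContextFactory: managerPassword is a literal in security.xml")

    # 5. Each userDnPattern needs the {0} placeholder that receives the login name.
    for prop in beans["ldapAuthProvider"].iter("property"):
        if prop.get("name") == "userDnPatterns":
            for v in prop.iter("value"):
                if "{0}" not in (v.text or ""):
                    findings.append(f"ldapAuthProvider: userDnPattern '{v.text}' has no {{0}} placeholder")
    return findings


def hardened(xml_text):
    """The same file with the three planted problems corrected, for comparison."""
    return (xml_text
            .replace("filterSecurityInterceptor", "filterInvocationInterceptor")
            .replace("ldap://ldap.example.org:389", "ldaps://ldap.example.org:636")
            .replace("<value>s3cret</value>", "<value>${ldap.manager.password}</value>"))


if __name__ == "__main__":
    for label, text in (("as written", SAMPLE_SECURITY_XML), ("hardened", hardened(SAMPLE_SECURITY_XML))):
        print(label, check_security_xml(text) or "OK")
```

Run it against your real security.xml by reading the file into check_security_xml; the hardened() helper only exists to show the corrected form of the constructed sample. The checks are deliberately conservative: they do not tell you which interceptor id is right for your Acegi build, only that the name in the chain must resolve to a bean that exists in the file.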