My two cents on LDAP SSO. How to set up LDAP:
1. Set up the LDAP-related configuration in security.xml. You need to provide your own URL, manager DN, password, and user search clause. My setting is posted here: http://www.mail-archive.com/[email protected]/msg01436.html
2. Add ldapAuthProvider to the Provider Manager list at the beginning of security.xml. This step is very important; it is not mentioned clearly in most documents.
3. If your LDAP uses SSL (most enterprise LDAPs do), you need to add the LDAP root certificate to your JVM's key store and start up with it. Refer to tomcat.apache.org for how to set up a Java keystore.
4. The Roller admin adds users via the UI.
5. The user should be able to log in using the LDAP password. But for a new user, automatic signup is still buggy as of 3.0 RC1... See my post here: http://www.mail-archive.com/[email protected]/msg01419.html

Steve Lihn

-----Original Message-----
From: Dave [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 03, 2006 11:35 AM
To: [email protected]
Subject: Re: LDAP/roller users uncertainty

On the topic of docs -- if somebody writes up a rough outline of the process to set up SSO via LDAP (or just a list of bullets in an email message), I'd be glad to try it out and write up some docs.

- Dave

On 10/3/06, Phil Wilson <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I know the LDAP/SSO docs are on the "to do" list, but in lieu of those, I could do with some
> clarification.
>
> http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ says that Roller users aren't
> created upon a successful first-time LDAP-backed login.
>
> Is this still the case in 2.1? i.e. if I wanted to roll out Roller across a large
> organisation, I'd have to make sure that all users existed in the Roller DB beforehand?
>
> Additionally, how does this work with the admin role in Roller? i.e. if I set up Roller
> with LDAP correctly, do I still need to set up a Roller user with admin rights, or can I
> specify the username and password of an LDAP user and they will be assigned the correct
> role?
> Again I presume this bumps into the "user must be in the Roller database to begin with"?
>
> Thanks for any help, and I hope I've not got the wrong end of the stick here.
>
> Cheers,
>
> Phil Wilson
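Steps 1 and 2 of Steve's list are the two pieces of the Acegi configuration in security.xml that have to agree with each other: the directory connection plus user search, and the ProviderManager that actually consults the LDAP provider. The fragment below is an added example of how those beans fit together for the Acegi 1.0 class names; it is not Roller's shipped security.xml and is not from any message in the thread. The bean ids, the ldaps:// URL, the base DNs, the bind account, the search filter, the group attribute and the role names are all assumptions to be replaced with your own directory's and your own security.xml's values.

```xml
<!-- Added example, not Roller's shipped security.xml. Bean ids, URL, DNs,
     filter, attribute names and role names are placeholders (assumptions). -->

<!-- Step 2: ldapAuthProvider must appear in this list, or it is never consulted.
     Putting it first means the directory is asked before any DB-backed provider. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="ldapAuthProvider"/>
      <!-- leave the existing DB provider (if any) after it as a fallback,
           or remove it to force every login through the directory -->
    </list>
  </property>
</bean>

<!-- Step 1: connection to the directory. ldaps:// only works once the directory's
     root CA is in the JVM trust store (step 3). The bind account needs read access
     for the user and group searches only; do not use a directory administrator. -->
<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg><value>ldaps://ldap.example.com:636/dc=example,dc=com</value></constructor-arg>
  <property name="managerDn">
    <value>cn=roller-bind,ou=service accounts,dc=example,dc=com</value>
  </property>
  <property name="managerPassword"><value>changeit</value></property>
</bean>

<!-- Step 1: the user search clause. {0} is replaced with the login name typed into
     Roller. Search on an attribute whose values are unique in the directory, otherwise
     two directory entries can resolve to the same Roller account. -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0"><value>ou=people</value></constructor-arg>
  <constructor-arg index="1"><value>(uid={0})</value></constructor-arg>
  <constructor-arg index="2"><ref bean="initialDirContextFactory"/></constructor-arg>
</bean>

<!-- The provider binds to the directory as the DN found by userSearch, using the
     password the user typed, so the password is verified by the directory and never
     compared inside Roller. -->
<bean id="ldapAuthProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref bean="initialDirContextFactory"/></constructor-arg>
      <property name="userSearch"><ref bean="userSearch"/></property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg><ref bean="initialDirContextFactory"/></constructor-arg>
      <constructor-arg><value>ou=groups</value></constructor-arg>
      <!-- group cn becomes the granted authority as-is; whether "editor" / "admin"
           are the role names your security.xml's intercept-url rules expect is an
           assumption you must check against your own file -->
      <property name="groupRoleAttribute"><value>cn</value></property>
      <property name="rolePrefix"><value></value></property>
      <property name="convertToUpperCase"><value>false</value></property>
      <!-- every directory user who authenticates gets at least this role; admin
           rights still depend on the account the Roller admin created in step 4 -->
      <property name="defaultRole"><value>editor</value></property>
    </bean>
  </constructor-arg>
</bean>
```

For step 3, the certificate can go into the JVM's default trust store with `keytool -import -trustcacerts -alias ldap-root -file ldap-root.cer -keystore $JAVA_HOME/jre/lib/security/cacerts` (default password `changeit`), or into a separate file that Tomcat is started with via `-Djavax.net.ssl.trustStore=/path/to/truststore.jks`; import only the directory's root CA, not the server certificate itself, so rotation of the server certificate does not break logins. Two quick checks after wiring this up: a login with a correct name and a wrong password must fail (if it succeeds, a DB-backed provider listed before ldapAuthProvider is answering instead of the directory), and a login by a directory user who has no Roller account must be refused at the Roller side, which is the "user must be in the Roller database to begin with" behaviour the thread describes.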
