Hi Dave,
please find comments below.
After finding a thread from August 2006 in roller-dev where Elias seems to
have done just what I need, I mailed him directly. Hopefully he will
provide the examples and doc he talked about.
Another question: where is the right place to post bugs in 3.1 RC1?
After getting this installed I might be able to provide something like
"How to install Roller in a corporate environment".
We are using LDAP v3 on Sun Directory Server.
Best regards,
Thomas
Dave <[EMAIL PROTECTED]> wrote on 30/11/2006 16:23:20:
> On 11/28/06, Thomas-W Hofmann <thomas-w.hofmann AT DB.com> wrote:
> > I am currently working to get Roller LDAP authentication to work in our
> > corporate environment.
> > I managed to get users authenticated using their email address (using the
> > username field) and LDAP password.
> >
> > Question: Once authentication is fine by LDAP, how does Roller retrieve
> > the user rights from the Roller DB?
> > I tried to change the select statements from daoauthentication to
> > "SELECT xxx WHERE mail=(0)" but this did not work.
>
> I haven't tried it myself but, with LDAP authentication I believe each
> user still has to register with Roller to establish an entry in the
> USER and ROLE tables. Which set of instructions (if any) did you use
> to get LDAP auth working? And out of curiosity, what LDAP server are
> you using?
>
I tried setting up a user in Roller first.
Username=emailaddress (found out about the undocumented property by
scanning lots of your source code).
Then the user logs in and authenticates correctly against LDAP, but 403 is
thrown because the roles are NOT retrieved from the Roller DB!
security.xml (the authorities populator sets the anonymous role as default;
your comment says it will fetch the correct role from the database):
<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldaps://ldaps.xx.xx:636/ou=people,ou=global,dc=xxxxxx,dc=com"/>
  <property name="managerDn">
    <value>uid=xxxxxxxxx,ou=Directory Administrators,dc=xxxxxxx,dc=com</value>
  </property>
  <property name="managerPassword"><value>password</value></property>
  <property name="extraEnvVars">
    <map>
      <entry>
        <key><value>java.naming.referral</value></key>
        <value>follow</value>
      </entry>
    </map>
  </property>
</bean>

<bean id="userSearch"
      class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0">
    <value/>
  </constructor-arg>
  <!-- For Active Directory use (mail={0}), or use (uid={0}) for OpenLDAP -->
  <constructor-arg index="1">
    <value>(mail={0})</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="initialDirContextFactory"/>
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>

<bean id="ldapAuthProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
      <property name="userSearch">
        <ref local="userSearch"/>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
      <constructor-arg><value></value></constructor-arg>
      <property name="groupRoleAttribute"><value>cn</value></property>
      <!-- use the role from your LDAP entry and set the role search for
           that, or use the default role as given below -->
      <!-- it won't give any problem as the actual roles will be
           used from the Roller DB only -->
      <property name="defaultRole"><value>anonymous</value></property>
    </bean>
  </constructor-arg>
</bean>
I worked on the SSO section but it's still disabled because I don't want to
use SSO, only authentication against LDAP.
#----------------------------------
# Single-Sign-On
# Enables Roller to behave differently when registering new users
# in an SSO-enabled environment. You must configure security.xml appropriately.
users.sso.enabled=false
# Set these properties for a custom LDAP schema (optional)
users.sso.registry.ldap.attributes.name=mail
users.sso.registry.ldap.attributes.email=mail
#users.sso.registry.ldap.attributes.locale=locale
#users.sso.registry.ldap.attributes.timezone=timezone
# If you don't want user credentials from LDAP/etc to be stored in Roller
# (possibly in clear-text) leave this alone, otherwise set to true,
# i.e. you would like a backup auth mechanism in case LDAP is down.
users.sso.passwords.save=false
# if you don't want passwords stored in DB, set this to the default value.
users.sso.passwords.defaultValue=<unknown>
users.sso.autoProvision.enabled=false
users.sso.autoProvision.className=org.apache.roller.ui.core.security.BasicUserAutoProvision
>
> > Other question: Why is there a restriction to the username not to include
> > spaces or anything except a-z, A-Z, 0-9?
> > It would help to use the email address as username (at least for our
> > environment)
>
> We want username to be a URL safe string, so we stick to a very safe
> ASCII subset, but this can be configured. You can set the allowed
> character string by setting the (apparently undocumented) property
> "username.allowedChars" in your roller-custom.properties file. The
> default is "A-Za-z0-9"
>
> - Dave
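The flow the thread is circling around, as an added illustration that is not Roller or Acegi code: authentication is decided by an LDAP user search plus bind, but authorization comes from a local role table that must contain the very same username the user typed. The in-memory directory, the `roller_user`/`roller_role` table names and the `{0}` filter template handling are all constructed stand-ins; the example also escapes the substituted value per RFC 4515 so a typed identifier can never change the filter's structure, and it returns 403 for a user the directory accepts but the local tables do not know.

```python
import sqlite3

# RFC 4515 escapes for values substituted into a filter such as "(mail={0})".
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before it is placed inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(template, identifier):
    """Substitute {0} in an Acegi-style filter template, e.g. '(mail={0})'."""
    return template.replace("{0}", escape_filter_value(identifier))


# Constructed stand-in for the directory: (search attribute, value) -> (DN, password).
FAKE_DIRECTORY = {
    ("mail", "alice@example.com"): ("uid=alice,ou=people,dc=example,dc=com", "alice-pw"),
    ("uid", "bob"): ("uid=bob,ou=people,dc=example,dc=com", "bob-pw"),
}


def ldap_bind_authenticate(search_filter, password):
    """Simulated user search followed by a bind as the located DN.

    Returns the DN on success, or None when no single entry matches the
    filter or the bind password is wrong (the search never matches a
    filter whose value was altered by escaping, which is the intent).
    """
    attr, _, value = search_filter.strip("()").partition("=")
    entry = FAKE_DIRECTORY.get((attr, value))
    if entry is None:
        return None
    dn, expected_password = entry
    return dn if password == expected_password else None


def make_roller_db():
    """Constructed stand-in for the local USER/ROLE tables (column names assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE roller_user (username TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE roller_role (username TEXT, rolename TEXT)")
    # alice registered with her e-mail address as username; bob never registered.
    db.executemany("INSERT INTO roller_user VALUES (?)",
                   [("alice@example.com",), ("carol",)])
    db.executemany("INSERT INTO roller_role VALUES (?, ?)",
                   [("alice@example.com", "editor"), ("carol", "admin")])
    return db


def roles_for(db, username):
    """Roles granted locally to the given username (empty list if unregistered)."""
    rows = db.execute("SELECT rolename FROM roller_role WHERE username = ?", (username,))
    return sorted(r for (r,) in rows)


def login(db, filter_template, username, password):
    """Return (http_status, roles).

    401: the directory rejected the credentials.
    403: the directory accepted them, but no local roles exist for that username.
    200: authenticated and authorized.
    """
    dn = ldap_bind_authenticate(build_user_search_filter(filter_template, username), password)
    if dn is None:
        return 401, []
    # The authorization lookup is keyed by the typed username, not by the DN,
    # so the local account must have been created under exactly that name.
    roles = roles_for(db, username)
    if not roles:
        return 403, []
    return 200, roles


if __name__ == "__main__":
    db = make_roller_db()
    print(login(db, "(mail={0})", "alice@example.com", "alice-pw"))   # (200, ['editor'])
    print(login(db, "(uid={0})", "bob", "bob-pw"))                     # (403, [])  known to LDAP only
    print(login(db, "(mail={0})", "alice@example.com", "wrong"))      # (401, [])
```

The 403 case for `bob` is the situation described above: the bind succeeds, but because nothing in the local tables is keyed by that username, no role is granted and the request is refused. Changing the directory filter from `mail` to `uid` without also changing what the local account is named under produces the same result.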