Re: LDAP Connection Error

2005-03-14 Thread Jacob Lund
One minute with 28.000 users - is that when you do a propfind on all users?
Also what realm are you using - I have been looking at the Krb5LoginModule
as described by Stefan Fromm. I was just wondering what experiences people
have with integrating with an AD.

/jacob
- Original Message - 
From: James Mason [EMAIL PROTECTED]
To: Slide Users Mailing List slide-user@jakarta.apache.org
Sent: Saturday, March 12, 2005 7:20 AM
Subject: RE: LDAP Connection Error


Just to elaborate (you've all probably figured this out by now), the
JNDIPrincipalStore actually *searches* your LDAP server for
users/groups. The configuration settings you give describe the search
parameters. The deciding factor on performance is how many results are
returned by the search. If you have a lot of users/groups Slide will
take a long time to start. It takes about a minute for me with 28,000
user accounts.
-James
On Mon, 2005-02-28 at 09:48 +, Miguel Figueiredo wrote:
Hello Jacob,
 The JNDIStore does not look for anything here. The configuration you give to
her tells her 'what is what, and where is it' ... Hmmm, in other words,
the configuration tells the LDAP/Active Directory server what kind of
objects she is looking for, and where she expects them to be found. When you
start configuring it, you will get more insight regarding this statement.

 When the JNDIStore asks the server something, it asks by means of a bind
request, and the server shall have the responsibility to find objects, in
the configured places, that match the bind request. The 'modus operandi' of
LDAP or Active Directory is exactly the same regarding the bind operation,
the difference comes in the schemas they offer: standard schemas with LDAP,
proprietary but standard-based schema on Active Directory (M$ strikes again
:P ).

 Also, as you correctly stated, most companies split users and groups in
several OUs. I'm glad to report that the JNDIStore is generic enough to
adapt its configuration to any deployment choices (at least we did not
find any trouble in its configuration until now).
Hope this helps,
Miguel Figueiredo

-Original Message-
From: Jacob Lund [mailto:[EMAIL PROTECTED]
Sent: Monday, 28 February 2005 8:46
To: Slide Users Mailing List
Subject: Re: LDAP Connection Error
Well - you mentioned exactly what I have been wondering about!
Most companies split users and groups in several OUs (Organizational units).

Can the JNDIStore search through the AD and fetch all users and groups, also
how will that affect the performance?
I have an AD with several OU ready for testing, but I have not had the time
to look into this deeper yet!

/jacob
- Original Message - 
From: John Gilbert [EMAIL PROTECTED]
To: Slide Users Mailing List slide-user@jakarta.apache.org; Slide Users Mailing List slide-user@jakarta.apache.org
Sent: Friday, February 25, 2005 4:14 PM
Subject: RE: LDAP Connection Error
There isn't much to say. I just follow the instructions I found in the
comment block of the source code and the postings to the user group. There
was nothing too special for AD.

Here is a link to a posting by James Mason.
http://cvs.apache.org/viewcvs.cgi/jakarta-slide/src/conf/webapp/JNDI-Domain.xml?rev=1.2&view=auto
I did have to play with the jndi.attributes.groupmemberset and
jndi.search.filter settings.
Just use any old ldap browser to browse the schema.
One thing I have found is that AD admins seem to like spreading their groups
and people around in the tree, instead of having a single people root and a
single groups root. I don't think the JNDIPrincipalStore handles this case,
but I didn't have time to test it thoroughly. It might have to do with the
jndi.search.scope setting.

Also having the passwords in cleartext has been a battle.


From: Jacob Lund [mailto:[EMAIL PROTECTED]
Sent: Fri 2/25/2005 5:53 AM
To: Slide Users Mailing List
Subject: Re: LDAP Connection Error

Hi John!
I would like to create a Wiki on how to integrate slide with an AD!
Would you mind sharing your configuration of the JNDIPrincipalStore, 
realm
and other experiences on this integration?

Thanks
/Jacob
- Original Message -
From: John Gilbert [EMAIL PROTECTED]
To: Slide Users Mailing List slide-user@jakarta.apache.org
Sent: Thursday, February 24, 2005 4:33 PM
Subject: LDAP Connection Error
I am using the JNDIPrincipalStore to connect to Active Directory to
retrieve Users and Roles. Everything works fine for a while.
Then it eventually gets a connection error and I have to restart the
Slide war. I have several other applications connecting to the same
Active Directory instance and they are not experiencing any problems or
may be they are handling the error and reconnecting automatically.

Has anyone had this problem?
Is the JNDIPrincipalStore supposed to gracefully reconnect? There is
nothing for this in the code. Is this handled by the framework?

Thanks
John


Recent behavior change

2005-03-14 Thread John Rousseau
I just updated to HEAD after ignoring our WebDAV gateway for several (6 
or so) weeks. I'm using the WCK (this obviously stands for WebDAV For 
Dummies, I just don't know in what language :-P ).

With the latest code, several of the litmus 
(http://www.webdav.org/neon/litmus/) copymove tests are failing. I can 
reproduce this with the slide webdavclient. For example a simple COPY 
source destination through the webdav client returns a 412 Precondition 
failed because destination already exists. If I trace the calls I see 
the WCK setResourceContent() being called correctly and then I see a 
subsequent createFolder() call on the same resource. This is the call 
that fails and generates the error that the client is seeing (because 
the resource already exists).

The ContentImpl is trying to store the revision descriptor after storing 
the content, and that's why I'm getting called with the createFolder().

I'm configured to not use DeltaV in slide.properties. This worked 
correctly before I updated the codebase. Bug or configuration issue?

Here's a call trace from the WCK createFolder.
Ideas?
Thanks!
-John
java.lang.Exception: Stack trace
at java.lang.Thread.dumpStack(Thread.java:1101)
at com.ris.manager.gateway.http.WebdavStoreImpl.createFolder(WebdavStoreImpl.java:198)
at org.apache.slide.simple.store.WebdavStoreAdapter$TransactionId.storeRevisionDescriptor(WebdavStoreAdapter.java:733)
at org.apache.slide.simple.store.WebdavStoreAdapter.storeRevisionDescriptor(WebdavStoreAdapter.java:295)
at org.apache.slide.store.AbstractStore.storeRevisionDescriptor(AbstractStore.java:1373)
at org.apache.slide.store.ExtendedStore.storeRevisionDescriptor(ExtendedStore.java:1093)
at org.apache.slide.content.ContentImpl.create(ContentImpl.java:607)
at org.apache.slide.macro.MacroImpl.copyObject(MacroImpl.java:838)
at org.apache.slide.macro.MacroImpl.copy(MacroImpl.java:274)
at org.apache.slide.webdav.method.CopyMethod.executeRequest(CopyMethod.java:202)
at org.apache.slide.webdav.method.AbstractWebdavMethod.executeRedirect(AbstractWebdavMethod.java:586)
at org.apache.slide.webdav.method.AbstractWebdavMethod.run(AbstractWebdavMethod.java:419)
at org.apache.slide.webdav.WebdavServlet.service(WebdavServlet.java:151)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)


--
John Rousseau
Archivas, Inc.
[EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: Lazy authentication and Active Authentication

2005-03-14 Thread joust
No solution from me, but I join in the question, as I wanted to achieve a
similar thing: Some Slide directories should stay public and should not
require authentication, others should require it. If I activate the security
constraints in web.xml, Slide does not let up until I authenticate, even if
the directory I was trying to access is not limited in terms of
authorization (configured in Domain.xml). IMO the best solution would be
when no authentication data at all is found on first connect, the user
should be assumed as unauthenticated, otherwise there should be n attempts
to authenticate him. Is this possible somehow? Or is there a way to define
different security constraints for different url-patterns in web.xml? Any
other ideas or hints?

Kolja


 Hello,

 I'm using Slide to build a sort of file server with security and versioning
 features.
 Now I need to let see through DAV both public and protected content.
 For the public content I don't want to ask for authentication, instead I
 need to let the user choose when to authenticate himself; then when the user
 is authenticated I want him to see protected content too.
 Public and protected content may stay in the same folder, so I can't use
 container manager security acting on web.xml.

 I need also to avoid lazy authentication for DAV: the user mustn't be asked
 to login, but must choose to login.

 Summarizing I need to know if Active Authentication can be done in DAV (with
 Slide API I've already done this by setting the
 org.apache.slide.webdav.method.credentials Session attribute).

 Can I add a DAV method (or use an already existing one) that asks the server
 to authenticate the user?

 I use DAV Explorer and Microsoft Windows Web Folders and I haven't found
 something similar to this feature.

 Has anyone experienced this problem?

 
 Andrea Colleoni
 PlaneCom S.r.l.
 



Re: AW: Is Projector running?

2005-03-14 Thread Doug Reeder a.k.a. Skapti
Daniel Florey wrote:
In order to get the demo application (admin-app) running you need to unpack
the stores.zip that can hopefully be found in the distro to the stores
folder.
Projector is bundled with 2.1b1, so if you want to get it running the
easiest way is to download the 2.1beta1 release.
Projector will hopefully make it into the final 2.2 release.
Cheers,
Daniel
 

How does one obtain 2.1b1?   
http://jakarta.apache.org/slide/download.html has a link for Slide 2.1 
RC 1, but that leads to exactly the same page as the link to Slide 2.1, 
namely http://jakarta.apache.org/site/downloads/index.html.




Using Active Directory Server with Slide

2005-03-14 Thread Gwendolyn van der Linden
Hi,

I noticed some people are also working on using Slide with AD.  I'm also trying 
that, but it's far from a done deal.

My Tomcat server.xml now has:

<Context path="/slide" debug="0" privileged="true" useNaming="true">
  <!-- Port 3268 is the AD Global Catalog over plain LDAP (no SSL) -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://adserver:3268"
         connectionName="[EMAIL PROTECTED]"
         connectionPassword="secret"
         userBase="dc=domainname,dc=nl"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="dc=domainname,dc=nl"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
         debug="99"/>
</Context>

Authenticating users works with this configuration, but it only finds 
roles/groups that the user belongs to explicitly, not the implicit ones 
defined by nesting AD groups.

What I can't seem to get working is having all the /users and /roles stuff work 
automatically.  I want to define as little as possible in terms of Slide users 
and roles, just the minimum to get AD users and roles working.  I also want to 
use an AD administrator role for administering Slide, not the default root 
account in Slide.

Also, I'd like to use SSL for protecting the passwords that get transmitted.

I would more than welcome examples of server.xml, Domain.xml and web.xml of a 
working Slide / AD setup.

Thanks,
Gwendolyn.
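
A hardened variant of the Realm in the post above, as an added example that is not part of the original message or of Slide's own documentation. It assumes the domain controller offers the Global Catalog over SSL on port 3269, that Tomcat's JVM trusts its certificate, and that the directory supports the AD transitive-membership matching rule (OID 1.2.840.113556.1.4.1941); host, base DNs and the redacted bind account are carried over from the post unchanged.

```xml
<!-- Added example, not the poster's configuration. -->
<Context path="/slide" debug="0" privileged="true" useNaming="true">

  <!-- Transport: the posted URL, ldap://adserver:3268, is the Global Catalog
       without SSL, so the bind account's password and every user password
       the realm checks cross the network in cleartext. ldaps:// on 3269 is
       the Global Catalog over SSL (636 is the per-domain LDAPS port).
       The JVM must trust the DC certificate, for example by starting Tomcat
       with -Djavax.net.ssl.trustStore pointing at a store holding the CA. -->

  <!-- Nested groups: (member={0}) only matches groups that list the user DN
       directly. The matching rule in roleSearch below asks AD to walk the
       membership chain server-side. Where that rule is not available, the
       alternative is to keep (member={0}) and set roleNested="true" on a
       Tomcat release whose JNDIRealm implements that attribute. -->

  <!-- connectionPassword remains in cleartext inside server.xml; restrict
       read access on the file to the account that runs Tomcat. The post's
       debug="99" is a troubleshooting level and is left out here. -->

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://adserver:3269"
         connectionName="[EMAIL PROTECTED]"
         connectionPassword="secret"
         userBase="dc=domainname,dc=nl"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="dc=domainname,dc=nl"
         roleName="cn"
         roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
         roleSubtree="true"/>
</Context>
```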




missing owner when locking - 2.2pre1

2005-03-14 Thread Manofsky, Paul
We are using the 2.2pre1 slide .jars to create custom stores for
retrieving resources (specific to our business) from an Oracle database.
We have implemented the JAAS LoginModule in Jetty to leverage our
existing user/roles. Lastly, we are using Eclipse as our client to
modify/save the properties on the resources. We have had success with
the authentication and retrieval of the resources from the database.
However, the lock owner is missing after performing a lock on the
resource. I saw another thread with the same issue, but it looks to
have been fixed:
http://www.mail-archive.com/slide-user@jakarta.apache.org/msg07379.html.
 
Here is the client code I am using in Eclipse.
 
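import org.apache.commons.httpclient.HttpURL;
import org.apache.webdav.lib.WebdavResource;
import org.apache.webdav.lib.methods.DepthSupport;

// url, user and pass are Strings supplied by the caller
HttpURL httpUrl = new HttpURL(url);
httpUrl.setUserinfo(user, pass);
WebdavResource res = new WebdavResource(httpUrl, true);

if (res.isLocked()) {
    // Resource already locked: print the lockdiscovery property
    System.out.println("locked by - "
        + res.lockDiscoveryPropertyFindMethod().getPropertyAsString());
} else {
    // Take the lock as the current user, then read back owner and lock info
    res.lockMethod(user, DepthSupport.DEPTH_INFINITY);
    System.out.println("just locked by " + res.getOwner());
    System.out.println("lock property- "
        + res.lockDiscoveryPropertyFindMethod().getPropertyAsString());
}

res.close();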
 
The res.lockMethod() call seems to work.  We are storing the lock
information in the database and the user is correctly assigned to the
lock in the database (although I log in as 'admin' and 'users/admin' is
stored).   Also, I have put debug code in our store and the subject is
retrieved when the getLockInfo method is called by slide.   But for some
reason, the owner is not displayed when the
res.lockDiscoveryPropertyFindMethod().getPropertyAsString() call is
executed.  All the other lock properties are present (i.e. type,
depth).
 
I tried rolling back the .jars to version 2.1, but I am still
experiencing the missing owner.
 
I am wondering if I have missed some configuration in the Domain.xml.
Or, if there may be some disconnect between slide and our custom store
(when passing the user) since I am
authenticating against our DB directly.
 
Any help/advice is appreciated.
 
Thanks,
 
Paul