Hi John,

glad to read you finally managed to resolve your issue :-) As Harry has pointed out, the new VM to hold jspwiki.org is nearly there, so you may either wait a little more or just post it on this thread

regards,
juan pablo

On Fri, Sep 13, 2013 at 6:47 PM, Harry Metske <harry.met...@gmail.com> wrote:

> John,
>
> we are currently waiting for our Linux virtual machine where we will host
> the new jspwiki.org, that would be the place to share it.
> You could wait for it to become available [1], we will definitely post and
> tweet that, but if you don't want to wait for that, you could also post it
> on the mail list here.
>
> thanks !
>
> Harry
>
> [1] - https://issues.apache.org/jira/browse/INFRA-5588
>
> On 12 September 2013 17:57, John Pimentel <jpimen...@ra.rockwell.com> wrote:
>
> > hi Juan Pablo,
> >
> > I finally resolved my issue, and would like to share my results on the
> > Wiki.
> > What is the best way for me to contribute it that way, just send the
> > details of my finding to the list?
> > I don't see a way to participate on the wiki site directly, and the docs
> > link (http://doc.jspwiki.org/) seems to be broken.
> >
> > Regards,
> > John Pimentel
> > jpimen...@ra.rockwell.com
> > Office (414) 382-3354
> > Mobile (262) 501-4785
> >
> > From: Juan Pablo Santos Rodríguez <juanpablo.san...@gmail.com>
> > To: user@jspwiki.apache.org
> > Date: 08/28/2013 12:30 PM
> > Subject: Re: ldaps authentication to jspwiki
> > ------------------------------
> >
> > Hello John,
> >
> > would you mind checking these links:
> > - http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/
> > - http://mail-archives.apache.org/mod_mbox/incubator-jspwiki-user/201306.mbox/%3CCAMufup7zBdGP-1J9mR4o8DT6CMYLaipDu63DEt7HB5k9d1Pk2w%40mail.gmail.com%3E
> > - http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=Ldap%20Integration
> >
> > The first two discuss a similar issue as yours, but using glassfish and
> > OpenDJ.
> > In any case, the ldap configuration might give you a hint. The last
> > one is another "Ldap Integration" page, which may be closer to your issue
> >
> > HTH,
> > juan pablo
> >
> > On Wed, Aug 28, 2013 at 4:04 PM, John Pimentel <jpimen...@ra.rockwell.com> wrote:
> >
> > > Thanks Jim, I will try that today
> > >
> > > Regards,
> > > John Pimentel
> > >
> > > From: Jim Willeke <j...@willeke.com>
> > > To: user@jspwiki.apache.org
> > > Date: 08/27/2013 05:35 PM
> > > Subject: Re: ldaps authentication to jspwiki
> > > ------------------------------
> > >
> > > You might try removing the:
> > > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > >
> > > and use (what I am using):
> > >
> > > userBase="ou=people,dc=mydomain,dc=com"
> > > userSearch="(uid={0})"
> > > userSubtree="true"
> > >
> > > We found the LDAP search to be much more flexible using this than the
> > > pattern matching.
> > > You should also be able to get some error from tomcat if it is failing.
> > > You can turn on access logging:
> > > http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Access_Logs
> > >
> > > If you drop the LDAPS, you might also get a trace. (Not sure if SUN can
> > > show the ldap requests) but tcpdump (or wireshark) will.
> > >
> > > --
> > > -jim
> > > Jim Willeke
> > >
> > > On Tue, Aug 27, 2013 at 1:18 PM, John Pimentel <jpimen...@ra.rockwell.com> wrote:
> > >
> > > > Hi Jim,
> > > >
> > > > Thanks for the response.
> > > >
> > > > We are using Sun LDAP. Let me give you an example from my user account.
> > > > Under my group container
> > > > cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com
> > > > I have an attribute called uniqueMember.
> > > > The value for my account is as follows:
> > > > uid=JPimen,ou=people,dc=mydomain,dc=com
> > > >
> > > > I of course substituted our actual domain for mydomain in this example,
> > > > but everything else is verbatim.
> > > >
> > > > So our groups are named by cn but the users are named by uid.
> > > >
> > > > Unfortunately our LDAP server will not accept anything other than ldaps
> > > > connections, so I am stuck there.
> > > >
> > > > Also if you have any recommendation on how to enable security specific
> > > > debug I would appreciate that.
> > > >
> > > > I found what appears to be a log level entry in my jspwiki.properties
> > > > file.
> > > > I changed
> > > > log4j.rootCategory=INFO,FileLog
> > > > To read
> > > > log4j.rootCategory=DEBUG,FileLog
> > > >
> > > > Now, I do see debug entries in the /web1/dyscq/tomcat/logs/jspwiki.log
> > > > file, but no entries appear when I try (and fail) to log in.
> > > >
> > > > Thanks again for any ideas.
> > > >
> > > > Regards,
> > > > John Pimentel
> > > >
> > > > From: Jim Willeke <j...@willeke.com>
> > > > To: user@jspwiki.apache.org
> > > > Date: 08/27/2013 03:40 AM
> > > > Subject: Re: ldaps authentication to jspwiki
> > > >
> > > > I would guess, as you show no information on your LDAP setup, this line
> > > > is wrong:
> > > > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > > >
> > > > Are your users named by uid or cn?
> > > > You show roles as named by cn and since you show dc=,dc= I would guess
> > > > this is AD
> > > >
> > > > Also, try using LDAP vs LDAPS to help troubleshoot.
> > > >
> > > > -jim
> > > >
> > > > --
> > > > -jim
> > > > Jim Willeke
> > > >
> > > > On Mon, Aug 26, 2013 at 10:47 AM, John Pimentel <jpimen...@ra.rockwell.com> wrote:
> > > >
> > > > > Greetings,
> > > > >
> > > > > I am having difficulties getting LDAPS authentication to work and I
> > > > > think I must be missing some fundamental configuration.
> > > > >
> > > > > My current state is that the Site loads and displays content properly,
> > > > > but when I go to edit content or I select the log in page directly, my
> > > > > LDAP credentials do not authenticate, and I am repeatedly presented
> > > > > with a login page.
> > > > >
> > > > > I used the following information as my "How To" for this effort.
> > > > > http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
> > > > >
> > > > > This article is very good but appears to be incomplete.
> > > > >
> > > > > I have done the following configuration to get ldaps to work:
> > > > >
> > > > > 1. I have a previously configured LDAP Server and I stored/trusted the
> > > > > cert for this Sun LDAP server into the central java keystore using this
> > > > > command:
> > > > > /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap \
> > > > >     -file /web1/sst/dysc/content/CA-RA-v3.crt \
> > > > >     -keystore /usr/lib64/jvm/jre/lib/security/cacerts
> > > > >
> > > > > 2. I have configured the realm and sorted out all the log errors using
> > > > > the following realm in the server.xml file. I believe tomcat is
> > > > > successfully connecting to my LDAP server.
> > > > >
> > > > > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > > >        connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
> > > > >        connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
> > > > >        connectionPassword="[Password]"
> > > > >        userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > > > >        roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
> > > > >        roleSubtree="true"
> > > > >        roleName="cn"
> > > > >        roleSearch="(uniqueMember={0})"
> > > > > />
> > > > >
> > > > > 3. I uncommented the "CONTAINER-MANAGED AUTH" section
> > > > > from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml
> > > > >
> > > > > There is a section at the bottom that says "Update JSPWiki security
> > > > > policy"
> > > > > If you would like to set permissions to LDAP groups, you can simply add
> > > > > policy entries on authorize.Role. The following is an entry for
> > > > > wiki-admin group (from LDAP).
> > > > > grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
> > > > >     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > > > > };
> > > > >
> > > > > I'm thinking it might go into web.xml, but I am not sure of that..
> > > > >
> > > > > this section of the xml looks like this:
> > > > >
> > > > > <security-constraint>
> > > > >     <web-resource-collection>
> > > > >         <web-resource-name>Authenticated area</web-resource-name>
> > > > >         <url-pattern>/Edit.jsp</url-pattern>
> > > > >         <url-pattern>/Comment.jsp</url-pattern>
> > > > >         <url-pattern>/Login.jsp</url-pattern>
> > > > >         <url-pattern>/NewGroup.jsp</url-pattern>
> > > > >         <url-pattern>/Rename.jsp</url-pattern>
> > > > >         <url-pattern>/Upload.jsp</url-pattern>
> > > > >         <http-method>DELETE</http-method>
> > > > >         <http-method>GET</http-method>
> > > > >         <http-method>HEAD</http-method>
> > > > >         <http-method>POST</http-method>
> > > > >         <http-method>PUT</http-method>
> > > > >     </web-resource-collection>
> > > > >
> > > > >     <web-resource-collection>
> > > > >         <web-resource-name>Read-only Area</web-resource-name>
> > > > >         <url-pattern>/attach</url-pattern>
> > > > >         <http-method>DELETE</http-method>
> > > > >         <http-method>POST</http-method>
> > > > >         <http-method>PUT</http-method>
> > > > >     </web-resource-collection>
> > > > >
> > > > >     <auth-constraint>
> > > > >         <role-name>Admin</role-name>
> > > > >         <role-name>Authenticated</role-name>
> > > > >     </auth-constraint>
> > > > >     <!--
> > > > >     <user-data-constraint>
> > > > >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > > >     </user-data-constraint>
> > > > >     -->
> > > > >
> > > > > </security-constraint>
> > > > >
> > > > > <login-config>
> > > > >     <auth-method>FORM</auth-method>
> > > > >     <form-login-config>
> > > > >         <form-login-page>/LoginForm.jsp</form-login-page>
> > > > >         <form-error-page>/LoginForm.jsp</form-error-page>
> > > > >     </form-login-config>
> > > > > </login-config>
> > > > >
> > > > > <security-role>
> > > > >     <description>
> > > > >         This logical role includes all authenticated users
> > > > >     </description>
> > > > >     <role-name>Authenticated</role-name>
> > > > > </security-role>
> > > > >
> > > > > <security-role>
> > > > >     <description>
> > > > >         This logical role includes all administrative users
> > > > >     </description>
> > > > >     <role-name>Admin</role-name>
> > > > > </security-role>
> > > > >
> > > > > Regards,
> > > > > John Pimentel
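
An added example, not code from the thread or from the JSPWiki or Tomcat projects: a Python check over the Realm and web.xml values quoted above, testing that the connection uses ldaps, that the DN-valued Realm attributes share one naming suffix, and that at least one role the realm can return is named in the `auth-constraint`. The inputs are constructed from the values posted in the thread, which does not say what the eventual fix was; the function names and the shortcut of reading the role name from the group DN's first RDN are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed inputs, copied from the values quoted in the thread.
REALM = """<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
  connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
  connectionPassword="[Password]"
  userPattern="uid={0},ou=people,dc=mydomain,dc=com"
  roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
  roleSubtree="true" roleName="cn" roleSearch="(uniqueMember={0})"/>"""
WEB_XML = """<web-app><security-constraint><auth-constraint>
  <role-name>Admin</role-name><role-name>Authenticated</role-name>
</auth-constraint></security-constraint></web-app>"""
# Groups that list the user as uniqueMember (one is named in the thread).
GROUP_DNS = ["cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com"]

def rdns(dn):
    """Split a DN into (attr, value) pairs; escaped commas are not handled."""
    pairs = (part.strip().partition("=") for part in dn.split(","))
    return [(attr.lower(), value) for attr, _, value in pairs]

def dc_suffix(dn):
    """The dc=... tail of a DN, lower-cased for comparison."""
    return ",".join("dc=" + v.lower() for a, v in rdns(dn) if a == "dc")

def lint(realm_xml, web_xml, group_dns):
    realm = ET.fromstring(realm_xml).attrib
    findings = []
    # The bind password and every user's password travel over this connection.
    url = realm.get("connectionURL", "")
    if not url.lower().startswith("ldaps://"):
        findings.append(("cleartext-ldap", url))
    # DN-valued attributes should all sit under one naming suffix.
    keys = ("connectionName", "userPattern", "userBase", "roleBase")
    suffixes = {k: dc_suffix(realm[k]) for k in keys if k in realm}
    if len(set(suffixes.values())) > 1:
        findings.append(("suffix-mismatch", suffixes))
    # Assumption: the role is the group's naming RDN when it uses roleName.
    attr = realm.get("roleName", "").lower()
    granted = {v for dn in group_dns for a, v in rdns(dn)[:1] if a == attr}
    if "commonRole" in realm:  # JNDIRealm adds this role to every user
        granted.add(realm["commonRole"])
    required = {e.text.strip() for c in ET.fromstring(web_xml).iter("auth-constraint")
                for e in c.findall("role-name")}
    if not granted & required:
        findings.append(("role-mismatch", {"granted": sorted(granted),
                                           "required": sorted(required)}))
    return findings
```

Calling `lint(REALM, WEB_XML, GROUP_DNS)` returns a list of `(code, detail)` findings; an empty list means none of the three checks fired.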