I figured out the problem last night. The AuthProvider has to be added to the AuthManager. It is not easy to find in the midst of a 100-page document.
I have successfully integrated Roller 3.0 with LDAP. During my troubleshooting, I also tried the JAAS Provider and got very close to making it work.

Thanks,
Steve Lihn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lihn, Steve
Sent: Thursday, September 14, 2006 3:41 PM
To: '[email protected]'; '[email protected]'
Subject: [Acegisecurity-developer] Need help on LDAP integration with Roller / Acegi

Hi,

I am trying to integrate Roller / Acegi into our enterprise LDAP. It does not seem to work. The log does not say anything. Does anybody know how to:

1. Turn on the Acegi or Roller log level so that I can see the details of authentication requests. I am not even sure whether Roller hits LDAP or not.
2. Need help on security.xml and roller-custom.properties. There is very little documentation to guide me... You can see the config changes below.

Let me explain how our LDAP works. First, the app has to bind the appid (I think it is managerDN) in order to do the initial search on a user. The search clause is (uid=<user_id>), so I put that in ldapUserSearch. The next step is to retrieve the DN of the user and bind that DN with his password. What I could not specify here is the DN of the user. The way our LDAP works is different from what is described in the reference doc. The DN of a user is cn=<a unique string>,ou=Merck,ou=People,dc=iM-2,dc=com. The cn is machine-generated by combining the person's name and a random number to make it unique. It is not uid (unfortunately, due to historical reasons, uid is not a unique identifier, and therefore is not used in the DN). I would assume Acegi can use ldapUserSearch to find the DN, and then bind the DN (and the user's password) to authenticate. But there seem to be some missing pieces...
I made the following changes to roller-custom.properties:

    #----------------------------------
    # Single-Sign-On
    users.sso.enabled=true

    # Set these properties for a custom LDAP schema (optional)
    users.sso.registry.ldap.attributes.name=mrkdisplayname1
    users.sso.registry.ldap.attributes.email=mail
    #users.sso.registry.ldap.attributes.locale=locale
    #users.sso.registry.ldap.attributes.timezone=timezone
    #----------------------------------

Since we don't have locale and timezone, I commented them out.

And I added the following to security.xml:

    <!-- Sample LDAP/RollerDB hybrid security configuration -->
    <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
      <constructor-arg value="ldaps://dsdvm01:636/ou=People,dc=iM-2,dc=com"/>
      <property name="managerDn"><value>cn=mrkwiki,ou=Applications,ou=Merck,ou=Services,dc=iM-2,dc=com</value></property>
      <property name="managerPassword"><value>***</value></property>
      <property name="extraEnvVars">
        <map>
          <entry>
            <key><value>java.naming.referral</value></key>
            <value>follow</value>
          </entry>
        </map>
      </property>
    </bean>

    <bean id="ldapUserSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
      <constructor-arg index="0"><value></value></constructor-arg>
      <constructor-arg index="1"><value>(uid={0})</value></constructor-arg>
      <constructor-arg index="2"><ref local="initialDirContextFactory"/></constructor-arg>
      <property name="searchSubtree"><value>true</value></property>
    </bean>

    <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
      <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
          <property name="userSearch"><ref bean="ldapUserSearch"/></property>
        </bean>
      </constructor-arg>
      <constructor-arg><ref local="jdbcAuthoritiesPopulator"/></constructor-arg>
      <property name="userCache" ref="userCache"/>
    </bean>

    <bean id="jdbcAuthoritiesPopulator" class="org.apache.roller.ui.core.security.AuthoritiesPopulator">
      <property name="dataSource">
        <bean class="org.springframework.jndi.JndiObjectFactoryBean">
          <property name="jndiName" value="java:comp/env/jdbc/rollerdb"/>
        </bean>
      </property>
      <property name="authoritiesByUsernameQuery">
        <value>SELECT username,rolename FROM userrole WHERE username = ?</value>
      </property>
      <property name="defaultRole"><value>register</value></property>
    </bean>
    <!-- end of LDAP section -->

Steve Lihn, Enterprise Web Infrastructure, Merck & Co., Inc., Tel: (908) 423 - 4441

------------------------------------------------------------------------------
Notice: This e-mail message, together with any attachments, contains information of Merck & Co., Inc. (One Merck Drive, Whitehouse Station, New Jersey, USA 08889), and/or its affiliates (which may be known outside the United States as Merck Frosst, Merck Sharp & Dohme or MSD and in Japan, as Banyu - direct contact information for affiliates is available at http://www.merck.com/contact/contacts.html) that may be confidential, proprietary copyrighted and/or legally privileged. It is intended solely for the use of the individual or entity named on this message. If you are not the intended recipient, and have received this message in error, please notify us immediately by reply e-mail and then delete it from your system.
------------------------------------------------------------------------------

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
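The fix the reply describes, shown as an added example rather than the poster's actual security.xml: the ldapAuthProvider bean from the quoted configuration is only used if it is listed in the ProviderManager's providers. Only ldapAuthProvider is taken from the message; the authenticationManager, daoAuthenticationProvider, anonymousAuthenticationProvider and rememberMeAuthenticationProvider ids are assumed from a stock Roller security.xml and may differ.

```xml
<!-- Added example, not from the original message. Bean ids other than
     "ldapAuthProvider" are assumed and may differ in your security.xml. -->

<!-- Before: the LDAP provider bean is defined but never consulted, because
     ProviderManager only asks the providers in this list. Logins silently
     fall through to the local Roller DB provider, which is why the log
     shows no LDAP traffic at all. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
      <ref local="anonymousAuthenticationProvider"/>
      <ref local="rememberMeAuthenticationProvider"/>
    </list>
  </property>
</bean>

<!-- After: ldapAuthProvider is in the list, so each login runs the
     search-then-bind flow from the quoted config: bind as managerDn,
     search (uid={0}) from the empty base with searchSubtree=true,
     then bind as the DN that was found (the cn-based DN, not the uid). -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="ldapAuthProvider"/>
      <ref local="anonymousAuthenticationProvider"/>
      <ref local="rememberMeAuthenticationProvider"/>
    </list>
  </property>
</bean>
```

ProviderManager tries providers in list order and uses the first one that returns a result, so list daoAuthenticationProvider as well only if local Roller accounts must keep authenticating alongside LDAP. The managerPassword in initialDirContextFactory sits in clear text in security.xml, so restrict read access to that file to the account running Tomcat.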
