Hello everyone,
I did read chapter 35 of the Nuxeo admin wiki, and I tried to connect my
Nuxeo, which runs on Linux, to Active Directory on Windows Server 2003. I did
it as indicated, but I cannot log in.
Here are the changes I made to the following files:
default-ldap-users-directory-bundle.xml
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.users">
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<!-- the groups SQL directories are required to make this bundle work
-->
<require>org.nuxeo.ecm.directory.sql.storage</require>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="servers">
<!-- Configuration of a server connection
A single server declaration can point to a cluster of replicated
servers (using OpenLDAP's slapd + slurpd for instance). To leverage
such a cluster and improve availability, please provide one
<ldapUrl/> tag for each replica of the cluster.
-->
<server name="default">
<ldapUrl>ldap://192.168.30.210:3268</ldapUrl>
<!-- Optional servers from the same cluster for failover
and load balancing:
<ldapUrl>ldap://server2:389</ldapUrl>
<ldapUrl>ldaps://server3:389</ldapUrl>
"ldaps" means TLS/SSL connection.
-->
<!-- Credentials used by Nuxeo5 to browse the directory, create
and modify entries.
Only the authentication of users (bind) use the credentials entered
through the login form if any.
-->
<bindDn>cn=Administrator,ou=Administrators,dc=virtualix,dc=local</bindDn>
<bindPassword>changeme</bindPassword>
</server>
</extension>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="directories">
<directory name="userDirectory">
<server>default</server>
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField>
<searchBaseDn>ou=Administrators,dc=virtualix,dc=local</searchBaseDn>
<searchClass>person</searchClass>
<!-- To further restrict entries you can add an
arbitrary search filter such as the following:
<searchFilter>(&(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
Beware that "&" is written "&amp;" in XML.
-->
<!-- use subtree if the people branch is nested -->
<searchScope>subtree</searchScope>
<!-- using 'subany', search will match *toto*. use 'subfinal' to
match *toto and 'subinitial' to match toto*. subinitial is the
default behaviour-->
<substringMatchType>subany</substringMatchType>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation
-->
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=Administrators,dc=virtualix,dc=local</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>person</creationClass>
<creationClass>organizationalPerson</creationClass>
<creationClass>inetOrgPerson</creationClass>
<rdnAttribute>uid</rdnAttribute>
<fieldMapping name="username">uid</fieldMapping>
<fieldMapping name="password">userPassword</fieldMapping>
<fieldMapping name="firstName">givenName</fieldMapping>
<fieldMapping name="lastName">sn</fieldMapping>
<fieldMapping name="company">o</fieldMapping>
<fieldMapping name="email">mail</fieldMapping>
<references>
<inverseReference field="groups" directory="groupDirectory"
dualReferenceField="members" />
</references>
</directory>
</extension>
</component>
///////////////////////////////////////////////////
default-ldap-groups-directory-bundle.xml
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.groups">
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<!-- the LDAP users directory is required to make this
bundle work -->
<require>org.nuxeo.ecm.directory.ldap.storage.users</require>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="directories">
<directory name="groupDirectory">
<!-- Reuse the default server configuration defined for
userDirectory -->
<server>default</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>ou=groups,dc=example,dc=com</searchBaseDn>
<searchFilter>(|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs))</searchFilter>
<searchScope>subtree</searchScope>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation
-->
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=groups,dc=example,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>groupOfUniqueNames</creationClass>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<!-- LDAP reference resolve DNs embedded in uniqueMember
attributes
If the target directory has no specific filtering policy, it is
most
of the time not necessary to enable the
'forceDnConsistencyCheck' policy.
Enabling this option will fetch each reference entry to ensure
its
existence in the target directory.
-->
<ldapReference field="members" directory="userDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="uniqueMember"
dynamicAttributeId="memberURL" />
<ldapReference field="subGroups" directory="groupDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="uniqueMember"
dynamicAttributeId="memberURL" />
<inverseReference field="parentGroups"
directory="groupDirectory" dualReferenceField="subGroups" />
</references>
</directory>
</extension>
</component>
/////////////////////////////////////////////////////////
LDAPDirectoryFactory.xml
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory">
<documentation>
The LDAPDirectoryFactory component provides an implementation of the
Directory API using an external LDAP server as storage backend,
typically to fetch users and groups data and to check password-based
authentication.
@author Olivier Grisel ([EMAIL PROTECTED])
</documentation>
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" />
<require>org.nuxeo.ecm.directory.DirectoryServiceImpl</require>
<extension target="org.nuxeo.ecm.directory.DirectoryServiceImpl"
point="factoryDescriptor">
<factoryDescriptor
component="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" />
</extension>
<extension-point name="servers">
<documentation>
The servers extension point is used to register network connection
parameters to a pool of LDAP servers.
Examples:
<code>
<server name="default">
<ldapUrl>ldap://192.168.30.210:3268</ldapUrl>
<ldapUrl>ldap://server2:389</ldapUrl>
<ldapUrl>ldaps://server3:389</ldapUrl>
<bindDn>cn=Administrator,ou=Administrators,dc=virtualix,dc=local</bindDn>
<bindPassword>changeme</bindPassword>
</server>
</code>
The ldapUrl tags point to server (IP address or DNS name) and
ports. If more than one is provided, the Nuxeo EP will use a pool
of load balanced connections to each server. They are assumed to
be replicated versions of a master server that should belong to
the list.
The bindDn and bindPassword credentials are used by Nuxeo EP to
access the content of the LDAP servers. That account should have read
permission on any entry that is to be used by Nuxeo EP and write
rights on the branches where Nuxeo EP is supposed to create or edit
entries.
For instance, in OpenLDAP you should have ACLs such as:
<code>
access to attrs="userPassword"
by dn="cn=ldapadmin,dc=example,dc=com" write
by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
# nuxeo5 can manage the ou=people branch
access to dn.subtree="ou=people,dc=example,dc=com"
by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
by users read
by self write
by * none
access to dn.subtree="ou=groups,dc=example,dc=com"
by dn="cn=nuxeo5,ou=applications,dc=example,dc=com" write
by users read
by self write
by * none
# The admin dn has full write access
# other
access to *
by dn="cn=ldapadmin,dc=example,dc=com" write
by users read
by * none
</code>
User authentication is done using a bind method against the user
provided login and password from the login form and not the bindDn
/ bindPassword credentials.
</documentation>
<object class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
</extension-point>
<extension-point name="directories">
<documentation>
The directories extension point is used to register LDAP filtering
parameters to identify which part of the LDAP branches are actually
used by Nuxeo EP to fetch its entries.
Examples:
<code>
<directory name="userDirectory">
<server>default</server>
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField>
<searchBaseDn>ou=Administrators,dc=virtualix,dc=local</searchBaseDn>
<searchClass>person</searchClass>
<!--
<searchFilter>(&(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
-->
<searchScope>subtree</searchScope>
<readOnly>false</readOnly>
<cacheTimeout>3600</cacheTimeout>
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=Administrators,dc=virtualix,dc=local</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>person</creationClass>
<creationClass>organizationalPerson</creationClass>
<creationClass>inetOrgPerson</creationClass>
<rdnAttribute>uid</rdnAttribute>
<fieldMapping name="username">uid</fieldMapping>
<fieldMapping name="password">userPassword</fieldMapping>
<fieldMapping name="firstName">givenName</fieldMapping>
<fieldMapping name="lastName">sn</fieldMapping>
<fieldMapping name="company">o</fieldMapping>
<fieldMapping name="email">mail</fieldMapping>
<references>
<inverseReference field="groups" directory="groupDirectory"
dualReferenceField="members" />
</references>
</directory>
<directory name="groupDirectory">
<server>default</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>ou=Administrators,dc=virtualix,dc=local</searchBaseDn>
<!--
<searchFilter>(|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs))</searchFilter>
-->
<searchScope>subtree</searchScope>
<readOnly>false</readOnly>
<cacheTimeout>3600</cacheTimeout>
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=Administrators,dc=virtualix,dc=local</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>groupOfUniqueNames</creationClass>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<!-- LDAP reference resolve DNs embedded in uniqueMember
attributes
If the target directory has no specific filtering policy, it is
most
of the time not necessary to enable the 'forceDnConsistencyCheck'
policy.
Enabling this option will fetch each reference entry to ensure its
existence in the target directory.
-->
<ldapReference field="members" directory="userDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="uniqueMember"
dynamicAttributeId="memberURL" />
<ldapReference field="subGroups" directory="groupDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="uniqueMember"
dynamicAttributeId="memberURL" />
<inverseReference field="parentGroups"
directory="groupDirectory" dualReferenceField="subGroups" />
</references>
</directory>
</code>
In the previous examples we configured two directories one for the
users and one for the groups of users. Each directory uses a
single schema which is to be registered as any core document
schema and that will be used to build a DocumentModel for each
matching entry of the directory.
The references tags are used to dynamically build nxs:stringList
fields of that schema that are used to compute membership relationships
between users and groups or between parent groups and sub groups.
Nuxeo EP provides group resolution for statically dn-referenced
entries (in read and write mode) and for dynamically ldapUrl
matched entries (readonly).
When using dynamic references, caching is advised since dynamic
group resolution can be expensive.
</documentation>
<object
class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
</extension-point>
</component>
/////////////////////////////////////
_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
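The following is an added example, not code from the post above or from Nuxeo itself. It models, in simplified form, how a `<directory>` block's `searchClass`, `searchFilter` and `idField` mapping are combined into the LDAP filter used to locate a login before the user bind, and shows why the login value must be RFC 4515-escaped before it is spliced into that filter. The first fragment mirrors the posted `userDirectory`; the second is an assumed Active Directory-style variant (`objectClass=user`, `sAMAccountName` as the login attribute, a `userAccountControl` bit test to skip disabled accounts) that is not taken from the post and is only there to contrast the attribute names. The two XML fragments are constructed inputs, with the original comments dropped.

```python
"""Model of the LDAP search filter a Nuxeo <directory> block produces.

Added example (not from the post or from Nuxeo): combines searchClass,
searchFilter and the idField mapping the way the directory does, and
escapes the login value per RFC 4515 before inserting it.
"""
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the posted userDirectory (uid / person style).
POSTED_USER_DIRECTORY = """
<directory name="userDirectory">
  <server>default</server>
  <schema>user</schema>
  <idField>username</idField>
  <passwordField>password</passwordField>
  <searchBaseDn>ou=Administrators,dc=virtualix,dc=local</searchBaseDn>
  <searchClass>person</searchClass>
  <searchScope>subtree</searchScope>
  <fieldMapping name="username">uid</fieldMapping>
  <fieldMapping name="password">userPassword</fieldMapping>
</directory>
"""

# Constructed Active Directory-style variant (assumption, not from the post):
# AD user entries carry sAMAccountName rather than uid, and the extensible
# match on userAccountControl bit 2 (0x2 = ACCOUNTDISABLE) excludes disabled
# accounts.
AD_USER_DIRECTORY = """
<directory name="userDirectory">
  <server>default</server>
  <schema>user</schema>
  <idField>username</idField>
  <passwordField>password</passwordField>
  <searchBaseDn>cn=Users,dc=virtualix,dc=local</searchBaseDn>
  <searchClass>user</searchClass>
  <searchFilter>(!(userAccountControl:1.2.840.113556.1.4.803:=2))</searchFilter>
  <searchScope>subtree</searchScope>
  <fieldMapping name="username">sAMAccountName</fieldMapping>
</directory>
"""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: NUL, '(', ')', '*' and '\\'
    become backslash-hex so user input cannot change the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_directory(xml_text: str) -> dict:
    """Pull the filter-relevant settings out of a <directory> element."""
    root = ET.fromstring(xml_text)
    return {
        "idField": root.findtext("idField"),
        "searchClass": root.findtext("searchClass"),
        "searchFilter": root.findtext("searchFilter"),
        "fieldMapping": {
            fm.get("name"): fm.text for fm in root.findall("fieldMapping")
        },
    }


def base_filter(cfg: dict) -> str:
    """Constraint applied to every lookup: searchClass AND searchFilter."""
    parts = []
    if cfg["searchClass"]:
        parts.append("(objectClass=%s)" % cfg["searchClass"])
    if cfg["searchFilter"]:
        parts.append(cfg["searchFilter"])
    if not parts:
        return "(objectClass=*)"
    if len(parts) == 1:
        return parts[0]
    return "(&" + "".join(parts) + ")"


def login_filter(cfg: dict, login: str) -> str:
    """Filter used to locate the entry for a login before binding as it.
    The idField is translated through fieldMapping to the LDAP attribute."""
    attr = cfg["fieldMapping"].get(cfg["idField"], cfg["idField"])
    return "(&%s(%s=%s))" % (base_filter(cfg), attr, escape_filter_value(login))


if __name__ == "__main__":
    for name, xml_text in (("posted", POSTED_USER_DIRECTORY),
                           ("ad", AD_USER_DIRECTORY)):
        cfg = parse_directory(xml_text)
        print(name, login_filter(cfg, "jdoe"))
        # A hostile login is neutralised instead of widening to a wildcard.
        print(name, login_filter(cfg, "*)(objectClass=*"))
```

Run stand-alone, the posted configuration yields `(&(objectClass=person)(uid=jdoe))`: the lookup only succeeds if the entries under the search base actually carry a `uid` attribute and the `person` object class, which is the first thing to verify with `ldapsearch` against the same bind DN and base when a login silently fails. The escaping function is the part worth keeping: without it a login such as `*)(objectClass=*` would turn the lookup into a match on every entry.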