Hello,

I think I'm trying to get a similar configuration:
Users from LDAP (read only), some local (SQL) users for demo/administration purposes;
Groups from LDAP (read only), some local (SQL) groups for demo/administration (mainly rights management) purposes.

I've previously tested users and groups from LDAP, with membership.
In order to use some local users and groups, I've added a fourth configuration file to use MultiDirectories, "default-users-directory-bundle.xml".

But, whenever I try to create a group, the following exception is thrown, despite these lines:
  <directory name="ldapUserDirectory">
...
     <querySizeLimit>8</querySizeLimit>


**
14:09:55,620 ERROR [STDERR] Jun 23, 2008 2:09:55 PM com.sun.faces.lifecycle.LifecycleImpl phase WARNING: executePhase(RENDER_RESPONSE 6,[EMAIL PROTECTED]) threw exception javax.faces.FacesException: javax.el.ELException: /create_group.xhtml @83,68 value="#{groupManagerActions.availableGroups}": org.nuxeo.ecm.directory.DirectoryException: Could not create DocumentModelList
...
Caused by: javax.el.ELException: /create_group.xhtml @83,68 value="#{groupManagerActions.availableGroups}": org.nuxeo.ecm.directory.DirectoryException: Could not create DocumentModelList at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:76) at javax.faces.component.UISelectItems.getValue(UISelectItems.java:130)
       ... 75 more
Caused by: org.nuxeo.ecm.directory.DirectoryException: Could not create DocumentModelList
       ... 76 more
Caused by: org.nuxeo.ecm.core.api.WrappedException: Exception: javax.naming.SizeLimitExceededException. message: [LDAP: error code 4 - Sizelimit Exceeded]
**

Am I going the wrong way?

Thx.

Olivier Grisel wrote:
[EMAIL PROTECTED] wrote:
Thx!
Unfortunately, there's no more explanation of this topic in the Nuxeo Book
(except 2 paragraphs). I need local users for Nuxeo: I don't want to create
new LDAP users through the Nuxeo interface.

Then you should use the Nuxeo MultiDirectory feature to combine users coming
from your LDAP server with nuxeo specific users stored in a dedicated RDBMS
compatible with the SQL protocol.


http://doc.nuxeo.org/5.1/components/org.nuxeo.ecm.directory.multi.MultiDirectoryFactory.html#extension_point_directories

Where should I put this readonly property if it is correct?

This is not what you want (see above) but should you want to make it possible to
edit/create/delete user entries in your LDAP server, you should put
<readOnly>false</readOnly> anywhere right under the <directory
name="userDirectory"> tag.



--
Xavier Pétard
Centre de Ressources Informatiques
Université de La Rochelle

<?xml version="1.0"?>

<component name="org.nuxeo.ecm.directory.ldap.storage.users">
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>

  <!-- the groups SQL directories are required to make this bundle work -->
  <require>org.nuxeo.ecm.directory.sql.storage</require>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
    point="servers">

    <!-- Configuration of a server connection

      A single server declaration can point to a cluster of replicated
      servers (using OpenLDAP's slapd + slurpd for instance). To leverage
      such a cluster and improve availability, please provide one
      <ldapUrl/> tag for each replica of the cluster.
    -->
    <server name="default">

      <ldapUrl>***</ldapUrl>
      <!-- Optional servers from the same cluster for failover
        and load balancing:

        <ldapUrl>ldap://server2:389</ldapUrl>
        <ldapUrl>ldaps://server3:389</ldapUrl>

        "ldaps" means TLS/SSL connection.
      -->
      <bindDn>***</bindDn>
      <bindPassword></bindPassword>
    </server>

  </extension>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
    point="directories">

    <directory name="ldapUserDirectory">
      <server>default</server>
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <querySizeLimit>8</querySizeLimit>

      <searchBaseDn>***</searchBaseDn>
      <searchClass>person</searchClass>
      <!-- To additionally restrict entries you can add an
        arbitrary search filter such as the following:

        <searchFilter>(&amp;(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>

        Beware that "&" writes "&amp;" in XML.
      -->

      <!-- use subtree if the people branch is nested -->
      <searchScope>onelevel</searchScope>

      <!-- using 'subany', search will match *toto*. use 'subfinal' to
        match *toto and 'subinitial' to match toto*. subinitial is the
        default  behaviour-->
      <substringMatchType>subany</substringMatchType>

      <readOnly>false</readOnly>

      <!-- comment <cache* /> tags to disable the cache -->
      <!-- cache timeout in seconds -->
      <cacheTimeout>3600</cacheTimeout>

      <!-- maximum number of cached entries before global invalidation -->
      <cacheMaxSize>1000</cacheMaxSize>

      <creationBaseDn>***</creationBaseDn>
      <creationClass>top</creationClass>
      <creationClass>person</creationClass>
      <creationClass>organizationalPerson</creationClass>
      <creationClass>inetOrgPerson</creationClass>
      <rdnAttribute>uid</rdnAttribute>

      <fieldMapping name="username">uid</fieldMapping>
      <fieldMapping name="password">userPassword</fieldMapping>
      <fieldMapping name="firstName">givenName</fieldMapping>
      <fieldMapping name="lastName">sn</fieldMapping>
      <fieldMapping name="company">o</fieldMapping>
      <fieldMapping name="email">mail</fieldMapping>

      <references>

        <inverseReference field="groups" directory="ldapGroupDirectory"
          dualReferenceField="members" />

      </references>

    </directory>

  </extension>

</component>
<?xml version="1.0"?>

<component name="org.nuxeo.ecm.directory.ldap.storage.groups">
  <implementation
    class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
  <implementation
    class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>

  <!-- the groups LDAP directory for users is required to make this bundle work -->
  <require>org.nuxeo.ecm.directory.ldap.storage.users</require>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
    point="servers">

    <!-- Configuration of a server connection

      A single server declaration can point to a cluster of replicated
      servers (using OpenLDAP's slapd + slurpd for instance). To leverage
      such a cluster and improve availability, please provide one
      <ldapUrl/> tag for each replica of the cluster.
    -->
    <server name="personnels">

      <ldapUrl>***</ldapUrl>
      <bindDn>***</bindDn>
      <bindPassword></bindPassword>
    </server>

  </extension>
  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
    point="directories">

    <directory name="ldapGroupDirectory">

      <!-- NOT Reuse the default server configuration defined for userDirectory -> it does not contain the group information -->
      <server>personnels</server>

      <schema>group</schema>
      <idField>groupname</idField>
      <querySizeLimit>8</querySizeLimit>

      <searchBaseDn>***</searchBaseDn>
      <searchFilter>(|(objectClass=groupOfNames)(objectClass=groupOfURLs))</searchFilter>
      <searchScope>subtree</searchScope>

      <readOnly>true</readOnly>

      <!-- comment <cache* /> tags to disable the cache -->
      <!-- cache timeout in seconds -->
      <cacheTimeout>3600</cacheTimeout>

      <!-- maximum number of cached entries before global invalidation -->
      <cacheMaxSize>1000</cacheMaxSize>

      <creationBaseDn>ou=groups,dc=example,dc=com</creationBaseDn>
      <creationClass>top</creationClass>
      <creationClass>groupOfUniqueNames</creationClass>
      <rdnAttribute>cn</rdnAttribute>

      <fieldMapping name="groupname">cn</fieldMapping>

      <references>


        <!-- LDAP reference resolve DNs embedded in uniqueMember attributes

          If the target directory has no specific filtering policy, it is most
          of the time not necessary to enable the 'forceDnConsistencyCheck' policy.

          Enabling this option will fetch each reference entry to ensure its
          existence in the target directory.
        -->

        <ldapReference field="members" directory="ldapUserDirectory"
          forceDnConsistencyCheck="false"
          staticAttributeId="member"
          dynamicAttributeId="memberURL" />

        <!-- No hierarchy in the LDAP groups
        <ldapReference field="subGroups" directory="ldapGroupDirectory"
          forceDnConsistencyCheck="false"
          staticAttributeId="uniqueMember"
          dynamicAttributeId="memberURL" />

        <inverseReference field="parentGroups"
          directory="ldapGroupDirectory" dualReferenceField="subGroups" />
        -->
      </references>

    </directory>

  </extension>

</component>
<?xml version="1.0"?>

<component name="org.nuxeo.ecm.directory.sql.storage">

  <implementation class="org.nuxeo.ecm.directory.sql.SQLDirectoryDescriptor" />

  <require>org.nuxeo.ecm.directory.sql.SQLDirectoryFactory</require>

  <extension target="org.nuxeo.ecm.directory.sql.SQLDirectoryFactory"
    point="directories">

    <directory name="sqlUserDirectory">

      <schema>user</schema>

      <dataSource>java:/nxsqldirectory</dataSource>

      <table>users</table>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <autoincrementIdField>false</autoincrementIdField>
      <dataFile>users.csv</dataFile>
      <createTablePolicy>on_missing_columns</createTablePolicy>
      <querySizeLimit>15</querySizeLimit>

      <references>
        <inverseReference field="groups" directory="groupDirectory"
          dualReferenceField="members" />
      </references>

    </directory>

    <directory name="sqlGroupDirectory">

      <schema>group</schema>
      <dataSource>java:/nxsqldirectory</dataSource>
      <table>groups</table>
      <idField>groupname</idField>
      <dataFile>groups.csv</dataFile>
      <createTablePolicy>on_missing_columns</createTablePolicy>
      <autoincrementIdField>false</autoincrementIdField>

      <references>
        <tableReference field="members" directory="sqlUserDirectory"
          table="user2group" sourceColumn="groupId" targetColumn="userId" schema="user2group" 
          dataFile="user2group.csv" />
        <tableReference field="subGroups" directory="sqlGroupDirectory"
          table="group2group" sourceColumn="childGroupId" 
          targetColumn="parentGroupId" schema="group2group" />
        <inverseReference field="parentGroups" directory="sqlGroupDirectory"
          dualReferenceField="subGroups" />
      </references>

    </directory>

  </extension>
</component>
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.multi.users.storage">

  <implementation
    class="org.nuxeo.ecm.directory.multi.MultiDirectoryDescriptor" />
  <implementation
    class="org.nuxeo.ecm.directory.multi.SourceDescriptor" />
  <implementation
    class="org.nuxeo.ecm.directory.multi.SubDirectoryDescriptor" />
  <require>org.nuxeo.ecm.directory.multi.MultiDirectoryFactory</require>

  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">

        <directory name="userDirectory">
          <schema>user</schema>
          <idField>username</idField>
          <passwordField>password</passwordField>

          <querySizeLimit>8</querySizeLimit>

          <source name="ldapusers">
            <subDirectory name="ldapUserDirectory"/>
          </source>

          <source name="sqlusers" creation="true">
            <subDirectory name="sqlUserDirectory" />
          </source>

        </directory>

        <directory name="groupDirectory">
          <schema>group</schema>
          <idField>groupname</idField>

          <source name="ldapgroups">
            <subDirectory name="ldapGroupDirectory"/>
          </source>

          <source name="sqlgroups" creation="true">
            <subDirectory name="sqlGroupDirectory" />
          </source>

        </directory>

  </extension>

</component>
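
An added example, not part of the original message or of Nuxeo's code: a Python check that reads directory contributions like the ones attached above and reports where they diverge from the stated goal of read-only LDAP. The helper names and the trimmed sample XML are constructed for illustration; only the element and directory names come from the attachments.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: trimmed contributions reusing the element and
# directory names from the files attached to the message.
LDAP_XML = """<component name="sample.ldap.directories">
  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
    <directory name="ldapUserDirectory"><readOnly>false</readOnly></directory>
    <directory name="ldapGroupDirectory"><readOnly>true</readOnly></directory>
  </extension>
</component>"""
MULTI_XML = """<component name="sample.multi.directories">
  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <source name="ldapusers"><subDirectory name="ldapUserDirectory"/></source>
      <source name="sqlusers" creation="true"><subDirectory name="sqlUserDirectory"/></source>
    </directory>
  </extension>
</component>"""


def contributed_directories(xml_text, factory):
    """Yield <directory> elements contributed to the factory's 'directories' point."""
    for ext in ET.fromstring(xml_text).iter("extension"):
        if ext.get("point") == "directories" and ext.get("target", "").endswith(factory):
            yield from ext.findall("directory")


def audit_read_only_ldap(ldap_docs, multi_docs):
    """Return findings where the files do not keep LDAP read-only (hypothetical helper)."""
    findings, ldap_names = [], set()
    for doc in ldap_docs:
        for d in contributed_directories(doc, "LDAPDirectoryFactory"):
            ldap_names.add(d.get("name"))
            # Anything other than an explicit "true" is reported, including a missing tag.
            value = (d.findtext("readOnly") or "unset").strip().lower()
            if value != "true":
                findings.append(f"{d.get('name')}: <readOnly> is {value}, expected true")
    for doc in multi_docs:
        for d in contributed_directories(doc, "MultiDirectoryFactory"):
            for src in d.findall("source"):
                subs = {s.get("name") for s in src.findall("subDirectory")}
                # New entries should land in the SQL source, never in an LDAP one.
                if src.get("creation") == "true" and subs & ldap_names:
                    findings.append(f"{d.get('name')}/{src.get('name')}: creation source is LDAP-backed")
    return findings


if __name__ == "__main__":
    for finding in audit_read_only_ldap([LDAP_XML], [MULTI_XML]):
        print(finding)
```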