Hi,
I was able to make some small progress. I found almost an example from
the test case, and adapted it to my situation. Unfortunatly, I'm still
unable to authenticate / connect with this configuration (see attached
file).
Could someone take a look and tell me what I'm doing wrong? From what I
gather, it should work, but it doesn't.
Thanks,
Patrick
On 10-02-15 10:10 AM, Patrick Turcotte wrote:
> Hi,
>
> I had a look at the link you sent me. Unfortunatly, I don't see how to
> make it into a final working solution.
>
> I'm using the default-ldap-users-directory-bundle.xml and
> default-ldap-groups-directory-bundle.xml files (adapted to my context).
>
> How do I use the org.nuxeo.ecm.directory.multi.config component? Is it
> a replacement for the org.nuxeo.directory.ldap.storage.users component?
>
> What do I put into to replace the "..." in the source element? The
> configurations I now have in <directory name="userDirectory"> element ?
>
> Thanks for any pointers.
>
> Patrick
>
> On 10-02-13 08:55 AM, Thierry Martins wrote:
>> Hello,
>>
>> the multi directory may be a solution to define a main directory
>> combining 2 sources with differents structures.
>> You can have a look at
>> http://doc.nuxeo.org/5.2/books/nuxeo-book/html/chapter-directories.html#multi-directories
>>
>> Thierry
>>
>> 2010/2/13 Patrick Turcotte <[email protected]
>> <mailto:[email protected]>>
>>
>> Hi,
>>
>> Trying to configure Nuxeo to have 2 ldap directory
>> 1) for internal users
>> 2) for client
>> differents servers, different base dn.
>>
>> Can't seem to wrap my head around the idea.
>>
>> Do I have to define 2 directories for extension
>> target="org.nuxeo.ecm.platform.usermanager.UserService"
>> point="userManager" /userManager / users?
>> (found in
>> http://doc.nuxeo.org/5.2/books/nuxeo-book/html/auth-users-groups.html)
>> and the corresponding directories entries?
>>
>> How do I set "priorities" in looking up / binding?
>>
>> Could you point me to the right place in the doc or an example
>> somewhere?
>>
>> Thanks,
>>
>> Patrick
>> Java Architect
>> Revolution Linux
>> _______________________________________________
>> ECM mailing list
>> [email protected] <mailto:[email protected]>
>> http://lists.nuxeo.com/mailman/listinfo/ecm
>> To unsubscribe, go to http://lists.nuxeo.com/mailman/options/ecm
>>
>>
>
>
> _______________________________________________
> ECM mailing list
> [email protected]
> http://lists.nuxeo.com/mailman/listinfo/ecm
> To unsubscribe, go to http://lists.nuxeo.com/mailman/options/ecm
>
<?xml version="1.0" encoding="UTF-8"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.users">
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor"/>
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor"/>
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<require>org.nuxeo.ecm.platform.usermanager.UserManagerImpl</require>
<extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">
<userManager>
<users>
<directory>userMultiLdapDirectory</directory>
</users>
<groups>
<directory>groupMultiLdapDirectory</directory>
</groups>
</userManager>
</extension>
<require>org.nuxeo.ecm.directory.multi.MultiDirectoryFactory</require>
<extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
<directory name="userMultiLdapDirectory">
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField><!-- non authenticating if absent -->
<source name="internal" creation="true">
<subDirectory name="userLdapInternalDirectory"/>
</source>
<source name="clients" creation="false">
<subDirectory name="userLdapClientDirectory"/>
<optional>true</optional>
</source>
</directory>
<directory name="groupMultiLdapDirectory">
<schema>group</schema>
<idField>groupname</idField>
<source name="ldapInternal" creation="false">
<subDirectory name="groupLdapInternalDirectory"/>
</source>
<source name="ldapClients" creation="false">
<subDirectory name="groupLdapClientDirectory"/>
</source>
</directory>
</extension>
<!-- the groups SQL directories are required to make this bundle work -->
<require>org.nuxeo.ecm.directory.sql.storage</require>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
<!-- Configuration of a server connection
A single server declaration can point to a cluster of replicated
servers (using OpenLDAP's slapd + sluprd for instance). To leverage
such a cluster and improve availibility, please provide one
<ldapUrl/> tag for each replica of the cluster.
-->
<server name="default-internal">
<ldapUrl>ldap://ldapm01.example.com:389</ldapUrl>
<!-- Optional servers from the same cluster for failover
and load balancing:
<ldapUrl>ldap://server2:389</ldapUrl>
<ldapUrl>ldaps://server3:389</ldapUrl>
"ldaps" means TLS/SSL connection.
-->
<!-- Credentials used by Nuxeo5 to browse the directory, create
and modify entries.
Only the authentication of users (bind) use the credentials entered
through the login form if any.
-->
<bindDn>uid=nuxeoadmin,ou=People,ou=nuxeo,dc=example,dc=com</bindDn>
<bindPassword>modified</bindPassword>
</server>
<!-- Client ldap -->
<server name="default-client">
<ldapUrl>ldap://ldap-pturcotte.example.com:389</ldapUrl>
<bindDn>cn=manager,dc=example,dc=com</bindDn>
<bindPassword>changed</bindPassword>
</server>
</extension>
<extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
<directory name="userLdapInternalDirectory">
<server>default-prod</server>
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField>
<searchBaseDn>ou=People,dc=example,dc=com</searchBaseDn>
<searchClass>person</searchClass>
<!-- To additionally restricte entries you can add an
arbitrary search filter such as the following:
<searchFilter>(&(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
Beware that "&" writes "&" in XML.
<searchFilter>(&(memberUID={0})(cn=employes)(objectClass=posixGroup))</searchFilter>
-->
<!-- use subtree if the people branch is nested -->
<searchScope>onelevel</searchScope>
<!-- using 'subany', search will match *toto*. use 'subfinal' to
match *toto and 'subinitial' to match toto*. subinitial is the
default behaviour-->
<substringMatchType>subany</substringMatchType>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<!--
If the id field is not returned by the search, we set it with the searched entry, probably the login.
Before setting it, you can change its case. Accepted values are 'lower' and 'upper',
anything else will not change the case.
-->
<missingIdFieldCase>lower</missingIdFieldCase>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<creationBaseDn>ou=People,dc=example,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>person</creationClass>
<creationClass>organizationalPerson</creationClass>
<creationClass>inetOrgPerson</creationClass>
<rdnAttribute>uid</rdnAttribute>
<fieldMapping name="username">uid</fieldMapping>
<fieldMapping name="password">userPassword</fieldMapping>
<fieldMapping name="firstName">givenName</fieldMapping>
<fieldMapping name="lastName">sn</fieldMapping>
<fieldMapping name="company">o</fieldMapping>
<fieldMapping name="email">mail</fieldMapping>
<references>
<inverseReference field="groups" directory="groupDirectory" dualReferenceField="members"/>
</references>
</directory>
<directory name="userLdapClientDirectory">
<server>default-clients</server>
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField>
<searchBaseDn>ou=People,dc=example,dc=com</searchBaseDn>
<searchClass>person</searchClass>
<!-- To additionally restricte entries you can add an
arbitrary search filter such as the following:
<searchFilter>(&(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
Beware that "&" writes "&" in XML.
<searchFilter>(&(memberUID={0})(cn=employes)(objectClass=posixGroup))</searchFilter>
-->
<!-- use subtree if the people branch is nested -->
<searchScope>onelevel</searchScope>
<!-- using 'subany', search will match *toto*. use 'subfinal' to
match *toto and 'subinitial' to match toto*. subinitial is the
default behaviour-->
<substringMatchType>subany</substringMatchType>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<!--
If the id field is not returned by the search, we set it with the searched entry, probably the login.
Before setting it, you can change its case. Accepted values are 'lower' and 'upper',
anything else will not change the case.
-->
<missingIdFieldCase>lower</missingIdFieldCase>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<creationBaseDn>ou=People,dc=example,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>person</creationClass>
<creationClass>organizationalPerson</creationClass>
<creationClass>inetOrgPerson</creationClass>
<rdnAttribute>uid</rdnAttribute>
<fieldMapping name="username">uid</fieldMapping>
<fieldMapping name="password">userPassword</fieldMapping>
<fieldMapping name="firstName">givenName</fieldMapping>
<fieldMapping name="lastName">sn</fieldMapping>
<fieldMapping name="company">o</fieldMapping>
<fieldMapping name="email">mail</fieldMapping>
<references>
<inverseReference field="groups" directory="groupDirectory" dualReferenceField="members"/>
</references>
</directory>
<directory name="groupLdapInternalDirectory">
<!-- Reuse the default server configuration defined for userDirectory -->
<server>default-internal</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>dc=example,dc=com</searchBaseDn>
<!--
<searchFilter></searchFilter>
<searchFilter>(|(objectClass=posixGroup)(objectClass=gosaGroupOfNames))</searchFilter>
-->
<searchFilter>(& (|(objectClass=posixGroup)(objectClass=gosaGroupOfNames)) (!(sambaGroupType=2)))</searchFilter>
<searchScope>subtree</searchScope>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=Group,ou=nuxeo,dc=example,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<!--
<creationClass>groupOfUniqueNames</creationClass>
-->
<creationClass>gosaGroupOfNames</creationClass>
<attributesWithValues name="gosaGroupObjects">[U]</attributesWithValues>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<!-- LDAP reference resolve DNs embedded in uniqueMember attributes
If the target directory has no specific filtering policy, it is most
of the time not necessary to enable the 'forceDnConsistencyCheck' policy.
Enabling this option will fetch each reference entry to ensure its
existence in the target directory.
-->
<ldapReference field="members" directory="userDirectory" forceDnConsistencyCheck="false" staticAttributeId="member" dynamicAttributeId="memberURL"/>
<ldapReference field="subGroups" directory="groupDirectory" forceDnConsistencyCheck="false" staticAttributeId="member" dynamicAttributeId="memberURL"/>
<inverseReference field="parentGroups" directory="groupDirectory" dualReferenceField="subGroups"/>
</references>
</directory>
<directory name="groupLdapClientDirectory">
<!-- Reuse the default server configuration defined for userDirectory -->
<server>default-clients</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>dc=example,dc=com</searchBaseDn>
<!--
<searchFilter></searchFilter>
<searchFilter>(|(objectClass=posixGroup)(objectClass=gosaGroupOfNames))</searchFilter>
-->
<searchFilter>(& (|(objectClass=posixGroup)(objectClass=gosaGroupOfNames)) (!(sambaGroupType=2)))</searchFilter>
<searchScope>subtree</searchScope>
<readOnly>true</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=Group,ou=nuxeo,dc=example,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<!--
<creationClass>groupOfUniqueNames</creationClass>
-->
<creationClass>gosaGroupOfNames</creationClass>
<attributesWithValues name="gosaGroupObjects">[U]</attributesWithValues>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<!-- LDAP reference resolve DNs embedded in uniqueMember attributes
If the target directory has no specific filtering policy, it is most
of the time not necessary to enable the 'forceDnConsistencyCheck' policy.
Enabling this option will fetch each reference entry to ensure its
existence in the target directory.
-->
<ldapReference field="members" directory="userDirectory" forceDnConsistencyCheck="false" staticAttributeId="member" dynamicAttributeId="memberURL"/>
<ldapReference field="subGroups" directory="groupDirectory" forceDnConsistencyCheck="false" staticAttributeId="member" dynamicAttributeId="memberURL"/>
<inverseReference field="parentGroups" directory="groupDirectory" dualReferenceField="subGroups"/>
</references>
</directory>
</extension>
</component>
_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
To unsubscribe, go to http://lists.nuxeo.com/mailman/options/ecm
