Hi,
Following Thierry's suggestions, I was able to make it work. I've
attached the final result (edited for password and company names) to
this mail.
The objective was to configure two authenticating LDAP servers, one with
users internal to the company, and one with client credentials.
I've divided the configuration into five files, which was a little bit
more challenging, but also made things clearer for me.
1) internal-ldap-users-bundle and internal-ldap-groups-bundle files
Define the LDAP users and LDAP groups directories. Notice the component
name at the top of each file.
2) client-ldap-users-bundle and client-ldap-groups-bundle files
Same as above, but for the client LDAP.
3) multi-ldap-directory-bundle
This file defines the default
"org.nuxeo.ecm.directory.ldap.storage.users" component. It requires the
components defined in the 4 files above. It then extends the
userManager to specify the user and group directories. Finally, it
defines a MultiDirectoryFactory to link with the directories defined in
our other components. Notice the passwordField element, which is
mandatory to make the directory an authenticating one.
Hope this helps someone,
Patrick
Java Architect
Revolution Linux
On 10-02-16 05:09 PM, Patrick Turcotte wrote:
> Hi,
>
> I'll look into your suggestions tomorrow.
>
> Yes, I was able to make it work for mono directory.
>
> I'll keep you posted.
>
> Patrick
>
> On 10-02-16 04:52 PM, Thierry Martins wrote:
>> Hello,
>>
>> yes, it seems almost good.
>> I noticed two problems:
>> - the directory userLdapInternalDirectory is defined with server
>> called default-prod whereas you didn't define it above, there is only
>> default-internal and default-clients.
>> - Moreover, in both user directories, you didn't define the search
>> baseDn: there is still
>> <searchBaseDn>ou=People,dc=example,dc=com</searchBaseDn>
>> You need to change this.
>>
>> My advice would be to proceed step by step: first configure only the
>> user directory, then the group directory.
>>
>> Did you manage to define a mono directory contribution that works?
>>
>> Thierry
>>
>> 2010/2/16 Patrick Turcotte <[email protected]>
>>
>> Hi,
>>
>> I was able to make some small progress. I found almost an example
>> from the test case, and adapted it to my situation. Unfortunately,
>> I'm still unable to authenticate / connect with this
>> configuration (see attached file).
>>
>> Could someone take a look and tell me what I'm doing wrong? From
>> what I gather, it should work, but it doesn't.
>>
>> Thanks,
>>
>> Patrick
>>
>>
>> On 10-02-15 10:10 AM, Patrick Turcotte wrote:
>>> Hi,
>>>
>>> I had a look at the link you sent me. Unfortunately, I don't see
>>> how to make it into a final working solution.
>>>
>>> I'm using the default-ldap-users-directory-bundle.xml and
>>> default-ldap-groups-directory-bundle.xml files (adapted to my
>>> context).
>>>
>>> How do I use the org.nuxeo.ecm.directory.multi.config component?
>>> Is it a replacement for the
>>> org.nuxeo.directory.ldap.storage.users component?
>>>
>>> What do I put into to replace the "..." in the source element?
>>> The configurations I now have in <directory
>>> name="userDirectory"> element ?
>>>
>>> Thanks for any pointers.
>>>
>>> Patrick
>>>
>>> On 10-02-13 08:55 AM, Thierry Martins wrote:
>>>> Hello,
>>>>
>>>> the multi directory may be a solution to define a main
>>>> directory combining 2 sources with different structures.
>>>> You can have a look at
>>>>
>>>> http://doc.nuxeo.org/5.2/books/nuxeo-book/html/chapter-directories.html#multi-directories
>>>>
>>>> Thierry
>>>>
>>>> 2010/2/13 Patrick Turcotte <[email protected]>
>>>>
>>>> Hi,
>>>>
>>>> Trying to configure Nuxeo to have 2 LDAP directories
>>>> 1) for internal users
>>>> 2) for clients
>>>> different servers, different base DN.
>>>>
>>>> Can't seem to wrap my head around the idea.
>>>>
>>>> Do I have to define 2 directories for extension
>>>> target="org.nuxeo.ecm.platform.usermanager.UserService"
>>>> point="userManager" /userManager / users?
>>>> (found in
>>>>
>>>> http://doc.nuxeo.org/5.2/books/nuxeo-book/html/auth-users-groups.html)
>>>> and the corresponding directories entries?
>>>>
>>>> How do I set "priorities" in looking up / binding?
>>>>
>>>> Could you point me to the right place in the doc or an
>>>> example somewhere?
>>>>
>>>> Thanks,
>>>>
>>>> Patrick
>>>> Java Architect
>>>> Revolution Linux
>>>> _______________________________________________
>>>> ECM mailing list
>>>> [email protected]
>>>> http://lists.nuxeo.com/mailman/listinfo/ecm
>>>> To unsubscribe, go to
>>>> http://lists.nuxeo.com/mailman/options/ecm
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
<?xml version="1.0"?>
<component name="com.yourcorp.directory.ldap.storage.groups.client">
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<!-- the client users LDAP directory (which declares the default-client server) is required to make this bundle work -->
<require>com.yourcorp.directory.ldap.storage.users.client</require>
<!-- <require>org.nuxeo.ecm.directory.ldap.storage.users</require> -->
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
<directory name="clientGroupDirectory">
<!-- Reuse the server configuration declared in the clientUserDirectory bundle -->
<server>default-client</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>dc=yourcorp,dc=com</searchBaseDn>
<!--
<searchFilter></searchFilter>
<searchFilter>(|(objectClass=posixGroup)(objectClass=gosaGroupOfNames))</searchFilter>
-->
<searchFilter>(&amp; (|(objectClass=posixGroup)(objectClass=gosaGroupOfNames)) (!(sambaGroupType=2)))</searchFilter>
<searchScope>subtree</searchScope>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=Group,ou=nuxeo,dc=yourcorp,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<!--
<creationClass>groupOfUniqueNames</creationClass>
-->
<creationClass>gosaGroupOfNames</creationClass>
<attributesWithValues name="gosaGroupObjects">[U]</attributesWithValues>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<!-- LDAP references resolve DNs embedded in the 'member' attribute (staticAttributeId).
If the target directory has no specific filtering policy, it is most
of the time not necessary to enable the 'forceDnConsistencyCheck' policy.
Enabling this option will fetch each reference entry to ensure its
existence in the target directory.
-->
<ldapReference field="members" directory="clientUserDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="member"
dynamicAttributeId="memberURL" />
<ldapReference field="subGroups" directory="clientGroupDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="member"
dynamicAttributeId="memberURL" />
<inverseReference field="parentGroups"
directory="clientGroupDirectory" dualReferenceField="subGroups" />
</references>
</directory>
</extension>
</component>
<?xml version="1.0" encoding="UTF-8"?>
<component name="com.yourcorp.directory.ldap.storage.users.client">
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor"/>
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor"/>
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<!-- the groups SQL directories are required to make this bundle work -->
<require>org.nuxeo.ecm.directory.sql.storage</require>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
<!-- Configuration of a server connection
A single server declaration can point to a cluster of replicated
servers (using OpenLDAP's slapd + slurpd for instance). To leverage
such a cluster and improve availability, please provide one
<ldapUrl/> tag for each replica of the cluster.
-->
<server name="default-client">
<ldapUrl>ldap://ldapClient.yourcorp.com:389</ldapUrl>
<bindDn>cn=manager,dc=yourcorp,dc=com</bindDn>
<bindPassword>apassword</bindPassword>
</server>
</extension>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
<directory name="clientUserDirectory">
<server>default-client</server>
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField>
<searchBaseDn>ou=People,dc=yourcorp,dc=com</searchBaseDn>
<searchClass>person</searchClass>
<!-- To additionally restrict entries you can add an
arbitrary search filter such as the following:
<searchFilter>(&amp;(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
Beware that "&" is written "&amp;" in XML.
<searchFilter>(&amp;(memberUID={0})(cn=employes)(objectClass=posixGroup))</searchFilter>
-->
<!-- use subtree if the people branch is nested -->
<searchScope>onelevel</searchScope>
<!-- using 'subany', search will match *toto*. use 'subfinal' to
match *toto and 'subinitial' to match toto*. subinitial is the
default behaviour-->
<substringMatchType>subany</substringMatchType>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<!--
If the id field is not returned by the search, we set it with the searched entry, probably the login.
Before setting it, you can change its case. Accepted values are 'lower' and 'upper',
anything else will not change the case.
-->
<missingIdFieldCase>lower</missingIdFieldCase>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<creationBaseDn>ou=People,dc=yourcorp,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>person</creationClass>
<creationClass>organizationalPerson</creationClass>
<creationClass>inetOrgPerson</creationClass>
<rdnAttribute>uid</rdnAttribute>
<fieldMapping name="username">uid</fieldMapping>
<fieldMapping name="password">userPassword</fieldMapping>
<fieldMapping name="firstName">givenName</fieldMapping>
<fieldMapping name="lastName">sn</fieldMapping>
<fieldMapping name="company">o</fieldMapping>
<fieldMapping name="email">mail</fieldMapping>
<references>
<inverseReference field="groups" directory="clientGroupDirectory" dualReferenceField="members"/>
</references>
</directory>
</extension>
</component>
<?xml version="1.0"?>
<component name="com.yourcorp.directory.ldap.storage.groups.internal">
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<!-- the internal users LDAP directory (which declares the default-internal server) is required to make this bundle work -->
<require>com.yourcorp.directory.ldap.storage.users.internal</require>
<!-- <require>org.nuxeo.ecm.directory.ldap.storage.users</require> -->
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
<directory name="internalGroupDirectory">
<!-- Reuse the server configuration declared in the internalUserDirectory bundle -->
<server>default-internal</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>dc=yourcorp,dc=com</searchBaseDn>
<!--
<searchFilter></searchFilter>
<searchFilter>(|(objectClass=posixGroup)(objectClass=gosaGroupOfNames))</searchFilter>
-->
<searchFilter>(&amp; (|(objectClass=posixGroup)(objectClass=gosaGroupOfNames)) (!(sambaGroupType=2)))</searchFilter>
<searchScope>subtree</searchScope>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=Group,ou=nuxeo,dc=yourcorp,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<!--
<creationClass>groupOfUniqueNames</creationClass>
-->
<creationClass>gosaGroupOfNames</creationClass>
<attributesWithValues name="gosaGroupObjects">[U]</attributesWithValues>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<!-- LDAP references resolve DNs embedded in the 'member' attribute (staticAttributeId).
If the target directory has no specific filtering policy, it is most
of the time not necessary to enable the 'forceDnConsistencyCheck' policy.
Enabling this option will fetch each reference entry to ensure its
existence in the target directory.
-->
<ldapReference field="members" directory="internalUserDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="member"
dynamicAttributeId="memberURL" />
<ldapReference field="subGroups" directory="internalGroupDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="member"
dynamicAttributeId="memberURL" />
<inverseReference field="parentGroups"
directory="internalGroupDirectory" dualReferenceField="subGroups" />
</references>
</directory>
</extension>
</component>
<?xml version="1.0" encoding="UTF-8"?>
<component name="com.yourcorp.directory.ldap.storage.users.internal">
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor"/>
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor"/>
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<!-- the groups SQL directories are required to make this bundle work -->
<require>org.nuxeo.ecm.directory.sql.storage</require>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
<!-- Configuration of a server connection
A single server declaration can point to a cluster of replicated
servers (using OpenLDAP's slapd + slurpd for instance). To leverage
such a cluster and improve availability, please provide one
<ldapUrl/> tag for each replica of the cluster.
-->
<server name="default-internal">
<ldapUrl>ldap://ldapInternal.yourcorp.com:389</ldapUrl>
<!-- Optional servers from the same cluster for failover
and load balancing:
<ldapUrl>ldap://server2:389</ldapUrl>
<ldapUrl>ldaps://server3:389</ldapUrl>
"ldaps" means TLS/SSL connection.
-->
<!-- Credentials used by Nuxeo5 to browse the directory, create
and modify entries.
Only the authentication of users (bind) use the credentials entered
through the login form if any.
-->
<bindDn>uid=nuxeoadmin,ou=People,ou=nuxeo,dc=yourcorp,dc=com</bindDn>
<bindPassword>thepassword</bindPassword>
</server>
</extension>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
<directory name="internalUserDirectory">
<server>default-internal</server>
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField>
<searchBaseDn>ou=People,dc=yourcorp,dc=com</searchBaseDn>
<searchClass>person</searchClass>
<!-- To additionally restrict entries you can add an
arbitrary search filter such as the following:
<searchFilter>(&amp;(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
Beware that "&" is written "&amp;" in XML.
<searchFilter>(&amp;(memberUID={0})(cn=employes)(objectClass=posixGroup))</searchFilter>
-->
<!-- use subtree if the people branch is nested -->
<searchScope>onelevel</searchScope>
<!-- using 'subany', search will match *toto*. use 'subfinal' to
match *toto and 'subinitial' to match toto*. subinitial is the
default behaviour-->
<substringMatchType>subany</substringMatchType>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<!--
If the id field is not returned by the search, we set it with the searched entry, probably the login.
Before setting it, you can change its case. Accepted values are 'lower' and 'upper',
anything else will not change the case.
-->
<missingIdFieldCase>lower</missingIdFieldCase>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<creationBaseDn>ou=People,dc=yourcorp,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>person</creationClass>
<creationClass>organizationalPerson</creationClass>
<creationClass>inetOrgPerson</creationClass>
<rdnAttribute>uid</rdnAttribute>
<fieldMapping name="username">uid</fieldMapping>
<fieldMapping name="password">userPassword</fieldMapping>
<fieldMapping name="firstName">givenName</fieldMapping>
<fieldMapping name="lastName">sn</fieldMapping>
<fieldMapping name="company">o</fieldMapping>
<fieldMapping name="email">mail</fieldMapping>
<references>
<inverseReference field="groups" directory="internalGroupDirectory" dualReferenceField="members"/>
</references>
</directory>
</extension>
</component>
<?xml version="1.0" encoding="UTF-8"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.users">
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor"/>
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor"/>
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<require>org.nuxeo.ecm.platform.usermanager.UserManagerImpl</require>
<!-- custom config -->
<!-- require other components -->
<require>com.yourcorp.directory.ldap.storage.users.internal</require><!-- defined in internal-ldap-users-directory-bundle.xml -->
<require>com.yourcorp.directory.ldap.storage.groups.internal</require><!-- defined in internal-ldap-groups-directory-bundle.xml -->
<require>com.yourcorp.directory.ldap.storage.users.client</require><!-- defined in client-ldap-users-directory-bundle.xml -->
<require>com.yourcorp.directory.ldap.storage.groups.client</require><!-- defined in client-ldap-groups-directory-bundle.xml -->
<extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">
<!-- define your directory for your users and groups -->
<userManager>
<users>
<directory>userMultiLdapDirectory</directory>
</users>
<groups>
<directory>groupMultiLdapDirectory</directory>
</groups>
</userManager>
</extension>
<require>org.nuxeo.ecm.directory.multi.MultiDirectoryFactory</require>
<extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
<directory name="userMultiLdapDirectory">
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField><!-- Needed to be an authenticating directory -->
<!-- List your source user directory -->
<source name="internal" creation="true">
<subDirectory name="internalUserDirectory"/>
</source>
<source name="clients" creation="false">
<subDirectory name="clientUserDirectory"/>
<optional>true</optional>
</source>
</directory>
<directory name="groupMultiLdapDirectory">
<schema>group</schema>
<idField>groupname</idField>
<!-- List your source group directory -->
<source name="ldapInternal" creation="false">
<subDirectory name="internalGroupDirectory"/>
</source>
<source name="ldapClients" creation="false">
<subDirectory name="clientGroupDirectory"/>
</source>
</directory>
</extension>
</component>
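A consistency check worth running over a set of contributions like these before deploying them, added here as an example and not taken from the thread or from Nuxeo: it parses the component XML files and cross-checks the references the thread tripped over (a directory pointing at a server that is never declared, a searchBaseDn left at the stock dc=example,dc=com, a multi-directory sub-directory that is missing or has no passwordField although the multi directory is meant to authenticate), and flags plain ldap:// URLs since the bind password would then cross the wire in clear. The sample XML is constructed and cut down from the files above, and the lint rules are my own assumptions, not a Nuxeo feature.

```python
import xml.etree.ElementTree as ET

# Constructed sample files, cut down from the layout in the thread; the server
# reference and searchBaseDn mistakes Thierry pointed out are deliberately left in.
USERS_XML = """<component name="com.yourcorp.directory.ldap.storage.users.client">
 <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
  <server name="default-client"><ldapUrl>ldap://ldapClient.yourcorp.com:389</ldapUrl></server>
 </extension>
 <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
  <directory name="clientUserDirectory">
   <server>default-prod</server>
   <passwordField>password</passwordField>
   <searchBaseDn>ou=People,dc=example,dc=com</searchBaseDn>
  </directory>
 </extension>
</component>"""
MULTI_XML = """<component name="org.nuxeo.ecm.directory.ldap.storage.users">
 <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
  <directory name="userMultiLdapDirectory">
   <passwordField>password</passwordField>
   <source name="clients"><subDirectory name="clientUserDirectory"/></source>
   <source name="internal"><subDirectory name="internalUserDirectory"/></source>
  </directory>
 </extension>
</component>"""

def lint(xml_docs):
    """Cross-check Nuxeo directory contributions; returns a list of problem strings."""
    servers, ldap_dirs, multi_dirs = {}, {}, {}
    for doc in xml_docs:
        for ext in ET.fromstring(doc).iter("extension"):
            point, target = ext.get("point"), ext.get("target", "")
            if point == "servers":
                servers.update((s.get("name"), s) for s in ext.findall("server"))
            elif point == "directories" and target.endswith("LDAPDirectoryFactory"):
                ldap_dirs.update((d.get("name"), d) for d in ext.findall("directory"))
            elif point == "directories" and target.endswith("MultiDirectoryFactory"):
                multi_dirs.update((d.get("name"), d) for d in ext.findall("directory"))
    problems = []
    for name, d in ldap_dirs.items():
        srv = d.findtext("server")
        if srv not in servers:  # Thierry's first problem: an undeclared server name
            problems.append(f"{name}: server '{srv}' is not defined")
        if "dc=example,dc=com" in d.findtext("searchBaseDn", ""):  # his second one
            problems.append(f"{name}: searchBaseDn still uses the stock dc=example,dc=com")
    for name, s in servers.items():
        for url in s.findall("ldapUrl"):
            if (url.text or "").startswith("ldap://"):
                problems.append(f"server {name}: {url.text} is not ldaps://; bind password crosses the wire in clear")
    for name, d in multi_dirs.items():
        if d.find("passwordField") is None:
            continue  # not an authenticating directory, so its sources need no password field
        for sub in d.iter("subDirectory"):
            target = ldap_dirs.get(sub.get("name"))
            if target is None:
                problems.append(f"{name}: subDirectory '{sub.get('name')}' is not defined")
            elif target.find("passwordField") is None:
                problems.append(f"{name}: sub-directory '{sub.get('name')}' has no passwordField")
    return problems
```

Run it with `lint([USERS_XML, MULTI_XML])`; on the constructed sample it reports the undeclared default-prod server, the stock base DN, the clear-text ldap:// URL and the missing internalUserDirectory.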