Hi all,
I'm trying to use an LDAP server to authenticate the users. I have read many documents:
- https://fedora-commons.org/confluence/display/FCR30/Securing+Your+Fedora+Repository
- https://fedora-commons.org/confluence/display/FCR30/Fedora+Authorization+with+XACML+Policy+Enforcement
- https://fedora-commons.org/confluence/display/FCR30/Fedora+XACML+Policy+Writing+Guide

but I never succeed... and I don't see which configuration is missing. In fact, the Fedora server never tries to access the LDAP server to verify the identity of the user. It just checks fedora-users.xml... WHY!! Does anybody have a suggestion?... another document to look at?... something else...

thanks
Pierre-Yves

Here are my configurations files:

/repository-policies/perso/permit-apim-by-ldap-group.xml (like here: https://fedora-commons.org/confluence/download/attachments/4981197/permit-apim-by-ldap-group.xml?version=1):
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.fedora.info/definitions/1/0/api/cs-xacml-schema-policy-01.xsd"
        PolicyId="permit-apim-by-ldap-group"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">

        <Description> </Description>
        <!-- Scope of Policy: This policy applies only to the Fedora API-M Interface -->
        <Target>
                <Subjects>
                        <AnySubject/>
                </Subjects>
                <Resources>
                        <AnyResource/>
                </Resources>
                <Actions>
                        <Action>
                                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
                                        <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
                                </ActionMatch>
                        </Action>
                </Actions>
        </Target>
        <!-- Rule for how API-M can be accessed. -->
        <Rule RuleId="1" Effect="Permit">
                <!-- Permit access if the requestor is a member of one of the specified groups (defined by the LDAP 'ou' attribute). -->
                <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="ou"/>
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedora - admin</AttributeValue>
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedora - master</AttributeValue>
                        </Apply>
                </Condition>
        </Rule>
</Policy>


tomcat/webapps/fedora/WEB-INF/web.xml:
   <filter>
     <filter-name>XmlUserfileFilter</filter-name>
     <filter-class>fedora.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
   </filter>
   <filter>
     <filter-name>LdapFilterForAttributes</filter-name>
     <filter-class>fedora.server.security.servletfilters.ldap.FilterLdap</filter-class>
     <init-param>
         <param-name>authenticate</param-name>
         <param-value>true</param-value>
     </init-param>
     <init-param>
         <param-name>url</param-name>
         <param-value>ldap://ldap.server.fr:389</param-value>
     </init-param>
     <init-param>
         <param-name>search-base</param-name>
         <param-value>ou=mylaboratory,dc=cnrs,dc=fr</param-value>
     </init-param>
     <init-param>
         <param-name>search-filter</param-name>
         <param-value>(objectClass=*)</param-value>
     </init-param>
     <init-param>
         <param-name>id-attribute</param-name>
         <param-value>uid</param-value>
     </init-param>
     <init-param>
         <param-name>attributes</param-name>
         <param-value>ou</param-value>
     </init-param>
   </filter>
   <filter>
     <filter-name>RestApiAuthnFilter</filter-name>
     <filter-class>fedora.server.security.servletfilters.FilterRestApiAuthn</filter-class>
   </filter>
Fedora-commons-developers mailing list
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
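Added example (editor's code, not part of the original message and not Fedora's own code): the web.xml excerpt above shows only `<filter>` declarations. A servlet container never invokes a filter that is merely declared; it runs only the filters listed in `<filter-mapping>` elements, in the order those mappings appear. Before debugging the LDAP side, it is worth checking mechanically that the LDAP filter is actually in the chain. The script below parses a web.xml and reports declared filters, the mapping chain, and any filter that is declared but never mapped. The embedded sample is constructed for the example: it reuses the three filter declarations from the post (with a shortened init-param list) and adds a hypothetical `<filter-mapping>` section that maps only two of them; the poster's real file is not on the page.

```python
"""Audit a Tomcat web.xml: which servlet filters are declared, which are
actually mapped, and in what order the mapped ones run.

A <filter> element on its own does nothing. The container only invokes
filters that appear in a <filter-mapping>, and it runs them in the order
the mappings are listed. Checking that first rules out a whole class of
"the filter never fires" problems before looking at LDAP itself.
"""
import xml.etree.ElementTree as ET

# Constructed sample for this example (NOT the poster's complete file):
# the three <filter> declarations from the post, wrapped in a minimal
# web-app root, plus a hypothetical <filter-mapping> section that maps
# only two of them.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter>
    <filter-name>XmlUserfileFilter</filter-name>
    <filter-class>fedora.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
  </filter>
  <filter>
    <filter-name>LdapFilterForAttributes</filter-name>
    <filter-class>fedora.server.security.servletfilters.ldap.FilterLdap</filter-class>
    <init-param><param-name>authenticate</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>url</param-name><param-value>ldap://ldap.server.fr:389</param-value></init-param>
  </filter>
  <filter>
    <filter-name>RestApiAuthnFilter</filter-name>
    <filter-class>fedora.server.security.servletfilters.FilterRestApiAuthn</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>XmlUserfileFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>RestApiAuthnFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so lookups work with or without an xmlns."""
    return tag.rsplit('}', 1)[-1]


def _text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return ''


def audit_filters(web_xml_text):
    """Parse web.xml text and return declared filters (with their
    init-params), the ordered mapping chain, filters declared but never
    mapped, and mappings that reference an undeclared filter."""
    root = ET.fromstring(web_xml_text)
    declared = {}
    chain = []
    for elem in root:
        tag = _local(elem.tag)
        if tag == 'filter':
            params = {}
            for child in elem:
                if _local(child.tag) == 'init-param':
                    params[_text(child, 'param-name')] = _text(child, 'param-value')
            declared[_text(elem, 'filter-name')] = {
                'class': _text(elem, 'filter-class'),
                'init': params,
            }
        elif tag == 'filter-mapping':
            chain.append((_text(elem, 'filter-name'), _text(elem, 'url-pattern')))
    mapped = {name for name, _ in chain}
    return {
        'declared': declared,
        'chain': chain,                                   # execution order
        'unmapped': sorted(set(declared) - mapped),       # declared, never run
        'dangling': sorted(mapped - set(declared)),       # mapped, never declared
    }


def report(web_xml_text):
    """Human-readable summary of audit_filters()."""
    r = audit_filters(web_xml_text)
    lines = ['filter chain (in order):']
    lines += ['  %s  ->  %s' % (pattern, name) for name, pattern in r['chain']]
    for name in r['unmapped']:
        auth = r['declared'][name]['init'].get('authenticate', '')
        lines.append('  WARNING: %s is declared but has no <filter-mapping>'
                     ' (authenticate=%r); it will never run' % (name, auth))
    for name in r['dangling']:
        lines.append('  WARNING: <filter-mapping> refers to undeclared filter %s' % name)
    return '\n'.join(lines)


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print(report(text))
```

Run it with the path to the real WEB-INF/web.xml as the first argument; with no argument it audits the constructed sample, where the LDAP filter is declared with `authenticate=true` but absent from the chain, which is exactly the symptom of "Fedora never contacts LDAP and only consults fedora-users.xml". If the real file does map the LDAP filter, the printed chain order is the next thing to compare against the Fedora security documentation linked in the post.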