Thanks Chi,

I've successfully tested this with the following steps against
OpenLDAP on Ubuntu:

1) installed from fedora trunk with FeSL off, legacy XACML on
2) modified jaas.conf to use cascading authN (ldap direct bind
sufficient, xml user file sufficient)
3) modified web.xml as instructed in the doc, to authenticate for
everything for simplicity

Going against UserServlet (great idea for sanity checking btw), I was
able to authenticate and see the attributes of the fedoraAdmin user
(defined in the xml user file), and my other test user (defined only
in LDAP).  I also verified that fedoraAdmin was allowed to do admin
things, and my other test user was not (via legacy XACML enforcement).

Reading the docs and looking at AuthFilterJAAS, it looks like the
multi-valued "fedoraRole" attribute is the only one that's passed down
the chain via FEDORA_AUX_SUBJECT_ATTRIBUTES.  While it is possible via
AuthFilterJAAS's configuration to map other LDAP attributes to
fedoraRole (and thus have their *values* passed down the chain), it is
not possible to pass the original, LDAP-defined name-value pairs down.

Is this correct?  If so, why?  It seems simple enough to provide all
the attribute name-value pairs here (so they could be used as subject
attributes during AuthZ), so I think I must be missing something.

Thanks,
Chris
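As an added illustration of the cascading setup in step 2 and of the fedoraRole-only pass-down described above (this is example code written for this message, not code from Fedora, FeSL or AuthFilterJAAS): a small Python model of the JAAS control-flag semantics (required, requisite, sufficient, optional) run over two constructed stand-in backends, an LDAP direct bind and an XML user file, followed by a projection function that models what the message says reaches the filter chain. The user entries, the module names, the `cascade` and `subject_attributes` functions, and the `role_sources` mapping parameter are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, List[str]]

# Constructed sample stores (assumptions for this example, not a real directory
# and not the format of Fedora's XML user file).
LDAP_DIRECTORY: Dict[str, Tuple[str, Attrs]] = {
    "jens": ("ldap-secret", {
        "uid": ["jens"],
        "mail": ["[email protected]"],
        "memberOf": ["cn=editors,ou=groups,dc=example,dc=org"],
    }),
}
XML_USER_FILE: Dict[str, Tuple[str, Attrs]] = {
    "fedoraAdmin": ("admin-secret", {"fedoraRole": ["administrator"]}),
}


def ldap_direct_bind(user: str, password: str) -> Optional[Attrs]:
    """Stand-in for an LDAP direct bind: on success, return the entry's attributes."""
    entry = LDAP_DIRECTORY.get(user)
    if entry is None or entry[0] != password:
        return None
    return dict(entry[1])


def xml_user_file(user: str, password: str) -> Optional[Attrs]:
    """Stand-in for the XML user file lookup (where fedoraAdmin lives)."""
    entry = XML_USER_FILE.get(user)
    if entry is None or entry[0] != password:
        return None
    return dict(entry[1])


@dataclass(frozen=True)
class LoginModule:
    name: str
    flag: str  # one of: required, requisite, sufficient, optional
    login: Callable[[str, str], Optional[Attrs]]


def cascade(modules: List[LoginModule], user: str, password: str) -> Tuple[bool, Attrs, List[str]]:
    """Evaluate an ordered login-module stack with JAAS control-flag semantics.

    Returns (authenticated, attributes merged from successful modules, trace),
    where the trace records which modules ran and how each one fared.
    """
    merged: Attrs = {}
    trace: List[str] = []
    saw_required = False      # stack contains a required/requisite module
    required_failed = False   # a required/requisite module failed
    optional_ok = False       # a sufficient/optional module succeeded
    for m in modules:
        attrs = m.login(user, password)
        ok = attrs is not None
        trace.append(f"{m.name}[{m.flag}]:{'ok' if ok else 'fail'}")
        if ok:
            for key, values in attrs.items():
                merged.setdefault(key, []).extend(values)
        if m.flag in ("required", "requisite"):
            saw_required = True
            if not ok:
                required_failed = True
                if m.flag == "requisite":
                    break  # requisite failure ends the cascade at once
        elif m.flag == "sufficient":
            if ok and not required_failed:
                return True, merged, trace  # success short-circuits the rest
            optional_ok = optional_ok or ok
        elif m.flag == "optional":
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {m.flag!r}")
    success = (not required_failed) if saw_required else optional_ok
    return success, (merged if success else {}), trace


# The stack from step 2 above: LDAP direct bind first, XML user file second, both "sufficient".
FEDORA_STACK = [
    LoginModule("LdapDirectBind", "sufficient", ldap_direct_bind),
    LoginModule("XmlUsersFile", "sufficient", xml_user_file),
]


def subject_attributes(attrs: Attrs, role_sources: Tuple[str, ...] = ()) -> Attrs:
    """Model of the pass-down behaviour described in the message: only the
    multi-valued fedoraRole attribute travels down the filter chain, and other
    attributes get there only by being mapped onto fedoraRole (their values
    survive, their original names do not)."""
    roles = list(attrs.get("fedoraRole", []))
    for source in role_sources:
        roles.extend(attrs.get(source, []))
    return {"fedoraRole": roles} if roles else {}


if __name__ == "__main__":
    for user, pw in (("jens", "ldap-secret"), ("fedoraAdmin", "admin-secret"), ("jens", "nope")):
        ok, attrs, trace = cascade(FEDORA_STACK, user, pw)
        print(user, ok, " -> ".join(trace), subject_attributes(attrs, ("memberOf",)))
```

Two things the model makes visible. First, with both modules "sufficient", a user defined only in the XML file never touches LDAP once the bind fails, and an LDAP-only user never reaches the file; swap the LDAP module's flag to "required" and the file-only fedoraAdmin login is refused even though the file module succeeds, which is why cascading needs "sufficient" on both. Second, `subject_attributes` returns nothing for the LDAP user until memberOf is mapped onto fedoraRole, and what arrives is the bare value with the LDAP attribute name gone, which is the loss the question above is about. The trace is the kind of per-module record worth logging on failed logins, since a user that fails through every module looks identical to a bad password without it.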

On Wed, Mar 10, 2010 at 6:42 PM, Chi Nguyen <[email protected]> wrote:
> That is certainly possible (and I think would be most useful), though you
> would need to install the jaas-module after installing Fedora without
> enabling the FeSL module. Unfortunately, there's no option at the moment
> with the Fedora install to install just the AuthN bit without the Authz, so
> I'm attaching the doc written by Nish for getting the AuthN module support
> over a vanilla Fedora install.
> -chi
>
>
> On Thu, Mar 11, 2010 at 5:30 AM, Chris Wilper <[email protected]> wrote:
>>
>> Are we in a position to be able to do this for 3.4?  I know there's
>> some work to be done on the AuthZ side before we can fully replace the
>> old Authorization module, but I'm less clear on the AuthN side of
>> things.
>>
>> http://fedora-commons.org/confluence/display/FCR30/FeSL+Authentication
>>
>> The old AuthN's Xml user file-based AuthN is working fine out of the
>> box today, but it seems like people are constantly running into
>> trouble getting LDAP authentication to work with it.
>>
>> So, actually, a couple questions:
>>
>> 1) What potential gotchas would there be to swapping in FESL's AuthN
>> for 3.4 in place of the old AuthN code?
>>
>> 2) In the meantime, what can we tell people like Jens (below) who are
>> struggling with LDAP integration today?  (Is it possible to use FESL's
>> AuthN without its AuthZ, and what's the set of instructions to do
>> that for 3.3?)
>>
>> - Chris
>>
>> ---------- Forwarded message ----------
>> From: Jens Pelzetter <[email protected]>
>> Date: 2010/3/10
>> Subject: [Fedora-commons-users] Need help with LDAP setup
>> To: Fedora Mailing List <[email protected]>
>>
>>
>> Hello everybody,
>>
>> I need help setting up Fedora 3.3 to use an LDAP repository for
>> authentication and authorization.
>>
>> My problem is: It looks like the user is correctly found in LDAP
>> repository. The groups also read successfully from the LDAP, as far as I
>> can tell from the logs. But after this, there is an error in the log:
>>
>> ERROR 2010-03-10 14:09:23.838 [http-8080-1] (BaseCaching) general
>> authenticate() failure
>> authenticate() failure
>> ERROR 2010-03-10 14:09:23.838 [http-8080-1] (BaseCaching)
>> java.lang.Exception
>> ERROR 2010-03-10 14:09:23.839 [http-8080-1] (BaseCaching)
>>
>> Also, I found an exception in the logs of the Tomcat which is running
>> our Fedora installation:
>>
>>
>> java.lang.Exception
>>        at fedora.server.security.servletfilters.ExtendedHttpServletRequestWrapper.setAuthenticated(ExtendedHttpServletRequestWrapper.java:79)
>>        at fedora.server.security.servletfilters.BaseCaching.authenticate(BaseCaching.java:274)
>>        at fedora.server.security.servletfilters.BaseContributing.doThisSubclass(BaseContributing.java:224)
>>        at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:211)
>>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>        at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:234)
>>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>        at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:234)
>>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>        at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:234)
>>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
>>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
>>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
>>        at java.lang.Thread.run(Thread.java:619)
>>
>> Has anybody an idea what the problem is here, and how to fix it?
>>
>> Thanks in advance.
>>
>> Jens Pelzetter
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Fedora-commons-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>>
>>
>
>
>
