[ http://issues.apache.org/jira/browse/JS2-491?page=comments#action_12428928 ] Davy De Waele commented on JS2-491: -----------------------------------
I think we need the following properties in jetspeed if we want to allow for a flexible LDAP integration approach. The following properties will allow jetspeed to interact with a number of different LDAP schemas, as the user can now decide what filters to use, where groups/users/roles are stored, how group & role membership should be handled, what objectClasses to use for users/groups/roles.... Let me know if somebody is interested in a security patch that takes these properties into account, and removes the dependency with custom objectClasses & attributes.

# Ldap Configuration.
org.apache.jetspeed.ldap.initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
org.apache.jetspeed.ldap.ldapServerName=localhost
org.apache.jetspeed.ldap.ldapServerPort=389
org.apache.jetspeed.ldap.rootDn=cn=Directory Manager
org.apache.jetspeed.ldap.rootPassword=adminadmin
org.apache.jetspeed.ldap.rootContext=o\=Company3

# define the filters needed to search for roles/groups/users
org.apache.jetspeed.ldap.RoleFilter=(&(objectclass=ldapsubentry)(objectclass=nsroledefinition))
org.apache.jetspeed.ldap.GroupFilter=(objectclass=groupOfUniqueNames)
org.apache.jetspeed.ldap.UserFilter=(&(objectclass=inetorgperson)(objectclass=organizationalPerson))
org.apache.jetspeed.ldap.UserAuthenticationFilter=(&(uid=%u)(objectclass=inetorgperson))

# define the way role membership occurs
# if RoleMembershipAttributes is used, membership attr will be stored on role
# if UserRoleMembershipAttributes is used, membership attr will be stored on user
org.apache.jetspeed.ldap.RoleMembershipAttributes=
org.apache.jetspeed.ldap.UserRoleMembershipAttributes=nsroledn

# define the way group membership occurs
# if GroupMembershipAttributes is used, membership attr will be stored on group
# if UserGroupMembershipAttributes is used, membership attr will be stored on user
org.apache.jetspeed.ldap.GroupMembershipAttributes=uniqueMember
org.apache.jetspeed.ldap.UserGroupMembershipAttributes=

# define the path to roles,groups and users
# needs to be defined without the defaultsearchbase
org.apache.jetspeed.ldap.RoleFilterBase=
org.apache.jetspeed.ldap.GroupFilterBase=
org.apache.jetspeed.ldap.UserFilterBase=ou\=People\,ou\=OrgUnit1

# objectClasses used for role/group/user entries
org.apache.jetspeed.ldap.RoleObjectClasses=top\,ldapsubentry\,nsroledefinition\,nssimpleroledefinition\,nsmanagedroledefinition
org.apache.jetspeed.ldap.GroupObjectClasses=top\,groupofuniquenames
org.apache.jetspeed.ldap.UserObjectClasses=top\,person\,organizationalPerson\,inetorgperson

# define the ID attribute used to define roles/groups/users
org.apache.jetspeed.ldap.RoleIdAttribute=cn
org.apache.jetspeed.ldap.GroupIdAttribute=cn
org.apache.jetspeed.ldap.UserIdAttribute=uid

> Enhance J2 LDAP Security Documentation
> --------------------------------------
>
>                 Key: JS2-491
>                 URL: http://issues.apache.org/jira/browse/JS2-491
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 2.1-dev
>            Reporter: David Le Strat
>             Fix For: 2.1-dev
>
>
> From Davy De Waele email to the list:
> Judging from the recent activity on the mailing list I noticed some
> interest in using LDAP & Jetspeed
> Some thoughts come to mind:
> 1. The instructions located at
> http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/ldap.html
> are really only applicable for people who are building jetspeed
> from source.
> Due to the fact that the security-spi-ldap*.xml files shown there are
> coming from SVN (interface changes, additional objects in the
> configuration files that are not in the 2.0 binary release), users who
> have installed jetspeed2 via the installer attempting to follow these
> instructions will run into configuration issues.
> What would be the best way to address this?
> I think we should make a difference between users who are familiar with
> Maven, SVN, compiling/building/deploying, and users who just want to
> get the thing up & running using the installer.
> Shouldn't we put this information into perspective by:
> a) Clearly indicating that this is only intended for people building
> from source
> b) Provide an additional manual on what needs to be done starting from
> a binary release (2.0 version)
>
> The user would have to
> * copy the security-spi-ldap*.xml files (we provide
> downloadable spring XML files acting as examples)
> * remove their default security-spi-atn.xml
> * restart tomcat
> * prepare their LDAP server
> As far as LDAP support goes, we should provide instructions on how
> existing LDAP servers can be used with jetspeed. We can also provide
> downloadable schema files & LDIF sample data for all major vendors +
> documentation)
> I could provide such manuals for OpenLDAP, SunDS and ApacheDS.
> 2. The major problem that users will be facing today is that encrypted
> passwords are not supported in the jetspeed2.0 release. Given that this
> functionality has been committed to the codebase, how do you feel
> towards providing a downloadable JAR file to users that would act as a
> replacement for their current jetspeed-security-2.0.jar - doesn't have
> to be anything official, could be included as a link in the
> documentation)
> The user would have to
> * replace his jetspeed-security-2.0.jar
> * restart tomcat
> The user would have support for encrypted passwords and group/role
> membership via LDAP.
> 3. OpenLDAP schema file
> I had to add groupOfUniqueNames as a parent to the jetspeed-2-group and
> jetspeed-2-role objectClasses in order for the group/role assignment to
> work in OpenLDAP.
> ApacheDS doesn't really care when objects are created in the LDAP tree
> containing attributes that aren't defined in the LDAP schema. OpenLDAP
> does :) I've attached the new jetspeed.schema file.
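The properties proposed in Davy De Waele's comment above decide, at runtime, which base and filter a user lookup uses and on which side (role/group entry or user entry) membership is read. As an added illustration that is not Jetspeed's own code, the Python below loads a constructed subset of those properties and derives the resulting searches, escaping the value substituted for %u so that a login name cannot alter the filter's structure; load_properties, search_base, authentication_search and membership_lookup are hypothetical helper names.

```python
import re
from typing import Dict, Tuple

# Constructed sample: a subset of the proposed org.apache.jetspeed.ldap.* properties.
JETSPEED_LDAP_PROPERTIES = r"""
# Ldap Configuration.
org.apache.jetspeed.ldap.rootContext=o\=Company3
org.apache.jetspeed.ldap.RoleFilter=(&(objectclass=ldapsubentry)(objectclass=nsroledefinition))
org.apache.jetspeed.ldap.GroupFilter=(objectclass=groupOfUniqueNames)
org.apache.jetspeed.ldap.UserAuthenticationFilter=(&(uid=%u)(objectclass=inetorgperson))
org.apache.jetspeed.ldap.RoleMembershipAttributes=
org.apache.jetspeed.ldap.UserRoleMembershipAttributes=nsroledn
org.apache.jetspeed.ldap.GroupMembershipAttributes=uniqueMember
org.apache.jetspeed.ldap.UserGroupMembershipAttributes=
org.apache.jetspeed.ldap.UserFilterBase=ou\=People\,ou\=OrgUnit1
"""
PREFIX = "org.apache.jetspeed.ldap."

def load_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#' lines are comments, a backslash unescapes the next char."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()[len(PREFIX):]] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: whatever replaces %u must not change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_base(props: Dict[str, str], kind: str) -> str:
    """*FilterBase values are relative to rootContext ('without the defaultsearchbase')."""
    base = props.get(f"{kind}FilterBase", "")
    return f"{base},{props['rootContext']}" if base else props["rootContext"]

def authentication_search(props: Dict[str, str], uid: str) -> Tuple[str, str]:
    """(base, filter) used to locate the entry to bind as during login."""
    flt = props["UserAuthenticationFilter"].replace("%u", escape_filter_value(uid))
    return search_base(props, "User"), flt

def membership_lookup(props: Dict[str, str], kind: str, user_dn: str) -> Tuple[str, str, str]:
    """Where membership is stored decides the lookup direction: ('group'/'role', base, filter)
    searches the group/role entries naming the user; ('user', dn, attr) reads attr off the user."""
    attr = props.get(f"{kind}MembershipAttributes")
    if attr:
        flt = f"(&{props[f'{kind}Filter']}({attr}={escape_filter_value(user_dn)}))"
        return kind.lower(), search_base(props, kind), flt
    return "user", user_dn, props[f"User{kind}MembershipAttributes"]
```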
