Well, great you got it working!

Btw, you shouldn't need to change the DN value of the j2-role attribute manually. The lookup of roles from the user attribute "j2-role" is not correctly implemented IMO. I'm not sure where the exact location of the bug is though, it depends on how you look at it: if you take a look at the RoleDetails portlet in j2-admin, it calls usermanager.getUsersInRole(rolename). The problem is that Jetspeed expects a full DN, but it gets the abbreviated version, e.g. "admin".

On the other hand, the problem could also be fixed in the usermanager (and underlying classes) by accepting an abbreviated version of the role name ("admin"), and constructing a DN ("cn=admin,ou=People,ou=rootOrg,o=sevenSeas"), based on the LDAP spring config. This can be done by concatenating the roleUidAttribute (CN) with the roleFilterBase and the root context: "CN=<abbreviated rolename>" + "ou=Roles,ou=rootOrg" + "o=sevenseas".

I hope I have time to make a patch for this, if I have time ;)

Dennis
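The DN handling this thread keeps running into (resolving a principal name from a member DN via the uid attribute, building a full role DN from an abbreviated name as proposed above, and spotting uniquemember values in an LDIF export that are not DNs under the People base, as in the 'manager' entry quoted further down) is small enough to show in one piece. The following is an added example, not code from Jetspeed or from either poster; the base DNs are the ones quoted in the thread, the LDIF is constructed to mirror the malformed role entry, the function names are my own, and it goes slightly beyond the thread by honouring RFC 4514 escaping so a role name containing a comma cannot corrupt the DN it is embedded in.

```python
# DN helpers for the thread's Jetspeed/LDAP role membership problem (added
# example, not Jetspeed code). Base DNs are from the thread; LDIF is constructed.
import re

# RFC 4514 section 2.4 specials ('+' included: multi-valued RDNs not handled)
_ESCAPE_RE = re.compile(r'([,+"\\<>;])')

def split_dn(dn):
    """Split a DN into (lower-cased attr, value) pairs; honours backslash
    escapes and raises ValueError for any component lacking 'attr=value'."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep escaped char with its backslash
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not a DN component: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def is_dn(value):
    """True if every comma-separated component has the form attr=value."""
    try:
        split_dn(value)
    except ValueError:
        return False
    return True

def escape_value(value):
    """Escape an attribute value so it can be embedded in a DN."""
    escaped = _ESCAPE_RE.sub(r"\\\1", value)
    if escaped.startswith((" ", "#")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped

def principal_name_from_dn(dn, uid_attribute="cn"):
    """Value of the first RDN using the configured uid attribute; a DN without
    it raises instead of yielding a null name (the thread's hashCode() NPE)."""
    for attr, value in split_dn(dn):
        if attr == uid_attribute.lower():
            return value
    raise ValueError(f"no {uid_attribute} component in {dn!r}")

def role_dn(role, uid_attribute="cn", filter_base="ou=Roles,ou=rootOrg",
            root_context="o=sevenSeas"):
    """Accept an abbreviated role name ('admin') or a full DN; return the
    full DN built as uidAttribute=<name>,roleFilterBase,rootContext."""
    if is_dn(role):
        return role
    return f"{uid_attribute}={escape_value(role)},{filter_base},{root_context}"

def check_ldif_members(ldif_text, member_attribute="uniquemember",
                       people_base="ou=People,ou=rootOrg,o=sevenSeas"):
    """(entry dn, value, reason) for member values that are not DNs under
    people_base. Base64 ('::') values and folded lines are not handled."""
    expected = [(a, v.lower()) for a, v in split_dn(people_base)]
    problems, current_dn = [], None
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line:  # a blank line ends an LDIF entry
            current_dn = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current_dn = value
        elif attr == member_attribute.lower():
            if not is_dn(value):
                problems.append((current_dn, value, "not a DN"))
            elif [(a, v.lower()) for a, v in split_dn(value)][-len(expected):] != expected:
                problems.append((current_dn, value, f"not under {people_base}"))
    return problems

# Constructed LDIF: first entry mirrors the thread's malformed 'manager' role,
# second mixes valid member DNs with one that sits under the wrong base.
SAMPLE_LDIF = """\
dn: cn=manager,ou=Roles,ou=rootOrg,o=sevenSeas
cn: manager
uniquemember: admin,jetspeed,manager,damiano

dn: cn=user,ou=Roles,ou=rootOrg,o=sevenSeas
cn: user
uniquemember: cn=admin,ou=People,ou=rootOrg,o=sevenSeas
uniquemember: cn=user,ou=People,ou=rootOrg,o=sevenSeas
uniquemember: cn=guest,ou=Roles,ou=rootOrg,o=sevenSeas
"""
```

`check_ldif_members(SAMPLE_LDIF)` flags the manager entry's comma-separated user names as not being a DN at all, and the guest member as sitting under ou=Roles rather than ou=People; `role_dn("admin")` yields cn=admin,ou=Roles,ou=rootOrg,o=sevenSeas while a full DN is passed through unchanged. Raising on a DN that lacks the uid attribute is the point of `principal_name_from_dn`: a lookup that silently returns a null name is what ends up in a HashSet and breaks hashCode().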


Alberto Troisi wrote:
Dennis,
thanks very much for your help! Now it works fine.

Let me say why I hadn't changed the DN values first.
If I store roles as a user attribute (the default mode for the Jetspeed sample config file), defining a new role for a user (from the j2-admin interface) causes the creation of a new "j2-role" attribute for that user in LDAP, with a complete DN as its value. The new role is present in the roles list associated with the user in the User Management page, but the user is not present in the users list for that role in the Role Management page. However, if I manually change the value of the defined "j2-role" attribute (using ApacheDS Studio) to the "cn" (e.g., from "cn=admin,ou=People,ou=rootOrg,o=sevenSeas" to "admin"), the Role Management page also works fine. So I supposed that Jetspeed works in this way and left these values in LDAP.

Thanks again,
Alberto

Dennis Dam wrote:
Alberto,

Some of the uniquemember values in your LDIF file are not correct LDAP Distinguished Name (DN) values, such as for the role 'manager':

dn: cn=manager,ou=Roles,ou=rootOrg,o=sevenSeas
objectClass: jetspeed-2-role
objectClass: groupOfUniqueNames
objectClass: top
cn: manager
j2-classname: manager
uid: manager
uniquemember: admin,jetspeed,manager,damiano

If you replace the last line with one line like this (per role member), it should work:

uniquemember: cn=admin,ou=People,ou=rootOrg,o=sevenSeas
uniquemember: cn=user,ou=People,ou=rootOrg,o=sevenSeas
...

Empty your LDAP data, import the LDIF again, and now you have valid data!

OR (might be the quickest way): simply remove the invalid attributes on the role objects in your LDAP editor (I can recommend the Apache DS Studio Eclipse plugin), and assign the roles to the users via the j2-admin interface.

I think it's just a question of wrong values in the initial LDIF you imported: the LDIF sample shown in the website documentation is not valid with respect to the uniquemember values. I wasn't even able to import it into my LDAP server (OpenLDAP). Maybe it can be imported into Apache DS, I didn't try that.

Let me know if this works out for you,

regards,
Dennis




Alberto Troisi wrote:
Dennis,
I give you the answers to your questions:

Dennis Dam wrote:
Alberto,
in your first email you said that you defined the RoleMembership attribute. What attribute name did you use?
I only changed the RoleMembership value in the security LDAP config file ( <constructor-arg index="9"> ). The previous value was "j2-role", now it is "uniquemember", according to the attribute name used for Roles (cn=<rolename>,ou=Roles,ou=rootOrg,o=sevenSeas) in LDAP.


And for which role do you get the null pointer exception? For all roles, or a specific one?
I get the same exception for all roles.

Also, did you change the values of the RoleMembership attribute on the role objects in LDAP ?
No, I only inserted new "uniquename" attributes for new users belonging to an existing role. These insertions are made automatically by Jetspeed when I add a new user (to the user role) or set a new role from the User Management page.

Dennis

________________________________

From: Alberto Troisi [mailto:[EMAIL PROTECTED]
Sent: Wed 5-12-2007 15:27
To: Jetspeed Users List
Subject: Re: Users and Roles definition with LDAP



Dennis,
I modified my ldap configuration file by changing the UidAttribute (and
also userUidAttribute) value, but I have the same problem.
Sorry, but I don't understand the second point you mentioned.

Anyway, I would attach the ldap config file and an LDIF export: probably
these can be more useful for you.

Thanks!

Dennis Dam wrote:
Hey Alberto,

Somehow the user principal name is null; the first place where it happens to break is the hashCode() function of the user principal class. There can be several reasons for this:

* a misconfiguration in your LDAP config. Can you check this constructor parameter in your spring LDAP config file:
<!-- The UidAttribute. -->
<constructor-arg index="25"><value>cn</value></constructor-arg>

Is this the correct value? For example, if your user DN looks like: o=sevenSeas,ou=foo,cn=admin then the value should be "cn".

* you have set an incorrect user DN value on the RoleMembership attribute. Jetspeed tries to resolve the user principal name from that DN, by looking up the part after the uid attribute (..., cn=...).

Anyway, I think you found a bug in one of the LDAP classes; I think principals with a null name should never be created :) I'm going to make a patch for this.

thanks,

Dennis




________________________________

From: Alberto Troisi [mailto:[EMAIL PROTECTED]
Sent: Wed 5-12-2007 12:06
To: Jetspeed Users List
Subject: Re: Users and Roles definition with LDAP



Hi Dennis,
thanks for your answer and sorry for my delay. This is the exception
stacktrace:

2007-12-05 11:55:11,750 [http-8080-Processor23] ERROR org.apache.portals.gems.browser.BrowserPortlet - Exception
java.lang.NullPointerException
    at org.apache.jetspeed.security.impl.BasePrincipalImpl.hashCode(BasePrincipalImpl.java:75)
    at java.util.HashMap.put(HashMap.java:418)
    at java.util.HashSet.add(HashSet.java:194)
    at org.apache.jetspeed.security.spi.impl.LdapSecurityMappingHandler.getUserPrincipalsInRole(LdapSecurityMappingHandler.java:326)
    at org.apache.jetspeed.security.spi.impl.LdapSecurityMappingHandler.getUserPrincipalsInRole(LdapSecurityMappingHandler.java:252)
    at org.apache.jetspeed.security.impl.UserManagerImpl.getUsersInRole(UserManagerImpl.java:460)
    at org.apache.jetspeed.portlets.security.roles.RoleDetails.getRows(RoleDetails.java:109)
    at org.apache.jetspeed.portlets.security.roles.RoleDetails.getRows(RoleDetails.java:81)
    at org.apache.portals.gems.browser.BrowserPortlet.doView(BrowserPortlet.java:189)
    at org.apache.jetspeed.portlets.security.roles.RoleDetails.doView(RoleDetails.java:174)
    at javax.portlet.GenericPortlet.doDispatch(GenericPortlet.java:247)
    at javax.portlet.GenericPortlet.render(GenericPortlet.java:175)
    at org.apache.portals.bridges.velocity.GenericVelocityPortlet.render(GenericVelocityPortlet.java:164)
    at org.apache.jetspeed.factory.JetspeedPortletInstance.render(JetspeedPortletInstance.java:103)
    at org.apache.jetspeed.container.JetspeedContainerServlet.doGet(JetspeedContainerServlet.java:265)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
    at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:574)
    at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:499)
    at org.apache.jetspeed.container.invoker.ServletPortletInvoker.invoke(ServletPortletInvoker.java:245)
    at org.apache.jetspeed.container.invoker.ServletPortletInvoker.render(ServletPortletInvoker.java:128)
    at org.apache.pluto.PortletContainerImpl.renderPortlet(PortletContainerImpl.java:119)
    at org.apache.jetspeed.container.JetspeedPortletContainerWrapper.renderPortlet(JetspeedPortletContainerWrapper.java:121)
    at org.apache.jetspeed.aggregator.impl.RenderingJobImpl.execute(RenderingJobImpl.java:242)
    at org.apache.jetspeed.aggregator.impl.PortletRendererImpl.renderNow(PortletRendererImpl.java:226)
    at org.apache.jetspeed.aggregator.impl.PageAggregatorImpl.aggregateAndRender(PageAggregatorImpl.java:147)
    at org.apache.jetspeed.aggregator.impl.PageAggregatorImpl.aggregateAndRender(PageAggregatorImpl.java:143)
    at org.apache.jetspeed.aggregator.impl.PageAggregatorImpl.build(PageAggregatorImpl.java:78)
    at org.apache.jetspeed.aggregator.AggregatorValve.invoke(AggregatorValve.java:46)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.aggregator.HeaderAggregatorValve.invoke(HeaderAggregatorValve.java:53)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.decoration.DecorationValve.invoke(DecorationValve.java:130)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.resource.ResourceValveImpl.invoke(ResourceValveImpl.java:130)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.pipeline.valve.impl.ActionValveImpl.invoke(ActionValveImpl.java:184)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.container.ContainerValve.invoke(ContainerValve.java:104)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.profiler.impl.ProfilerValveImpl.invoke(ProfilerValveImpl.java:248)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.security.impl.LoginValidationValveImpl.invoke(LoginValidationValveImpl.java:159)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.security.impl.PasswordCredentialValveImpl.invoke(PasswordCredentialValveImpl.java:150)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.localization.impl.LocalizationValveImpl.invoke(LocalizationValveImpl.java:170)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.security.impl.AbstractSecurityValve$1.run(AbstractSecurityValve.java:138)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:454)
    at org.apache.jetspeed.security.JSSubject.doAsPrivileged(JSSubject.java:179)
    at org.apache.jetspeed.security.impl.AbstractSecurityValve.invoke(AbstractSecurityValve.java:132)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.container.url.impl.PortalURLValveImpl.invoke(PortalURLValveImpl.java:66)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.capabilities.impl.CapabilityValveImpl.invoke(CapabilityValveImpl.java:126)
    at org.apache.jetspeed.pipeline.JetspeedPipeline$Invocation.invokeNext(JetspeedPipeline.java:167)
    at org.apache.jetspeed.pipeline.JetspeedPipeline.invoke(JetspeedPipeline.java:146)
    at org.apache.jetspeed.engine.JetspeedEngine.service(JetspeedEngine.java:227)
    at org.apache.jetspeed.engine.JetspeedServlet.doGet(JetspeedServlet.java:242)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.jetspeed.engine.servlet.XXSUrlAttackFilter.doFilter(XXSUrlAttackFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.josso.tc55.agent.SSOAgentValve.invoke(SSOAgentValve.java:541)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)



Dennis Dam wrote:
Hi Troisi,

can you paste a stacktrace of the null pointer exception here? That
would be of great help.

Dennis

Alberto Troisi wrote:
Hi,
following the guidelines of the "Role membership" section in the
Jetspeed & LDAP tutorial
(http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/ldap.html#Group_Role_membership),
I defined the RoleMembership attribute and I set an empty value for
the UserRoleMembership in order to store the role membership as a
role attribute (the default was to store it as user attribute).
Now, when I access the Role Management page, in the "Security
Administration" section of the Jetspeed portal, I can't view details
for a selected role: I get a NullPointerException. On the other
hand, in the User Management page, I can view role details for a
defined user.

Is the problem related to a missing configuration in the
security-spi-ldap.xml file?

Thanks in advance.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

