Hi Milton,

I did not change the policy for "Authenticated" as I think jspwiki may
need that internally. Hope my configuration below may help.

Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One
Directory Server)
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       connectionName="cn=Directory Manager"
       connectionPassword="password"
       userPassword="userPassword"
       userPattern="uid={0}, ou=People,dc=example,dc=com"
       roleBase="ou=Groups,dc=example,dc=com"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(uniqueMember={0})"
/>
----------------------------------------------------------------------------
JSPWiki web.xml Security constraint
<auth-constraint>
    <role-name>tomcat-admin</role-name>
    <role-name>LGE-SH</role-name>
...................
<security-role>
    <description>
        This logical role includes all administrative users
    </description>
    <role-name>tomcat-admin</role-name>
</security-role>
-------------------------------------------------------------------------------
Security policy: (added the following as a new entry, no new policy
added for other LDAP groups)
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

-------- Original Message --------

Can I just clarify that it is not possible to "rename" the
Authenticated role in the policy file in order to map it to something
else in the LDAP directory?

Last time I investigated this, it seemed that jspwiki expected there
to be a role named "Authenticated" that the user was a member of,
regardless of what the policy file might call this role.

Andrew Jaquith wrote:

David - your simple example works much better than my long-winded
explanation might have. :) Nice one.

Ryan - the important point here is that you can add container roles
to your security policy file using the syntax in David's example. You
can use container roles in wiki page ACLs, too. To make this work,
you need to make sure you have a "role" element in your web.xml for
each LDAP group you are referencing.

Andrew

On Mar 5, 2008, at 16:59, David Gao <[EMAIL PROTECTED]> wrote:
--
David Gao ([EMAIL PROTECTED])
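
The requirement discussed in this thread, that every LDAP group used as a container role has a matching role declaration in web.xml, can be checked mechanically. The following is an added example, not part of the original messages or of JSPWiki itself: it compares the roles named in `<auth-constraint>` and in the policy file's `Role` grants against the `<security-role>` declarations. The built-in role list is an assumption, the sample input is constructed, and "wiki-editors" is a hypothetical LDAP group.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: JSPWiki's built-in roles; they are not container roles,
# so they need no <security-role> entry in web.xml.
BUILTIN_ROLES = {"All", "Anonymous", "Asserted", "Authenticated"}
ROLE_GRANT = re.compile(
    r'grant\s+principal\s+com\.ecyrd\.jspwiki\.auth\.authorize\.Role\s+"([^"]+)"')

def _local(tag):
    """Drop an XML namespace prefix so namespaced web.xml files also work."""
    return tag.rsplit("}", 1)[-1]

def _role_names(root, parent):
    """Collect <role-name> values that sit directly under each <parent> element."""
    return {(child.text or "").strip()
            for el in root.iter() if _local(el.tag) == parent
            for child in el if _local(child.tag) == "role-name"}

def undeclared_roles(web_xml, policy):
    """Return roles that are referenced but have no <security-role> declaration."""
    root = ET.fromstring(web_xml)
    declared = _role_names(root, "security-role")
    constrained = _role_names(root, "auth-constraint") - {"*"}  # "*" = any role
    granted = set(ROLE_GRANT.findall(policy)) - BUILTIN_ROLES
    return {"auth-constraint": sorted(constrained - declared),
            "policy": sorted(granted - declared)}

# Constructed sample input. Role names tomcat-admin and LGE-SH come from the
# message above; "wiki-editors" is a hypothetical LDAP group.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint>
      <role-name>tomcat-admin</role-name>
      <role-name>LGE-SH</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>tomcat-admin</role-name></security-role>
</web-app>"""
SAMPLE_POLICY = """
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-editors" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
};
"""

if __name__ == "__main__":
    print(undeclared_roles(SAMPLE_WEB_XML, SAMPLE_POLICY))
```

A non-empty list under either key names a role that is referenced but has no `<security-role>` declaration in web.xml.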