To my knowledge, with Microsoft Active Directory,
roleSearch="(uniqueMember={0})" must be changed to roleSearch="(member={0})"
Christophe Dupriez
Centre Antipoisons-Antigifcentrum
C/o Hôpital Central de la Base Reine Astrid
Rue Bruyn
1120 Bruxelles
Belgique
tel 32-(0)2.264.96.36
fax 32-(0)2.264.96.46
----- Original Message -----
From: David Gao [mailto:[EMAIL PROTECTED]]
To: [email protected]
Subject: Re: LDAP groups
> Andrew,
>
> My configuration just works fine. Every user in the dedicated LDAP
> group can log in to JSPWiki with the proper access rights defined in the
> security policy.
>
> -------- Original Message --------
> > David --
> >
> > Your configuration looks fine. Does it work for you? It looks like it
> > should...
> >
> > Milt -- JSPWiki does have a role called "Authenticated" that is granted
> > to *every* user who successfully authenticates, regardless of the
> > method used to authenticate (container-based or custom).
> > "Authenticated" is the role name you should use in the jspwiki.policy
> > file to denote authenticated users, and indeed, its name cannot be
> > changed. It's what we call a "built-in" role, along with the
> > "Anonymous" and "Asserted" roles. It might help you to think of these
> > as "states" rather than logical roles.
> >
> > In addition to granting privileges to built-in roles (states), you can
> > grant privileges to specific container-managed roles (such as those
> > returned by an LDAP lookup). These are entered as grant blocks in
> > jspwiki.policy. These container roles must also be entered into
> > web.xml, preferably as "security-role" elements, or as
> > "auth-constraint/role-name" elements. David has done both of these
> > things in his examples: in jspwiki.policy you see a permission grant
> > for the container role "tomcat-admin", and a corresponding
> > auth-constraint/role-name element for "tomcat-admin" in web.xml.
> >
> > Milt, if I've failed to answer your (implied) question, please let me
> > know and we can investigate further.
> >
> > Andrew
> >
> > On Mar 5, 2008, at 5:45 PM, David Gao wrote:
> >
> >> Hi Milton,
> >>
> >> I did not change the policy for "Authenticated" as I think jspwiki
> >> may need that internally. Hope my configuration below may help
> >>
> >> Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One
> >> Directory Server)
> >> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
> >> connectionURL="ldap://localhost:389"
> >> connectionName="cn=Directory Manager"
> >> connectionPassword="password"
> >> userPassword="userPassword"
> >> userPattern="uid={0}, ou=People,dc=example,dc=com"
> >> roleBase="ou=Groups,dc=example,dc=com"
> >> roleName="cn"
> >> roleSubtree="true"
> >> roleSearch="(uniqueMember={0})"
> >> />
> >>
> >>
> >> JSPWiki web.xml Security constraint
> >>
> >> <auth-constraint>
> >> <role-name>tomcat-admin</role-name>
> >> <role-name>LGE-SH</role-name>
> >> ...................
> >>
> >> <security-role>
> >> <description>
> >> This logical role includes all administrative users
> >> </description>
> >> <role-name>tomcat-admin</role-name>
> >> </security-role>
> >>
> >>
> >> Security policy: (added the following as a new entry, no new policy
> >> added for other LDAP groups)
> >>
> >> grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
> >> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> >> };
> >>
> >>
> >> -------- Original Message --------
> >>> Can I just clarify that it is not possible to "rename" the
> >>> Authenticated role in the policy file in order to map it to
> >>> something else in the LDAP directory?
> >>>
> >>> Last time I investigated this, it seemed that jspwiki expected there
> >>> to be a role named "Authenticated" that the user was a member of,
> >>> regardless of what the policy file might call this role.
> >>>
> >>>
> >>> Andrew Jaquith wrote:
> >>>> David - your simple example works much better than my long-winded
> >>>> explanation might have. :) Nice one.
> >>>>
> >>>> Ryan - the important point here is that you can add container roles
> >>>> to your security policy file using the syntax in David's example.
> >>>> You can use container roles in wiki page ACLs, too. To make this
> >>>> work, you need to make sure you have a "role" element in your
> >>>> web.xml for each LDAP group you are referencing.
> >>>>
> >>>> Andrew
> >>>>
> >>>> On Mar 5, 2008, at 16:59, David Gao <[EMAIL PROTECTED]> wrote:
> >>>
> >>>
> >>
> >>
> >> --
> >> David Gao ([EMAIL PROTECTED])
> --
> David Gao ([EMAIL PROTECTED])
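An added illustration (not code from the thread, JSPWiki or Tomcat) of why the roleSearch attribute name matters: Sun ONE / OpenLDAP style groups keep their members in "uniqueMember", Active Directory groups in "member", so a JNDIRealm template naming the wrong attribute simply matches no groups and the user gets no container roles. It models the directory as a constructed in-memory list of group entries and evaluates the substituted filter itself; the real JNDIRealm performs the {0} substitution and the search, and the RFC 4515 escaping of the substituted DN shown here is what a safe substitution must do.

```python
import re

# Constructed sample group entries (not from the thread).
SUN_ONE_GROUPS = [
    {"dn": "cn=tomcat-admin,ou=Groups,dc=example,dc=com", "cn": ["tomcat-admin"],
     "uniqueMember": ["uid=dgao, ou=People,dc=example,dc=com"]},
    {"dn": "cn=LGE-SH,ou=Groups,dc=example,dc=com", "cn": ["LGE-SH"],
     "uniqueMember": ["uid=other, ou=People,dc=example,dc=com"]},
]
AD_GROUPS = [
    {"dn": "CN=tomcat-admin,OU=Groups,DC=example,DC=com", "cn": ["tomcat-admin"],
     # AD DNs often contain an escaped comma in the CN; the backslash must be
     # filter-escaped when the DN is substituted into a search filter.
     "member": ["CN=Gao\\, David,OU=People,DC=example,DC=com"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_role_search(template, user_dn):
    """Substitute {0} in a JNDIRealm-style roleSearch template with the escaped user DN."""
    return template.replace("{0}", escape_filter_value(user_dn))

def resolve_roles(groups, template, user_dn, role_name="cn"):
    """Evaluate the simple '(attr=value)' filter against the group entries and
    return the role names (values of the roleName attribute) of matching groups."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", build_role_search(template, user_dn))
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    roles = []
    for group in groups:
        if wanted in group.get(attr, []):
            roles.extend(group[role_name])
    return roles

if __name__ == "__main__":
    sun_dn = "uid=dgao, ou=People,dc=example,dc=com"
    ad_dn = "CN=Gao\\, David,OU=People,DC=example,DC=com"
    print(resolve_roles(SUN_ONE_GROUPS, "(uniqueMember={0})", sun_dn))  # ['tomcat-admin']
    print(resolve_roles(AD_GROUPS, "(uniqueMember={0})", ad_dn))        # []
    print(resolve_roles(AD_GROUPS, "(member={0})", ad_dn))              # ['tomcat-admin']
```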