To be fully precise, this is what we use:
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionName="CN=Ldaplogin,OU=EDP Login,OU=All Users XP,DC=poison,DC=in"
               connectionPassword="***secret***"
               connectionURL="ldap://domaincontroller-host:389"
               userBase="OU=All Users XP,DC=domain" userSubtree="true"
               userSearch="([EMAIL PROTECTED])" userRoleName="memberOf"
               roleBase="CN=Groups,DC=domain" roleName="cn" roleSubtree="true"
               roleSearch="(member={0})" />
(this is because we use the e-mail address as the login identifier)

By the way, BEWARE: recursive groups are NOT supported by 
org.apache.catalina.realm.JNDIRealm : your users will NOT inherit from roles 
(groups) containing the groups within which your users are placed.

Good luck!

Christophe
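
The nested-group caveat above, as an added example that is not part of this thread and uses no Tomcat or JSPWiki code: a small Python model of a directory (constructed sample data) that compares the flat lookup a roleSearch="(member={0})" realm performs with the transitive lookup an administrator might expect, and reports the roles each user would never receive. The group and user DNs are made up for the example.

```python
"""Model how a flat group lookup (JNDIRealm-style) differs from a nested one.

Added example, not Tomcat or JSPWiki code. A directory is modelled as a dict
of group DN -> list of member DNs, which is what roleSearch="(member={0})"
matches against. JNDIRealm grants only the groups that list the user DN
directly; the transitive walk below shows what an admin who nests groups
might expect, and the difference is the set of roles that silently go missing.
"""
from collections import deque

# Constructed sample directory (group DN -> member DNs; members may be groups).
SAMPLE_GROUPS = {
    "CN=wiki-editors,CN=Groups,DC=example,DC=com": [
        "CN=alice,OU=People,DC=example,DC=com",
        "CN=dev-team,CN=Groups,DC=example,DC=com",      # nested group
    ],
    "CN=dev-team,CN=Groups,DC=example,DC=com": [
        "CN=bob,OU=People,DC=example,DC=com",
    ],
    "CN=tomcat-admin,CN=Groups,DC=example,DC=com": [
        "CN=wiki-editors,CN=Groups,DC=example,DC=com",  # nested group
    ],
}


def role_name(group_dn):
    """roleName="cn": the role is the value of the group's first RDN."""
    first_rdn = group_dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1]


def direct_roles(user_dn, groups):
    """What the realm grants: groups whose member attribute lists the user DN itself."""
    return {role_name(g) for g, members in groups.items() if user_dn in members}


def transitive_roles(user_dn, groups):
    """What nesting would imply: also every group that contains one of the user's groups."""
    seen = set()
    queue = deque(g for g, members in groups.items() if user_dn in members)
    while queue:
        group = queue.popleft()
        if group in seen:          # guards against membership cycles
            continue
        seen.add(group)
        queue.extend(parent for parent, members in groups.items() if group in members)
    return {role_name(g) for g in seen}


def missing_roles(user_dn, groups):
    """Roles the user would expect through nesting but never receives from the realm."""
    return transitive_roles(user_dn, groups) - direct_roles(user_dn, groups)


def affected_users(groups):
    """Every non-group member whose effective roles are smaller than the nesting suggests."""
    users = {m for members in groups.values() for m in members if m not in groups}
    report = {u: sorted(missing_roles(u, groups)) for u in users}
    return {u: roles for u, roles in report.items() if roles}


if __name__ == "__main__":
    for user, roles in sorted(affected_users(SAMPLE_GROUPS).items()):
        print(f"{user}: never granted {', '.join(roles)}")
```

The same limitation applies to the Active Directory form of the realm above (userRoleName="memberOf"), since a user's memberOf attribute lists only the groups the user is a direct member of; a check like this one against an export of the real group tree tells you which users need to be added to the groups directly.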

-----Original Message-----
From: David Gao [mailto:[EMAIL PROTECTED]]
Sent: Thursday 6 March 2008 6:53
To: [email protected]
Subject: Re: LDAP groups

Andrew,

My configuration just works fine.  Every user in the dedicated LDAP
group can log in to JSPWiki with the proper access rights defined in the
security policy.

-------- Original Message --------
> David --
>
> Your configuration looks fine. Does it work for you? It looks like it
> should...
>
> Milt -- JSPWiki does have a role called "Authenticated" that is granted
> to *every* user who successfully authenticates, regardless of the
> method used to authenticate (container-based or custom).
> "Authenticated" is the role name you should use in the jspwiki.policy
> file to denote authenticated users, and indeed, its name cannot be
> changed. It's what we call a "built-in" role, along with the
> "Anonymous" and "Asserted" roles. It might help you to think of these
> as "states" rather than logical roles.
>
> In addition to granting privileges to built-in roles (states), you can
> grant privileges to specific container-managed roles (such as those
> returned by an LDAP lookup). These are entered as grant blocks in
> jspwiki.policy. These container roles must also be entered into
> web.xml, preferably as "security-role" elements, or as
> "auth-constraint/role-name" elements. David has done both of these
> things in his examples: in jspwiki.policy you see a permission grant
> for the container role "tomcat-admin", and a corresponding
> auth-constraint/role-name element for "tomcat-admin" in web.xml.
>
> Milt, if I've failed to answer your (implied) question, please let me
> know and we can investigate further.
>
> Andrew
>
> On Mar 5, 2008, at 5:45 PM, David Gao wrote:
>
>> Hi Milton,
>>
>> I did not change the policy for "Authenticated" as I think jspwiki
>> may need that internally. Hope my configuration below may help
>>
>> Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One
>> Directory Server)
>>     <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>          connectionURL="ldap://localhost:389"
>>          connectionName="cn=Directory Manager"
>>          connectionPassword="password"
>>          userPassword="userPassword"
>>          userPattern="uid={0}, ou=People,dc=example,dc=com"
>>          roleBase="ou=Groups,dc=example,dc=com"
>>          roleName="cn"
>>          roleSubtree="true"
>>          roleSearch="(uniqueMember={0})"
>>     />
>> ----------------------------------------------------------------------------
>>
>> JSPWiki web.xml Security constraint
>>
>>      <auth-constraint>
>>          <role-name>tomcat-admin</role-name>
>>          <role-name>LGE-SH</role-name>
>> ...................
>>
>>  <security-role>
>>      <description>
>>          This logical role includes all administrative users
>>      </description>
>>      <role-name>tomcat-admin</role-name>
>>  </security-role>
>> -------------------------------------------------------------------------------
>>
>> Security policy: (added the following as a new entry, no new policy
>> added for other LDAP groups)
>>
>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
>> };
>>
>>
>> -------- Original Message --------
>>> Can I just clarify that it is not possible to "rename" the
>>> Authenticated role in the policy file in order to map it to
>>> something else in the LDAP directory?
>>>
>>> Last time I investigated this, it seemed that jspwiki expected there
>>> to be a role named "Authenticated" that the user was a member of,
>>> regardless of what the policy file might call this role.
>>>
>>>
>>> Andrew Jaquith wrote:
>>>> David - your simple example works much better than my long-winded
>>>> explanation might have. :) Nice one.
>>>>
>>>> Ryan - the important point here is that you can add container roles
>>>> to your security policy file using the syntax in David's example.
>>>> You can use container roles in wiki page ACLs, too. To make this
>>>> work, you need to make sure you have a "role" element in your
>>>> web.xml for each LDAP group you are referencing.
>>>>
>>>> Andrew
>>>>
>>>> On Mar 5, 2008, at 16:59, David Gao <[EMAIL PROTECTED]> wrote:
>>>
>>>
>>
>>
>> --
>> David Gao ([EMAIL PROTECTED])
>>
>
>


--

David Gao ([EMAIL PROTECTED])
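
Andrew's point in the quoted reply that every container role granted in jspwiki.policy must also be declared in web.xml, as an added example that is neither JSPWiki's nor Tomcat's code: a Python check that extracts the Role principals from the policy grants and the role-name elements from web.xml, and reports the policy roles that web.xml does not declare. The sample policy and web.xml are constructed for the example; the built-in role set is the three roles the thread names (Authenticated, Anonymous, Asserted) and is assumed complete here.

```python
"""Cross-check container roles in jspwiki.policy against web.xml.

Added example, not JSPWiki or Tomcat code. Grants in jspwiki.policy name a
com.ecyrd.jspwiki.auth.authorize.Role principal; any such role that is not a
JSPWiki built-in must also appear as a role-name in web.xml (security-role or
auth-constraint), otherwise the container never hands it to the wiki.
"""
import re
import xml.etree.ElementTree as ET

# Built-in roles named in the thread; assumed to be the complete set here.
BUILT_IN_ROLES = {"Authenticated", "Anonymous", "Asserted"}

GRANT_RE = re.compile(
    r'grant\s+principal\s+com\.ecyrd\.jspwiki\.auth\.authorize\.Role\s+"([^"]+)"'
)

# Constructed sample policy: one built-in role and two container (LDAP) roles.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view,edit";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "LGE-SH" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
'''

# Constructed sample web.xml that declares only one of the two container roles.
SAMPLE_WEBXML = '''<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative Area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat-admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>This logical role includes all administrative users</description>
    <role-name>tomcat-admin</role-name>
  </security-role>
</web-app>
'''


def policy_roles(policy_text):
    """Role principal names that receive a grant block in jspwiki.policy."""
    return set(GRANT_RE.findall(policy_text))


def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def webxml_roles(webxml_text):
    """role-name values under security-role and auth-constraint elements."""
    root = ET.fromstring(webxml_text)
    roles = set()
    for elem in root.iter():
        if _local(elem.tag) in ("security-role", "auth-constraint"):
            for child in elem:
                if _local(child.tag) == "role-name" and child.text:
                    roles.add(child.text.strip())
    return roles


def undeclared_container_roles(policy_text, webxml_text):
    """Policy roles that are neither built-in nor declared to the container."""
    return policy_roles(policy_text) - BUILT_IN_ROLES - webxml_roles(webxml_text)


if __name__ == "__main__":
    for role in sorted(undeclared_container_roles(SAMPLE_POLICY, SAMPLE_WEBXML)):
        print(f"role {role!r} is granted in jspwiki.policy but not declared in web.xml")
```

Run against the real files the report lists the roles whose grants can never take effect; in the sample, "LGE-SH" is granted in the policy but missing from web.xml, which is exactly the mismatch Andrew describes.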