On 24/04/11 17:50, Brian Bowling wrote:
Hi Brian,
I have been looking at adding LDAP authentication to my jspwiki implementation 
also, so this was very helpful.  Would it be possible for you to post a sample 
LDIF entry for a user or two?

I should start by saying that I use the apacheds project for my ldap server. I used to use the iPlanet/Sun/Fedora directory server and it has taken me a while to come to terms with the more modern (standards conformant) schema and access control mechanisms in apacheds. (I'm not at the bleeding edge - I've been using 1.5.4 in production for nearly 2 years). The last time I looked, most of the alternatives are incompatible in these important areas, but I'll offer mine and you'll have to convert if necessary (you'll get the general idea).

I have a lot of SIP mods in my directory, so I "stole" some "spare" oid's from the SIP space...

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 0.0.8.350.1.1.6.1.20
     NAME 'tomcatRole'
     DESC ' the name of a tomcat security role'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 0.0.8.350.1.1.6.2.80
     NAME 'tomcatRoleAllowed'
     DESC 'tomcatRoleAllowed aux object'
     SUP top AUXILIARY
     MAY tomcatRole
   )

I'll leave it to you to define an authenticator user entry and suitable ACI's (because they are not critical to getting something working). I have a group called ldapAuths and define ACI's to say what they can and can't do. My tomcat container authenticator is a member of that group, so it can read a wider range of sensitive attributes than it actually needs, but it can't change anything.

Here is how I give a typical user permission to access jspwiki:

dn: uid=testUser1,ou=People,o=PingToo.com
changetype: modify
replace: objectclass
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: tomcatRoleAllowed
-
replace: tomcatRole
tomcatRole: tomcat
tomcatRole: family
tomcatRole: photoview
tomcatRole: wikiuser
-
replace: userPassword
# tomcat is setup for SHA digests but can't handle multiple hashes
userPassword: {SHA}nvRBAtZQFzdRld1vS1TWlBb6kuQ=

Don't be afraid - the best way to eat an elephant is one bite at a time!

Regards,

Brian
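A worked example, added here and not part of the thread above: a small Python script that reads a modify record in the shape Brian posted, grants tomcatRole values only when the entry actually carries the tomcatRoleAllowed auxiliary class the schema mod defines, and verifies a candidate password against an RFC 2307-style {SHA} userPassword value (the scheme the comment in the record says Tomcat is set up for). The LDIF embedded below is a constructed copy of the record; its {SHA} value is generated in the script from the constructed password "wiki-demo-pass", not the hash from the post. The script also accepts salted {SSHA} values, which the post does not mention, because unsalted {SHA} gives identical values for identical passwords across users.

```python
"""Parse an LDIF 'changetype: modify' record and verify a {SHA}/{SSHA} userPassword.

Added example for the jspwiki/LDAP thread; not code from the original post.
The sample record and the password are constructed for this example.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def sha_userpassword(password: str) -> str:
    """Unsalted RFC 2307 {SHA}: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(SHA-1(password || salt) || salt). Salt is random unless given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate against a {SHA} or {SSHA} value using a constant-time compare.

    Unknown or unprefixed schemes fail closed rather than falling back to plaintext."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored.partition("}")
    scheme = scheme[1:].upper()
    raw = base64.b64decode(b64)
    pw = candidate.encode("utf-8")
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False


# Constructed sample record, same shape as the one in the post (hash generated here).
SAMPLE_LDIF = (
    "dn: uid=testUser1,ou=People,o=PingToo.com\n"
    "changetype: modify\n"
    "replace: objectclass\n"
    "objectClass: top\n"
    "objectClass: person\n"
    "objectClass: organizationalPerson\n"
    "objectClass: inetOrgPerson\n"
    "objectclass: tomcatRoleAllowed\n"
    "-\n"
    "replace: tomcatRole\n"
    "tomcatRole: tomcat\n"
    "tomcatRole: family\n"
    "tomcatRole: photoview\n"
    "tomcatRole: wikiuser\n"
    "-\n"
    "replace: userpassword\n"
    "# tomcat is setup for SHA digests but can't handle multiple hashes\n"
    "userPassword: " + sha_userpassword("wiki-demo-pass") + "\n"
)


def unfold(text: str) -> List[str]:
    """Drop '#' comment lines and join LDIF continuation lines (leading single space)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_modify(text: str) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Return (dn, {attribute-lowercased: [values]}) for one modify record.

    Each change group ends at a lone '-'; values must match the group's attribute."""
    dn: Optional[str] = None
    attrs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in unfold(text):
        if not line.strip() or line == "-":
            current = None
            continue
        name, _, value = line.partition(":")
        lname, value = name.strip().lower(), value.strip()
        if lname == "dn":
            dn = value
        elif lname == "changetype":
            if value.lower() != "modify":
                raise ValueError("only changetype: modify is handled here")
        elif lname in ("add", "replace", "delete"):
            current = value.lower()
            attrs.setdefault(current, [])
        elif current is not None and lname == current:
            attrs[current].append(value)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return dn, attrs


def effective_roles(attrs: Dict[str, List[str]]) -> List[str]:
    """tomcatRole is only schema-legal on entries carrying tomcatRoleAllowed; grant nothing otherwise."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "tomcatroleallowed" not in classes:
        return []
    return list(attrs.get("tomcatrole", []))


if __name__ == "__main__":
    dn, attrs = parse_modify(SAMPLE_LDIF)
    print(dn, effective_roles(attrs))
    print(verify_userpassword(attrs["userpassword"][0], "wiki-demo-pass"))
```

The parser handles the three LDIF features the record uses (the `-` group separator, `#` comments, and single-space continuation lines as in the schema mods), and attribute names are compared case-insensitively, which is why `objectClass` and `objectclass` land in the same group.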
