On Sun, Apr 24, 2011 at 9:19 PM, Brian Burch <[email protected]> wrote:
> On 24/04/11 17:50, Brian Bowling wrote:
>
>> Hi Brian,
>> I have been looking at adding LDAP authentication to my jspwiki
>> implementation also, so this was very helpful. Would it be possible for you
>> to post a sample LDIF entry for a user or two?
>>
>
> I should start by saying that I use the apacheds project for my ldap
> server. I used to use the iPlanet/Sun/Fedora directory server and it has
> taken me a while to come to terms with the more modern (standards
> conformant) schema and access control mechanisms in apacheds. (I'm not at
> the bleeding edge - I've been using 1.5.4 in production for nearly 2 years.)
> The last time I looked, most of the alternatives are incompatible in these
> important areas, but I'll offer mine and you'll have to convert if necessary
> (you'll get the general idea).
>
> I have a lot of SIP mods in my directory, so I "stole" some "spare" oid's
> from the SIP space...
>
> dn: cn=schema
> changetype: modify
> add: attributetypes
> attributetypes: ( 0.0.8.350.1.1.6.1.20
>   NAME 'tomcatRole'
>   DESC 'the name of a tomcat security role'
>   EQUALITY caseIgnoreMatch
>   SUBSTR caseIgnoreSubstringsMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
>
> dn: cn=schema
> changetype: modify
> add: objectclasses
> objectclasses: ( 0.0.8.350.1.1.6.2.80
>   NAME 'tomcatRoleAllowed'
>   DESC 'tomcatRoleAllowed aux object'
>   SUP top AUXILIARY
>   MAY tomcatRole )
>

OpenDJ (and I think OpenDS, too) does not recognize "SUBSTR caseIgnoreSubstringsMatch" in the attribute type definition. I put the following in a file called 99-tomcat-roles.ldif <http://mcraig.org/ldif/99-tomcat-roles.ldif>, copied it to OpenDJ/config/schema, and it seemed to work for me. (YMMV copying LDIF out of email, hence the link.)

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
attributeTypes: ( 0.0.8.350.1.1.6.1.20
  NAME 'tomcatRole'
  DESC 'the name of a tomcat security role'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 0.0.8.350.1.1.6.2.80
  NAME 'tomcatRoleAllowed'
  DESC 'tomcatRoleAllowed aux object'
  SUP top AUXILIARY
  MAY tomcatRole )

Regards,
Mark

> I'll leave it to you to define an authenticator user entry and suitable
> ACI's (because they are not critical to getting something working). I have a
> group called ldapAuths and define ACI's to say what they can and can't do.
> My tomcat container authenticator is a member of that group, so it can read
> a wider range of sensitive attributes than it actually needs, but it can't
> change anything.
>
> Here is how I give a typical user permission to access jspwiki:
>
> dn: uid=testUser1,ou=People,o=PingToo.com
> changetype: modify
> replace: objectclass
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectclass: tomcatRoleAllowed
> -
> replace: tomcatRole
> tomcatRole: tomcat
> tomcatRole: family
> tomcatRole: photoview
> tomcatRole: wikiuser
> -
> replace: userpassword
> # tomcat is setup for SHA digests but can't handle multiple hashes
> userPassword: {SHA}nvRBAtZQFzdRld1vS1TWlBb6kuQ=
>
> Don't be afraid - the best way to eat an elephant is one bite at a time!
>
> Regards,
>
> Brian
>
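As an added example (not code from this thread, nor from Tomcat, ApacheDS or OpenDJ), the Python script below shows what a container realm effectively does with an entry shaped like the one above: it parses a constructed LDIF entry carrying the tomcatRoleAllowed auxiliary class, checks a candidate password against the {SHA} userPassword value (and against the salted {SSHA} variant, which avoids two users with the same password sharing an identical stored digest), and returns the tomcatRole values on success. The entry, the uid and the throwaway password "password" are constructed for illustration; the stored {SHA} value is the base64 SHA-1 of that string, not the one from the thread.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample entry modelled on the thread's user entry (not copied
# from any live directory).  The userPassword is {SHA} of "password".
SAMPLE_LDIF = """\
dn: uid=testUser1,ou=People,o=PingToo.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: tomcatRoleAllowed
uid: testUser1
tomcatRole: tomcat
tomcatRole: family
tomcatRole: photoview
tomcatRole: wikiuser
userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name_lowercase: [values]}.

    Handles folded continuation lines (leading space), comments, and
    base64 values written as 'attr:: <base64>'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def make_sha_userpassword(password):
    """Unsalted {SHA} userPassword, the scheme the thread's Tomcat is set up for."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_ssha_userpassword(password, salt=None):
    """Salted {SSHA} userPassword: base64( sha1(password || salt) || salt )."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_userpassword(password, stored):
    """Compare a candidate password with a {SHA} or {SSHA} userPassword value."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    blob = base64.b64decode(b64)
    if scheme == "SHA":
        expected = hashlib.sha1(password.encode()).digest()
        return hmac.compare_digest(expected, blob)     # constant-time compare
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]            # SHA-1 digest is 20 bytes
        expected = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(expected, digest)
    raise ValueError("unsupported userPassword scheme: " + scheme)


def authenticate(ldif_text, uid, password):
    """Mimic the realm: locate the entry, require the tomcatRoleAllowed class,
    verify the password, and return its tomcatRole values ([] on any failure)."""
    entry = parse_ldif_entry(ldif_text)
    if entry.get("uid") != [uid]:
        return []
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "tomcatroleallowed" not in classes:
        return []
    if not verify_userpassword(password, entry["userpassword"][0]):
        return []
    return entry.get("tomcatrole", [])


if __name__ == "__main__":
    print(authenticate(SAMPLE_LDIF, "testUser1", "password"))
    print(make_ssha_userpassword("password"))
```

Tomcat's JNDIRealm can also be configured to bind to the directory as the user rather than reading and comparing userPassword itself; in that mode the digest comparison above is done by the LDAP server, and the realm only needs read access to the role attribute.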
