Jun,
I think that the "Forbidden" results from that user names mapped by the ldap store and
the user names in Slide's node permissions do not match. If you have set node permissions with
roles then maybe the added user names per role do not match the mapped user names from the ldap
store.
1. Is it required that I have to store "/roles" node to ldap, too if I store "/users"
to ldap server? For now, I still store "/roles" in jdbc store. Is that a problem?
No it's not required. But I would recommend using the ldap store for roles too,
because then you do not have to update role memberships twice (first in the ldap
directory and second in the Slide repository) in case of changes.
2. If I don't put any subnodes under "/users" in the domain.xml, could I still
define those user members under "/roles"?
Yes, because the user nodes are mapped into Slide's namespace by the ldap store.
But make sure that the user names which you use in the role membership definition
match the user names of the ldap store.
I had some problems myself with the user names because in our environment the user
names were mapped into Slide with real names, not with the login names. Thus no
security checking worked with the node permissions I gave. You can switch off security
in slide.properties for first, if you want to see results of your configuration.
Best regards
Stefan
Am Tue, 19 Oct 2004 02:49:38 -0700 (PDT) schrieb Gao Jun <[EMAIL PROTECTED]>:
Hi James,
Thanks for your reply. After I removed those subnodes from /users, the error
is gone :). However, when I go to visit some folder in slide, I got a "Forbidden"
error. I've two questions here:
1. Is it required that I have to store "/roles" node to ldap, too if I store "/users"
to ldap server? For now, I still store "/roles" in jdbc store. Is that a problem?
2. If I don't put any subnodes under "/users" in the domain.xml, could I still
define those user members under "/roles", like
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/roles">
<!--<permission action="all" subject="unauthenticated" inheritable="false"
negative="true"/>-->
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/roles/root">
<revision>
<!--<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/[EMAIL
PROTECTED]</D:href><D:href xmlns:D='DAV:'>/users/[EMAIL PROTECTED]</D:href>]]></property>-->
<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/[EMAIL
PROTECTED]</D:href><D:href xmlns:D='DAV:'>/users/[EMAIL PROTECTED]</D:href><D:href xmlns:D='DAV:'>/users/[EMAIL
PROTECTED]</D:href>]]></property>
</revision>
</objectnode>
</objectnode>
Will it work if I define that way?
Thanks.
regards,
Jun
James Mason <[EMAIL PROTECTED]> wrote:
Actually, I do see something wrong :). Comment out all the child nodes
for /user. The JNDI store is read-only (all data is loaded from LDAP, no
data is written) so specifying child nodes in Domain.xml won't work. The
error you're seeing seems to be caused by Slide trying to create the
node specified in Domain.xml and finding that the JNDI store already has
node with this value. Something along those lines.
-James
On Mon, 2004-10-18 at 19:51, Gao Jun wrote:
James,
It's strange. I'm not using bindingstore. I've cleaned up the DB and the store and
work dir in my file system,
but when I restart the slide server, I still see the same problem. Here is my
domain.xml. Could you see anyproblem in it?Thanks a lot.
org.apache.slide.store.impl.rdbms.CommonRDBMSAdapter
oracle.jdbc.driver.OracleDriver
jdbc:oracle:thin:@192.168.32.31:1521:rddev
gsnx
gsnx
true
10
false
store/content
work/content
true
120
ou=People,dc=gsnx,dc=com
uid
(objectClass=person)
ONELEVEL_SCOPE
ldap://localhost:389
com.sun.jndi.ldap.LdapCtxFactory
cn=Manager,dc=gsnx,dc=com
simple
Manager
15
800
15000
roles/store/metadata
roles/work/metadata
/actions/read
/actions/write
/actions/write
/actions/write-acl
/actions/write-acl
/actions/read-acl
/actions/read-current-user-privilege-set
/actions/write
/actions/unlock
/actions/read
/actions/read
/actions/write-properties
/actions/write-properties
/actions/write-properties
/actions/read
/actions/write-content
/actions/write-content
/actions/write-content
/actions/bind
/actions/unbind
/users
/roles
/actions
/files
true
true
path
0
full
true
> any user "all"
authenticated user "authenticated"
unauthenticated user "unauthenticated"
self "self"
owner of resource "owner"
a user "/users/john"
a role "/roles/admin"
-->
-->
-->
/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]>
-->
/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]>
/actions/read-acl /actions/read-current-user-privilege-set]]>
/actions/read /actions/write-acl /actions/write-properties /actions/write-content]]>
/actions/bind /actions/unbind]]>
-->
> DeltaV global parameters
========================
* historypath (mandatory=no, default="/history"):
Specifies a Slide path which determines the location where this DeltaV
server stores history data.
* workspacepath (mandatory=no, default="/workspace"):
Specifies a Slide path which determines the location where this DeltaV
server allows workspaces to reside.
* workingresourcepath (mandatory=no, default="/workingresource"):
Specifies a Slide path which determines the location where this DeltaV
server stores working resources.
* auto-version (mandatory=no, default="checkout-checkin"):
Controls the DeltaV auto-version behaviour.
* auto-version-control (mandatory=no, default="false"):
Indicates if a resource just created by a PUT should be set under
version-control.
* versioncontrol-exclude (mandatory=no, default=""):
Specifies a Slide path which determines resources which are excluded from
version-control.
The default value "" makes no path being excluded.
* checkout-fork (mandatory=no, default="forbidden"):
Controls the DeltaV check-out behaviour when a version is already
checked-out or has a successor.
* checkin-fork (mandatory=no, default="forbidden"):
Controls the DeltaV check-out behaviour when a version has already a
successor.
* standardLivePropertiesClass (mandatory=no,
default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"):
Determines the "agent" knowing about what the standard live properties are.
It should be a loadable class containing the following static methods:
- boolean isLiveProperty(String propName)
- boolean isProtectedProperty(String propName)
- boolean isComputedProperty(String propName)
- Set getAllLiveProperties()
- Set getAllProtectedProperties()
- Set getAllComputedProperties()
* uriRedirectorClass (mandatory=no,
default="org.apache.slide.webdav.util.DeltavUriRedirector"):
Determines the URI redirector class. The DeltaV URI redirector is in
charge of the following redirections:
- version URI to history URI, e.g. /history/2/1.4 to /history/2
- latest revision number for history resource to 0.0
- latest revision number for version resource to last URI token,
e.g. /history/2/1.4 to 1.4
It should be a loadable class containing the following static methods:
- String redirectUri(String uri)
- NodeRevisionNumber redirectLatestRevisionNumber(String uri)
-->
/history
/workspace
/workingresource
false
forbidden
forbidden
regards,
Jun
James Mason wrote:
Jun,
It looks like you're using the BindingStore, and I'm afraid I've only
tested the JNDI store with ExtendedStore. It should still work; it looks
like the error you're getting is caused by having a pre-existing binding
for /users. I'd suggest to get this working with a fresh database first
just to be sure there aren't any conflicts. If it works that way then
you can come back and try to clean up any conflicting bindings.
-James
On Mon, 2004-10-18 at 03:08, Gao Jun wrote:
> Hi James,
>
> Thanks for your reply. I'm testing this as well:
> with the JNDI store for users and
> roles and a JDBC store (MySQL) for everything else.
>
> However, I end up with getting this error msg:
>
> 18 Oct 2004 17:52:36 - org.apache.slide.common.XMLUnmarshaller - INFO - Loading
object /users/[EMAIL PROTECTED]
> 18 Oct 2004 17:52:36 - org.apache.slide.common.Namespace - ERROR - Unable to read
Namespace base configuration file :
> 18 Oct 2004 17:52:36 - org.apache.slide.common.Namespace - ERROR -
java.lang.IllegalStateException: Existing binding [EMAIL PROTECTED] at /users has to be
removed first
> java.lang.IllegalStateException: Existing binding [EMAIL PROTECTED] at /users has to
be removed first
> at org.apache.slide.structure.ObjectNode.addBinding(ObjectNode.java:474)
> at org.apache.slide.structure.ObjectNode.addChild(ObjectNode.java:444)
> at org.apache.slide.structure.StructureImpl.create(StructureImpl.java:385)
> at org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:158)
> at org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:280)
> at org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:280)
=== message truncated ===
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]