Jun,

I think that the "Forbidden" results from that user names mapped by the ldap store and 
the user names in Slide's node permissions do not match. If you have set node permissions with 
roles then maybe the added user names per role do not match the mapped user names from the ldap 
store.

1. Is it required that I have to store "/roles" node to ldap, too if I store "/users"
to ldap server? For now, I still store "/roles" in jdbc store. Is that a problem?

No it's not required. But I would recommend using the ldap store for roles too, because then you do not have to update role memberships twice (first in the ldap directory and second in the Slide repository) in case of changes.

2. If I don't put any subnodes under "/users" in the domain.xml, could I still
define those user members under "/roles"?

Yes, because the user nodes are mapped into Slide's namespace by the ldap store. But make sure that the user names which you use in the role membership definition match the user names of the ldap store.

I had some problems myself with the user names because in our environment the user 
names were mapped into Slide with real names, not with the login names. Thus no 
security checking worked with the node permissions I gave. You can switch off security 
in slide.properties for first, if you want to see results of your configuration.

Best regards
Stefan




Am Tue, 19 Oct 2004 02:49:38 -0700 (PDT) schrieb Gao Jun <[EMAIL PROTECTED]>:

Hi James,

Thanks for your reply. After I removed those subnodes from /users, the error
is gone :). However, when I go to visit some folder in slide, I got a "Forbidden"
error. I've two questions here:

1. Is it required that I have to store "/roles" node to ldap, too if I store "/users"
to ldap server? For now, I still store "/roles" in jdbc store. Is that a problem?
2. If I don't put any subnodes under "/users" in the domain.xml, could I still
define those user members under "/roles", like

                <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/roles">
                    <!--<permission action="all" subject="unauthenticated" inheritable="false" 
negative="true"/>-->
                    <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/roles/root">
                        <revision>
                            <!--<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/[EMAIL 
PROTECTED]</D:href><D:href xmlns:D='DAV:'>/users/[EMAIL PROTECTED]</D:href>]]></property>-->
                            <property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/[EMAIL 
PROTECTED]</D:href><D:href xmlns:D='DAV:'>/users/[EMAIL PROTECTED]</D:href><D:href xmlns:D='DAV:'>/users/[EMAIL 
PROTECTED]</D:href>]]></property>
                        </revision>
                    </objectnode>
                </objectnode>

Will it work if I define that way?

Thanks.

regards,

Jun

James Mason <[EMAIL PROTECTED]> wrote:
Actually, I do see something wrong :). Comment out all the child nodes
for /user. The JNDI store is read-only (all data is loaded from LDAP, no
data is written) so specifying child nodes in Domain.xml won't work. The
error you're seeing seems to be caused by Slide trying to create the
node specified in Domain.xml and finding that the JNDI store already has
node with this value. Something along those lines.

-James

On Mon, 2004-10-18 at 19:51, Gao Jun wrote:
James,

It's strange. I'm not using bindingstore. I've cleaned up the DB and the store and 
work dir in my file system,
but when I restart the slide server, I still see the same problem. Here is my 
domain.xml. Could you see anyproblem in it?Thanks a lot.











org.apache.slide.store.impl.rdbms.CommonRDBMSAdapter


oracle.jdbc.driver.OracleDriver


jdbc:oracle:thin:@192.168.32.31:1521:rddev


gsnx


gsnx


true


10


false
















store/content


work/content


true


120







ou=People,dc=gsnx,dc=com


uid


(objectClass=person)


ONELEVEL_SCOPE





ldap://localhost:389


com.sun.jndi.ldap.LdapCtxFactory


cn=Manager,dc=gsnx,dc=com


simple


Manager



15


800


15000





roles/store/metadata


roles/work/metadata





















/actions/read
/actions/write
/actions/write
/actions/write-acl
/actions/write-acl
/actions/read-acl
/actions/read-current-user-privilege-set
/actions/write
/actions/unlock
/actions/read
/actions/read
/actions/write-properties
/actions/write-properties
/actions/write-properties
/actions/read
/actions/write-content
/actions/write-content
/actions/write-content
/actions/bind
/actions/unbind

/users
/roles
/actions
/files

true


true


path



0



full



true




> any user "all" authenticated user "authenticated" unauthenticated user "unauthenticated" self "self" owner of resource "owner" a user "/users/john" a role "/roles/admin" -->











-->





























-->


/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]>
-->

/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]>










/actions/read-acl /actions/read-current-user-privilege-set]]>




















/actions/read /actions/write-acl /actions/write-properties /actions/write-content]]>




















/actions/bind /actions/unbind]]>
































-->


















> DeltaV global parameters ======================== * historypath (mandatory=no, default="/history"): Specifies a Slide path which determines the location where this DeltaV server stores history data. * workspacepath (mandatory=no, default="/workspace"): Specifies a Slide path which determines the location where this DeltaV server allows workspaces to reside. * workingresourcepath (mandatory=no, default="/workingresource"): Specifies a Slide path which determines the location where this DeltaV server stores working resources. * auto-version (mandatory=no, default="checkout-checkin"): Controls the DeltaV auto-version behaviour. * auto-version-control (mandatory=no, default="false"): Indicates if a resource just created by a PUT should be set under version-control. * versioncontrol-exclude (mandatory=no, default=""): Specifies a Slide path which determines resources which are excluded from version-control. The default value "" makes no path being excluded. * checkout-fork (mandatory=no, default="forbidden"): Controls the DeltaV check-out behaviour when a version is already checked-out or has a successor. * checkin-fork (mandatory=no, default="forbidden"): Controls the DeltaV check-out behaviour when a version has already a successor. * standardLivePropertiesClass (mandatory=no, default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"): Determines the "agent" knowing about what the standard live properties are. It should be a loadable class containing the following static methods: - boolean isLiveProperty(String propName) - boolean isProtectedProperty(String propName) - boolean isComputedProperty(String propName) - Set getAllLiveProperties() - Set getAllProtectedProperties() - Set getAllComputedProperties() * uriRedirectorClass (mandatory=no, default="org.apache.slide.webdav.util.DeltavUriRedirector"): Determines the URI redirector class. The DeltaV URI redirector is in charge of the following redirections: - version URI to history URI, e.g. /history/2/1.4 to /history/2 - latest revision number for history resource to 0.0 - latest revision number for version resource to last URI token, e.g. /history/2/1.4 to 1.4 It should be a loadable class containing the following static methods: - String redirectUri(String uri) - NodeRevisionNumber redirectLatestRevisionNumber(String uri) -->

/history


/workspace


/workingresource





false




forbidden


forbidden





regards,

Jun
James Mason wrote:
Jun,

It looks like you're using the BindingStore, and I'm afraid I've only
tested the JNDI store with ExtendedStore. It should still work; it looks
like the error you're getting is caused by having a pre-existing binding
for /users. I'd suggest to get this working with a fresh database first
just to be sure there aren't any conflicts. If it works that way then
you can come back and try to clean up any conflicting bindings.

-James


On Mon, 2004-10-18 at 03:08, Gao Jun wrote: > Hi James, > > Thanks for your reply. I'm testing this as well: > with the JNDI store for users and > roles and a JDBC store (MySQL) for everything else. > > However, I end up with getting this error msg: > > 18 Oct 2004 17:52:36 - org.apache.slide.common.XMLUnmarshaller - INFO - Loading object /users/[EMAIL PROTECTED] > 18 Oct 2004 17:52:36 - org.apache.slide.common.Namespace - ERROR - Unable to read Namespace base configuration file : > 18 Oct 2004 17:52:36 - org.apache.slide.common.Namespace - ERROR - java.lang.IllegalStateException: Existing binding [EMAIL PROTECTED] at /users has to be removed first > java.lang.IllegalStateException: Existing binding [EMAIL PROTECTED] at /users has to be removed first > at org.apache.slide.structure.ObjectNode.addBinding(ObjectNode.java:474) > at org.apache.slide.structure.ObjectNode.addChild(ObjectNode.java:444) > at org.apache.slide.structure.StructureImpl.create(StructureImpl.java:385) > at org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:158) > at org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:280) > at org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:280)

=== message truncated === __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com



--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]



Reply via email to