Hi Stefan,
 
Thanks for your reply. But I still can't find out the problem.
 
In my Domain.xml, I have:
 
     <store name="users">
  <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
   <parameter name="jndi.container">ou=People,dc=jgao,dc=com</parameter>
   <parameter name="jndi.attributes.rdn">uid</parameter>
   <parameter name="jndi.search.filter">(objectClass=person)</parameter>
   <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
   <parameter name="jndi.search.attributes"></parameter>
   <parameter name="java.naming.provider.url">ldap://localhost:389</parameter>
   <parameter 
name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
   <parameter 
name="java.naming.security.principal">cn=Manager,dc=jgao,dc=com</parameter>
   <parameter name="java.naming.security.authentication">simple</parameter>
   <parameter name="java.naming.security.credentials">Manager</parameter>
   
   <parameter name="cache.refresh.checkrate">15</parameter>
   <parameter name="cache.refresh.rate">800</parameter>
   <parameter name="cache.refresh.threshold">15000</parameter>
  </nodestore>

Then in my ldap server, I does have user 
[EMAIL PROTECTED] 
defined under "ou=People,dc=jgao,dc=com".
 
In Domain.xml, I have:
 
                <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/roles">
                    <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/roles/root">
                        <revision>
                            <property name="group-member-set"><![CDATA[<D:href 
xmlns:D='DAV:'>/users/[EMAIL PROTECTED]</D:href>]]></property>
                        </revision>
                    </objectnode>        
                </objectnode>
 
And I checked the DB, found it has been saved to the table properties successfully.
 
And for the root node, I have defined in Domain.xml:
 
            <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
                <permission action="all" subject="/roles/root" inheritable="true"/>
 ........
 
But when  I try login. I still get the forbidden error:

org.apache.slide.webdav.WebdavException: Forbidden

Can you see any problem in the configuration? Thanks.
 
regards,
 
Jun

Stefan Fromm <[EMAIL PROTECTED]> wrote:
Jun,

I think that the "Forbidden" results from that user names mapped by the ldap store and 
the user names in Slide's node permissions do not match. If you have set node 
permissions with roles then maybe the added user names per role do not match the 
mapped user names from the ldap store.

> 1. Is it required that I have to store "/roles" node to ldap, too if I store "/users"
> to ldap server? For now, I still store "/roles" in jdbc store. Is that a problem?

No it's not required. But I would recommend using the ldap store for roles too, 
because then you do not have to update role memberships twice (first in the ldap 
directory and second in the Slide repository) in case of changes.

> 2. If I don't put any subnodes under "/users" in the domain.xml, could I still
> define those user members under "/roles"?

Yes, because the user nodes are mapped into Slide's namespace by the ldap store. But 
make sure that the user names which you use in the role membership definition match 
the user names of the ldap store.

I had some problems myself with the user names because in our environment the user 
names were mapped into Slide with real names, not with the login names. Thus no 
security checking worked with the node permissions I gave. You can switch off security 
in slide.properties for first, if you want to see results of your configuration.

Best regards
Stefan




Am Tue, 19 Oct 2004 02:49:38 -0700 (PDT) schrieb Gao Jun :

> Hi James,
>
> Thanks for your reply. After I removed those subnodes from /users, the error
> is gone :). However, when I go to visit some folder in slide, I got a "Forbidden"
> error. I've two questions here:
>
> 1. Is it required that I have to store "/roles" node to ldap, too if I store "/users"
> to ldap server? For now, I still store "/roles" in jdbc store. Is that a problem?
> 2. If I don't put any subnodes under "/users" in the domain.xml, could I still
> define those user members under "/roles", like
>
> 
> -->
> 
> 
> /users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]>
-->
> 
/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]>

> 
> 
> 
>
> Will it work if I define that way?
>
> Thanks.
>
> regards,
>
> Jun
>
> James Mason wrote:
> Actually, I do see something wrong :). Comment out all the child nodes
> for /user. The JNDI store is read-only (all data is loaded from LDAP, no
> data is written) so specifying child nodes in Domain.xml won't work. The
> error you're seeing seems to be caused by Slide trying to create the
> node specified in Domain.xml and finding that the JNDI store already has
> node with this value. Something along those lines.
>
> -James
>
> On Mon, 2004-10-18 at 19:51, Gao Jun wrote:
>> James,
>>
>> It's strange. I'm not using bindingstore. I've cleaned up the DB and the store and 
>> work dir in my file system,
>> but when I restart the slide server, I still see the same problem. Here is my 
>> domain.xml. Could you see anyproblem in it?Thanks a lot.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
> org.apache.slide.store.impl.rdbms.CommonRDBMSAdapter
>
>>
> oracle.jdbc.driver.OracleDriver
>
>>
> jdbc:oracle:thin:@192.168.32.31:1521:rddev
>
>>
> gsnx
>
>>
> gsnx
>
>>
> true
>
>>
> 10
>
>>
> false
>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
> store/content
>
>>
> work/content
>
>>
> true
>
>>
> 120
>
>>
>>
>>
>>
>>
>>
> ou=People,dc=gsnx,dc=com
>
>>
> uid
>
>>
> (objectClass=person)
>
>>
> ONELEVEL_SCOPE
>
>>
>
>
>>
> ldap://localhost:389
>
>>
> com.sun.jndi.ldap.LdapCtxFactory
>
>>
> cn=Manager,dc=gsnx,dc=com
>
>>
> simple
>
>>
> Manager
>
>>
>>
> 15
>
>>
> 800
>
>>
> 15000
>
>>
>>
>>
>>
> roles/store/metadata
>
>>
> roles/work/metadata
>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> /actions/read
>> /actions/write
>> /actions/write
>> /actions/write-acl
>> /actions/write-acl
>> /actions/read-acl
>> /actions/read-current-user-privilege-set
>> /actions/write
>> /actions/unlock
>> /actions/read
>> /actions/read
>> /actions/write-properties
>> /actions/write-properties
>> /actions/write-properties
>> /actions/read
>> /actions/write-content
>> /actions/write-content
>> /actions/write-content
>> /actions/bind
>> /actions/unbind
>>
>> /users
>> /roles
>> /actions
>> /files
>>
> true
>
>>
> true
>
>>
> path
>
>>
>>
> 0
>
>>
>>
> full
>
>>
>>
> true
>
>>
>>
>>
>> > any user "all"
>> authenticated user "authenticated"
>> unauthenticated user "unauthenticated"
>> self "self"
>> owner of resource "owner"
>> a user "/users/john"
>> a role "/roles/admin"
>> -->
>>
>
>>
>
>>
>
>>
>
>>
>>
>>
>> -->
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
>>
>> -->
>>
>>
>> /users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]>
> -->
>>
> /users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]/users/[EMAIL PROTECTED]>
>
>>
>>
>>
>>
>>
>>
>>
>>
>>
> /actions/read-acl /actions/read-current-user-privilege-set]]>
>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
> /actions/read /actions/write-acl /actions/write-properties /actions/write-content]]>
>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
> /actions/bind /actions/unbind]]>
>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
>
>
>>
>>
>>
>>
>>
>>
>>
>
>>
>>
> -->
>>
>>
>>
>>
>
>>
>>
>>
>
>>
>>
>>
>
>>
>>
>>
>>
>>
>> > DeltaV global parameters
>> ========================
>> * historypath (mandatory=no, default="/history"):
>> Specifies a Slide path which determines the location where this DeltaV
>> server stores history data.
>> * workspacepath (mandatory=no, default="/workspace"):
>> Specifies a Slide path which determines the location where this DeltaV
>> server allows workspaces to reside.
>> * workingresourcepath (mandatory=no, default="/workingresource"):
>> Specifies a Slide path which determines the location where this DeltaV
>> server stores working resources.
>> * auto-version (mandatory=no, default="checkout-checkin"):
>> Controls the DeltaV auto-version behaviour.
>> * auto-version-control (mandatory=no, default="false"):
>> Indicates if a resource just created by a PUT should be set under
>> version-control.
>> * versioncontrol-exclude (mandatory=no, default=""):
>> Specifies a Slide path which determines resources which are excluded from 
>> version-control.
>> The default value "" makes no path being excluded.
>> * checkout-fork (mandatory=no, default="forbidden"):
>> Controls the DeltaV check-out behaviour when a version is already
>> checked-out or has a successor.
>> * checkin-fork (mandatory=no, default="forbidden"):
>> Controls the DeltaV check-out behaviour when a version has already a
>> successor.
>> * standardLivePropertiesClass (mandatory=no,
>> default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"):
>> Determines the "agent" knowing about what the standard live properties are.
>> It should be a loadable class containing the following static methods:
>> - boolean isLiveProperty(String propName)
>> - boolean isProtectedProperty(String propName)
>> - boolean isComputedProperty(String propName)
>> - Set getAllLiveProperties()
>> - Set getAllProtectedProperties()
>> - Set getAllComputedProperties()
>> * uriRedirectorClass (mandatory=no,
>> default="org.apache.slide.webdav.util.DeltavUriRedirector"):
>> Determines the URI redirector class. The DeltaV URI redirector is in
>> charge of the following redirections:
>> - version URI to history URI, e.g. /history/2/1.4 to /history/2
>> - latest revision number for history resource to 0.0
>> - latest revision number for version resource to last URI token,
>> e.g. /history/2/1.4 to 1.4
>> It should be a loadable class containing the following static methods:
>> - String redirectUri(String uri)
>> - NodeRevisionNumber redirectLatestRevisionNumber(String uri)
>> -->
>>
> /history
>
>>
> /workspace
>
>>
> /workingresource
>
>>
>
>
>>
> false
>
>>
>
>>
> forbidden
>
>>
> forbidden
>
>>
>>
>>
>>
>> regards,
>>
>> Jun
>> James Mason wrote:
>> Jun,
>>
>> It looks like you're using the BindingStore, and I'm afraid I've only
>> tested the JNDI store with ExtendedStore. It should still work; it looks
>> like the error you're getting is caused by having a pre-existing binding
>> for /users. I'd suggest to get this working with a fresh database first
>> just to be sure there aren't any conflicts. If it works that way then
>> you can come back and try to clean up any conflicting bindings.
>>
>> -James
>>
>>
>> On Mon, 2004-10-18 at 03:08, Gao Jun wrote:
>> > Hi James,
>> >
>> > Thanks for your reply. I'm testing this as well:
>> > with the JNDI store for users and
>> > roles and a JDBC store (MySQL) for everything else.
>> >
>> > However, I end up with getting this error msg:
>> >
>> > 18 Oct 2004 17:52:36 - org.apache.slide.common.XMLUnmarshaller - INFO - Loading 
>> > object /users/[EMAIL PROTECTED]
>> > 18 Oct 2004 17:52:36 - org.apache.slide.common.Namespace - ERROR - Unable to read 
>> > Namespace base configuration file :
>> > 18 Oct 2004 17:52:36 - org.apache.slide.common.Namespace - ERROR - 
>> > java.lang.IllegalStateException: Existing binding [EMAIL PROTECTED] at /users has 
>> > to be removed first
>> > java.lang.IllegalStateException: Existing binding [EMAIL PROTECTED] at /users has 
>> > to be removed first
>> > at org.apache.slide.structure.ObjectNode.addBinding(ObjectNode.java:474)
>> > at org.apache.slide.structure.ObjectNode.addChild(ObjectNode.java:444)
>> > at org.apache.slide.structure.StructureImpl.create(StructureImpl.java:385)
>> > at 
>> > org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:158)
>> > at 
>> > org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:280)
>> > at 
>> > org.apache.slide.common.XMLUnmarshaller.loadObjectNode(XMLUnmarshaller.java:280)
>
> === message truncated ===
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Reply via email to