Hi Jun,
the only strange thing in your configuration is the principal "cn=Manager,dc=jgao,dc=com". I do not know if you can connect to the ldap server with a user like this, because you wrote that e.g. the admin has the name "[EMAIL PROTECTED]". I would expect something like [EMAIL PROTECTED].
Regards, Stefan
On Tue, 19 Oct 2004 23:16:54 -0700 (PDT), Gao Jun <[EMAIL PROTECTED]> wrote:
Hi Stefan,
Thanks for your reply. But I still can't find out the problem.
In my Domain.xml, I have:
<store name="users">
  <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
    <parameter name="jndi.container">ou=People,dc=jgao,dc=com</parameter>
    <parameter name="jndi.attributes.rdn">uid</parameter>
    <parameter name="jndi.search.filter">(objectClass=person)</parameter>
    <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
    <parameter name="jndi.search.attributes"></parameter>
    <parameter name="java.naming.provider.url">ldap://localhost:389</parameter>
    <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
    <parameter name="java.naming.security.principal">cn=Manager,dc=jgao,dc=com</parameter>
    <parameter name="java.naming.security.authentication">simple</parameter>
    <parameter name="java.naming.security.credentials">Manager</parameter>
    <parameter name="cache.refresh.checkrate">15</parameter>
    <parameter name="cache.refresh.rate">800</parameter>
    <parameter name="cache.refresh.threshold">15000</parameter>
  </nodestore>
Then in my ldap server, I do have the user [EMAIL PROTECTED] defined under "ou=People,dc=jgao,dc=com".
In Domain.xml, I have:
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles">
  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/root">
    <revision>
      <property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/[EMAIL PROTECTED]</D:href>]]></property>
    </revision>
  </objectnode>
</objectnode>
And I checked the DB and found it has been saved to the properties table successfully.
And for the root node, I have defined in Domain.xml:
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
  <permission action="all" subject="/roles/root" inheritable="true"/>
  ........
But when I try to log in, I still get the forbidden error:
org.apache.slide.webdav.WebdavException: Forbidden
Can you see any problem in the configuration? Thanks.
regards,
Jun
Stefan Fromm <[EMAIL PROTECTED]> wrote:
Jun,
I think that the "Forbidden" results from the fact that the user names mapped by the ldap store and the user names in Slide's node permissions do not match. If you have set node permissions with roles, then maybe the user names added per role do not match the user names mapped from the ldap store.
1. Is it required that I have to store "/roles" node to ldap, too if I store "/users" to ldap server? For now, I still store "/roles" in jdbc store. Is that a problem?
No it's not required. But I would recommend using the ldap store for roles too, because then you do not have to update role memberships twice (first in the ldap directory and second in the Slide repository) in case of changes.
2. If I don't put any subnodes under "/users" in the domain.xml, could I still define those user members under "/roles"?
Yes, because the user nodes are mapped into Slide's namespace by the ldap store. But make sure that the user names which you use in the role membership definition match the user names of the ldap store.
I had some problems myself with the user names, because in our environment the user names were mapped into Slide with real names, not with the login names. Thus no security checking worked with the node permissions I gave. You can switch off security in slide.properties at first, if you want to see results of your configuration.
Best regards, Stefan
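As an added example (not code from the thread or from Slide itself), the script below re-implements only the naming rule Stefan describes: the LDAP store exposes each directory entry as /users/<value of the jndi.attributes.rdn attribute>, so every href in a role's group-member-set must equal one of those URIs or the role silently never contains that user and the login ends in "Forbidden". It checks a Domain.xml fragment shaped like Jun's against constructed LDAP entries; the entries, the names in them and the rdn override parameter are assumptions made for the example.

```python
# Added example, not Slide code: re-implements the thread's naming rule (user URI = /users/<jndi.attributes.rdn value>).
import re
import xml.etree.ElementTree as ET

# Constructed Domain.xml fragment in the shape of the one quoted in the thread.
DOMAIN_XML = """<domain>
 <store name="users">
  <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
   <parameter name="jndi.container">ou=People,dc=jgao,dc=com</parameter>
   <parameter name="jndi.attributes.rdn">uid</parameter>
  </nodestore>
 </store>
 <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/root">
  <revision>
   <property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/jgao</D:href>
<D:href xmlns:D='DAV:'>/users/Jun Gao</D:href>]]></property>
  </revision>
 </objectnode>
</domain>"""
# Constructed LDAP entries under the jndi.container (attribute -> value).
LDAP_ENTRIES = [
    {"uid": "jgao", "cn": "Jun Gao", "objectClass": "person"},
    {"uid": "sfromm", "cn": "Stefan Fromm", "objectClass": "person"},
]

def rdn_attribute(root):
    """Attribute the store builds user names from ("uid" assumed if unset)."""
    for p in root.iter("parameter"):
        if p.get("name") == "jndi.attributes.rdn":
            return p.text.strip()
    return "uid"

def mapped_users(root, entries, rdn=None):
    """Slide user URIs the LDAP store would expose: /users/<rdn value>."""
    attr = rdn or rdn_attribute(root)
    return {"/users/" + e[attr] for e in entries if attr in e}

def role_members(root):
    """Every href listed in a group-member-set property of any role node."""
    hrefs = []
    for prop in root.iter("property"):
        if prop.get("name") == "group-member-set" and prop.text:
            hrefs += re.findall(r"<D:href[^>]*>([^<]+)</D:href>", prop.text)
    return hrefs

def unmatched_members(xml_text, entries, rdn=None):
    """Role members no mapped user node matches: each one gets Forbidden."""
    root = ET.fromstring(xml_text)
    users = mapped_users(root, entries, rdn)
    return [h for h in role_members(root) if h not in users]
```

Passing rdn="cn" reproduces the situation Stefan ran into, where users are mapped by real name instead of login name and the login-name hrefs stop matching.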
