Hi Jun,
I've set up a configuration similar to yours. The user data comes from a JNDIPrincipalStore. For the role data I
didn't configure a special store, but used the default store "tx" for it. Furthermore, I switched off
authentication in the web.xml inside slide.war. The problem is that the role data is not correctly mapped into Slide
even when it exists. I checked that with the file based stores for "tx": the metadata is available on the
hard disk and looks ok (at first glance). The role data is also not mapped into Slide when "tx" uses
JDBCStore for storing data (same problem). To make it work I had to use the JNDIPrincipalStore for roles too. See
the attached Domain.xml.
Your principal name must be ok. Otherwise you would see an error in the log. I checked
that too.
I don't know how the LDAP directory is maintained in our environment. It's an MS
Active Directory. I think several tools are used for maintaining users and
roles. But users and roles are not the only things contained there, so I guess
specific tools are used for each task. Under the link
http://www-unix.mcs.anl.gov/~gawor/ldap/ you can find a generic LDAP browser/editor.
For testing purposes it should be enough, but I don't know how well it supports
managing complex interrelations.
As a question to the Slide community: why isn't it possible to separate user and role
data into different stores? I had already experienced this problem with the file based
stores (earlier with Slide 2.0 if I remember correctly).
Regards
Stefan
<?xml version="1.0"?>
<slide>
<namespace name="slide">
<definition>
<!-- Default store "tx": nodes, security, locks, revision descriptors and
content all live in the JDBC (MySQL) nodestore below; only the sequence
store is file based. -->
<store name="tx" classname="org.apache.slide.store.ExtendedStore">
<nodestore classname="org.apache.slide.store.impl.rdbms.JDBCStore">
<parameter name="driver">com.mysql.jdbc.Driver</parameter>
<parameter
name="url">jdbc:mysql://localhost:3306/jettyslide</parameter>
<!-- NOTE(review): the database is opened as "root" with an empty password.
Before this leaves a local test setup, use a dedicated account that only
owns the jettyslide schema and give it a real password; also restrict read
access to this file, since every credential in it is stored in clear. -->
<parameter name="user">root</parameter>
<parameter name="password"></parameter>
<parameter
name="adapter">org.apache.slide.store.impl.rdbms.MySqlRDBMSAdapter</parameter>
<!-- connection pooling for the JDBC nodestore, bounded to 10 connections -->
<parameter name="dbcpPooling">true</parameter>
<parameter name="maxPooledConnections">10</parameter>
</nodestore>
<!-- Sequences are kept on disk. NOTE(review): the "users" and "roles"
stores below point their sequence stores at this same rootpath; confirm
that sharing one directory between three FileSequenceStore instances is
intended. -->
<sequencestore
classname="org.apache.slide.store.txfile.FileSequenceStore">
<parameter name="rootpath">store/sequence</parameter>
</sequencestore>
<!-- All remaining sub stores are backed by the JDBC nodestore above. -->
<securitystore>
<reference store="nodestore"/>
</securitystore>
<lockstore>
<reference store="nodestore"/>
</lockstore>
<revisiondescriptorsstore>
<reference store="nodestore"/>
</revisiondescriptorsstore>
<revisiondescriptorstore>
<reference store="nodestore"/>
</revisiondescriptorstore>
<contentstore>
<reference store="nodestore"/>
</contentstore>
<!-- Alternative file based content store, kept disabled. -->
<!--contentstore
classname="org.apache.slide.store.txfile.TxFileContentStore">
<parameter name="rootpath">store/content</parameter>
<parameter name="workpath">work/content</parameter>
<parameter name="defer-saving">true</parameter>
<parameter name="timeout">120</parameter>
</contentstore-->
</store>
<!-- Catch-all scope; the more specific /users and /roles scopes below
presumably take precedence for their own subtrees. -->
<scope match="/" store="tx"/>
<!-- "users" store: principals are read from the directory through JNDI.
The container, provider URL, bind principal and credentials were redacted
("...") by the sender of this file. -->
<store name="users" classname="org.apache.slide.store.ExtendedStore">
<parameter name="tlock-timeout">120</parameter>
<nodestore
classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
<!-- Directory subtree that is searched; ONELEVEL_SCOPE below limits the
search to its direct children. -->
<parameter
name="jndi.container">CN=Users,DC=...,DC=...,DC=de</parameter>
<!-- presumably the CN value becomes the node name under /users -->
<parameter name="jndi.attributes.rdn">CN</parameter>
<!-- NOTE(review): in Active Directory (objectClass=user) also matches
computer accounts, whose class derives from user; narrowing the filter
with (objectCategory=person) is the usual way to get only people.
Confirm against the directory. -->
<parameter name="jndi.search.filter">(objectClass=user)</parameter>
<parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
<!-- NOTE(review): fullName is not a default Active Directory attribute
(displayName and cn are); confirm it exists in this directory, otherwise
that property will stay empty. -->
<parameter
name="jndi.search.attributes">mail,fullName,telephoneNumber</parameter>
<!-- NOTE(review): the URL scheme is ldap:// and the bind below uses
"simple" authentication, so the service account password travels in clear
unless the connection is protected by TLS (ldaps:// or StartTLS); the
redacted URL does not show which applies. -->
<parameter name="java.naming.provider.url">ldap://...</parameter>
<parameter
name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
<!-- Bind identity used for the lookups. A read-only directory account
should be enough unless principals are to be created or modified through
Slide; the values are stored in clear text in this file. -->
<parameter name="java.naming.security.principal">...</parameter>
<parameter
name="java.naming.security.authentication">simple</parameter>
<parameter name="java.naming.security.credentials">...</parameter>
</nodestore>
<!-- Same rootpath as the "tx" store's sequence store; see the note there. -->
<sequencestore
classname="org.apache.slide.store.txfile.FileSequenceStore">
<parameter name="rootpath">store/sequence</parameter>
</sequencestore>
<!-- All remaining sub stores are backed by the JNDI nodestore above. -->
<securitystore>
<reference store="nodestore"/>
</securitystore>
<lockstore>
<reference store="nodestore"/>
</lockstore>
<revisiondescriptorsstore>
<reference store="nodestore"/>
</revisiondescriptorsstore>
<revisiondescriptorstore>
<reference store="nodestore"/>
</revisiondescriptorstore>
<contentstore>
<reference store="nodestore"/>
</contentstore>
</store>
<!-- must agree with <userspath> in the configuration section -->
<scope match="/users" store="users"/>
<!-- "roles" store: groups of the same directory container are exposed as
Slide roles. This is the store the mail text says was needed because
keeping roles in "tx" did not work; redacted values as in the "users"
store. -->
<store name="roles" classname="org.apache.slide.store.ExtendedStore">
<parameter name="tlock-timeout">120</parameter>
<nodestore
classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
<parameter
name="jndi.container">CN=Users,DC=...,DC=...,DC=de</parameter>
<!-- NOTE(review): the ACLs in the data section refer to /roles/root and
/roles/user; with CN as rdn those roles presumably have to exist as groups
named "root" and "user" directly under this container, otherwise those
permission entries match nothing. -->
<parameter name="jndi.attributes.rdn">CN</parameter>
<!-- Members are read from the multi valued "member" attribute. Since
nested_roles_maxdepth is 0 in the configuration section, membership
through nested groups is presumably not resolved. -->
<parameter name="jndi.attributes.groupmemberset">member</parameter>
<parameter
name="jndi.search.filter">(objectClass=group)</parameter>
<parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
<parameter name="jndi.search.attributes">cn</parameter>
<!-- Same connection and bind settings as the "users" store; the same
remarks about simple authentication over ldap:// and clear text
credentials apply here. -->
<parameter name="java.naming.provider.url">ldap://...</parameter>
<parameter
name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
<parameter name="java.naming.security.principal">...</parameter>
<parameter
name="java.naming.security.authentication">simple</parameter>
<parameter name="java.naming.security.credentials">...</parameter>
</nodestore>
<!-- Same rootpath as the "tx" store's sequence store; see the note there. -->
<sequencestore
classname="org.apache.slide.store.txfile.FileSequenceStore">
<parameter name="rootpath">store/sequence</parameter>
</sequencestore>
<!-- All remaining sub stores are backed by the JNDI nodestore above. -->
<securitystore>
<reference store="nodestore"/>
</securitystore>
<lockstore>
<reference store="nodestore"/>
</lockstore>
<revisiondescriptorsstore>
<reference store="nodestore"/>
</revisiondescriptorsstore>
<revisiondescriptorstore>
<reference store="nodestore"/>
</revisiondescriptorstore>
<contentstore>
<reference store="nodestore"/>
</contentstore>
</store>
<!-- must agree with <rolespath> in the configuration section -->
<scope match="/roles" store="roles"/>
</definition>
<configuration>
<!-- Actions mapping: each Slide internal operation is bound to one of the
ActionNode URIs declared under /actions in the data section. -->
<read-object>/actions/read</read-object>
<create-object>/actions/write</create-object>
<remove-object>/actions/write</remove-object>
<grant-permission>/actions/write-acl</grant-permission>
<revoke-permission>/actions/write-acl</revoke-permission>
<read-permissions>/actions/read-acl</read-permissions>
<read-own-permissions>/actions/read-current-user-privilege-set</read-own-permissions>
<lock-object>/actions/write</lock-object>
<kill-lock>/actions/unlock</kill-lock>
<read-locks>/actions/read</read-locks>
<read-revision-metadata>/actions/read</read-revision-metadata>
<create-revision-metadata>/actions/write-properties</create-revision-metadata>
<modify-revision-metadata>/actions/write-properties</modify-revision-metadata>
<remove-revision-metadata>/actions/write-properties</remove-revision-metadata>
<read-revision-content>/actions/read</read-revision-content>
<create-revision-content>/actions/write-content</create-revision-content>
<modify-revision-content>/actions/write-content</modify-revision-content>
<remove-revision-content>/actions/write-content</remove-revision-content>
<bind-member>/actions/bind</bind-member>
<unbind-member>/actions/unbind</unbind-member>
<!-- Paths configuration. userspath and rolespath correspond to the scopes
of the "users" and "roles" stores; /actions and /files have no scope of
their own and therefore presumably fall under the "/" scope of "tx". -->
<userspath>/users</userspath>
<rolespath>/roles</rolespath>
<actionspath>/actions</actionspath>
<filespath>/files</filespath>
<parameter name="dav">true</parameter>
<parameter name="standalone">true</parameter>
<!-- presumably: permissions flagged inheritable="true" in the data section
are inherited along the URI path -->
<parameter name="acl_inheritance_type">path</parameter>
<!-- Nested roles: 0 means no nesting (default), 1 means one sublevel, etc.
With roles coming from directory groups, 0 means a user who is only a
member of a nested group does not get the outer role. -->
<parameter name="nested_roles_maxdepth">0</parameter>
<!-- Can be "off", "write" and "full" -->
<parameter name="sequential-mode">full</parameter>
<!-- "false" lets all read-only methods be executed outside of transactions
-->
<parameter name="all-methods-in-transactions">true</parameter>
<!-- Setting this to true will force Slide to internally convert the
username a user enters at login to lowercase. This is useful for users
who can't be bothered with turning off their capslock key before logging
in. NOTE(review): Active Directory compares CN values case insensitively
while Slide URIs like /users/john presumably are case sensitive; if logins
fail only for differently cased names, this switch is the first thing to
try. -->
<parameter name="force-lowercase-login">false</parameter>
</configuration>
<!-- Initial object tree and ACLs. The root node carries the baseline
permissions that every other node inherits. -->
<data>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
<!-- Subject can be:
any user "all"
authenticated user "authenticated"
unauthenticated user "unauthenticated"
self "self"
owner of resource "owner"
a user "/users/john"
a role "/roles/admin"
-->
<!-- Members of the "root" role may do everything, everywhere. -->
<permission action="all" subject="/roles/root" inheritable="true"/>
<!-- Nobody else may read or change ACLs or break locks by default. -->
<permission action="/actions/read-acl" subject="all" inheritable="true"
negative="true"/>
<permission action="/actions/write-acl" subject="all" inheritable="true"
negative="true"/>
<permission action="/actions/unlock" subject="all" inheritable="true"
negative="true"/>
<!-- Read access for everyone, authenticated or not, on the whole tree
unless a node below overrides it. -->
<permission action="/actions/read" subject="all" inheritable="true"/>
<!-- /users -->
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/users">
<!-- each user may manage their own node; anonymous access is denied -->
<permission action="all" subject="self" inheritable="true"/>
<permission action="all" subject="unauthenticated" inheritable="true"
negative="true"/>
</objectnode>
<!-- /roles -->
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/roles">
<permission action="all" subject="self" inheritable="true"/>
<permission action="all" subject="unauthenticated" inheritable="true"
negative="true"/>
</objectnode>
<!-- action -->
<!-- Privilege hierarchy: an action whose privilege-member-set lists other
actions (as DAV:href elements inside the CDATA) aggregates them, so
/actions/read covers read-acl and read-current-user-privilege-set, and
/actions/write covers write-acl, write-properties and write-content
(which in turn covers bind and unbind). -->
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions">
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/read">
<revision>
<property name="privilege-member-set"><![CDATA[<D:href
xmlns:D='DAV:'>/actions/read-acl</D:href> <D:href
xmlns:D='DAV:'>/actions/read-current-user-privilege-set</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/read-acl">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/read-current-user-privilege-set">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/write">
<revision>
<property name="privilege-member-set"><![CDATA[<D:href
xmlns:D='DAV:'>/actions/write-acl</D:href> <D:href xmlns:D='DAV:'>/actions/write-properties</D:href> <D:href
xmlns:D='DAV:'>/actions/write-content</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/write-acl">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/write-properties">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/write-content">
<revision>
<property name="privilege-member-set"><![CDATA[<D:href
xmlns:D='DAV:'>/actions/bind</D:href> <D:href xmlns:D='DAV:'>/actions/unbind</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/bind">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/unbind">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode"
uri="/actions/unlock">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
</objectnode>
<!-- NOTE(review): /files, /history, /workspace and /workingresource all
grant action="all" to "unauthenticated", inheritable. That is full
anonymous access (write, ACL changes, unlock) to these trees, and the mail
text says authentication was switched off in web.xml, so every request is
effectively unauthenticated. The finer grants for /roles/user and "owner"
below only matter once the unauthenticated grant is removed or turned
into a negative one as done for /users and /roles. -->
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/files">
<permission action="all" subject="unauthenticated"
inheritable="true"/>
<permission action="/actions/write" subject="/roles/user"
inheritable="true"/>
<permission action="/actions/read-acl" subject="owner"
inheritable="true"/>
</objectnode>
<!-- DeltaV: default history and workspace paths -->
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/history">
<permission action="all" subject="unauthenticated"
inheritable="true"/>
<permission action="/actions/write" subject="/roles/user"
inheritable="true"/>
<permission action="/actions/read-acl" subject="owner"
inheritable="true"/>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/workspace">
<permission action="all" subject="unauthenticated"
inheritable="true"/>
<permission action="/actions/write" subject="/roles/user"
inheritable="true"/>
<permission action="/actions/read-acl" subject="owner"
inheritable="true"/>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/workingresource">
<permission action="all" subject="unauthenticated"
inheritable="true"/>
<permission action="/actions/write" subject="/roles/user"
inheritable="true"/>
<permission action="/actions/read-acl" subject="owner"
inheritable="true"/>
</objectnode>
</objectnode>
</data>
</namespace>
<!--
DeltaV global parameters
========================
* historypath (mandatory=no, default="/history"):
Specifies a Slide path which determines the location where this DeltaV
server stores history data.
* workspacepath (mandatory=no, default="/workspace"):
Specifies a Slide path which determines the location where this DeltaV
server allows workspaces to reside.
* workingresourcepath (mandatory=no, default="/workingresource"):
Specifies a Slide path which determines the location where this DeltaV
server stores working resources.
* auto-version (mandatory=no, default="checkout-checkin"):
Controls the DeltaV auto-version behaviour.
* auto-version-control (mandatory=no, default="false"):
Indicates if a resource just created by a PUT should be set under
version-control.
* versioncontrol-exclude (mandatory=no, default=""):
Specifies a Slide path which determines resources which are excluded from
version-control.
The default value "" makes no path being excluded.
* checkout-fork (mandatory=no, default="forbidden"):
Controls the DeltaV check-out behaviour when a version is already
checked-out or has a successor.
* checkin-fork (mandatory=no, default="forbidden"):
Controls the DeltaV check-in behaviour when a version already has a
successor.
* standardLivePropertiesClass (mandatory=no,
default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"):
Determines the "agent" knowing about what the standard live properties are.
It should be a loadable class containing the following static methods:
- boolean isLiveProperty(String propName)
- boolean isProtectedProperty(String propName)
- boolean isComputedProperty(String propName)
- Set getAllLiveProperties()
- Set getAllProtectedProperties()
- Set getAllComputedProperties()
* uriRedirectorClass (mandatory=no,
default="org.apache.slide.webdav.util.DeltavUriRedirector"):
Determines the URI redirector class. The DeltaV URI redirector is in
charge of the following redirections:
- version URI to history URI, e.g. /history/2/1.4 to /history/2
- latest revision number for history resource to 0.0
- latest revision number for version resource to last URI token,
e.g. /history/2/1.4 to 1.4
It should be a loadable class containing the following static methods:
- String redirectUri(String uri)
- NodeRevisionNumber redirectLatestRevisionNumber(String uri)
-->
<!-- Every value below equals the documented default; the three path
parameters match the /history, /workspace and /workingresource object
nodes declared in the data section. -->
<parameter name="historypath">/history</parameter>
<parameter name="workspacepath">/workspace</parameter>
<parameter name="workingresourcepath">/workingresource</parameter>
<parameter name="auto-version">checkout-checkin</parameter>
<parameter name="auto-version-control">false</parameter>
<parameter name="versioncontrol-exclude"/>
<parameter name="checkout-fork">forbidden</parameter>
<parameter name="checkin-fork">forbidden</parameter>
<!-- Extractor configuration: properties are derived from stored content,
presumably driven by the PropertyExtractorTrigger listener in the events
section. -->
<extractors>
<!-- XPath based extraction from one specific XML resource.
NOTE(review): this parses content that clients upload; confirm the parser
used by SimpleXmlExtractor has DTD and external entity resolution
disabled, since a DOCTYPE in an uploaded document would otherwise be
processed on the server. -->
<extractor classname="org.apache.slide.extractor.SimpleXmlExtractor"
uri="/files/articles/test.xml">
<configuration>
<instruction property="title" xpath="/article/title/text()" />
<instruction property="summary" xpath="/article/summary/text()" />
</configuration>
</extractor>
<!-- OLE summary information fields of office documents under /files/docs/;
the id values are the SummaryInformation property ids as given here -->
<extractor classname="org.apache.slide.extractor.OfficeExtractor"
uri="/files/docs/">
<configuration>
<instruction property="author" id="SummaryInformation-0-4" />
<instruction property="application" id="SummaryInformation-0-18" />
</configuration>
</extractor>
</extractors>
<!-- Event configuration: which event classes are raised and which
listeners receive them. -->
<events>
<event classname="org.apache.slide.webdav.event.WebdavEvent" enable="true" />
<event classname="org.apache.slide.event.ContentEvent" enable="true" />
<!-- content retrieval is the only ContentEvent method switched off -->
<event classname="org.apache.slide.event.ContentEvent" method="retrieve"
enable="false" />
<event classname="org.apache.slide.event.EventCollection" enable="true" />
<event classname="org.apache.slide.event.TransactionEvent" enable="true" />
<event classname="org.apache.slide.event.MacroEvent" enable="true"/>
<!-- Disabled event logger; enable it while debugging the role mapping
problem described in the mail to see which events actually fire. -->
<!--listener classname="org.apache.slide.util.event.EventLogger" /-->
<listener classname="org.apache.slide.event.VetoableEventCollector" />
<listener classname="org.apache.slide.event.TransientEventCollector" />
<!-- WebDAV notifications; subscriptions are persisted to a relative file
name, so the effective location depends on the working directory of the
servlet container. -->
<listener classname="org.apache.slide.webdav.event.NotificationTrigger">
<configuration>
<notification include-events="false" />
<persist-subscriptions filename="subscriptions.xml" />
</configuration>
</listener>
<listener classname="org.apache.slide.extractor.PropertyExtractorTrigger" />
<!-- asynchronous indexing of /files/articles with a logging only indexer -->
<listener classname="org.apache.slide.search.IndexTrigger">
<configuration>
<indexer classname="org.apache.slide.search.LoggingIndexer" synchronous="false"
uri="/files/articles" />
</configuration>
</listener>
<!-- Uncomment for cluster support. Be sure to set local-host and
repository-host. NOTE(review): the template carries sample credentials
(root/root) and a plain http repository-protocol; replace both before
enabling it. -->
<!--
<listener classname="org.apache.slide.cluster.ClusterCacheRefresher">
<configuration>
<node local-host="local.host.domain"
local-port="4444"
repository-host="remote.host.domain"
repository-port="8080"
repository-protocol="http"
username="root"
password="root"
base-uri="/files/"
/>
</configuration>
</listener>
-->
<listener classname="org.apache.slide.macro.MacroPropertyUpdater">
<!-- Listener that updates some properties if resources are
copied or moved. This requires MacroEvents enabled (at
least methods copy and move); MacroEvent is enabled above. -->
<configuration>
<update-displayname>true</update-displayname>
<update-owner-on-move>false</update-owner-on-move>
<update-owner-on-copy>true</update-owner-on-copy>
</configuration>
</listener>
</events>
</slide>