Hi, first of all: great project!!
I've implemented the LDAP authentication - for (my) ease, I've uploaded the SWAMPLDAPAuthManager.java to one of our servers (I can only send out .ZIP attachments from work and SF currently rejects them):

http://labs.akkaya.de/software/SWAMP_LDAP.html

The implementation checks (for loading a user) whether a user is already in the DB; if so, it loads that record - otherwise it loads it from LDAP (it seems that was the intended way of the auth system - but I may have misinterpreted it?). Authentication is done by trying to bind with the supplied credentials to the LDAP server. The username in this implementation is (kind of) expected to be a username part only and the full LDAP DN is added within the code.

I have developed/tested my implementation with a Windows AD, and therefore the sample values below and some of my code are tweaked that way - but I have added some logic to (at least in theory) make it work with other LDAP servers (i.e. base64 value encoding as implemented in OpenLDAP for non-7-bit ASCII values). However, especially the base64 code is UNTESTED as I don't have a non-AD LDAP system at hand.

There are several configuration values, which need to be set in the "WEB-INF/conf/defaults" file - here are some sample values (roughly based on our internal Windows AD setup):

  # ldap server
  LDAP_BIND_URL=ldap://domaincontroller/
  # bind user and password
  [EMAIL PROTECTED]
  LDAP_BIND_PASS=password
  # where to search for user entries when looking up the username
  LDAP_USER_BASEDN=dc=intranet,dc=akkaya,dc=de
  # the search filter for user entries
  LDAP_USER_FILTER=(&(objectClass=user)(sAMAccountName=%s))
  # this is used to construct the full DN from the username only and in
  # this form only works with M$ ADs
  [EMAIL PROTECTED]
  # Attributes from which to fetch the user data
  LDAP_USER_ATTR_GIVENNAME=givenName
  LDAP_USER_ATTR_SURNAME=sn
  LDAP_USER_ATTR_EMAIL=mail

Please note again that the email-style usernames are a feature only implemented in MS AD - for other LDAP servers you'll most likely need regular LDAP DN based usernames, like so:

  LDAP_BIND_USER=cn=SWAMP,dc=intranet,dc=akkaya,dc=de
  LDAP_USER_TEMPLATE=cn=%s,dc=intranet,dc=akkaya,dc=de

If you would like to log in using a full LDAP DN, set these:

  LDAP_USER_FILTER=
  LDAP_USER_TEMPLATE=%s

However, two warnings:
- this is untested (I think it should work like this)
- I don't know if SWAMP chokes on such a "complex" username

If you've built from source and would like to integrate this in your "build", here's the run-down (<SRC> being the base directory with the SWAMP sources):
- extract the file in the archive to: <SRC>/src/de/suse/swamp/core/security
- in <SRC>: ant compile-swamp
- copy the compiled class into tomcat (stop it first):
  cp <SRC>/build/de/suse/swamp/core/security/SWAMPLDAPUserManager.class <TOMCAT_BASE>/common/classes/de/suse/swamp/core/security/
- set AUTH_CLASS in <TOMCAT_WEBAPPS>/webswamp/WEB-INF/conf/defaults to: de.suse.swamp.core.security.SWAMPLDAPUserManager
- set the LDAP configuration values as stated above in: <TOMCAT_WEBAPPS>/webswamp/WEB-INF/conf/defaults

I would like for this to be a one-time contribution, as I really don't have time to support/continue developing this code (I will answer questions, but please CC me, as I don't read this list). If you like this implementation, please integrate it in the project.

jp

--
Jürgen Pabel, CISSP
Akkaya Consulting GmbH
Eupener Straße 137
50933 Köln
Telefon: +49 221 9473007
Telefax: +49 221 4911970
Mobil: +49 160 8806134
E-Mail: [EMAIL PROTECTED]
Internet: http://www.akkaya.de

_______________________________________________
swamp-devel mailing list
swamp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/swamp-devel
http://swamp.sf.net
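As an added illustration of the substitution step the post describes (this is not code from the post or from SWAMP; class and method names are hypothetical): the login-form username is placed into LDAP_USER_FILTER and LDAP_USER_TEMPLATE at the %s placeholder, and because the two placeholders land in different syntactic contexts, each placement uses that context's escaping rule (RFC 4515 for search-filter values, RFC 4514 for DN components), so a name containing parentheses, commas or a backslash is matched literally rather than changing the structure of the filter or DN.

```java
/* Hypothetical helper (not from SWAMP): fills the %s placeholder in
 * LDAP_USER_FILTER and LDAP_USER_TEMPLATE with a login-form username,
 * escaping it for the context it lands in (RFC 4515 filter / RFC 4514 DN). */
public final class LdapUserTemplate {

    /** RFC 4515: escape the metacharacters of a search-filter assertion value. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** RFC 4514: escape an attribute value used as one component of a DN. */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean leading = i == 0 && (c == ' ' || c == '#');
            boolean trailing = i == value.length() - 1 && c == ' ';
            if (leading || trailing || ",+\"\\<>;=".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    /** Replaces %s; an empty template means "not used" (the post's full-DN login mode). */
    static String fill(String template, String escapedValue) {
        if (template == null || template.isEmpty()) return null;
        // String.replace, not String.format: a '%' typed by the user must stay inert.
        return template.replace("%s", escapedValue);
    }

    public static void main(String[] args) {
        // Constructed sample values, following the configuration shown in the post.
        String filter = "(&(objectClass=user)(sAMAccountName=%s))";
        String dnTemplate = "cn=%s,dc=intranet,dc=akkaya,dc=de";
        String user = "O'Neil (Sales)";   // parentheses are filter metacharacters
        System.out.println(fill(filter, escapeFilterValue(user)));
        System.out.println(fill(dnTemplate, escapeDnValue("Pabel, Jürgen")));
        // With LDAP_USER_TEMPLATE=%s the username already is a DN: do not escape it then.
    }
}
```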