Greetings, I am having difficulties getting LDAPS authentication to work and I think I must be missing some fundamental configuration.
My current state is that the site loads and displays content properly, but when I go to edit content or I select the log in page directly, my LDAP credentials do not authenticate, and I am repeatedly presented with a login page.

I used the following information as my "How To" for this effort: http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
This article is very good but appears to be incomplete.

I have done the following configuration to get ldaps to work:

1. I have a previously configured LDAP server and I stored/trusted the cert for this Sun LDAP server into the central Java keystore using this command:

   /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap -file /web1/sst/dysc/content/CA-RA-v3.crt -keystore /usr/lib64/jvm/jre/lib/security/cacerts

2. I have configured the realm and sorted out all the log errors using the following realm in the server.xml file. I believe Tomcat is successfully connecting to my LDAP server.

   <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
          connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
          connectionPassword="[Password]"
          userPattern="uid={0},ou=people,dc=mydomain,dc=com"
          roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
          roleSubtree="true"
          roleName="cn"
          roleSearch="(uniqueMember={0})" />

3. I uncommented the "CONTAINER-MANAGED AUTH" section from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml

There is a section at the bottom that says "Update JSPWiki security policy": "If you would like to set permissions to LDAP groups, you can simply add policy entries on authorize.Role. The following is an entry for wiki-admin group (from LDAP)."

   grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
       permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
   };

I'm thinking it might go into web.xml, but I am not sure of that.

This section of the xml looks like this:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Authenticated area</web-resource-name>
       <url-pattern>/Edit.jsp</url-pattern>
       <url-pattern>/Comment.jsp</url-pattern>
       <url-pattern>/Login.jsp</url-pattern>
       <url-pattern>/NewGroup.jsp</url-pattern>
       <url-pattern>/Rename.jsp</url-pattern>
       <url-pattern>/Upload.jsp</url-pattern>
       <http-method>DELETE</http-method>
       <http-method>GET</http-method>
       <http-method>HEAD</http-method>
       <http-method>POST</http-method>
       <http-method>PUT</http-method>
     </web-resource-collection>
     <web-resource-collection>
       <web-resource-name>Read-only Area</web-resource-name>
       <url-pattern>/attach</url-pattern>
       <http-method>DELETE</http-method>
       <http-method>POST</http-method>
       <http-method>PUT</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>Admin</role-name>
       <role-name>Authenticated</role-name>
     </auth-constraint>
     <!--
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
     -->
   </security-constraint>

   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/LoginForm.jsp</form-login-page>
       <form-error-page>/LoginForm.jsp</form-error-page>
     </form-login-config>
   </login-config>

   <security-role>
     <description>This logical role includes all authenticated users</description>
     <role-name>Authenticated</role-name>
   </security-role>
   <security-role>
     <description>This logical role includes all administrative users</description>
     <role-name>Admin</role-name>
   </security-role>

Regards,
John Pimentel
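A check worth running on the configuration above is whether the role names the JNDIRealm produces (the `cn` of each group under `roleBase` whose `uniqueMember` holds the user's DN) are the same names the web.xml `<auth-constraint>` demands. The following is an added example, not code from the post or from JSPWiki or Tomcat: it replays JNDIRealm's role resolution against a constructed in-memory snapshot of the role subtree (the `jdoe`/`asmith` users and the `wiki-admin`/`wiki-users` groups are invented) and compares the result with the `<auth-constraint>` quoted above. The `grant principal ... Role "wiki-admin"` block is JSPWiki's own policy syntax (its jspwiki.policy file) and is independent of the container roles checked here.

```python
import xml.etree.ElementTree as ET

# Role-related Realm attributes as given in the post (connection settings omitted).
REALM = {
    "userPattern": "uid={0},ou=people,dc=mydomain,dc=com",
    "roleBase": "ou=Control-M,ou=group,dc=mydomain,dc=com",
    "roleSearch": "(uniqueMember={0})",
    "roleName": "cn",
}

# Constructed snapshot of the role subtree; a real check would use ldapsearch.
GROUPS = [
    {"dn": "cn=wiki-admin,ou=Control-M,ou=group,dc=mydomain,dc=com",
     "cn": "wiki-admin",
     "uniqueMember": ["uid=jdoe,ou=people,dc=mydomain,dc=com"]},
    {"dn": "cn=wiki-users,ou=Control-M,ou=group,dc=mydomain,dc=com",
     "cn": "wiki-users",
     "uniqueMember": ["uid=jdoe,ou=people,dc=mydomain,dc=com",
                      "uid=asmith,ou=people,dc=mydomain,dc=com"]},
]

# The <auth-constraint> from the post's web.xml, wrapped so it parses on its own.
WEB_XML = """<web-app><security-constraint><auth-constraint>
<role-name>Admin</role-name><role-name>Authenticated</role-name>
</auth-constraint></security-constraint></web-app>"""


def resolve_roles(uid, realm=REALM, groups=GROUPS):
    """Roles JNDIRealm would assign: build the user DN from userPattern, then
    apply roleSearch with {0} = user DN under roleBase; the role name is the
    roleName attribute of each matching group entry."""
    user_dn = realm["userPattern"].replace("{0}", uid)
    member_attr = realm["roleSearch"].strip("()").split("=", 1)[0]  # uniqueMember
    return sorted(g[realm["roleName"]] for g in groups
                  if g["dn"].endswith(realm["roleBase"])
                  and user_dn in g.get(member_attr, []))


def required_roles(web_xml):
    """Role names any <auth-constraint> in web.xml will accept."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for r in root.findall(".//auth-constraint/role-name")}


def constraint_check(uid, web_xml=WEB_XML):
    """(granted, roles the user has, roles web.xml accepts). Valid credentials
    with no accepted role means the constrained URLs are still not authorized."""
    have, need = set(resolve_roles(uid)), required_roles(web_xml)
    return bool(have & need), have, need


if __name__ == "__main__":
    ok, have, need = constraint_check("jdoe")
    print(f"jdoe has {sorted(have)}, web.xml accepts {sorted(need)}: "
          f"{'granted' if ok else 'denied'}")
```

With the post's values the check reports `denied`, because the realm hands back LDAP group names such as `wiki-admin` while the constraint only lists `Admin` and `Authenticated`; either side has to be renamed to match (or the Admin role mapped to the LDAP group name) before the container will authorize the user.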