Hi,
This is what we are looking for for one of our applications: LDAP integration.
Can someone tell us what the .ldif file is going to look like? Also, will
there be any change in the original database schema (app_user, role,
user_role tables)? Thanks.
--Irshad.


melinate wrote:
> 
> This looks like another gem for documentation...
> 
>   http://appfuse.org/display/APF/LDAP+Authentication
> 
> I also added it to the FAQ.
> 
> Nathan
> 
> Matt Raible wrote:
>> Here's what I've done in the past to get LDAP working with AppFuse 1.9.4:
>>
>> 1. Change the "authenticationManager" bean to use "ldapProvider"
>> instead of "daoAuthenticationProvider":
>>
>>    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
>>        <property name="providers">
>>            <list>
>>                <ref local="ldapProvider"/>
>>                <!--ref local="daoAuthenticationProvider"/-->
>>                <ref local="anonymousAuthenticationProvider"/>
>>                <ref local="rememberMeAuthenticationProvider"/>
>>            </list>
>>        </property>
>>    </bean>
>>
>> 2. Added ldapProvider and supporting beans:
>>
>>    <bean id="ldapProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
>>        <constructor-arg>
>>            <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
>>                <constructor-arg ref="initialDirContextFactory"/>
>>                <property name="userDnPatterns">
>>                    <list>
>>                        <value>uid={0}</value>
>>                    </list>
>>                </property>
>>                <property name="userSearch" ref="userSearch"/>
>>                <property name="userDetailsMapper" ref="ldapUserDetailsMapper"/>
>>            </bean>
>>        </constructor-arg>
>>        <constructor-arg>
>>            <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
>>                <constructor-arg ref="initialDirContextFactory"/>
>>                <constructor-arg value=""/>
>>                <property name="groupRoleAttribute" value="cn"/>
>>                <property name="groupSearchFilter" value="(&amp;(objectclass=groupOfUniqueNames)(uniqueMember={0}))"/>
>>                <property name="searchSubtree" value="true"/>
>>                <property name="rolePrefix" value=""/>
>>                <property name="convertToUpperCase" value="false"/>
>>            </bean>
>>        </constructor-arg>
>>    </bean>
>>
>>    <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
>>        <constructor-arg value="${ldap.url}/${ldap.base}"/>
>>        <property name="managerDn" value="${ldap.username}"/>
>>        <property name="managerPassword" value="${ldap.password}"/>
>>    </bean>
>>
>>    <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
>>        <constructor-arg index="0" value=""/>
>>        <constructor-arg index="1" value="(uid={0})"/>
>>        <constructor-arg index="2" ref="initialDirContextFactory"/>
>>        <property name="searchSubtree" value="true"/>
>>    </bean>
>>
>>    <bean id="ldapUserDetailsMapper" class="org.acegisecurity.userdetails.ldap.LdapUserDetailsMapper">
>>        <property name="rolePrefix" value=""/>
>>    </bean>
>>
>> 3. Change the passwordEncoder bean to be LdapShaPasswordEncoder:
>>
>>    <bean id="passwordEncoder" class="org.acegisecurity.providers.ldap.authenticator.LdapShaPasswordEncoder"/>
>>
>> In this example, my ldap.properties (which populates
>> initialDirContextFactory) is set to:
>>
>> ldap.url=ldap://localhost:1389
>> ldap.base=ou=system
>> ldap.username=uid=admin,ou=system
>> ldap.password=secret
>>
>> HTH,
>>
>> Matt
>>
>> On 4/9/07, ChenRanHow <[EMAIL PROTECTED]> wrote:
>>> Dear all
>>>
>>>   I am trying to use AppFuse 1.9.4 with Apache DS.
>>>
>>>   I use the LDIF downloaded from Apache DS:
>>>
>>>   http://directory.apache.org/apacheds/1.0/15-about-the-sample-configurations-and-sample-directory-data.data/apache_ds_tutorial.ldif
>>>
>>>   When logging in, I always get the error below:
>>>
>>>   //-------------------
>>> [appfuse] WARN [http-80-Processor25] LoggerListener.onApplicationEvent(55) | Authentication event AuthenticationFailureBadCredentialsEvent: jfryer; details: [EMAIL PROTECTED]: RemoteIpAddress: 127.0.0.1; SessionId: 4EA50EF9019AA1D0630D1B1A1F88E663; exception: Bad credentials
>>>   //-------------------
>>>
>>>  Below is the security.xml
>>>
>>>   //-------------------
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>        xmlns:aop="http://www.springframework.org/schema/aop"
>>>        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>>>             http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
>>>
>>>     <!-- ======================== FILTER CHAIN ======================= -->
>>>     <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
>>>         <property name="filterInvocationDefinitionSource">
>>>             <value>
>>>                 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
>>>                 PATTERN_TYPE_APACHE_ANT
>>>                 /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
>>>             </value>
>>>             <!-- Put channelProcessingFilter before securityContextHolderAwareRequestFilter to turn on SSL switching -->
>>>             <!-- It's off by default b/c Canoo WebTest doesn't support SSL out-of-the-box -->
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
>>>
>>>     <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
>>>         <constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout -->
>>>         <constructor-arg>
>>>             <list>
>>>                 <ref bean="rememberMeServices"/>
>>>                 <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
>>>             </list>
>>>         </constructor-arg>
>>>         <property name="filterProcessesUrl" value="/logout.jsp"/>
>>>     </bean>
>>>
>>>     <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
>>>         <property name="authenticationManager" ref="authenticationManager"/>
>>>         <property name="authenticationFailureUrl" value="/login.jsp?error=true"/>
>>>         <property name="defaultTargetUrl" value="/"/>
>>>         <property name="filterProcessesUrl" value="/j_security_check"/>
>>>         <property name="rememberMeServices" ref="rememberMeServices"/>
>>>     </bean>
>>>
>>>     <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
>>>
>>>     <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
>>>         <property name="authenticationManager" ref="authenticationManager"/>
>>>         <property name="rememberMeServices" ref="rememberMeServices"/>
>>>     </bean>
>>>
>>>     <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
>>>         <property name="key" value="anonymous"/>
>>>         <property name="userAttribute" value="anonymous,ROLE_ANONYMOUS"/>
>>>     </bean>
>>>
>>>     <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
>>>         <property name="authenticationEntryPoint">
>>>             <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
>>>                 <property name="loginFormUrl" value="/login.jsp"/>
>>>                 <property name="forceHttps" value="false"/>
>>>             </bean>
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
>>>         <property name="authenticationManager" ref="authenticationManager"/>
>>>         <property name="accessDecisionManager" ref="accessDecisionManager"/>
>>>         <property name="objectDefinitionSource">
>>>             <value>
>>>                 PATTERN_TYPE_APACHE_ANT
>>>                 /clickstreams.jsp*=admin
>>>                 /flushCache.*=admin
>>>                 /passwordHint.html*=ROLE_ANONYMOUS,admin,user
>>>                 /reload.*=admin
>>>                 /signup.html*=ROLE_ANONYMOUS,admin,user
>>>                 /users.html*=admin
>>>                 /**/*.html*=admin,user
>>>             </value>
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
>>>         <property name="allowIfAllAbstainDecisions" value="false"/>
>>>         <property name="decisionVoters">
>>>             <list>
>>>                 <bean class="org.acegisecurity.vote.RoleVoter">
>>>                     <property name="rolePrefix" value=""/>
>>>                 </bean>
>>>             </list>
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
>>>         <property name="userDetailsService" ref="userDao"/>
>>>         <property name="key" value="appfuseRocks"/>
>>>         <property name="parameter" value="rememberMe"/>
>>>     </bean>
>>>
>>>     <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
>>>         <property name="providers">
>>>             <list>
>>>                 <ref local="ldapAuthProvider"/>
>>>                 <ref local="anonymousAuthenticationProvider"/>
>>>                 <ref local="rememberMeAuthenticationProvider"/>
>>>             </list>
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
>>>         <constructor-arg value="ldap://localhost"/>
>>>         <property name="managerDn">
>>>             <value>uid=admin,OU=system</value>
>>>         </property>
>>>         <property name="managerPassword">
>>>             <value>secret</value>
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
>>>       <constructor-arg index="0">
>>>         <value></value>
>>>       </constructor-arg>
>>>       <constructor-arg index="1">
>>>         <value>(uid={0})</value>
>>>       </constructor-arg>
>>>       <constructor-arg index="2">
>>>         <ref local="initialDirContextFactory" />
>>>       </constructor-arg>
>>>       <property name="searchSubtree">
>>>         <value>true</value>
>>>       </property>
>>>     </bean>
>>>
>>>     <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
>>>       <constructor-arg>
>>>         <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
>>>            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
>>>            <property name="userDnPatterns"><list><value>uid={0},ou=people,o=sevenSeas</value></list></property>
>>>         </bean>
>>>       </constructor-arg>
>>>       <constructor-arg>
>>>         <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
>>>            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
>>>            <constructor-arg><value>ou=groups</value></constructor-arg>
>>>            <property name="groupRoleAttribute"><value>ou</value></property>
>>>         </bean>
>>>       </constructor-arg>
>>>     </bean>
>>>
>>>
>>>     <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
>>>         <property name="key" value="anonymous"/>
>>>     </bean>
>>>
>>>     <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
>>>         <property name="key" value="appfuseRocks"/>
>>>     </bean>
>>>
>>>     <!-- This bean definition must be available to ApplicationContext.getBean() so StartupListener
>>>          can look for it and detect if password encryption is turned on or not -->
>>>     <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>
>>>
>>>     <!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
>>>     <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
>>>
>>>     <!-- Apply method-level interceptor to userManager bean -->
>>>     <aop:config>
>>>         <aop:advisor id="managerSecurity" advice-ref="methodSecurityInterceptor" pointcut="execution(* org.appfuse.service.UserManager.*(..))"/>
>>>     </aop:config>
>>>
>>>     <bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
>>>         <property name="authenticationManager" ref="authenticationManager"/>
>>>         <property name="accessDecisionManager" ref="accessDecisionManager"/>
>>>         <property name="objectDefinitionSource">
>>>              <value>
>>>                  org.appfuse.service.UserManager.getUsers=admin
>>>                  org.appfuse.service.UserManager.removeUser=admin
>>>              </value>
>>>         </property>
>>>     </bean>
>>>
>>>     <!-- SSL Switching: to use this, configure it in the filterChainProxy bean -->
>>>     <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
>>>         <property name="channelDecisionManager" ref="channelDecisionManager"/>
>>>         <property name="filterInvocationDefinitionSource">
>>>             <value>
>>>                 PATTERN_TYPE_APACHE_ANT
>>>                 /admin/**=REQUIRES_SECURE_CHANNEL
>>>                 /login*=REQUIRES_SECURE_CHANNEL
>>>                 /j_security_check*=REQUIRES_SECURE_CHANNEL
>>>                 /editProfile.html*=REQUIRES_SECURE_CHANNEL
>>>                 /signup.html*=REQUIRES_SECURE_CHANNEL
>>>                 /saveUser.html*=REQUIRES_SECURE_CHANNEL
>>>                 /**=REQUIRES_INSECURE_CHANNEL
>>>             </value>
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
>>>         <property name="channelProcessors">
>>>             <list>
>>>                 <bean class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
>>>                 <bean class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>
>>>             </list>
>>>         </property>
>>>     </bean>
>>> </beans>
>>>
>>>   //-------------------
>>>
>>>   If anyone could give me help ? ^^
>>>
>>>   Thanks very much.
>>>
>>> -- 
>>> ChenRanHow
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>
>>>
>>
>>
> 

-- 
View this message in context: 
http://www.nabble.com/Ldap-error%2C-exception%3A-Bad-credentials-tf3546459s2369.html#a10240309
Sent from the AppFuse - User mailing list archive at Nabble.com.
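
Added example, not part of the thread and not AppFuse or Acegi code: a Python generator for LDIF entries shaped to the ldapProvider configuration quoted above (uid={0} under ldap.base, groupOfUniqueNames groups whose cn becomes the role), with userPassword stored in the {SSHA} form that LdapShaPasswordEncoder handles. It assumes users and role groups sit directly under ou=system and that uniqueMember holds the user's full DN; the uid jdoe, its password and all function names are constructed.

```python
import base64
import hashlib
import hmac
import os
import re

BASE_DN = "ou=system"  # ldap.base from the quoted ldap.properties

def ssha(password, salt=None):
    """userPassword value in {SSHA} form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check(password, stored):
    """Verify a password against a {SHA} or {SSHA} value (SHA-1 digest is 20 bytes)."""
    scheme, _, b64 = stored.partition("}")
    if scheme.upper() not in ("{SHA", "{SSHA"):
        return False
    raw = base64.b64decode(b64)
    expected = hashlib.sha1(password.encode("utf-8") + raw[20:]).digest()
    return hmac.compare_digest(raw[:20], expected)

def _safe(name):
    # Refuse anything that would need DN or LDIF escaping (",", "=", newlines, ...).
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError(f"unsafe name for a DN component: {name!r}")
    return name

def user_entry(uid, cn, sn, password, salt=None):
    """Entry found by userDnPatterns uid={0} and the (uid={0}) search under BASE_DN."""
    dn = f"uid={_safe(uid)},{BASE_DN}"
    attrs = ["objectClass: top", "objectClass: person",
             "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
             f"uid: {uid}", f"cn: {cn}", f"sn: {sn}",
             f"userPassword: {ssha(password, salt)}"]
    return dn, "\n".join([f"dn: {dn}"] + attrs) + "\n"

def role_entry(role, member_dns):
    """Group whose cn becomes the role; assumption: uniqueMember is the user's full DN."""
    lines = [f"dn: cn={_safe(role)},{BASE_DN}", "objectClass: top",
             "objectClass: groupOfUniqueNames", f"cn: {role}"]
    lines += [f"uniqueMember: {dn}" for dn in member_dns]
    return "\n".join(lines) + "\n"

def sample_ldif():
    # Constructed sample user; role names come from the quoted objectDefinitionSource.
    dn, user = user_entry("jdoe", "John Doe", "Doe", "changeit")
    return "\n".join([user, role_entry("user", [dn]), role_entry("admin", [dn])])
```

`print(sample_ldif())` writes the three entries; with rolePrefix empty and convertToUpperCase false, the group cn values have to match the role names in objectDefinitionSource exactly.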
