Hello list,

For a project I'm trying to login to an LDAP server through Cocoon 2.1. In
doing so I run into some problems.

I would have liked to use Tomcat's JNDIRealm and BASIC authentication to
take care of matters. But since the LDAP Server we talk to is co-located
with Netware's eDirectory, this presents a problem for cleartext passwords.
Novell strives for C2 security compliance, therefore they do not expose the
userpassword.

However, the co-located eDirectory/LDAP Server does not preclude the following
(non C2-compliant) scenario:
1. get user distinguished name from user's common name.
2. bind with the user's distinguished name and password.

So we decided to change over to FORM based authentication. In Cocoon we want
to create one or more pipelines that perform LDAP queries. I would have liked
to use the LDAPTransformer supplied with Cocoon. This transformer, however,
doesn't return the distinguished name of objects it finds. I've modified it
to return the distinguished name as an attribute ldap:dn of the row element.
I've called my transformer nps-ldap. If anybody is interested in the change,
please let me know.

Here's what I've come up so far:

First, a partial pipeline from my sitemap:
<!-- sitemap.xmap -->
...
<map:match pattern="ldapLogin">
   <map:generate src="context://dummy.xml"/>
   <map:transform type='xslt' src='files/ldap/userContext.xsl'>
    <map:parameter name="username" value="request-param:username"/>
   </map:transform>
   <map:transform type='nps-ldap'/>
   <map:transform type='xslt' src='files/ldap/bindUser.xsl'>
      <map:parameter name="qualified-username" value="{../ldap:execute-query-results/ldap:execute-query-object/@ldap:dn}"/>
      <map:parameter name="password" value="request-param:password"/>
   </map:transform>
   <map:transform type='nps-ldap'/>
   <map:serialize type="xml"/>
</map:match>
...

And the contents of files/ldap/userContext.xsl and files/ldap/bindUser.xsl.
<!-- files/ldap/userContext.xsl -->
<?xml version='1.0' encoding='UTF-8'?>

<xsl:transform
    version='1.0' 
    xmlns:xsl='http://www.w3.org/1999/XSL/Transform'
    xmlns='http://apache.org/cocoon/LDAP/1.0'>
<xsl:output method='xml'/>

<xsl:param name='username'></xsl:param>

<xsl:template match='/'>
<execute-query>
   <initializer>com.sun.jndi.ldap.LdapCtxFactory</initializer>
   <authentication>simple</authentication>
   <version>2</version>
   <serverurl>ldap://localhost</serverurl>
   <port>389</port>
   <scope>SUBTREE_SCOPE</scope>
   <searchbase>o=Acme</searchbase>
   <rootdn>cn=admin,o=Acme</rootdn>
   <password>secret</password>
   <filter>(&amp; (objectClass=inetOrgPerson)(cn=<xsl:value-of select='$username'/>))</filter>
   <debug>TRUE</debug>
   <deref-link>TRUE</deref-link>
   <count-limit>1</count-limit>
   <time-limit>0</time-limit>
   <show-attribute>TRUE</show-attribute>
   <doc-element>ldap:execute-query-results</doc-element>
   <row-element>ldap:execute-query-object</row-element>
   <error-element>ldap:execute-query-error</error-element>
   <sax-error>FALSE</sax-error>
   <attribute/>  
</execute-query>
</xsl:template>

</xsl:transform>

<!-- files/ldap/bindUser.xsl -->
<?xml version='1.0' encoding='UTF-8'?>

<xsl:transform
    version='1.0' 
    xmlns:xsl='http://www.w3.org/1999/XSL/Transform'
    xmlns:ldap='http://apache.org/cocoon/LDAP/1.0'
    xmlns='http://apache.org/cocoon/LDAP/1.0'>
<!-- default namespace added so the unprefixed execute-query elements below
     land in the LDAP namespace, as in userContext.xsl -->
<xsl:output method='xml'/>

<xsl:param name='qualified-username'/>
<xsl:param name='password'/>

<xsl:template match='/'>
<execute-query>
   <initializer>com.sun.jndi.ldap.LdapCtxFactory</initializer>
   <authentication>simple</authentication>
   <version>2</version>
   <serverurl>ldap://localhost</serverurl>
   <port>389</port>
   <scope>SUBTREE_SCOPE</scope>
   <!-- Parametrize searchbase, rootdn and password -->
   <searchbase><xsl:value-of select='$qualified-username'/></searchbase>
   <rootdn><xsl:value-of select='$qualified-username'/></rootdn>
   <password><xsl:value-of select='$password'/></password>
   <filter>(objectclass=inetOrgPerson)</filter>
   <debug>TRUE</debug>
   <deref-link>TRUE</deref-link>
   <count-limit>0</count-limit>
   <time-limit>0</time-limit>
   <show-attribute>TRUE</show-attribute>
   <doc-element>ldap:execute-query-results</doc-element>
   <row-element>ldap:execute-query-object</row-element>
   <error-element>ldap:execute-query-error</error-element>
   <sax-error>FALSE</sax-error>
   <attribute/>  
</execute-query>
</xsl:template>

</xsl:transform>

The generator in the sitemap doesn't do anything in this setup. The sitemap
doesn't allow having no generator, so I just supply a bogus one.

Result after the first 2 transforms is:
<?xml version='1.0' encoding='utf-8'?>
<ldap:execute-query-results xmlns:ldap='http://apache.org/cocoon/LDAP/1.0'>
    <ldap:execute-query-object ldap:dn='Jane Doe,ou=Sales,o=Acme'/>
</ldap:execute-query-results>

I would like to use the value of the ldap:dn attribute as a parameter in the
third transformation. But I can't seem to get it right. Cocoon gives 'ldap:'
some special meaning. It looks like it is not treated as an XML namespace.

I've been reading the source PreparedVariableResolver.java, but I can't
figure out how to accomplish this. I suspect input modules to come into the
picture somewhere.

Can somebody explain this mechanism to me?


With kind regards,
Peter Paulus
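The two-step login described in the post above (look up the user's DN by cn under a service account, then bind as that DN with the supplied password), as an added example that is not part of the original mail or of Cocoon's LDAPTransformer. It runs offline against a constructed in-memory stand-in for the directory (the `DIRECTORY` dict, `search` and `bind` functions are stand-ins, not a JNDI or LDAP client), and adds the check the XSL above does not have: `userContext.xsl` inlines `$username` into the filter raw, so `escape_filter_value` applies RFC 4515 escaping, and `login` refuses to proceed unless step 1 yields exactly one entry. The base DN `o=Acme` and the entries are taken from or modelled on the post's own values; the passwords are made up.

```python
"""Two-step LDAP login (find DN by cn, then bind as that DN), with the
filter escaping and uniqueness check the XSL in the post leaves out."""
import re
from typing import Dict, List, Optional

# Constructed stand-in for the eDirectory tree: DN -> attributes (lowercase keys).
# Not a real server; passwords are made up for the example.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=admin,o=Acme": {"objectclass": ["person"], "cn": ["admin"], "userpassword": ["secret"]},
    "cn=Jane Doe,ou=Sales,o=Acme": {
        "objectclass": ["inetOrgPerson"], "cn": ["Jane Doe"], "userpassword": ["jane-pass"]},
    "cn=John Roe,ou=Sales,o=Acme": {
        "objectclass": ["inetOrgPerson"], "cn": ["John Roe"], "userpassword": ["john-pass"]},
}

_FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value; backslash first so the
    escape sequences produced afterwards are not themselves re-escaped."""
    out = value.replace("\\", r"\5c")
    for ch, esc in _FILTER_ESCAPES.items():
        out = out.replace(ch, esc)
    return out


def build_user_filter(username: str, escape: bool = True) -> str:
    """Step 1 filter. escape=False reproduces what userContext.xsl does
    (raw $username inside the filter); escape=True is the safe form."""
    value = escape_filter_value(username) if escape else username
    return f"(&(objectClass=inetOrgPerson)(cn={value}))"


_ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def _assertion_to_regex(raw: str) -> "re.Pattern[str]":
    """Stand-in matcher: an unescaped '*' is a wildcard, \\xx hex escapes are
    literal characters (the subset of RFC 4515 this example needs)."""
    parts = []
    for piece in re.split(r"(\\[0-9a-fA-F]{2}|\*)", raw):
        if piece == "*":
            parts.append(".*")
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", piece):
            parts.append(re.escape(chr(int(piece[1:], 16))))
        else:
            parts.append(re.escape(piece))
    return re.compile("".join(parts), re.IGNORECASE)


def bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind. The directory never returns userPassword
    to a search (the C2 point in the post), so a bind is the only way to
    verify it. An empty password would be an anonymous bind, so it is refused."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userpassword", [])


def search(bind_dn: str, bind_pw: str, base: str, filt: str) -> List[str]:
    """Stand-in for a SUBTREE search under the service account (the post's
    rootdn/password). Only AND-of-equality filters are understood."""
    if not bind(bind_dn, bind_pw):
        raise PermissionError("service bind failed")
    assertions = [(a.lower(), _assertion_to_regex(v)) for a, v in _ASSERTION.findall(filt)]
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        if all(any(rx.fullmatch(x) for x in attrs.get(a, [])) for a, rx in assertions):
            hits.append(dn)
    return hits


def login(username: str, password: str, escape: bool = True) -> Optional[str]:
    """The post's two steps. Returns the user's DN on success, None otherwise.
    Step 1 must yield exactly one entry: zero means unknown user, more than one
    means the filter was too broad (e.g. a wildcard smuggled into cn)."""
    hits = search("cn=admin,o=Acme", "secret", "o=Acme", build_user_filter(username, escape))
    if len(hits) != 1:
        return None
    return hits[0] if bind(hits[0], password) else None


if __name__ == "__main__":
    print(login("Jane Doe", "jane-pass"))          # cn=Jane Doe,ou=Sales,o=Acme
    print(login("*", "jane-pass", escape=False))   # None: raw '*' matches two entries
    print(login("*", "jane-pass"))                 # None: escaped '*' matches nothing
```

The `escape=False` path exists only to show why the uniqueness check matters: with the raw `$username` of the post's XSL, a value such as `*` widens the step 1 search to every inetOrgPerson under `o=Acme`, and `count-limit` 1 would then silently pick whichever entry the server returns first. Escaping the value and insisting on exactly one hit closes both gaps; the bind in step 2 still has to succeed with that entry's own password.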




