Thanks Angela,

I placed my Admin user on the root ACL, because I couldn't figure out how to get the Sun LDAPLoginModule to provide Group principals. I also use an Admin user with an identical ID to the default.

I was still getting errors on startup, but these turned out to be due to a lot of Sessions being created at Sling startup, and my local OpenLDAP was not handling all the concurrent logins. Once these startup tasks complete, the setup works fine. I think I'll just stick with the default Jackrabbit LoginModule for now, since it handles the concurrent logins far better.

Thanks for your help

Regards,
Rory

On Fri, Jan 16, 2009 at 4:12 AM, Angela Schreiber <[email protected]> wrote:

> hi
>
>> Does anyone have an insight into this problem? Are there people on this
>> list using pre-built JAAS LoginModules with Jackrabbit?
>
> i didn't up to now.
>
> basically the access evaluation should work even if
> there is not admin/system principal. the workspace
> access if i'm not mistaken just uses it as shortcut
> (and so does the access control provider) and
> otherwise starts the general access evaluation process.
>
>> If I start with a working configuration (using DefaultAccessManager and
>> DefaultLoginModule), and add a login.conf file that configures the Sun
>> LdapLoginModule, my Session logins throw exceptions "Unable to access
>> workspace 'default'".
>
> but i'd say that this is not primarily caused by
> the principal classes but rather by the fact that your
> user doesn't have any acl-entries set thus isn't
> allowed anything.
>
> what happens is:
> - default security manager retrieves adminId from
>   config (or uses default values)
> - .. and creates system users:
>   > admin, anonymous and administrators
>   > adds admin to administrators group
> - acl provider creates minimal acls on the root
>   > allowing read for everybody
>   > allowing all permissions for the admins
>
> now, with your custom login-module i assume that you
> - don't pass the adminId to the security manager
> - don't have everybody principal added to the set of
>   principals present with the subject.
>
> consequently, the ac-evaluation will not find any
> matching aces for your set of principals.
>
> regards
> angela
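
The ACE matching described in the quoted reply, as an added example that is not part of the original thread and is not Jackrabbit's own code: a small model built only on the standard JAAS `Subject` type (Java 16 or later). The class `RootAclModel`, the principal names (`ldap-admin`, `everyone`, `administrators`) and the privilege names are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Simplified model of root-ACL evaluation; not Jackrabbit code.
public class RootAclModel {
    // Hypothetical principal type standing in for whatever the LoginModule emits.
    record Named(String name) implements Principal {
        public String getName() { return name; }
    }
    // One access control entry: a principal name and the privileges it grants.
    record Ace(String principal, Set<String> privileges) {}

    // Minimal root ACL as described in the thread (names are constructed):
    // read for everybody, all permissions for the administrators group.
    static List<Ace> defaultRootAcl() {
        return new ArrayList<>(List.of(
            new Ace("everyone", Set.of("read")),
            new Ace("administrators", Set.of("read", "write", "modifyAcl"))));
    }

    // Builds a Subject carrying exactly the given principal names.
    static Subject subject(String... names) {
        Subject s = new Subject();
        for (String n : names) s.getPrincipals().add(new Named(n));
        return s;
    }

    // Union of privileges from every ACE whose principal is on the Subject.
    // No matching ACE gives an empty set: the login cannot read the workspace.
    static Set<String> effective(Subject s, List<Ace> acl) {
        Set<String> names = new HashSet<>();
        for (Principal p : s.getPrincipals()) names.add(p.getName());
        Set<String> granted = new TreeSet<>();
        for (Ace ace : acl)
            if (names.contains(ace.principal())) granted.addAll(ace.privileges());
        return granted;
    }

    public static void main(String[] args) {
        List<Ace> acl = defaultRootAcl();
        // External LoginModule that supplies only a user principal: nothing matches.
        System.out.println("user principal only: " + effective(subject("ldap-admin"), acl));
        // Same user once the everybody principal is part of the Subject.
        System.out.println("plus everyone:       " + effective(subject("ldap-admin", "everyone"), acl));
        // Workaround from the thread: an ACE for the user itself on the root ACL.
        acl.add(new Ace("ldap-admin", Set.of("read", "write", "modifyAcl")));
        System.out.println("user ACE on root:    " + effective(subject("ldap-admin"), acl));
    }
}
```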
