Posted to slide-user@jakarta.apache.org by Ryan Yanchuleff <ry...@dharbor.com> on 2005/09/09 15:28:57 UTC

ACL Roles versus Groups concerning LDAP

Hey all,

I am trying to configure my SLIDE implementation to run against LDAP. I
can't afford to configure all of my LDAP users directly in my domain.xml
file. I was under the impression that I could have SLIDE recognize my
LDAP roles. Is this a true statement?

For instance:

I have allowed the role "/roles/Administrator" to have "all" access in
my domain.xml:

<permission action="all" subject="/roles/Administrator" inheritable="true"/>

I have a user in LDAP, myUser, who is a
memberOf=CN=Administrator,OU=Pie,OU=Groups,OU=Special Users and Groups,OU=ABC,DC=devl,DC=org

But when I attempt to log in, I get a 403 Forbidden message. It appears
SLIDE is not recognizing that my user has the Administrator role. And
this is where I think my fundamental misunderstanding of the difference
between roles and groups might be an issue.

Can anyone help clear up this confusion and perhaps recommend a solution
for my dilemma?

Thanks!

-Ryan

I have my domain.xml connecting to my LDAP server via:

<!-- users: one Slide principal per LDAP entry matching the search filter, named by its cn -->
<store name="users">
    <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
        <parameter name="jndi.container">ou=ABC,dc=devl,dc=org</parameter>
        <parameter name="jndi.attributes.rdn">cn</parameter>
        <parameter name="jndi.search.filter">(objectClass=user)</parameter>
        <parameter name="jndi.search.scope">SUBTREE_SCOPE</parameter>
        <parameter name="jndi.search.attributes">cn</parameter>
        <parameter name="java.naming.provider.url">ldap://my.ldap.org:389</parameter>
        <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
        <parameter name="java.naming.security.principal">eAdmin</parameter>
        <parameter name="java.naming.security.authentication">simple</parameter>
        <parameter name="java.naming.security.credentials">p1</parameter>
    </nodestore>
    <sequencestore classname="org.apache.slide.store.txfile.FileSequenceStore">
        <parameter name="rootpath">store/sequence</parameter>
    </sequencestore>
    <securitystore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
        <parameter name="rootpath">users/store/metadata</parameter>
        <parameter name="workpath">users/work/metadata</parameter>
        <parameter name="defer-saving">true</parameter>
        <parameter name="timeout">120</parameter>
    </securitystore>
    <lockstore>
        <reference store="securitystore"/>
    </lockstore>
    <revisiondescriptorsstore>
        <reference store="nodestore"/>
    </revisiondescriptorsstore>
    <revisiondescriptorstore>
        <reference store="nodestore"/>
    </revisiondescriptorstore>
    <contentstore>
        <reference store="nodestore"/>
    </contentstore>
</store>
<!-- roles: one Slide role per LDAP group under the container; membership is taken
     from the group's "member" attribute (jndi.attribute.groupmemberset) -->
<store name="roles">
    <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
        <parameter name="jndi.container">ou=ABC,dc=devl,dc=org</parameter>
        <parameter name="jndi.attributes.rdn">cn</parameter>
        <parameter name="jndi.attribute.groupmemberset">member</parameter>
        <parameter name="jndi.search.filter">(objectClass=group)</parameter>
        <parameter name="jndi.search.scope">SUBTREE_SCOPE</parameter>
        <parameter name="jndi.search.attributes">cn</parameter>
        <parameter name="java.naming.provider.url">ldap://my.ldap.org:389</parameter>
        <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
        <parameter name="java.naming.security.principal">eAdmin</parameter>
        <parameter name="java.naming.security.authentication">simple</parameter>
        <parameter name="java.naming.security.credentials">p1</parameter>
    </nodestore>
    <sequencestore classname="org.apache.slide.store.txfile.FileSequenceStore">
        <parameter name="rootpath">store/sequence</parameter>
    </sequencestore>
    <securitystore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
        <parameter name="rootpath">roles/store/metadata</parameter>
        <parameter name="workpath">roles/work/metadata</parameter>
        <parameter name="defer-saving">true</parameter>
        <parameter name="timeout">120</parameter>
    </securitystore>
    <lockstore>
        <reference store="securitystore"/>
    </lockstore>
    <revisiondescriptorsstore>
        <reference store="nodestore"/>
    </revisiondescriptorsstore>
    <revisiondescriptorstore>
        <reference store="nodestore"/>
    </revisiondescriptorstore>
    <contentstore>
        <reference store="nodestore"/>
    </contentstore>
</store>
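The following is an added illustration of the resolution path the roles store above describes; it is not Slide's code and not part of Ryan's post. It models a roles store configured with a container, a subtree scope, an (objectClass=group) filter and a group member-set attribute, resolves a user's role URIs from the groups' "member" values, and then evaluates the permission element from the post against those URIs. The in-memory directory, the "/roles/<cn>" and "/users/<cn>" URI convention, and the DN normalisation rules are assumptions made for the example, as is the fourth entry (a same-named group outside the container) used to show what the container boundary excludes.

```python
"""Role resolution from LDAP groups, as an offline model of the roles store
configured in the post.  Nothing here talks to a real directory; the entries
are constructed for the example and the URI scheme is assumed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed directory keyed by DN.  Mixed case mirrors the post, which
# writes the container as ou=ABC,dc=devl,dc=org but the group as
# CN=Administrator,...,OU=ABC,DC=devl,DC=org.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=myUser,OU=People,OU=ABC,DC=devl,DC=org": {
        "objectClass": ["user"], "cn": ["myUser"],
        "memberOf": ["CN=Administrator,OU=Pie,OU=Groups,OU=Special Users and Groups,OU=ABC,DC=devl,DC=org"],
    },
    "CN=otherUser,OU=People,OU=ABC,DC=devl,DC=org": {
        "objectClass": ["user"], "cn": ["otherUser"], "memberOf": [],
    },
    "CN=Administrator,OU=Pie,OU=Groups,OU=Special Users and Groups,OU=ABC,DC=devl,DC=org": {
        "objectClass": ["group"], "cn": ["Administrator"],
        "member": ["CN=myUser,OU=People,OU=ABC,DC=devl,DC=org"],
    },
    # Assumed extra entry: a group with the same cn that lives OUTSIDE the
    # configured container, so a search based at ou=ABC must not return it.
    "CN=Administrator,OU=Groups,OU=XYZ,DC=devl,DC=org": {
        "objectClass": ["group"], "cn": ["Administrator"],
        "member": ["CN=otherUser,OU=People,OU=ABC,DC=devl,DC=org"],
    },
}

# The roles store parameters from the post, as a plain mapping.
ROLES_STORE = {
    "jndi.container": "ou=ABC,dc=devl,dc=org",
    "jndi.attributes.rdn": "cn",
    "jndi.attribute.groupmemberset": "member",
    "jndi.search.filter": ("objectClass", "group"),   # simple equality filter
    "jndi.search.scope": "SUBTREE_SCOPE",
}

def normalize_dn(dn: str) -> str:
    """Lower-case every RDN and drop whitespace around separators so that
    CN=...,DC=devl and cn=...,dc=devl compare equal.  Good enough for the
    DNs in the post; escaped commas inside values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """JNDI SearchControls semantics for the two scopes that matter here."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    if scope == "SUBTREE_SCOPE":
        return e == b or e.endswith("," + b)
    if scope == "ONELEVEL_SCOPE":
        return e.endswith("," + b) and "," not in e[: -len(b) - 1]
    raise ValueError("unsupported scope: " + scope)

def search(base_dn: str, scope: str, attr: str, value: str) -> Dict[str, Dict[str, List[str]]]:
    """Return the entries under base_dn (per scope) whose attr equals value."""
    return {dn: attrs for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope)
            and any(v.lower() == value.lower() for v in attrs.get(attr, []))}

def roles_for(user_dn: str, cfg=ROLES_STORE) -> Set[str]:
    """Roles are read from each group's member set (the direction the
    groupmemberset parameter configures), not from the user's memberOf."""
    attr, value = cfg["jndi.search.filter"]
    groups = search(cfg["jndi.container"], cfg["jndi.search.scope"], attr, value)
    me = normalize_dn(user_dn)
    roles: Set[str] = set()
    for attrs in groups.values():
        members = {normalize_dn(m) for m in attrs.get(cfg["jndi.attribute.groupmemberset"], [])}
        if me in members:
            roles.add("/roles/" + attrs[cfg["jndi.attributes.rdn"]][0])
    return roles

def principals_for(user_dn: str) -> Set[str]:
    """The user's own URI plus every role resolved for it (assumed scheme)."""
    entry = DIRECTORY.get(user_dn)
    if entry is None:
        return set()
    return {"/users/" + entry["cn"][0]} | roles_for(user_dn)

@dataclass
class Permission:
    action: str
    subject: str
    inheritable: bool = True

# The single ACE from the post.
ACL: List[Permission] = [Permission(action="all", subject="/roles/Administrator", inheritable=True)]

def is_allowed(user_dn: str, action: str, acl: List[Permission] = ACL) -> bool:
    """Default deny: a request is granted only if some ACE names a principal
    the user actually holds.  No match is the 403 the post reports."""
    held = principals_for(user_dn)
    return any(p.subject in held and p.action in ("all", action) for p in acl)

if __name__ == "__main__":
    for dn, attrs in DIRECTORY.items():
        if "user" in attrs["objectClass"]:
            status = 200 if is_allowed(dn, "read") else 403
            print(f"{dn}: principals={sorted(principals_for(dn))} -> {status}")
```

Two things the model makes visible. First, the roles store only ever sees groups inside jndi.container and only learns membership from the group's own member attribute, so the practical check against a real directory is whether the bind account (eAdmin in the post) can search that base with (objectClass=group) and read the member values of CN=Administrator, for example with ldapsearch using the same URL, bind DN and base; a user's memberOf proves nothing if that read fails. Second, DN comparison has to be normalised, since the post itself mixes CN=...,DC=devl with ou=...,dc=devl. Unrelated to the 403 but worth noting from the same configuration: simple bind over ldap://my.ldap.org:389 sends the service account password in the clear, so an ldaps:// URL (or StartTLS) is the safer choice once it works.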


Re: ACL Roles versus Groups concerning LDAP

Posted by Jeroen Reijn <j....@hippo.nl>.
Hi Ryan,

I'm looking at slide authentication with LDAP as well.
Looking at the javadoc, you cannot authenticate directly with Slide; you will
need something like Tomcat or Jetty in front.

See for more information:
(http://www.jsourcery.com/output/apache/jakarta/slide/server/2.1/org/apache/slide/store/txjndi/JNDIPrincipalStore.html)

Greetz,

Jeroen


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org