Posted to dev@roller.apache.org by Dave <sn...@gmail.com> on 2010/02/02 20:35:17 UTC
Re: LDAP authentication and automation of user creation
Yes to both questions. Externalized User Management is in trunk and I
can help you get started with it by answering your questions (but as
you've seen I can't guarantee quick response ;-)
- Dave
On Wed, Jan 27, 2010 at 4:32 PM, jason mayer <ja...@gmail.com> wrote:
> I was looking into the feasibility of automating the creation of user
> entries into the rolleruser db table, when I came across a post saying
> that roller 5.0 was "coming soon". Investigating further I found a
> proposal that had been implemented and was wondering if it was already
> in trunk.
>
> http://cwiki.apache.org/confluence/display/ROLLER/Proposal+Externalize+User+And+Permissions+Management
>
> I suppose my questions are,
>
> Is there a planned release date for 5.0?
> If I build from subversion will I be able to play with this functionality?
>
> Thanks
>
Re: LDAP authentication and automation of user creation
Posted by jason mayer <ja...@gmail.com>.
OK, I can verify at this point that I'm not attempting to communicate
via LDAP at all. I set up a proxy (don's proxy on sourceforge) to
listen in on requests. I verified that it was working correctly by
telnetting to localhost 11389 and I could see my transmitted data. I
updated my security.xml config to use Spring Security 2.0 mappings.
I'll include the config in case anyone has any recommendations.
I also tried to write a unit test to validate the Authentication
Object, but I had problems getting one set up because of sax parser
errors (http://www.springframework.org/schema/security/spring-security-2.0.1-openidfix.xsd
does not resolve). The guides on springsource reference
http://www.springframework.org/schema/security/spring-security-2.0.4.xsd,
and it appears to have the fix to the problem mentioned in ROL-1733.
If anyone has any suggestions at this point, I'm definitely open to
ideas.
<http> <!-- snipped for brevity -->
    <intercept-url pattern="/roller-ui/user.do*" access="register"/>
</http>

<!-- Hand-built ProviderManager that holds only the LDAP provider -->
<beans:bean id="authenticationManager"
            class="org.springframework.security.providers.ProviderManager"
            name="authenticationManagerAlias">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="ldapAuthProvider"/>
        </beans:list>
    </beans:property>
</beans:bean>

<!-- Directory connection; userDn/password are the manager credentials
     used for the user search (the values here are placeholders) -->
<beans:bean id="contextSource"
            class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg index="0" value="ldap://localhost:11389"/>
    <beans:property name="userDn" value="username"/>
    <beans:property name="password" value="password"/>
</beans:bean>

<!-- Locates the user's DN by sAMAccountName under CN=Users -->
<beans:bean id="ldapUserSearch"
            class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="CN=Users,DC=blah,DC=com"/>
    <beans:constructor-arg index="1" value="sAMAccountName={0}"/>
    <beans:constructor-arg index="2" ref="contextSource"/>
    <beans:property name="searchSubtree" value="true"/>
</beans:bean>

<!-- Binds as the located DN with the submitted password; authorities
     are then loaded from Roller's own user service -->
<beans:bean id="ldapAuthProvider"
            class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean
            class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <beans:constructor-arg ref="contextSource"/>
            <beans:property name="userSearch" ref="ldapUserSearch"/>
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean
            class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="rollerUserService"/>
        </beans:bean>
    </beans:constructor-arg>
    <!-- I tried this alternate populator as well, it also did not work -->
    <!--
    <beans:constructor-arg>
        <beans:bean
            class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="contextSource"/>
            <beans:constructor-arg index="1"
                                   value="CN=Users,DC=blah,DC=com"/>
        </beans:bean>
    </beans:constructor-arg>
    -->
</beans:bean>
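For comparison, here is an added example (not from Jason's post and not Roller's shipped security.xml) of the same LDAP setup written against the Spring Security 2.0.x namespace. In 2.0.x the <http> element builds its own ProviderManager from the top-level <authentication-provider> and <ldap-authentication-provider> elements, plus any bean carrying the <custom-authentication-provider/> marker, and the filter chain only ever calls that manager; a separately declared ProviderManager bean under the alias name is not consulted. The host name, bind DN, base DN and the ldap.properties file are assumptions for illustration; rollerUserService is the bean name from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not Roller's shipped security.xml: Spring Security 2.0.x
     config that registers an LDAP provider with the manager that <http>
     builds, while authorities still come from Roller's own user service.
     Host, bind DN, base DN and the properties file are placeholders. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!-- Keeps the bind password out of security.xml (ldap.properties is assumed) -->
    <beans:bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <beans:property name="location" value="classpath:ldap.properties"/>
    </beans:bean>

    <http>
        <intercept-url pattern="/roller-ui/user.do*" access="register"/>
        <!-- keep Roller's own form-login/logout/openid-login elements here;
             a bare form-login is used only so this fragment starts on its own -->
        <form-login/>
    </http>

    <!-- Alias for the ProviderManager that <http> wires into its filters.
         Declaring a second ProviderManager bean under this name does not replace it. -->
    <authentication-manager alias="authenticationManagerAlias"/>

    <!-- Deliberately no <authentication-provider user-service-ref="rollerUserService"/>:
         leaving it in keeps the JDBC-backed DaoAuthenticationProvider registered, so a
         password stored in the rolleruser table still logs in whatever the directory says. -->

    <!-- Directory connection. ldaps:// keeps the manager credentials and every user's
         bind password off the wire; a plain ldap:// URL is fine only for a local
         debugging proxy such as the one on localhost:11389 in the post. -->
    <ldap-server id="contextSource"
                 url="ldaps://ad.example.com:636"
                 manager-dn="CN=roller-bind,CN=Users,DC=blah,DC=com"
                 manager-password="${ldap.manager.password}"/>

    <beans:bean id="ldapUserSearch"
                class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <beans:constructor-arg index="0" value="CN=Users,DC=blah,DC=com"/>
        <!-- {0} is handed to JNDI as a filter argument and escaped there, so a login
             name such as "*)(sAMAccountName=*" cannot widen the search -->
        <beans:constructor-arg index="1" value="(sAMAccountName={0})"/>
        <beans:constructor-arg index="2" ref="contextSource"/>
        <beans:property name="searchSubtree" value="true"/>
    </beans:bean>

    <beans:bean id="ldapAuthProvider"
                class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <!-- 2.0.x marker element: registers this bean with the namespace's manager -->
        <custom-authentication-provider/>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="ldapUserSearch"/>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <!-- The directory checks the password; roles still come from Roller's tables -->
            <beans:bean class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="rollerUserService"/>
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
</beans:beans>
```

A quick check that the directory is really being consulted: with this wiring, a login attempt should produce a bind on the ldaps port (visible in the directory's logs or a proxy such as the one from the post), and a user whose Roller password is correct but whose directory password is wrong should be rejected.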
Re: LDAP authentication and automation of user creation
Posted by jason mayer <ja...@gmail.com>.
I may be just failing to understand how to configure the security.xml
file. I do not seem to be authenticating against LDAP at all. I
realize that this is more of a spring question, but how do you specify
that you want to use LDAP instead of jdbc? I'm currently not even
attempting to authenticate over LDAP - it's still hitting the database
for authentication.
In the security.xml file are two entries that I guess I don't fully understand.
<authentication-manager alias='authenticationManagerAlias'/>
<authentication-provider user-service-ref="rollerUserService"/>
I read some documentation on Spring-security 2.0,
(http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ldap.html),
but I'm afraid I don't understand why I am failing to authenticate via
ldap.
I thought I could modify the authentication manager to specify the
ldapAuthProvider in the example security.xml file, but that didn't
seem to work. Here's what I tried.
I commented out
<!-- <authentication-manager alias='authenticationManagerAlias'/> -->
and added
<beans:bean id="authenticationManager"
            class="org.springframework.security.providers.ProviderManager"
            name="authenticationManagerAlias">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="ldapAuthProvider"/>
            <beans:ref local="openIDAuthProvider"/>
        </beans:list>
    </beans:property>
</beans:bean>
I also tried at one point adding in things like this: (like in the
example documentation)
<ldap-server url="ldap://springframework.org:389/dc=springframework,dc=org" />
but there wasn't any change and so I took those out. Before this week
I hadn't done anything with spring, so I apologize if this is a newbie
question. I imagine (based on the roller dev archives) that this will
be a fairly popular question after the 5.0 release. Well, thanks in
advance for any help you can offer.
On Tue, Feb 2, 2010 at 1:35 PM, Dave <sn...@gmail.com> wrote:
> Yes to both questions. Externalized User Management is in trunk and I
> can help you get started with it by answering your questions (but as
> you've seen I can't guarantee quick response ;-)
>
> - Dave