Posted to user@roller.apache.org by "Lihn, Steve" <ho...@merck.com> on 2006/09/14 21:41:13 UTC

Need help on LDAP integration with Roller / Acegi

Hi, 
I am trying to integrate Roller / Acegi into our enterprise LDAP. It does
not seem to work. The log does not say anything. Does anybody know how to:

1. Turn on the Acegi or Roller log level such that I can see the details of
authentication requests.
   I am not even sure whether Roller hits LDAP or not.

2. Need help on security.xml and roller-custom.properties. There is very
little documentation to guide me...    You can see the config changes below.
Let me explain how our LDAP works.

   First, the app has to bind as the appid (I think it is managerDN) in order
to do the initial search on a user. The search clause is (uid=<user_id>), so I
put that in ldapUserSearch. The next step is to retrieve the DN of the user
and bind that DN with his password. What I could not specify here is the DN of
the user.

The way our LDAP works is different from what is described in the reference
doc. The DN of a user is cn=<a unique string>,ou=Merck,ou=People,dc=iM-2,dc=com.
The cn is machine-generated by combining the person's name and a random number
to make it unique. It is not the uid (unfortunately, for historical reasons,
uid is not a unique identifier and therefore is not used in the DN).

I would assume Acegi can use ldapUserSearch to find the DN, and then bind
the DN (and user's password) to authenticate. But there seems to be some
missing pieces...

I made the following changes to roller-custom.properties:

#----------------------------------
# Single-Sign-On
users.sso.enabled=true

# Set these properties for a custom LDAP schema (optional)
users.sso.registry.ldap.attributes.name=mrkdisplayname1
users.sso.registry.ldap.attributes.email=mail
#users.sso.registry.ldap.attributes.locale=locale
#users.sso.registry.ldap.attributes.timezone=timezone
#----------------------------------
   Since we don't have locale and timezone, I commented them out.
   And I added the following to security.xml:

    <!-- Sample LDAP/RollerDB hybrid security configuration -->

    <!-- Connection to the directory. managerDn/managerPassword are the
         application account that performs the initial user search. -->
    <bean id="initialDirContextFactory"
          class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg value="ldaps://dsdvm01:636/ou=People,dc=iM-2,dc=com"/>
        <property name="managerDn">
            <value>cn=mrkwiki,ou=Applications,ou=Merck,ou=Services,dc=iM-2,dc=com</value>
        </property>
        <property name="managerPassword"><value>***</value></property>
        <property name="extraEnvVars">
            <map>
                <entry>
                    <key><value>java.naming.referral</value></key>
                    <value>follow</value>
                </entry>
            </map>
        </property>
    </bean>

    <!-- Locates the user's DN: search base (relative to the base DN in the
         URL above), search filter, and the context factory to search with. -->
    <bean id="ldapUserSearch"
          class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0"><value></value></constructor-arg>
        <constructor-arg index="1"><value>(uid={0})</value></constructor-arg>
        <constructor-arg index="2"><ref local="initialDirContextFactory"/></constructor-arg>
        <property name="searchSubtree"><value>true</value></property>
    </bean>

    <!-- Authenticates by binding as the DN returned by ldapUserSearch, then
         loads the user's roles from the Roller database. -->
    <bean id="ldapAuthProvider"
          class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
                <property name="userSearch"><ref bean="ldapUserSearch"/></property>
            </bean>
        </constructor-arg>
        <constructor-arg><ref local="jdbcAuthoritiesPopulator"/></constructor-arg>
        <property name="userCache" ref="userCache"/>
    </bean>

    <!-- Roles come from the Roller DB, not from LDAP. -->
    <bean id="jdbcAuthoritiesPopulator"
          class="org.apache.roller.ui.core.security.AuthoritiesPopulator">
        <property name="dataSource">
            <bean class="org.springframework.jndi.JndiObjectFactoryBean">
                <property name="jndiName" value="java:comp/env/jdbc/rollerdb"/>
            </bean>
        </property>
        <property name="authoritiesByUsernameQuery">
            <value>SELECT username,rolename FROM userrole WHERE username = ?</value>
        </property>
        <property name="defaultRole"><value>register</value></property>
    </bean>

    <!-- end of LDAP section -->

  Steve Lihn, Enterprise Web Infrastructure, Merck & Co., Inc.,   
  Tel: (908) 423 - 4441
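As an added example (my own code, not from the original post and not Roller or Acegi code), here is the search-then-bind flow the post describes, modelled in Python against a constructed in-memory directory so it runs offline: bind as the application account, search (uid={0}) under the search base, require exactly one hit, then bind as that DN with the user's password. The entries, passwords, attribute values and the escape/subtree switches are assumptions made for illustration; only the DN shapes follow the post. The example also exercises the two situations the post hints at: a uid that is not unique (two entries come back, so the login is refused) and a one-level search that misses users sitting under ou=Merck, one level below the search base, which is why searchSubtree matters. The recorded trace answers "did we hit LDAP at all" for each attempt.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    OK = "authenticated"
    MANAGER_BIND_FAILED = "manager bind rejected"
    NO_MATCH = "user search found nothing"
    AMBIGUOUS = "user search found more than one entry"
    BAD_PASSWORD = "bind as user DN rejected"


@dataclass
class Entry:
    dn: str
    attrs: dict
    password: str  # what a simple bind against this entry must present


@dataclass
class FakeDirectory:
    """Constructed stand-in for the LDAP server; records every operation in .trace."""
    entries: list
    trace: list = field(default_factory=list)

    def bind(self, dn, password):
        self.trace.append(f"BIND {dn}")
        return any(e.dn.lower() == dn.lower() and e.password == password for e in self.entries)

    def search(self, base, filt, subtree):
        self.trace.append(f"SEARCH base={base} scope={'sub' if subtree else 'one'} filter={filt}")
        attr, pattern = _parse_equality_filter(filt)
        hits = []
        for e in self.entries:
            rel = _relative_rdns(e.dn, base)
            if rel is None or not rel or (not subtree and len(rel) != 1):
                continue  # outside the base, the base entry itself, or too deep for one-level
            if attr in e.attrs and pattern.fullmatch(e.attrs[attr]):
                hits.append(e.dn)
        return hits


def _relative_rdns(dn, base):
    """RDNs of dn below base: [] if dn is the base, None if dn is outside it.
    Simplification: assumes no escaped commas inside RDN values."""
    dn_l, base_l = dn.lower(), base.lower()
    if dn_l == base_l:
        return []
    if not dn_l.endswith("," + base_l):
        return None
    return dn[: len(dn) - len(base) - 1].split(",")


def _parse_equality_filter(filt):
    r"""Parse the one filter shape this example supports, "(attr=value)".
    RFC 4515 \xx escapes become literal characters; an unescaped '*' is a
    wildcard, which is exactly what filter injection relies on."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, raw = m.group(1), m.group(2)
    regex, i = "", 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3]):
            regex += re.escape(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        elif raw[i] == "*":
            regex += ".*"
            i += 1
        else:
            regex += re.escape(raw[i])
            i += 1
    return attr, re.compile(regex, re.DOTALL)


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (what {0} should get)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search_then_bind(directory, manager_dn, manager_password, search_base,
                     filter_template, username, password, subtree=True, escape=True):
    """Bind as the application account, find the user's DN, then bind as that DN."""
    if not directory.bind(manager_dn, manager_password):
        return Outcome.MANAGER_BIND_FAILED, None
    value = escape_filter_value(username) if escape else username
    hits = directory.search(search_base, filter_template.replace("{0}", value), subtree)
    if not hits:
        return Outcome.NO_MATCH, None
    if len(hits) > 1:
        return Outcome.AMBIGUOUS, None  # uid is not unique here; refusing is the safe choice
    user_dn = hits[0]
    if not directory.bind(user_dn, password):
        return Outcome.BAD_PASSWORD, user_dn
    return Outcome.OK, user_dn


# Constructed sample data modelled on the DN shapes in the post; not real accounts.
BASE = "ou=People,dc=iM-2,dc=com"
MANAGER_DN = "cn=mrkwiki,ou=Applications,ou=Merck,ou=Services,dc=iM-2,dc=com"


def make_directory():
    return FakeDirectory([
        Entry(MANAGER_DN, {"cn": "mrkwiki"}, "app-secret"),
        Entry(f"cn=jdoe48213,ou=Merck,{BASE}", {"cn": "jdoe48213", "uid": "jdoe"}, "hunter2"),
        Entry(f"cn=asmith90371,ou=Merck,{BASE}", {"cn": "asmith90371", "uid": "asmith"}, "s3cret"),
        Entry(f"cn=asmith11840,ou=Merck,{BASE}", {"cn": "asmith11840", "uid": "asmith"}, "other"),
    ])


def authenticate(username, password, subtree=True, escape=True, manager_password="app-secret"):
    """Run one login attempt against a fresh directory; returns (outcome, user_dn, trace)."""
    d = make_directory()
    outcome, dn = search_then_bind(d, MANAGER_DN, manager_password, BASE, "(uid={0})",
                                   username, password, subtree=subtree, escape=escape)
    return outcome, dn, d.trace


if __name__ == "__main__":
    for args in (("jdoe", "hunter2"), ("asmith", "s3cret"), ("*", "x")):
        outcome, dn, trace = authenticate(*args)
        print(args[0], "->", outcome.value, dn, trace)
```

The same two steps can be checked against the real server without Roller in the loop, using the OpenLDAP tools: ldapsearch -H ldaps://host:636 -D "<managerDn>" -W -b "ou=People,dc=iM-2,dc=com" "(uid=<user>)" shows whether the application account can find exactly one entry, and ldapwhoami -H ldaps://host:636 -D "<that entry's DN>" -W shows whether the user's own bind is accepted.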

  

