Posted to dev@lenya.apache.org by Apache Wiki <wi...@apache.org> on 2005/05/15 06:47:08 UTC

[Lenya Wiki] Update of "LDAPAuth" by GregorRothfuss

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Lenya Wiki" for change notification.

The following page has been changed by GregorRothfuss:
http://wiki.apache.org/lenya/LDAPAuth

The comment on the change is:
moved to lenya docs

------------------------------------------------------------------------------
- = How To Activate LDAP Authentication within a Lenya Publication =
+ deleted
  
- == Overview ==
- Lenya supports LDAP authentication, and was tested with OpenLDAP and MS Active Directory servers. 
- Note that only the authentication is done through LDAP; 
- the Lenya administrator still has to assign roles to the users within the Lenya Admin GUI.
- 
- == Configuring and activating LDAP in Lenya ==
-  1. Go to the directory {{{lenya/pubs/<your-publication-name>/config/ac}}}
-  1. Edit the file {{{ac.xconf}}} and uncomment the line regarding "LDAP support"
-  1. Go to the subdirectory {{{passwd}}} and copy the file {{{lenya/pubs/<your-publication-name>/config/ac/passwd/ldap.properties.sample}}} to the file {{{ldap.properties}}} in this directory. 
-  1. Edit the file {{{ldap.properties}}} with your settings (the sample file contains explanations for the entries)
-  1. Restart your servlet container, so that the changes take effect
-  1. Login as administrator. In the user's section, you can now add LDAP users: enter the LDAP id, and provide a Lenya id (which may be the same as the LDAP id). Now add group memberships for this id.
-  1. You should now be able to login with this LDAP user and password.
- 
- == Allowing LDAP users to login ==
- Once you have everything configured OK, you can tell Lenya to allow certain LDAP users. It is important to understand that, just because a user exists in LDAP, does not mean she has access to Lenya. The user needs to be explicitly added in Lenya, along with the group memberships. However, the authentication itself (password handling) is then completely handled through LDAP.
-  1. In the administration GUI, add the "LDAP user" in order to make this user known to Lenya. You can use the same id for Lenya as the existing LDAP id.
-  1. Click on the user and add group settings - if user belongs to no groups at all, she will not be able to login
-  1. Logout and login with the newly created id.
- 
- 
- == More technical information ==
-  * Lenya uses the Cocoon class LDAPTransformer : for documentation see, in your Lenya installation, the file {{{api/java/org/apache/cocoon/transformation/LDAPTransformer.html}}}; or within the Cocoon documentation on http://cocoon.apache.org
-  * This LDAPTransformer is included in Lenya's sitemap (sitemap.xmap)
-  * This implementation of LDAP Authentication in Lenya works, but might be replaced later by a more advanced implementation and / or by container managed security which would possibly provide these advantages:
-    * Maintainance of the groups in LDAP as well.
-    * Remove the need to separately enable each LDAP user in Lenya.
- 
- 
- 
- = Configuring and activating LDAP in older versions of Lenya =
- Read this section if you are using an older code base for Lenya, in which case the above instructions may not work.
- 
- Activating LDAP authentication within your publication means :
- 
-  1. Creating LDAP configuration file(s) with your LDAP settings; see below
-  1. Activating LDAP usage for the Administration GUI, as follows:
-     * If using Lenya version 1.2.1-dev or later, edit the access-controller configuration file (see below)
-     * If using Lenya version 1.2, editing the Administration GUI, in order to add LDAP relevant buttons
- 
- == LDAP Configuration file(s) ==
- The LDAP configuration file(s) are to be placed in this directory: {{{lenya/pubs/<your-publication-name>/config/ac/passwd}}}
- 
- In this directory, create a file called ldap.properties
- 
- Here is an example content (inspired by the "unizh" publication). Note that '''this format is deprecated''' and should only be used if running an old version of Lenya.
- 
- {{{
- # File: ldap.properties
- provider-url=ldap://ldap.foodomain.com:636/ou=FooOrg,dc=foodomain,dc=com
- 
- # Manager/user which is allowed to retrieve a list of "all" users (fullname) from LDAP server
- # This can be the LDAP admin, for instance, or can be left empty for anonymous bind
- mgr-dn=cn=proxyauth,ou=People,ou=FooOrg,dc=foodomain,dc=com
- # Password 
- mgr-pw=sekret
- 
- partial-user-dn=ou=People,ou=FooOrg,dc=foodomain,dc=com
- # keystore is taken relatively to the publication config/ac directory
- #key-store=.keystore
- #security-protocol=ssl
- security-protocol=none
- security-authentication=simple
- }}} 
- 
- Now, edit this file to suit your needs:
-  * use your settings for "provider-url" and "partial-user-dn"
-  * if you wish to use anonymous bind, set "mgr-dn" and "mgr-pw" to empty. If you do this, you will be able to use LDAP authentication, but users won't be able to change their LDAP passwords
-  * if you don't wish to use anonymous bind, set "mgr-dn" and "mgr-pw" to the relevant LDAP administrator settings of your LDAP server
-  * if you wish to use unencrypted LDAP, set "security-protocol" to the value none
-  * if you wish to use encrypted LDAP, you need to have a .keystore file (see below)
- 
- == Encrypted LDAP ==
-  *  in the file ldap.properties, set security-protocol to the value ssl and set key-store to the name of your keystore file
-  * add the LDAP server certificate file to the local keystore using this command:
- {{{
-       keytool -import -keystore .keystore -file <ca_cert_file> -alias <yourdomain.com>
- }}}
- 
- == Notes ==
-  * If you modify {{{ldap.properties}}}, it may be necessary to restart your servlet container or at least to reload your webapp in order for the changes to take effect.
-  * Lenya expects the users to be in container called {{{ou=People}}} that needs to be nested into the container you provide in the {{{provider-url}}} parameter in {{{ldap.properties}}}. (Example: {{{provider-url=ldap://your.ldap.server/ou=intern,dc=example,dc=com}}} will look for users in {{{ou=People,ou=intern,dc=example,dc=com}}})
- 
- 
- == An example publication using LDAP Authentication: the University of Zurich Lenya Publication ==
- The "University of Zurich Publication" is an example of a publication which uses LDAP authentication. You may wish to install and configure it to authenticate against your LDAP server: this way, you can check whether LDAP authentication is working, before proceeding to activate it in another application.
- 
- Note: this HOW-TO was tested using the "University of Zurich Publication" state on May 26th, 2004. If another version is incompatible with your Lenya installation, don't despair, you will probably still be able to use the LDAP relevant stuff.
-  1. Retrieve the University of Zurich Lenya publications (unitemplate, unizh) described on http://wyona.org/
-  1. Go to the {{{unitemplate/config/ac/passwd}}} directory and edit {{{ldap.properties}}} as described above
-  1. if secure LDAP is required, add the server certificate to the keystore as described above
-  1. Deploy the publications (see DeployPublicationHowTo)
-  1. In your browser, refresh your Lenya start page. You should now see, on the left hand side, a link to the "Unitemplate" publication. Login as lenya / levi user and go the Admin area to add a user.
-  1. Click on "Add University User" (this means LDAP user). In the field "UniAccessID", use the LDAP userid. In the field "CMS User", use the id with which you want to user to log in to Lenya. This may be the same id as for LDAP.
-  1. Add the desired groups for this user and log out of Lenya.
-  1. You should now be able to login to Lenya using this new user and his/her LDAP password.
- 
- 
- == Activating LDAP Authentication in Lenya version 1.2.1-dev ==
- Edit the access-controller configuration file, {{{lenya/pubs/<your-publication-name>/config/ac.xconf}}}
- 
- If you are using the default publication, you simply need to uncomment the line regarding "LDAP support". If you do not have this line, here is the complete section:
- {{{
-   <accreditable-manager type="file">
-     <parameter name="directory" value="context:///lenya/pubs/default/config/ac/passwd"/>
- 
-     <user-manager>
-        <user-type class="org.apache.lenya.ac.file.FileUser" create-use-case="userAddUser">Local User</user-type>
-        <user-type class="org.apache.lenya.ac.ldap.LDAPUser" create-use-case="userAddUserLdap">LDAP User</user-type>
-     </user-manager>
-   </accreditable-manager>
- }}}
- 
- You may need to restart your servlet container in order for the changes to take effect.
- 
- == Activating LDAP Authentication in Lenya version 1.2  ==
- We will use the "default publication" as an example. 
- 
- First, as described above, ensure you have placed the correct LDAP configuration file(s) into the {{{lenya/pubs/default/config/ac/passwd}}} directory of your Lenya installation.
- 
- Now, add LDAP relevant stuff to your Administration GUI. The simplest way to achieve this is to copy the relevant Administration GUI components from the "University of Zurich Lenya Publication".
-  1. Go to the {{{lenya/pubs/default/lenya/xslt}}} subdirectory of your Lenya installation (careful, don't confuse this with the lenya/pubs/default/xslt subdirectory)
-  1. Create a subdirectory called {{{admin}}}, then within the {{{admin}}} subdirectory, a new subdirectory {{{users}}}
-  1. Copy, into this new subdirectory, the 2 .xsl files called {{{profile.xsl}}} and {{{users.xsl}}} from the corresponding directory of the "University of Zurich Lenya Publication" (in {{{lenya/pubs/unitemplate/lenya/xslt/admin/users}}})
-  1. Login to the "default publication" as administrator (lenya/levi) and go the Admin area to add a user. You should now see a "Add University User" button - this actually refers to the LDAP users.
-  1. In the field "UniAccessID", use the LDAP userid. In the field "CMS User", use the id with which you want to user to log in to Lenya. This may be the same id as for LDAP.
-  1. Add the desired groups for this user and log out of Lenya.
-  1. You should now be able to login to Lenya using this new user and his/her LDAP password.
-  1. (this was tested on Lenya 1.2 state in CVS on July 9th, 2004)
- 
- 

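Review bot: the change comment "moved to lenya docs" gives no URL for the new home of this text, so the page body now reads only "deleted" and anyone arriving via http://wiki.apache.org/lenya/LDAPAuth has nowhere to go; put the target location in the page body (or at least in the change comment) rather than leaving a bare "deleted". Two points in the removed content should be corrected wherever it is republished rather than carried over as-is. First, the sample ldap.properties is self-contradictory: `provider-url=ldap://ldap.foodomain.com:636/ou=FooOrg,dc=foodomain,dc=com` names the LDAPS port while `security-protocol=none` selects plain LDAP, so the example will not connect as written, and a reader who "fixes" it by switching to port 389 gets a configuration that sends the `mgr-pw` bind password and every user's login password over the network in clear text; the sample should either use `security-protocol=ssl` with the documented keystore, or use a plain-LDAP port consistently with an explicit warning. Second, `mgr-pw=sekret` is a privileged bind password stored in clear text under `lenya/pubs/<your-publication-name>/config/ac/passwd`, and the text also tells readers to log in as "lenya / levi"; the migrated text should say to restrict file permissions on ldap.properties, prefer the anonymous-bind option described in the "Now, edit this file" list when password changes through Lenya are not needed, and change the default administrator password before enabling LDAP users.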