Posted to jetspeed-user@portals.apache.org by je...@bnf.fr on 2011/09/26 17:29:25 UTC

ldap advanced configuration: changing ldap model


I'm still working on LDAP, not far from the end :-)

I am currently mapping our LDAP definition onto Jetspeed. Indeed, we have
our own LDAP schema that I have to use.
It works fine, but I have a question about the LDAP bean mechanisms.

For instance, we don't use uid.
Our id is BnFIdentifiant; we also use the cn attribute (not mandatory).

First I changed the override.properties file to construct the appropriate
filter to retrieve the LDAP user (search on attribute BnFIdentifiant).
That's classic stuff.
After that, I couldn't log in, so I changed the security-ldap.xml file. In
particular, I changed
_ the relationships between roles and users, groups and users... (We don't use
member but bnfmember, don't ask me why :-)
_ UserDaoConfiguration: it contains a list of attributes mapped onto LDAP
(cn, sn, uid...)
	I changed it to BnFIdentifiant, and login works !!! (Yes !!!!)
But isn't that dangerous? Will Jetspeed still work? Is there an
unexpected side effect?

Original definition of UserDaoConfiguration:
    <property name="ldapIdAttribute" value="uid" />
    <property name="objectClasses" value="inetOrgPerson,organizationalPerson,person,top"/>
    <property name="attributeDefinitions">
      <set>
        <!-- the entity id: required, and marked as an id attribute -->
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="uid" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="cn" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
...
Modified definition:
    <property name="ldapIdAttribute" value="BnFIdentifiant" />
    <property name="objectClasses" value="inetOrgPerson,organizationalPerson,person,top"/>
    <property name="attributeDefinitions">
      <set>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFIdentifiant" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="cn" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
        <!-- second definition of BnFIdentifiant (copy/paste leftover, see the reply) -->
        <bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
          <constructor-arg index="0" value="BnFIdentifiant" />
          <constructor-arg index="1" value="false" />
          <constructor-arg index="2" value="false" />
          <property name="required" value="true"/>
          <property name="idAttribute" value="true"/>
        </bean>
...


Kind regards,
-----------------------------------------------
Jérôme Dupont
Bibliothèque Nationale de France
Département des Systèmes d'Information
Tour T3 - Quai François Mauriac
75706 Paris Cedex 13
telephone: 33 (0)1 53 79 45 40
e-mail: jerome.dupont@bnf.fr
-----------------------------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Re: ldap advanced configuration: changing ldap model

Posted by je...@bnf.fr.
Hello,

Thanks very much for these clear explanations, which enlighten me.
I will clear the duplicate attribute.
This week or next week, I will also customize the role entity and the role<->user
relationship. I guess that the role entity works the same way as the user one.
And for the relationship, I've done it once before, so that should not be a
problem.

For everyone: would it be interesting to summarize and publish (on the mailing
list, or somewhere else) all the changes to apply in order to use a customized LDAP?


Kind regards,
-----------------------------------------------
Jérôme Dupont
Bibliothèque Nationale de France
Département des Systèmes d'Information
Tour T3 - Quai François Mauriac
75706 Paris Cedex 13
telephone: 33 (0)1 53 79 45 40
e-mail: jerome.dupont@bnf.fr
-----------------------------------------------

Message from: Ate Douma <at...@douma.nu>, 26/09/2011 21:56
Please reply to: "Jetspeed Users List" <je...@portals.apache.org>
To: Jetspeed Users List <je...@portals.apache.org>
Subject: Re: ldap advanced configuration: changing ldap model

I think your changes are fine, at least I see no issues from the information you
gave. Just note: I think you copy/pasted the attribute definition for
"BnFIdentifiant" twice in your modified configuration.

Specifying a different ldapIdAttribute is fine (it's why it's configurable in the
first place). It means that attribute (BnFIdentifiant) will be used to uniquely
"identify" your "entity" and thus used for user lookup (login) and searching etc.

It also means that if you allow creation of new LDAP users through Jetspeed, it
will be this attribute name which will be added to the ldap.user.searchBase to
create the new dn for a new LDAP user (see: SpringLDAPEntityDAO#internalAdd).
As value for the ldapIdAttribute, the new user's (Jetspeed) user name
will be used. Furthermore, every other attribute marked as idAttribute (true)
will also be filled with the same value.

And if you allow updating LDAP users through Jetspeed, all attributes marked as
idAttribute (true) are considered unmodifiable, so they will not be taken into account
for any update (see: SpringLDAPEntityDAO#update).

HTH, Ate



Re: ldap advanced configuration: changing ldap model

Posted by Ate Douma <at...@douma.nu>.
On 09/26/2011 05:29 PM, jerome.dupont@bnf.fr wrote:
>
>
> I'm still working on LDAP, not far from the end :-)
>
> I am currently mapping our LDAP definition onto Jetspeed. Indeed, we have
> our own LDAP schema that I have to use.
> It works fine, but I have a question about the LDAP bean mechanisms.
>
> For instance, we don't use uid.
> Our id is BnFIdentifiant; we also use the cn attribute (not mandatory).
>
> First I changed the override.properties file to construct the appropriate
> filter to retrieve the LDAP user (search on attribute BnFIdentifiant).
> That's classic stuff.
> After that, I couldn't log in, so I changed the security-ldap.xml file. In
> particular, I changed
> _ the relationships between roles and users, groups and users... (We don't use
> member but bnfmember, don't ask me why :-)
> _ UserDaoConfiguration: it contains a list of attributes mapped onto LDAP
> (cn, sn, uid...)
> 	I changed it to BnFIdentifiant, and login works !!! (Yes !!!!)
> But isn't that dangerous? Will Jetspeed still work? Is there an
> unexpected side effect?
>
I think your changes are fine, at least I see no issues from the information you 
gave. Just note: I think you copy/pasted the attribute definition for 
"BnFIdentifiant" twice in your modified configuration.

Specifying a different ldapIdAttribute is fine (it's why it's configurable in the 
first place). It means that attribute (BnFIdentifiant) will be used to uniquely 
"identify" your "entity" and thus used for user lookup (login) and searching etc.

It also means that if you allow creation of new LDAP users through Jetspeed, it 
will be this attribute name which will be added to the ldap.user.searchBase to 
create the new dn for a new LDAP user (see: SpringLDAPEntityDAO#internalAdd).
As value for the ldapIdAttribute, the new user's (Jetspeed) user name 
will be used. Furthermore, every other attribute marked as idAttribute (true) 
will also be filled with the same value.

And if you allow updating LDAP users through Jetspeed, all attributes marked as 
idAttribute (true) are considered unmodifiable, so they will not be taken into account 
for any update (see: SpringLDAPEntityDAO#update).

HTH, Ate

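
As an added illustration (not Jetspeed's code and not from either message in this thread), the following Python models the behaviour Ate describes above: lookup by the configured ldapIdAttribute, construction of the new dn as <ldapIdAttribute>=<user name>,<searchBase> with every idAttribute=true attribute filled with the user name, and idAttribute attributes dropped from updates. It also rejects the duplicated attribute definition from Jérôme's modified configuration. The search base, the sn definition, the exact filter shape and the validate() check are assumptions. The filter and DN escaping follow RFC 4515 and RFC 4514; that is the part a practitioner should check in any custom lookup filter, because the login name is user-supplied input that ends up inside the LDAP search filter.

```python
"""Model of the ldapIdAttribute / idAttribute behaviour described in the reply.
Added illustration; NOT Jetspeed's SpringLDAPEntityDAO. The search base, the
"sn" definition, the filter shape and validate() are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeDef:
    name: str
    required: bool = False
    id_attribute: bool = False   # <property name="idAttribute"> in the XML


@dataclass(frozen=True)
class EntityDaoConfig:
    ldap_id_attribute: str       # <property name="ldapIdAttribute">
    search_base: str             # ldap.user.searchBase
    object_classes: tuple
    attribute_definitions: tuple

    def validate(self):
        """Assumed sanity check: reject the copy/paste duplicate the reply points
        out, and an ldapIdAttribute that has no attribute definition."""
        names = [d.name for d in self.attribute_definitions]
        dupes = sorted({n for n in names if names.count(n) > 1})
        if dupes:
            raise ValueError(f"attribute defined more than once: {dupes}")
        if self.ldap_id_attribute not in names:
            raise ValueError(f"no definition for {self.ldap_id_attribute!r}")
        return True

    def id_attribute_names(self):
        return [d.name for d in self.attribute_definitions if d.id_attribute]


def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a search filter: the login name is
    user input, so '*', '(', ')', '\\' and NUL must not reach the directory raw."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value that becomes part of a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def login_search_filter(cfg, user_name):
    """Lookup filter for login: the configured id attribute, not a fixed uid."""
    classes = "".join(f"(objectClass={escape_filter_value(c)})" for c in cfg.object_classes)
    return f"(&{classes}({cfg.ldap_id_attribute}={escape_filter_value(user_name)}))"


def new_entry(cfg, user_name, attributes):
    """User created through the portal: dn = <ldapIdAttribute>=<name>,<searchBase>,
    and every idAttribute=true attribute (here cn as well) gets the user name."""
    cfg.validate()
    entry = dict(attributes)
    for name in cfg.id_attribute_names():
        entry[name] = user_name
    missing = [d.name for d in cfg.attribute_definitions if d.required and d.name not in entry]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    entry["objectClass"] = list(cfg.object_classes)
    dn = f"{cfg.ldap_id_attribute}={escape_dn_value(user_name)},{cfg.search_base}"
    return dn, entry


def update_changes(cfg, changes):
    """idAttribute=true attributes are unmodifiable: drop them from an update."""
    frozen = set(cfg.id_attribute_names())
    return {k: v for k, v in changes.items() if k not in frozen}


# Constructed configuration mirroring the modified UserDaoConfiguration in the
# thread; the search base and the "sn" definition are assumed.
BNF_CONFIG = EntityDaoConfig(
    ldap_id_attribute="BnFIdentifiant",
    search_base="ou=people,dc=example,dc=org",
    object_classes=("inetOrgPerson", "organizationalPerson", "person", "top"),
    attribute_definitions=(
        AttributeDef("BnFIdentifiant", required=True, id_attribute=True),
        AttributeDef("cn", required=True, id_attribute=True),
        AttributeDef("sn", required=True),
    ),
)
```

Two consequences of the configuration are visible when running this model: keeping cn marked idAttribute=true means a user created through the portal gets cn set to the Jetspeed user name, and a later update that tries to change cn is silently dropped; and a login name such as `*)(BnFIdentifiant=*` is turned into `\2a\29\28BnFIdentifiant=\2a` before it reaches the filter, so it can only match a user literally named that way.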