Posted to user@jspwiki.apache.org by Juan Pablo Santos Rodríguez <ju...@gmail.com> on 2013/06/25 23:53:01 UTC

Re: Regression with LDAP group lookups in JSPWiki 2.9.1-svn-31

Hi Dave,

almost a month later, but finally got time to look into this issue. The
good news: I was able to set up JSPWiki with container based authentication
and LDAP group lookups.

I followed your blog post [#1], but with some tiny differences as I've used
some different versions:

* OpenDJ 2.5.0-Xpress1
  - no-brainer installation, for testing purposes
  - base DN: dc=example, dc=com
  - No groups OU, no Users OU (this shouldn't matter, it should only affect
    the base DN on GlassFish configuration)
  - one wiki-admin group and one wiki-users group
  - one wikiadmin user (cn, givenName, sn, uid, password, all of them with
    the same value, wikiadmin), member of wiki-admin
  - one wikiuser user (cn, givenName, sn, uid, password, all of them with
    the same value, wikiuser), member of wiki-users

* GlassFish Server Open Source Edition 3.1.2.2
  - Configurations -> server-config -> Security : JACC = simple
  - Configurations -> server-config -> Security -> Realms -> JSPWikiUsers (c.s.e.s.a.r.l.LDAPRealm)
    + JAAS Context : ldapRealm
    + Directory : ldap://localhost:389
    + Base DN : dc=example,dc=com
    + (additional property) group-search-filter : uniqueMember=%d
    + (additional property) group-base-dn : dc=example,dc=com
    + (additional property) search-filter : cn=%s
  - Once the config is made, server restart

* JSPWiki v2.10.0-svn-11 (current trunk, almost 100% sure no modifications
  on auth code since 2.9.1-svn-31)
  - followed the steps described at [#1]
  - mvn clean install
  - deployed the war on GlassFish

Did you see any exceptions regarding JSPWiki? Until I had my GlassFish
Realm config fine, I stumbled upon a lot of GlassFish exceptions regarding
LDAP auth (user not found, and similar ones), but they never were JSPWiki
specific. Also, I had to restart GlassFish every time I had to save the
Realm configuration, in order to ensure the configuration was saved and
loaded.


HTH,
juan pablo

[#1]
http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/

On Sun, May 26, 2013 at 2:05 PM, Juan Pablo Santos Rodríguez <
juanpablo.santos@gmail.com> wrote:

> Hi Dave,
>
> skimming through ChangeLog and ChangeLog, there hasn't been specific work
> on the auth area since 2.8.3, so it seems that we've inadvertently
> introduced a change that hasn't been caught by unit tests. Could you please
> open a JIRA for this issue? Also, could you set the logs to debug level to
> see if there's something unusual?
>
> I'd like to turn trunk into multimodule, but will take a look at this
> afterwards
>
> thanks,
> juan pablo
>
>
> On Sat, May 25, 2013 at 3:43 PM, Dave Koelmeyer <
> dave.koelmeyer@davekoelmeyer.co.nz> wrote:
>
>> Hi All,
>>
>> Looks like there has been a change in JSPWiki 2.9.1-svn-31 with container
>> based authentication and LDAP group lookups.
>>
>> I've previously blogged my configuration using JSPWiki 2.8.3 and
>> GlassFish 3.1 which worked fine:
>>
>> http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/
>>
>> Using this same configuration on JSPWiki 2.9.1-svn-31, LDAP group
>> memberships are not retrieved.
>>
>> I have gone so far as to configure a fresh installation of JSPWiki 2.8.3
>> in a GlassFish domain with the above configuration, then duplicated
>> settings exactly in another GlassFish domain using JSPWiki 2.9.1-svn-31.
>> Version 2.8.3 will retrieve LDAP groups fine, JSPWiki 2.9.1-svn-31 will not.
>>
>> The behaviour I see on v2.9.1-svn-31 is the same as if I change the JACC
>> provider from "simple" to "default" in GlassFish using JSPWiki 2.8.3: LDAP
>> lookups are fine, but LDAP groups aren't. Can anyone offer some pointers on
>> what might have changed between JSPWiki versions to break this?
>>
>> Cheers,
>> Dave
>>
>> --
>> Dave Koelmeyer
>> http://blog.davekoelmeyer.co.nz
>>
>>
>

Re: Regression with LDAP group lookups in JSPWiki 2.9.1-svn-31 - solved

Posted by Dave Koelmeyer <da...@davekoelmeyer.co.nz>.
On 29/06/13 09:49 PM, Dave Koelmeyer wrote:
> On 26/06/13 09:53 AM, Juan Pablo Santos Rodríguez wrote:
>> Hi Dave,
>>
>> almost a month later, but finally got time to look into this issue. The
>> good news: I was able to set up JSPWiki with container based authentication
>> and LDAP group lookups.
>>
> Hi Juan Pablo,
>
> Thanks heaps for looking into this - I had been meaning to open a JIRA 
> issue and perform more testing but haven't quite had the time. I'll 
> follow your steps and see if this is still a problem on my system & 
> check for any GlassFish exceptions - hopefully this is a simple 
> omission or error on my part 

Hi Juan Pablo,

Turns out this was an error on my part. Something had changed with 
JSPWiki between versions but it's a completely obvious change which I 
should have picked up on. In my jspwiki.policy files I was still using 
the old values of "permission com.ecyrd.jspwiki.auth" instead of 
"permission org.apache.wiki.auth". Changing my settings to the latter 
value of course now results in group lookups working fine.

Thanks again for taking the time to look into this,
Dave

-- 
Dave Koelmeyer
http://blog.davekoelmeyer.co.nz
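
Added example (not part of the original thread, and not JSPWiki project code): a small checker for the fix reported above, which flags jspwiki.policy entries still naming classes under com.ecyrd.jspwiki.auth and rewrites them to org.apache.wiki.auth. The function names and the sample policy text are constructed for illustration; only the two package prefixes come from the thread.

```python
import re

OLD_PKG = "com.ecyrd.jspwiki.auth"   # prefix used with 2.8.3 (from the thread)
NEW_PKG = "org.apache.wiki.auth"     # prefix used with 2.9.1-svn-31 (from the thread)

# Group 1: keyword plus whitespace, group 2: the class name that follows it.
CLASS_REF = re.compile(r"(\b(?:permission|principal)\s+)([A-Za-z_][\w.]*)")

def _is_old(cls):
    return cls == OLD_PKG or cls.startswith(OLD_PKG + ".")

def _is_comment(line):
    # Only whole-line // comments are recognised; /* */ blocks are not handled.
    return line.lstrip().startswith("//")

def find_stale(policy_text):
    """Return (line_no, keyword, class_name) for each old-package reference."""
    hits = []
    for no, line in enumerate(policy_text.splitlines(), 1):
        if _is_comment(line):
            continue
        for kw, cls in CLASS_REF.findall(line):
            if _is_old(cls):
                hits.append((no, kw.strip(), cls))
    return hits

def migrate(policy_text):
    """Rewrite old-package class names; every other character is left as-is."""
    def fix(m):
        cls = m.group(2)
        return m.group(1) + (NEW_PKG + cls[len(OLD_PKG):] if _is_old(cls) else cls)
    return "".join(l if _is_comment(l) else CLASS_REF.sub(fix, l)
                   for l in policy_text.splitlines(keepends=True))

# Constructed sample: a policy file partly carried over from a 2.8.3 install.
SAMPLE_POLICY = '''\
// constructed sample, not taken from the thread
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission java.util.PropertyPermission "user.home", "read";
};
grant principal org.apache.wiki.auth.authorize.Role "wiki-admin" {
    permission org.apache.wiki.auth.permissions.AllPermission "*";
};
'''

if __name__ == "__main__":
    for no, kw, cls in find_stale(SAMPLE_POLICY):
        print(f"line {no}: stale {kw} class {cls}")
    print(migrate(SAMPLE_POLICY))
```

Running find_stale over each jspwiki.policy after an upgrade shows which grants still name the old package before anyone has to debug missing group permissions.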


Re: Regression with LDAP group lookups in JSPWiki 2.9.1-svn-31

Posted by Dave Koelmeyer <da...@davekoelmeyer.co.nz>.
On 26/06/13 09:53 AM, Juan Pablo Santos Rodríguez wrote:
> Hi Dave,
>
> almost a month later, but finally got time to look into this issue. The
> good news: I was able to set up JSPWiki with container based authentication
> and LDAP group lookups.
>
Hi Juan Pablo,

Thanks heaps for looking into this - I had been meaning to open a JIRA 
issue and perform more testing but haven't quite had the time. I'll 
follow your steps and see if this is still a problem on my system & 
check for any GlassFish exceptions - hopefully this is a simple omission 
or error on my part.

Cheers,
Dave

-- 
Dave Koelmeyer
http://blog.davekoelmeyer.co.nz