Posted to user@jspwiki.apache.org by John Pimentel <jp...@ra.rockwell.com> on 2013/09/12 17:57:03 UTC

Re: ldaps authentication to jspwiki

Hi Juan Pablo,

I finally resolved my issue, and would like to share my results on the Wiki.
What is the best way for me to contribute it that way, just send the details of my finding to the list?
I don't see a way to participate on the wiki site directly, and the docs link (http://doc.jspwiki.org/) seems to be broken.

Regards,
John Pimentel

  
jpimentel@ra.rockwell.com
Office  (414) 382-3354
Mobile (262) 501-4785




From:   Juan Pablo Santos Rodríguez <ju...@gmail.com>
To:     user@jspwiki.apache.org
Date:   08/28/2013 12:30 PM
Subject:        Re: ldaps authentication to jspwiki



Hello John,

would you mind checking these links:
- http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/
- http://mail-archives.apache.org/mod_mbox/incubator-jspwiki-user/201306.mbox/%3CCAMufup7zBdGP-1J9mR4o8DT6CMYLaipDu63DEt7HB5k9d1Pk2w%40mail.gmail.com%3E
- http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=Ldap%20Integration

The first two discuss a similar issue as yours, but using glassfish and
OpenDJ. In any case, the ldap configuration might give you a hint. The last
one is another "Ldap Integration" page, which may be closer to your issue


HTH,
juan pablo


On Wed, Aug 28, 2013 at 4:04 PM, John Pimentel <jp...@ra.rockwell.com> wrote:

> Thanks Jim, I will try that today
>
> Regards,
> John Pimentel
>
> *jpimentel@ra.rockwell.com* <jp...@ra.rockwell.com>
> Office  (414) 382-3354
> *Mobile (262) 501-4785* <2625014785@txt.att.net?subject=RA%20Text%204%20U>
>
>
>
>
> From:        Jim Willeke <ji...@willeke.com>
> To:        user@jspwiki.apache.org
> Date:        08/27/2013 05:35 PM
> Subject:        Re: ldaps authentication to jspwiki
> ------------------------------
>
>
>
> You might try removing the:
> userPattern="uid={0},ou=people,dc=mydomain,dc=com"
>
> and use (what I am using):
>
> userBase="ou=people,dc=mydomain,dc=com"
> userSearch="(uid={0})"
> userSubtree="true"
>
> We found the LDAP search to be much more flexible using this than the
> pattern matching.
> You should also be able to get some error from tomcat if it is failing.
> You can turn on access logging:
> http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Access_Logs
>
>
> If you drop the LDAPS, you might also get a trace. (Not sure if SUN can
> show the ldap requests) but tcpdump (or wireshark) will.
>
>
> --
> -jim
> Jim Willeke
>
>
> On Tue, Aug 27, 2013 at 1:18 PM, John Pimentel <jpimentel@ra.rockwell.com> wrote:
>
> >
> > Hi Jim,
> >
> > Thanks for the response.
> >
> > We are using Sun LDAP.  Let me give you an example from my user account.
> > Under my group container
> > cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com
> > I have an attribute called uniqueMember.
> > The value for my account is as follows:
> > uid=JPimen,ou=people,dc=mydomain,dc=com
> >
> > I of course substituted our actual domain for mydomain in this example, but
> > everything else is verbatim.
> >
> > So our groups are named by cn but the users are named by uid.
> >
> > Unfortunately our LDAP server will not accept anything other than ldaps
> > connections, so I am stuck there.
> >
> > Also if you have any recommendation on how to enable security specific
> > debug I would appreciate that.
> >
> > I found what appears to be a log level entry in my jspwiki.properties file.
> > I changed
> > log4j.rootCategory=INFO,FileLog
> > To read
> > log4j.rootCategory=DEBUG,FileLog
> >
> > Now, I do see debug entries in the /web1/dyscq/tomcat/logs/jspwiki.log
> > file, but no entries appear when I try (and fail) to log in.
> >
> > Thanks again for any ideas.
> >
> > Regards,
> > John Pimentel
> >
> > jpimentel@ra.rockwell.com
> > Office  (414) 382-3354
> > Mobile (262) 501-4785
> >
> >
> >
> >
> > From:   Jim Willeke <ji...@willeke.com>
> > To:     user@jspwiki.apache.org
> > Date:   08/27/2013 03:40 AM
> > Subject:        Re: ldaps authentication to jspwiki
> >
> >
> >
> > I would guess, as you show no information on your LDAP setup, this line is
> > wrong:
> > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> >
> > Are your users named by uid or cn?
> > You show roles as named by cn and since you show dc=,dc= I would guess this
> > is AD
> >
> > Also, try using LDAP vs LDAPS to help troubleshoot.
> >
> > -jim
> >
> > --
> > -jim
> > Jim Willeke
> >
> >
> > On Mon, Aug 26, 2013 at 10:47 AM, John Pimentel <jp...@ra.rockwell.com> wrote:
> >
> > >
> > > Greetings,
> > >
> > > I am having difficulties getting LDAPS authentication to work and I think I
> > > must be missing some fundamental configuration.
> > >
> > > My current state is that the Site loads and displays content properly, but
> > > when I go to edit content or I select the log in page directly, my LDAP
> > > credentials do not authenticate, and I am repeatedly presented with a login
> > > page.
> > >
> > > I used the following information as my "How To" for this effort.
> > > http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
> > >
> > > This article is very good but appears to be incomplete.
> > >
> > > I have done the following configuration to get ldaps to work:
> > >
> > > 1. I have a previously configured LDAP Server and I stored/trusted the
> > > cert for this Sun LDAP server into the central java keystore using this
> > > command:
> > > /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap -file /web1/sst/dysc/content/CA-RA-v3.crt -keystore /usr/lib64/jvm/jre/lib/security/cacerts
> > >
> > > 2. I have configured the realm and sorted out all the log errors using the
> > > following realm in the server.xml file.  I believe tomcat is successfully
> > > connecting to my LDAP server.
> > >
> > >       <Realm className="org.apache.catalina.realm.JNDIRealm"
> > >              connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
> > >              connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
> > >              connectionPassword="[Password]"
> > >              userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > >              roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
> > >              roleSubtree="true"
> > >              roleName="cn"
> > >              roleSearch="(uniqueMember={0})"
> > >       />
> > >
> > > 3. I uncommented the "CONTAINER-MANAGED AUTH" section
> > > from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml
> > >
> > > There is a section at the bottom that says "Update JSPWiki security policy"
> > > If you would like to set permissions to LDAP groups, you can simply add
> > > policy entries on authorize.Role. The following is an entry for wiki-admin
> > > group (from LDAP).
> > > grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
> > >     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > > };
> > >
> > > I'm thinking it might go into web.xml, but I am not sure of that..
> > >
> > > this section of the xml looks like this:
> > >
> > >    <security-constraint>
> > >        <web-resource-collection>
> > >            <web-resource-name>Authenticated area</web-resource-name>
> > >            <url-pattern>/Edit.jsp</url-pattern>
> > >            <url-pattern>/Comment.jsp</url-pattern>
> > >            <url-pattern>/Login.jsp</url-pattern>
> > >            <url-pattern>/NewGroup.jsp</url-pattern>
> > >            <url-pattern>/Rename.jsp</url-pattern>
> > >            <url-pattern>/Upload.jsp</url-pattern>
> > >            <http-method>DELETE</http-method>
> > >            <http-method>GET</http-method>
> > >            <http-method>HEAD</http-method>
> > >            <http-method>POST</http-method>
> > >            <http-method>PUT</http-method>
> > >        </web-resource-collection>
> > >
> > >        <web-resource-collection>
> > >            <web-resource-name>Read-only Area</web-resource-name>
> > >            <url-pattern>/attach</url-pattern>
> > >            <http-method>DELETE</http-method>
> > >            <http-method>POST</http-method>
> > >            <http-method>PUT</http-method>
> > >        </web-resource-collection>
> > >
> > >        <auth-constraint>
> > >            <role-name>Admin</role-name>
> > >            <role-name>Authenticated</role-name>
> > >        </auth-constraint>
> > > <!--
> > >        <user-data-constraint>
> > >            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >        </user-data-constraint>
> > > -->
> > >
> > >    </security-constraint>
> > >
> > >    <login-config>
> > >        <auth-method>FORM</auth-method>
> > >        <form-login-config>
> > >            <form-login-page>/LoginForm.jsp</form-login-page>
> > >            <form-error-page>/LoginForm.jsp</form-error-page>
> > >        </form-login-config>
> > >    </login-config>
> > >
> > >    <security-role>
> > >        <description>
> > >            This logical role includes all authenticated users
> > >        </description>
> > >        <role-name>Authenticated</role-name>
> > >    </security-role>
> > >
> > >    <security-role>
> > >        <description>
> > >            This logical role includes all administrative users
> > >        </description>
> > >        <role-name>Admin</role-name>
> > >    </security-role>
> > >
> > >
> > > Regards,
> > > John Pimentel
> > >
> > > jpimentel@ra.rockwell.com
> > > Office  (414) 382-3354
> > > Mobile (262) 501-4785
> > >
> > >
> > >
> > >


Re: ldaps authentication to jspwiki

Posted by John Pimentel <jp...@ra.rockwell.com>.
Hi Henry / Juan Pablo,

I guess I will just post it to the list for now, you can move it to your new server in due time and as you see fit.

LDAP Authentication Configuration for jspwiki Using LDAP Security Groups.

Assumptions:
Using LDAPS.
LDAP Server is in place and cannot be tweaked other than adding security groups and related ou/containers.
LDAP Server is SunOne or similar (not a Windows AD type) LDAP Server.
Using group based authentication since attributes cannot be tweaked.
Using bind mode authentication to LDAP Server
Starting with a single admin level role (more levels can be easily added later as needed).
LDAP Server Structure looks like this:
User Container – All users are located at or below this level
        ou=people,dc=mydomain,dc=com
Group OU – This is where your Security Groups will be nested
        ou=WiKi,ou=group,dc=mydomain,dc=com
"Admin" Security Group Container
        cn=AdminGroup,ou=WiKi,ou=group,dc=mydomain,dc=com

Procedure
1. Establish the trust between the Tomcat instance and the LDAP Server by importing the cert for the LDAP Server into the central java keystore something like this:
$JAVA_ROOT/bin/keytool -import -alias sunldap -file [Path to Cert File] -keystore $JAVA_ROOT/lib/security/cacerts

2. Create JNDI Realm in $CATALINA_BASE/conf/server.xml that looks something like this:
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://server.mydomain.com:636"
       connectionName="uid=wiki_bind,ou=admin,dc=mydomain,dc=com"
       connectionPassword="********"
       userBase="ou=people,dc=mydomain,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=WiKi,ou=group,dc=mydomain,dc=com"
       roleSubtree="false"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>

Where the following are true:
Realm className - should be left alone and unchanged
connectionURL - is the url and port for your LDAP server
connectionName - is the user name used to bind to LDAP
connectionPassword - is the password for the “connectionName” user above
userBase - is the base container for users in LDAP referenced in assumptions above.
userSearch - is the search string for the user name plus the related attribute (in this case “uid”).  The “{0}” entry signifies the information passed in to the realm from the login form.
userSubtree - is the search scope. Set to true if you wish to search the entire subtree rooted at the “userBase” entry. The default value of false requests a single-level search including only the top level.
roleBase – is the base ou where other Security Groups will be nested
roleSubtree - the search scope. Set to true if you wish to search the entire subtree rooted at the “roleBase” entry. The default value of false requests a single-level search including the top level only.
roleName – the LDAP attribute for the Security Group.  Pay attention to this.  The group name in LDAP will be passed to the role name value used in security constraints below.
roleSearch – is similar to “userSearch” but the attribute in this case is the one that LDAP uses in the Security Group for the user, in this case “uniqueMember”

Reference:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

3. Create or uncomment the CONTAINER-MANAGED AUTHENTICATION & AUTHORIZATION section of the jspwiki web.xml.  When you are finished it should look something like this.  Note: the "role-name" value below should match the Security Group that contains members you want to authenticate. This must match what is returned from LDAP.  The default section looks like this:

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Administrative Area</web-resource-name>
           <url-pattern>/Delete.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint>
           <role-name>Admin</role-name>
       </auth-constraint>
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Authenticated area</web-resource-name>
           <url-pattern>/Edit.jsp</url-pattern>
           <url-pattern>/Comment.jsp</url-pattern>
           <url-pattern>/Login.jsp</url-pattern>
           <url-pattern>/NewGroup.jsp</url-pattern>
           <url-pattern>/Rename.jsp</url-pattern>
           <url-pattern>/Upload.jsp</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>GET</http-method>
           <http-method>HEAD</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <web-resource-collection>
           <web-resource-name>Read-only Area</web-resource-name>
           <url-pattern>/attach</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <auth-constraint>
           <role-name>Admin</role-name>
           <role-name>Authenticated</role-name>
       </auth-constraint>

       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

   <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
           <form-login-page>/LoginForm.jsp</form-login-page>
           <form-error-page>/LoginForm.jsp</form-error-page>
       </form-login-config>
   </login-config>

   <security-role>
       <description>
           This logical role includes all authenticated users
       </description>
       <role-name>Authenticated</role-name>
   </security-role>

   <security-role>
       <description>
           This logical role includes all administrative users
       </description>
       <role-name>Admin</role-name>
   </security-role>

I only had to make a few edits to the default section to get this to work on my system.

First, since we run the wiki behind an SSL enabled apache instance, I saw no need to enable SSL on tomcat.  So I commented out all instances of this directive:
<!--
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
-->

Additionally, inside the second security constraint statement, I changed the text in Red to correspond to my LDAP security group.
From the default of:
       <auth-constraint>
           <role-name>Admin</role-name>
           <role-name>Authenticated</role-name>
       </auth-constraint>
To
      <auth-constraint>
          <role-name>AdminGroup</role-name>
      </auth-constraint>

The final change to jspwiki web.xml was to remove the first security-role and edit the second as follows.
From this:
   <security-role>
       <description>
           This logical role includes all authenticated users
       </description>
       <role-name>Authenticated</role-name>
   </security-role>

   <security-role>
       <description>
           This logical role includes all administrative users
       </description>
       <role-name>Admin</role-name>
   </security-role>
To this:
   <security-role>
       <description>
           This logical role includes all administrative users
       </description>
       <role-name>AdminGroup</role-name>
   </security-role>


4. The last modification for me was in the jspwiki.policy file.
If you want to restrict access to only authenticated users, create a file that only has the following lines in it:

grant principal org.apache.wiki.auth.authorize.Role "AdminGroup" {
   permission org.apache.wiki.auth.permissions.AllPermission "*";
};

The net effect being only authenticated users will be allowed to browse the site.
Alternatively, if you want to allow anonymous browse access simply append that same directive to the bottom of the policy file.
In the above example "AdminGroup" matches the “role-name” used in the web.xml "role-name" fields, as well as the LDAP Security group I used.
At this point I restarted Tomcat and was able to log into and edit my Wiki site using my LDAP credentials.
Enjoy, 

Regards,
John Pimentel
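
Added example (not part of the post above, and not Tomcat or JSPWiki code): a simplified Python model of the user and role lookups that the Realm attributes in step 2 describe, showing how userSubtree and roleSubtree limit what is found and why the web.xml role-name has to equal the group's cn. The contractor1 and Editors entries and all function names are constructed for illustration; the password bind is not modelled and only "(attr={0})" filters are handled.

```python
"""Simplified model of the JNDIRealm user and role lookups (added example)."""
import re

# Constructed directory shaped like the structure in the post: DN -> attributes.
DIRECTORY = {
    "uid=JPimen,ou=people,dc=mydomain,dc=com": {"uid": ["JPimen"]},
    "uid=contractor1,ou=external,ou=people,dc=mydomain,dc=com": {
        "uid": ["contractor1"]},
    "cn=AdminGroup,ou=WiKi,ou=group,dc=mydomain,dc=com": {
        "cn": ["AdminGroup"],
        "uniqueMember": ["uid=JPimen,ou=people,dc=mydomain,dc=com"]},
    # Hypothetical group nested one level deeper than roleBase.
    "cn=Editors,ou=Teams,ou=WiKi,ou=group,dc=mydomain,dc=com": {
        "cn": ["Editors"],
        "uniqueMember": ["uid=JPimen,ou=people,dc=mydomain,dc=com"]},
}

# Realm attributes from step 2 (connection settings omitted; nothing is contacted).
REALM = {
    "userBase": "ou=people,dc=mydomain,dc=com",
    "userSearch": "(uid={0})",
    "userSubtree": "true",
    "roleBase": "ou=WiKi,ou=group,dc=mydomain,dc=com",
    "roleSubtree": "false",
    "roleName": "cn",
    "roleSearch": "(uniqueMember={0})",
}


def norm(dn):
    """Lower-case a DN and trim its components (ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn, base, subtree):
    """Subtree scope: base and everything below it. Otherwise: direct children only."""
    dn, base = norm(dn), norm(base)
    if dn == base:
        return subtree
    if not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]
    return subtree or "," not in relative


def search(base, filt, value, subtree):
    """Evaluate an equality filter such as (uid={0}); returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=\{0\}\)", filt)
    if not m:
        raise ValueError("only (attr={0}) filters are modelled here")
    attr, want = m.group(1), norm(value)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, subtree)
            and any(norm(v) == want for v in attrs.get(attr, []))]


def resolve(realm, username):
    """Return (user DN, role names) the container would receive after login."""
    users = search(realm["userBase"], realm["userSearch"], username,
                   realm["userSubtree"] == "true")
    if len(users) != 1:
        return None, []  # unknown or ambiguous user: the login form reappears
    user_dn = users[0]
    # In roleSearch, {0} is the DN of the user that was just found.
    groups = search(realm["roleBase"], realm["roleSearch"], user_dn,
                    realm["roleSubtree"] == "true")
    roles = [v for g in groups for v in DIRECTORY[g].get(realm["roleName"], [])]
    return user_dn, sorted(roles)


def allowed(roles, auth_constraint):
    """web.xml auth-constraint check: exact, case-sensitive role-name match."""
    return any(role in auth_constraint for role in roles)


if __name__ == "__main__":
    dn, roles = resolve(REALM, "JPimen")
    print(dn, roles)
    print("default web.xml roles:", allowed(roles, ["Admin", "Authenticated"]))
    print("edited web.xml role  :", allowed(roles, ["AdminGroup"]))
```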




From:   Juan Pablo Santos Rodríguez <ju...@gmail.com>
To:     user@jspwiki.apache.org
Date:   09/15/2013 03:17 PM
Subject:        Re: ldaps authentication to jspwiki



Hi John,

glad to read you finally managed to resolve your issue :-) As Harry has
pointed out, the new VM to hold jspwiki.org is nearly there, so you may
either wait a little more or just post it on this thread


regards,
juan pablo


On Fri, Sep 13, 2013 at 6:47 PM, Harry Metske <ha...@gmail.com> wrote:

> John,
>
> we are currently waiting for our Linux virtual machine where we will host
> the new jspwiki.org, that would be the place to share it.
> You could wait for it to become available [#1], we will definitely post and
> tweet that, but if you don't want to wait for that, you could also post it
> on the mail list here.
>
> thanks !
>
> Harry
>
> [1] - https://issues.apache.org/jira/browse/INFRA-5588
>
>
> On 12 September 2013 17:57, John Pimentel <jp...@ra.rockwell.com>
> wrote:
>
> > hi Juan Pablo,
> >
> > I finally resolved my issue, and would like to share my results on the
> > Wiki.
> > What is the best way for me to contribute it that way, just send the
> > details of my finding to the list?
> > I don't see a way to participate on the wiki site directly, and the 
docs
> > link (http://doc.jspwiki.org/) seems to be broken.
> >
> > Regards,
> > John Pimentel
> >
> >  [image: Description: Description: ralogo_web]
> > *jpimentel@ra.rockwell.com* <jp...@ra.rockwell.com>
> > Office  (414) 382-3354
> > *Mobile (262) 501-4785* <
> 2625014785@txt.att.net?subject=RA%20Text%204%20U>
> >
> >
> >
> >
> > From:        Juan Pablo Santos Rodríguez <ju...@gmail.com>
> > To:        user@jspwiki.apache.org
> > Date:        08/28/2013 12:30 PM
> > Subject:        Re: ldaps authentication to jspwiki
> > ------------------------------
> >
> >
> >
> > Hello John,
> >
> > would you mind checking these links:
> > -
> >
> >
> 
http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/

> > -
> >
> >
> 
http://mail-archives.apache.org/mod_mbox/incubator-jspwiki-user/201306.mbox/%3CCAMufup7zBdGP-1J9mR4o8DT6CMYLaipDu63DEt7HB5k9d1Pk2w%40mail.gmail.com%3E

> > - 
http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=Ldap%20Integration
> >
> > The first two discuss a similar issue as yours, but using glassfish 
and
> > OpenDJ. In any case, the ldap conifguration might give you a hint. The
> last
> > one is another "Ldap Integration" page, which may be closer to your 
issue
> >
> >
> > HTH,
> > juan pablo
> >
> >
> > On Wed, Aug 28, 2013 at 4:04 PM, John Pimentel <
> jpimentel@ra.rockwell.com
> > >wrote:
> >
> > > Thanks Jim, I will try that today
> > >
> > > Regards,
> > > John Pimentel
> > >
> > >  [image: Description: Description: ralogo_web]
> > > *jpimentel@ra.rockwell.com* <jp...@ra.rockwell.com>
> > > Office  (414) 382-3354
> > > *Mobile (262) 501-4785* <
> > 2625014785@txt.att.net?subject=RA%20Text%204%20U>
> > >
> > >
> > >
> > >
> > > From:        Jim Willeke <ji...@willeke.com>
> > > To:        user@jspwiki.apache.org
> > > Date:        08/27/2013 05:35 PM
> > > Subject:        Re: ldaps authentication to jspwiki
> > > ------------------------------
> > >
> > >
> > >
> > > You might try remove the:
> > > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > >
> > > and use (what I am using):
> > >
> > > userBase="ou=people,dc=mydomain,dc=com"
> > >                                userSearch="(uid={0})"
> > >                                userSubtree="true"
> > >
> > > We found the LDAP search to be much more flexible using this than 
the
> > > pattern matching.
> > > You should also be able to get some error from tomcat if it is 
failing.
> > > You can turn on access logging:
> > > http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Access_Logs
> > >
> > >
> > > If you drop the LDAPS, You might also get a trace. (Not sure if SUN 
can
> > > show the ldap requests) but tcdump (or wireshark) will.
> > >
> > >
> > > --
> > > -jim
> > > Jim Willeke
> > >
> > >
> > > On Tue, Aug 27, 2013 at 1:18 PM, John Pimentel <
> > jpimentel@ra.rockwell.com
> > > >wrote:
> > >
> > > >
> > > > Hi Jim,
> > > >
> > > > Thanks for the response.
> > > >
> > > > We are using Sun LDAP.  Let me give you an example from my user
> > account.
> > > > Under my group container
> > > > cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com
> > > > I have a attribute called uniqueMember.
> > > > The value for my account is as follows:
> > > > uid=JPimen,ou=people,dc=mydomain,dc=com
> > > >
> > > > I of course substituted our actual domain for mydomain in this
> example,
> > > but
> > > > everything else is verbatim.
> > > >
> > > > So our groups are nmed by cn but the users are named by uid.
> > > >
> > > > Unfortunately our LDAP server will not accept anything other than
> ldaps
> > > > connections, so I am stuck there.
> > > >
> > > > Also if you have any recommendation on how to enable security
> specific
> > > > debug I would appreciate that.
> > > >
> > > > I found what appears to be a log level entry in my 
jspwiki.properties
> > > file.
> > > > I changed
> > > > log4j.rootCategory=INFO,FileLog
> > > > To read
> > > > log4j.rootCategory=DEBUG,FileLog
> > > >
> > > > Now, I do see debug entries in the
> /web1/dyscq/tomcat/logs/jspwiki.log
> > > > file, but no entries appear when I try (and fail) to log in.
> > > >
> > > > Thanks again for any ideas.
> > > >
> > > > Regards,
> > > > John Pimentel
> > > >
> > > >  (Embedded image moved to file: pic11833.gif)Description:
> Description:
> > > > ralogo_web
> > > > jpimentel@ra.rockwell.com
> > > > Office  (414) 382-3354
> > > > Mobile (262) 501-4785
> > > >
> > > >
> > > >
> > > >
> > > > From:   Jim Willeke <ji...@willeke.com>
> > > > To:     user@jspwiki.apache.org
> > > > Date:   08/27/2013 03:40 AM
> > > > Subject:        Re: ldaps authentication to jspwiki
> > > >
> > > >
> > > >
> > > > I would guess, as you show no information on your LDAP setup, this
> line
> > > is
> > > > wrong:
> > > > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > > >
> > > > Are your users named by uid or cn?
> > > > You show roles as named by cn and since you show dc=,dc= I would
> guess
> > > this
> > > > is AD
> > > >
> > > > Also, try using LDAP vs LDAPS to help troubleshoot.
> > > >
> > > > -jim
> > > >
> > > > --
> > > > -jim
> > > > Jim Willeke
> > > >
> > > >
> > > > On Mon, Aug 26, 2013 at 10:47 AM, John Pimentel
> > > > <jp...@ra.rockwell.com>wrote:
> > > >
> > > > >
> > > > > Greetings,
> > > > >
> > > > > I am having difficulties getting LDAPS authentication to work 
and I
> > > think
> > > > I
> > > > > must be missing some fundamental configuration.
> > > > >
> > > > > My current state is that the Site loads and displays content
> > properly,
> > > > but
> > > > > when I go to edit content or I select the log in page directly, 
my
> > LDAP
> > > > > credentials do not authenticate, and I am repeatedly presented
> with a
> > > > login
> > > > > page.
> > > > >
> > > > > I used the follwing information as my "How To" for this effort.
> > > > >
> http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
> > > > >
> > > > > This article is very good but appears to be incomplete.
> > > > >
> > > > > I have done the following configuration to get ldaps to work:
> > > > >
> > > > > 1. I have a previously configured LDAP Server and I stored 
/trusted
> > the
> > > > > cert for this Sun LDAP server into the central java keystore 
using
> > this
> > > > > command:
> > > > > /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap
> > > > > -file /web1/sst/dysc/content/CA-RA-v3.crt
> > > > > -keystore /usr/lib64/jvm/jre/lib/security/cacerts
> > > > >
> > > > > 2. I have configured the realm and sorted out all the log errors
> > using
> > > > the
> > > > > following realm in the server.xml file.  I believe tomcat is
> > > successfully
> > > > > connecting to my LDAP server.
> > > > >
> > > > >       <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > > > connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
> > > > >              connectionName="uid=[bind User
> > > > > UID],ou=admin,dc=rmydomain,dc=com"
> > > > >              connectionPassword="[Password]"
> > > > >              userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > > > >              roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
> > > > >              roleSubtree="true"
> > > > >              roleName="cn"
> > > > >              roleSearch="(uniqueMember={0})"
> > > > >       />
> > > > >
> > > > > 3. I uncommented the "CONTAINER-MANAGED AUTH" section
> > > > > from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml
> > > > >
> > > > > There is a section at the bottom that says "Update JSPWiki security policy"
> > > > > If you would like to set permissions to LDAP groups, you can simply add
> > > > > policy entries on authorize.Role. The following is an entry for wiki-admin
> > > > > group (from LDAP).
> > > > > grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
> > > > >     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > > > > };
> > > > >
> > > > > I'm thinking it might go into web.xml, but I am not sure of that..
> > > > >
> > > > > this section of the xml looks like this:
> > > > >
> > > > >    <security-constraint>
> > > > >        <web-resource-collection>
> > > > >            <web-resource-name>Authenticated area</web-resource-name>
> > > > >            <url-pattern>/Edit.jsp</url-pattern>
> > > > >            <url-pattern>/Comment.jsp</url-pattern>
> > > > >            <url-pattern>/Login.jsp</url-pattern>
> > > > >            <url-pattern>/NewGroup.jsp</url-pattern>
> > > > >            <url-pattern>/Rename.jsp</url-pattern>
> > > > >            <url-pattern>/Upload.jsp</url-pattern>
> > > > >            <http-method>DELETE</http-method>
> > > > >            <http-method>GET</http-method>
> > > > >            <http-method>HEAD</http-method>
> > > > >            <http-method>POST</http-method>
> > > > >            <http-method>PUT</http-method>
> > > > >        </web-resource-collection>
> > > > >
> > > > >        <web-resource-collection>
> > > > >            <web-resource-name>Read-only Area</web-resource-name>
> > > > >            <url-pattern>/attach</url-pattern>
> > > > >            <http-method>DELETE</http-method>
> > > > >            <http-method>POST</http-method>
> > > > >            <http-method>PUT</http-method>
> > > > >        </web-resource-collection>
> > > > >
> > > > >        <auth-constraint>
> > > > >            <role-name>Admin</role-name>
> > > > >            <role-name>Authenticated</role-name>
> > > > >        </auth-constraint>
> > > > > <!--
> > > > >        <user-data-constraint>
> > > > >            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > > >        </user-data-constraint>
> > > > > -->
> > > > >
> > > > >    </security-constraint>
> > > > >
> > > > >    <login-config>
> > > > >        <auth-method>FORM</auth-method>
> > > > >        <form-login-config>
> > > > >            <form-login-page>/LoginForm.jsp</form-login-page>
> > > > >            <form-error-page>/LoginForm.jsp</form-error-page>
> > > > >        </form-login-config>
> > > > >    </login-config>
> > > > >
> > > > >    <security-role>
> > > > >        <description>
> > > > >            This logical role includes all authenticated users
> > > > >        </description>
> > > > >        <role-name>Authenticated</role-name>
> > > > >    </security-role>
> > > > >
> > > > >    <security-role>
> > > > >        <description>
> > > > >            This logical role includes all administrative users
> > > > >        </description>
> > > > >        <role-name>Admin</role-name>
> > > > >    </security-role>
> > > > >
> > > > >
> > > > > Regards,
> > > > > John Pimentel
> > > > >
> > > > > jpimentel@ra.rockwell.com
> > > > > Office  (414) 382-3354
> > > > > Mobile (262) 501-4785
> > > > >
>
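
An added example (not code from the thread, Tomcat or JSPWiki) that traces offline how the JNDIRealm attributes quoted above turn a login name into a user DN and a set of role names, and compares those names with the role-name entries in web.xml; it also contrasts userPattern with the userBase/userSearch form Jim suggests. The directory is a constructed in-memory dict, "asmith" and ou=contractors are hypothetical, and an existing entry stands in for a successful bind.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the realm, web.xml and directory
# entries quoted in the thread. "asmith" and ou=contractors are hypothetical.
REALM_PATTERN = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
    userPattern="uid={0},ou=people,dc=mydomain,dc=com"
    roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
    roleSubtree="true" roleName="cn" roleSearch="(uniqueMember={0})"/>"""

# Same realm, but with the lookup style suggested in the reply.
REALM_SEARCH = REALM_PATTERN.replace(
    'userPattern="uid={0},ou=people,dc=mydomain,dc=com"',
    'userBase="ou=people,dc=mydomain,dc=com" userSearch="(uid={0})" userSubtree="true"')

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint><auth-constraint>
    <role-name>Admin</role-name><role-name>Authenticated</role-name>
  </auth-constraint></security-constraint></web-app>"""

DIRECTORY = {
    "uid=JPimen,ou=people,dc=mydomain,dc=com": {"uid": ["JPimen"]},
    "uid=asmith,ou=contractors,ou=people,dc=mydomain,dc=com": {"uid": ["asmith"]},
    "cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com": {
        "cn": ["UN_CTM_AdminGroup"],
        "uniqueMember": ["uid=JPimen,ou=people,dc=mydomain,dc=com"]},
}


def in_scope(dn, base, subtree):
    """True if dn lies below base; one level only unless subtree is set.
    Simplification: assumes no escaped commas inside RDN values."""
    dn, base = dn.lower(), base.lower()
    if not dn.endswith("," + base):
        return False
    rdns_above_base = dn[: -len(base) - 1].count(",") + 1
    return subtree or rdns_above_base == 1


def search(base, subtree, flt, value):
    """Evaluate a single-term filter of the form (attr={0}), the only shape
    the realm in the thread uses, against the in-memory directory."""
    attr = flt.strip("()").split("=", 1)[0]
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, subtree)
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]


def resolve_user(realm, login):
    """userPattern builds exactly one DN; userBase/userSearch looks the entry up."""
    if "userPattern" in realm:
        dn = realm["userPattern"].replace("{0}", login)
        # An existing entry stands in for a successful bind as that DN.
        return next((d for d in DIRECTORY if d.lower() == dn.lower()), None)
    hits = search(realm["userBase"], realm.get("userSubtree") == "true",
                  realm["userSearch"], login)
    return hits[0] if len(hits) == 1 else None


def realm_roles(realm, user_dn):
    """Role names are the roleName attribute of entries matching roleSearch."""
    groups = search(realm["roleBase"], realm.get("roleSubtree") == "true",
                    realm["roleSearch"], user_dn)
    return {v for g in groups for v in DIRECTORY[g].get(realm["roleName"], [])}


def required_roles(web_xml):
    """Collect role-name values from every auth-constraint, ignoring namespaces."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    return {r.text.strip() for ac in ET.fromstring(web_xml).iter()
            if local(ac) == "auth-constraint"
            for r in ac if local(r) == "role-name"}


def check(realm_xml, web_xml, login):
    """Resolve the login, collect its realm roles, compare with web.xml."""
    realm = ET.fromstring(realm_xml).attrib
    dn = resolve_user(realm, login)
    roles = realm_roles(realm, dn) if dn else set()
    needed = required_roles(web_xml)
    return {"dn": dn, "roles": roles, "required": needed,
            "authorized": bool(roles & needed)}


if __name__ == "__main__":
    for xml, login in [(REALM_PATTERN, "JPimen"), (REALM_PATTERN, "asmith"),
                       (REALM_SEARCH, "asmith")]:
        print(login, check(xml, WEB_XML, login))
```

With this sample data the group cn returned for JPimen does not equal either role-name in the constraint, and asmith resolves only under the userBase/userSearch form.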



Re: ldaps authentication to jspwiki

Posted by Juan Pablo Santos Rodríguez <ju...@gmail.com>.
Hi John,

glad to read you finally managed to resolve your issue :-) As Harry has
pointed out, the new VM to hold jspwiki.org is nearly there, so you may
either wait a little more or just post it on this thread


regards,
juan pablo


On Fri, Sep 13, 2013 at 6:47 PM, Harry Metske <ha...@gmail.com> wrote:

> John,
>
> we are currently waiting for our Linux virtual machine where we will host
> the new jspwiki.org, that would be the place to share it.
> You could wait for it to become available [#1], we will definitely post and
> tweet that, but if you don't want to wait for that, you could also post it
> on the mail list here.
>
> thanks !
>
> Harry
>
> [1] - https://issues.apache.org/jira/browse/INFRA-5588
>
>
> On 12 September 2013 17:57, John Pimentel <jp...@ra.rockwell.com>
> wrote:
>
> > hi Juan Pablo,
> >
> > I finally resolved my issue, and would like to share my results on the
> > Wiki.
> > What is the best way for me to contribute it that way, just send the
> > details of my finding to the list?
> > I don't see a way to participate on the wiki site directly, and the docs
> > link (http://doc.jspwiki.org/) seems to be broken.
> >
> > Regards,
> > John Pimentel
> >
> > jpimentel@ra.rockwell.com
> > Office  (414) 382-3354
> > Mobile (262) 501-4785
> >
> >
> >
> >
> > From:        Juan Pablo Santos Rodríguez <ju...@gmail.com>
> > To:        user@jspwiki.apache.org
> > Date:        08/28/2013 12:30 PM
> > Subject:        Re: ldaps authentication to jspwiki
> > ------------------------------
> >
> >
> >
> > Hello John,
> >
> > would you mind checking these links:
> > - http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/
> > - http://mail-archives.apache.org/mod_mbox/incubator-jspwiki-user/201306.mbox/%3CCAMufup7zBdGP-1J9mR4o8DT6CMYLaipDu63DEt7HB5k9d1Pk2w%40mail.gmail.com%3E
> > - http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=Ldap%20Integration
> >
> > The first two discuss a similar issue as yours, but using glassfish and
> > OpenDJ. In any case, the ldap configuration might give you a hint. The last
> > one is another "Ldap Integration" page, which may be closer to your issue
> >
> >
> > HTH,
> > juan pablo
> >
> >
> > On Wed, Aug 28, 2013 at 4:04 PM, John Pimentel <jpimentel@ra.rockwell.com> wrote:
> >
> > > Thanks Jim, I will try that today
> > >
> > > Regards,
> > > John Pimentel
> > >
> > > jpimentel@ra.rockwell.com
> > > Office  (414) 382-3354
> > > Mobile (262) 501-4785
> > >
> > >
> > >
> > >
> > > From:        Jim Willeke <ji...@willeke.com>
> > > To:        user@jspwiki.apache.org
> > > Date:        08/27/2013 05:35 PM
> > > Subject:        Re: ldaps authentication to jspwiki
> > > ------------------------------
> > >
> > >
> > >
> > > You might try removing the:
> > > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > >
> > > and use (what I am using):
> > >
> > >                                userBase="ou=people,dc=mydomain,dc=com"
> > >                                userSearch="(uid={0})"
> > >                                userSubtree="true"
> > >
> > > We found the LDAP search to be much more flexible using this than the
> > > pattern matching.
> > > You should also be able to get some error from tomcat if it is failing.
> > > You can turn on access logging:
> > > http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Access_Logs
> > >
> > >
> > > If you drop the LDAPS, you might also get a trace. (Not sure if SUN can
> > > show the ldap requests) but tcpdump (or wireshark) will.
> > >
> > >
> > > --
> > > -jim
> > > Jim Willeke
> > >
> > >
> > > On Tue, Aug 27, 2013 at 1:18 PM, John Pimentel <jpimentel@ra.rockwell.com> wrote:
> > >
> > > >
> > > > Hi Jim,
> > > >
> > > > Thanks for the response.
> > > >
> > > > We are using Sun LDAP.  Let me give you an example from my user account.
> > > > Under my group container
> > > > cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com
> > > > I have an attribute called uniqueMember.
> > > > The value for my account is as follows:
> > > > uid=JPimen,ou=people,dc=mydomain,dc=com
> > > >
> > > > I of course substituted our actual domain for mydomain in this example, but
> > > > everything else is verbatim.
> > > >
> > > > So our groups are named by cn but the users are named by uid.
> > > >
> > > > Unfortunately our LDAP server will not accept anything other than ldaps
> > > > connections, so I am stuck there.
> > > >
> > > > Also if you have any recommendation on how to enable security specific
> > > > debug I would appreciate that.
> > > >
> > > > I found what appears to be a log level entry in my jspwiki.properties file.
> > > > I changed
> > > > log4j.rootCategory=INFO,FileLog
> > > > To read
> > > > log4j.rootCategory=DEBUG,FileLog
> > > >
> > > > Now, I do see debug entries in the /web1/dyscq/tomcat/logs/jspwiki.log
> > > > file, but no entries appear when I try (and fail) to log in.
> > > >
> > > > Thanks again for any ideas.
> > > >
> > > > Regards,
> > > > John Pimentel
> > > >
> > > > jpimentel@ra.rockwell.com
> > > > Office  (414) 382-3354
> > > > Mobile (262) 501-4785
> > > >
> > > >
> > > >
> > > >
> > > > From:   Jim Willeke <ji...@willeke.com>
> > > > To:     user@jspwiki.apache.org
> > > > Date:   08/27/2013 03:40 AM
> > > > Subject:        Re: ldaps authentication to jspwiki
> > > >
> > > >
> > > >
> > > > I would guess, as you show no information on your LDAP setup, this line is
> > > > wrong:
> > > > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > > >
> > > > Are your users named by uid or cn?
> > > > You show roles as named by cn and since you show dc=,dc= I would guess this
> > > > is AD
> > > >
> > > > Also, try using LDAP vs LDAPS to help troubleshoot.
> > > >
> > > > -jim
> > > >
> > > > --
> > > > -jim
> > > > Jim Willeke
> > > >
> > > >
> > > > On Mon, Aug 26, 2013 at 10:47 AM, John Pimentel <jp...@ra.rockwell.com> wrote:
> > > >
> > > > >
> > > > > Greetings,
> > > > >
> > > > > I am having difficulties getting LDAPS authentication to work and I think I
> > > > > must be missing some fundamental configuration.
> > > > >
> > > > > My current state is that the Site loads and displays content properly, but
> > > > > when I go to edit content or I select the log in page directly, my LDAP
> > > > > credentials do not authenticate, and I am repeatedly presented with a login
> > > > > page.
> > > > >
> > > > > I used the following information as my "How To" for this effort.
> > > > > http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
> > > > >
> > > > > This article is very good but appears to be incomplete.
> > > > >
> > > > > I have done the following configuration to get ldaps to work:
> > > > >
> > > > > 1. I have a previously configured LDAP Server and I stored /trusted the
> > > > > cert for this Sun LDAP server into the central java keystore using this
> > > > > command:
> > > > > /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap
> > > > > -file /web1/sst/dysc/content/CA-RA-v3.crt
> > > > > -keystore /usr/lib64/jvm/jre/lib/security/cacerts
> > > > >
> > > > > 2. I have configured the realm and sorted out all the log errors using the
> > > > > following realm in the server.xml file.  I believe tomcat is successfully
> > > > > connecting to my LDAP server.
> > > > >
> > > > >       <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > > >              connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
> > > > >              connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
> > > > >              connectionPassword="[Password]"
> > > > >              userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > > > >              roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
> > > > >              roleSubtree="true"
> > > > >              roleName="cn"
> > > > >              roleSearch="(uniqueMember={0})"
> > > > >       />
> > > > >
> > > > > 3. I uncommented the "CONTAINER-MANAGED AUTH" section
> > > > > from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml
> > > > >
> > > > > There is a section at the bottom that says "Update JSPWiki security policy"
> > > > > If you would like to set permissions to LDAP groups, you can simply add
> > > > > policy entries on authorize.Role. The following is an entry for wiki-admin
> > > > > group (from LDAP).
> > > > > grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
> > > > >     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > > > > };
> > > > >
> > > > > I'm thinking it might go into web.xml, but I am not sure of that..
> > > > >
> > > > > this section of the xml looks like this:
> > > > >
> > > > >    <security-constraint>
> > > > >        <web-resource-collection>
> > > > >            <web-resource-name>Authenticated area</web-resource-name>
> > > > >            <url-pattern>/Edit.jsp</url-pattern>
> > > > >            <url-pattern>/Comment.jsp</url-pattern>
> > > > >            <url-pattern>/Login.jsp</url-pattern>
> > > > >            <url-pattern>/NewGroup.jsp</url-pattern>
> > > > >            <url-pattern>/Rename.jsp</url-pattern>
> > > > >            <url-pattern>/Upload.jsp</url-pattern>
> > > > >            <http-method>DELETE</http-method>
> > > > >            <http-method>GET</http-method>
> > > > >            <http-method>HEAD</http-method>
> > > > >            <http-method>POST</http-method>
> > > > >            <http-method>PUT</http-method>
> > > > >        </web-resource-collection>
> > > > >
> > > > >        <web-resource-collection>
> > > > >            <web-resource-name>Read-only Area</web-resource-name>
> > > > >            <url-pattern>/attach</url-pattern>
> > > > >            <http-method>DELETE</http-method>
> > > > >            <http-method>POST</http-method>
> > > > >            <http-method>PUT</http-method>
> > > > >        </web-resource-collection>
> > > > >
> > > > >        <auth-constraint>
> > > > >            <role-name>Admin</role-name>
> > > > >            <role-name>Authenticated</role-name>
> > > > >        </auth-constraint>
> > > > > <!--
> > > > >        <user-data-constraint>
> > > > >            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > > >        </user-data-constraint>
> > > > > -->
> > > > >
> > > > >    </security-constraint>
> > > > >
> > > > >    <login-config>
> > > > >        <auth-method>FORM</auth-method>
> > > > >        <form-login-config>
> > > > >            <form-login-page>/LoginForm.jsp</form-login-page>
> > > > >            <form-error-page>/LoginForm.jsp</form-error-page>
> > > > >        </form-login-config>
> > > > >    </login-config>
> > > > >
> > > > >    <security-role>
> > > > >        <description>
> > > > >            This logical role includes all authenticated users
> > > > >        </description>
> > > > >        <role-name>Authenticated</role-name>
> > > > >    </security-role>
> > > > >
> > > > >    <security-role>
> > > > >        <description>
> > > > >            This logical role includes all administrative users
> > > > >        </description>
> > > > >        <role-name>Admin</role-name>
> > > > >    </security-role>
> > > > >
> > > > >
> > > > > Regards,
> > > > > John Pimentel
> > > > >
> > > > > jpimentel@ra.rockwell.com
> > > > > Office  (414) 382-3354
> > > > > Mobile (262) 501-4785
> > > > >
>

Re: ldaps authentication to jspwiki

Posted by Harry Metske <ha...@gmail.com>.
John,

we are currently waiting for our Linux virtual machine where we will host
the new jspwiki.org, that would be the place to share it.
You could wait for it to become available [#1], we will definitely post and
tweet that, but if you don't want to wait for that, you could also post it
on the mail list here.

thanks !

Harry

[1] - https://issues.apache.org/jira/browse/INFRA-5588


On 12 September 2013 17:57, John Pimentel <jp...@ra.rockwell.com> wrote:

> hi Juan Pablo,
>
> I finally resolved my issue, and would like to share my results on the
> Wiki.
> What is the best way for me to contribute it that way, just send the
> details of my finding to the list?
> I don't see a way to participate on the wiki site directly, and the docs
> link (http://doc.jspwiki.org/) seems to be broken.
>
> Regards,
> John Pimentel
>
> jpimentel@ra.rockwell.com
> Office  (414) 382-3354
> Mobile (262) 501-4785
>
>
>
>
> From:        Juan Pablo Santos Rodríguez <ju...@gmail.com>
> To:        user@jspwiki.apache.org
> Date:        08/28/2013 12:30 PM
> Subject:        Re: ldaps authentication to jspwiki
> ------------------------------
>
>
>
> Hello John,
>
> would you mind checking these links:
> - http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/
> - http://mail-archives.apache.org/mod_mbox/incubator-jspwiki-user/201306.mbox/%3CCAMufup7zBdGP-1J9mR4o8DT6CMYLaipDu63DEt7HB5k9d1Pk2w%40mail.gmail.com%3E
> - http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=Ldap%20Integration
>
> The first two discuss a similar issue as yours, but using glassfish and
> OpenDJ. In any case, the ldap configuration might give you a hint. The last
> one is another "Ldap Integration" page, which may be closer to your issue
>
>
> HTH,
> juan pablo
>
>
> On Wed, Aug 28, 2013 at 4:04 PM, John Pimentel <jpimentel@ra.rockwell.com> wrote:
>
> > Thanks Jim, I will try that today
> >
> > Regards,
> > John Pimentel
> >
> > jpimentel@ra.rockwell.com
> > Office  (414) 382-3354
> > Mobile (262) 501-4785
> >
> >
> >
> >
> > From:        Jim Willeke <ji...@willeke.com>
> > To:        user@jspwiki.apache.org
> > Date:        08/27/2013 05:35 PM
> > Subject:        Re: ldaps authentication to jspwiki
> > ------------------------------
> >
> >
> >
> > You might try removing the:
> > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> >
> > and use (what I am using):
> >
> >                                userBase="ou=people,dc=mydomain,dc=com"
> >                                userSearch="(uid={0})"
> >                                userSubtree="true"
> >
> > We found the LDAP search to be much more flexible using this than the
> > pattern matching.
> > You should also be able to get some error from tomcat if it is failing.
> > You can turn on access logging:
> > http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Access_Logs
> >
> >
> > If you drop the LDAPS, you might also get a trace. (Not sure if SUN can
> > show the ldap requests) but tcpdump (or wireshark) will.
> >
> >
> > --
> > -jim
> > Jim Willeke
> >
> >
> > On Tue, Aug 27, 2013 at 1:18 PM, John Pimentel <jpimentel@ra.rockwell.com> wrote:
> >
> > >
> > > Hi Jim,
> > >
> > > Thanks for the response.
> > >
> > > We are using Sun LDAP.  Let me give you an example from my user account.
> > > Under my group container
> > > cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com
> > > I have an attribute called uniqueMember.
> > > The value for my account is as follows:
> > > uid=JPimen,ou=people,dc=mydomain,dc=com
> > >
> > > I of course substituted our actual domain for mydomain in this example, but
> > > everything else is verbatim.
> > >
> > > So our groups are named by cn but the users are named by uid.
> > >
> > > Unfortunately our LDAP server will not accept anything other than ldaps
> > > connections, so I am stuck there.
> > >
> > > Also if you have any recommendation on how to enable security specific
> > > debug I would appreciate that.
> > >
> > > I found what appears to be a log level entry in my jspwiki.properties file.
> > > I changed
> > > log4j.rootCategory=INFO,FileLog
> > > To read
> > > log4j.rootCategory=DEBUG,FileLog
> > >
> > > Now, I do see debug entries in the /web1/dyscq/tomcat/logs/jspwiki.log
> > > file, but no entries appear when I try (and fail) to log in.
> > >
> > > Thanks again for any ideas.
> > >
> > > Regards,
> > > John Pimentel
> > >
> > > jpimentel@ra.rockwell.com
> > > Office  (414) 382-3354
> > > Mobile (262) 501-4785
> > >
> > >
> > >
> > >
> > > From:   Jim Willeke <ji...@willeke.com>
> > > To:     user@jspwiki.apache.org
> > > Date:   08/27/2013 03:40 AM
> > > Subject:        Re: ldaps authentication to jspwiki
> > >
> > >
> > >
> > > I would guess, as you show no information on your LDAP setup, this line is
> > > wrong:
> > > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > >
> > > Are your users named by uid or cn?
> > > You show roles as named by cn and since you show dc=,dc= I would guess this
> > > is AD
> > >
> > > Also, try using LDAP vs LDAPS to help troubleshoot.
> > >
> > > -jim
> > >
> > > --
> > > -jim
> > > Jim Willeke
> > >
> > >
> > > On Mon, Aug 26, 2013 at 10:47 AM, John Pimentel <jp...@ra.rockwell.com> wrote:
> > >
> > > >
> > > > Greetings,
> > > >
> > > > I am having difficulties getting LDAPS authentication to work and I think I
> > > > must be missing some fundamental configuration.
> > > >
> > > > My current state is that the Site loads and displays content properly, but
> > > > when I go to edit content or I select the log in page directly, my LDAP
> > > > credentials do not authenticate, and I am repeatedly presented with a login
> > > > page.
> > > >
> > > > I used the following information as my "How To" for this effort.
> > > > http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
> > > >
> > > > This article is very good but appears to be incomplete.
> > > >
> > > > I have done the following configuration to get ldaps to work:
> > > >
> > > > 1. I have a previously configured LDAP Server and I stored /trusted the
> > > > cert for this Sun LDAP server into the central java keystore using this
> > > > command:
> > > > /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap
> > > > -file /web1/sst/dysc/content/CA-RA-v3.crt
> > > > -keystore /usr/lib64/jvm/jre/lib/security/cacerts
> > > >
> > > > 2. I have configured the realm and sorted out all the log errors using the
> > > > following realm in the server.xml file.  I believe tomcat is successfully
> > > > connecting to my LDAP server.
> > > >
> > > >       <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > >              connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
> > > >              connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
> > > >              connectionPassword="[Password]"
> > > >              userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > > >              roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
> > > >              roleSubtree="true"
> > > >              roleName="cn"
> > > >              roleSearch="(uniqueMember={0})"
> > > >       />
> > > >
> > > > 3. I uncommented the "CONTAINER-MANAGED AUTH" section
> > > > from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml
> > > >
> > > > There is a section at the bottom that says "Update JSPWiki security policy"
> > > > If you would like to set permissions to LDAP groups, you can simply add
> > > > policy entries on authorize.Role. The following is an entry for wiki-admin
> > > > group (from LDAP).
> > > > grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
> > > >     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > > > };
> > > >
> > > > I'm thinking it might go into web.xml, but I am not sure of that..
> > > >
> > > > this section of the xml looks like this:
> > > >
> > > >    <security-constraint>
> > > >        <web-resource-collection>
> > > >            <web-resource-name>Authenticated area</web-resource-name>
> > > >            <url-pattern>/Edit.jsp</url-pattern>
> > > >            <url-pattern>/Comment.jsp</url-pattern>
> > > >            <url-pattern>/Login.jsp</url-pattern>
> > > >            <url-pattern>/NewGroup.jsp</url-pattern>
> > > >            <url-pattern>/Rename.jsp</url-pattern>
> > > >            <url-pattern>/Upload.jsp</url-pattern>
> > > >            <http-method>DELETE</http-method>
> > > >            <http-method>GET</http-method>
> > > >            <http-method>HEAD</http-method>
> > > >            <http-method>POST</http-method>
> > > >            <http-method>PUT</http-method>
> > > >        </web-resource-collection>
> > > >
> > > >        <web-resource-collection>
> > > >            <web-resource-name>Read-only Area</web-resource-name>
> > > >            <url-pattern>/attach</url-pattern>
> > > >            <http-method>DELETE</http-method>
> > > >            <http-method>POST</http-method>
> > > >            <http-method>PUT</http-method>
> > > >        </web-resource-collection>
> > > >
> > > >        <auth-constraint>
> > > >            <role-name>Admin</role-name>
> > > >            <role-name>Authenticated</role-name>
> > > >        </auth-constraint>
> > > > <!--
> > > >        <user-data-constraint>
> > > >            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > >        </user-data-constraint>
> > > > -->
> > > >
> > > >    </security-constraint>
> > > >
> > > >    <login-config>
> > > >        <auth-method>FORM</auth-method>
> > > >        <form-login-config>
> > > >            <form-login-page>/LoginForm.jsp</form-login-page>
> > > >            <form-error-page>/LoginForm.jsp</form-error-page>
> > > >        </form-login-config>
> > > >    </login-config>
> > > >
> > > >    <security-role>
> > > >        <description>
> > > >            This logical role includes all authenticated users
> > > >        </description>
> > > >        <role-name>Authenticated</role-name>
> > > >    </security-role>
> > > >
> > > >    <security-role>
> > > >        <description>
> > > >            This logical role includes all administrative users
> > > >        </description>
> > > >        <role-name>Admin</role-name>
> > > >    </security-role>
> > > >
> > > >
> > > > Regards,
> > > > John Pimentel
> > > >
> > > > jpimentel@ra.rockwell.com
> > > > Office  (414) 382-3354
> > > > Mobile (262) 501-4785
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
> >
>
>
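
Added example, not part of the thread or of Tomcat/JSPWiki code: a simplified Python model of the three checks the quoted configuration chains together (userPattern bind, roleSearch lookup, web.xml auth-constraint), showing which failure returns the login form and which returns a 403. The directory entries, passwords and the helper names norm and login are constructed for illustration; only the Realm attributes and the two role names come from the post.

```python
import xml.etree.ElementTree as ET

# Realm attributes from the post (connection settings left out).
REALM_XML = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    userPattern="uid={0},ou=people,dc=mydomain,dc=com"
    roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
    roleSubtree="true" roleName="cn" roleSearch="(uniqueMember={0})"/>"""
REQUIRED_ROLES = {"Admin", "Authenticated"}  # <auth-constraint> in the posted web.xml

# Constructed directory: user DN -> password; group DN -> attributes.
USERS = {"uid=jdoe,ou=people,dc=mydomain,dc=com": "s3cret",
         "cn=Ann Lee,ou=people,dc=mydomain,dc=com": "pw"}
GROUPS = {
    "cn=Authenticated,ou=Control-M,ou=group,dc=mydomain,dc=com": {
        "cn": "Authenticated",
        "uniqueMember": ["uid=jdoe,ou=people,dc=mydomain,dc=com"]},
    "cn=ops,ou=Control-M,ou=group,dc=mydomain,dc=com": {
        "cn": "ops",
        "uniqueMember": ["cn=Ann Lee,ou=people,dc=mydomain,dc=com"]},
}

def norm(dn):
    """Case- and whitespace-insensitive DN comparison key (simplified)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def login(username, password, realm_xml=REALM_XML):
    """Return (outcome, user_dn, roles) for one FORM login attempt."""
    realm = ET.fromstring(realm_xml).attrib
    # 1. userPattern maps the typed name to the DN the realm binds as.
    user_dn = realm["userPattern"].replace("{0}", username)
    known = {norm(dn): pw for dn, pw in USERS.items()}
    if known.get(norm(user_dn)) != password:
        return "login form again", user_dn, set()   # bind failed
    # 2. roleSearch ({0} = user DN) below roleBase; roleName names the role.
    member_attr = realm["roleSearch"].strip("()").split("=")[0]
    base = norm(realm["roleBase"])
    roles = {g[realm["roleName"]] for dn, g in GROUPS.items()
             if norm(dn).endswith(base)
             and norm(user_dn) in map(norm, g.get(member_attr, []))}
    # 3. web.xml auth-constraint: at least one required role must match.
    outcome = "access granted" if roles & REQUIRED_ROLES else "403 forbidden"
    return outcome, user_dn, roles

if __name__ == "__main__":
    print(login("jdoe", "s3cret"))
    print(login("Ann Lee", "pw"))
    print(login("Ann Lee", "pw", REALM_XML.replace("uid={0}", "cn={0}")))
```

A user whose entry is named by cn never gets past step 1 with a uid pattern, which matches the repeated login page; once the bind succeeds, a group cn that is not Admin or Authenticated fails at step 3 instead.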