Posted to slide-user@jakarta.apache.org by Dmitry Beransky <db...@ucsd.edu> on 2001/12/06 05:18:57 UTC
problems authenticating against LDAP
Hi,
I'm trying to configure canned slide server to authenticate against an
LDAP. I've added the JNDI realm to the local host server of the Catalina
engine in server.xml file:
<Engine name="Catalina" defaultHost="localhost" debug="0">
  <Host name="localhost" debug="0" appBase="webapps" unpackWARs="false"
        configPath="slide" className="wrappers.catalina.SlideHost">
    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionName="cn=Manager,dc=prod,dc=domain,dc=com"
           connectionPassword="****************"
           connectionURL="ldap://prod.domain.com:389"
           roleBase="dc=roles,dc=roles,dc=prod,dc=domain,dc=com"
           roleName="cn"
           roleSearch="(uniqueMember={0})"
           roleSubtree="true"
           userPassword="userPassword"
           userPattern="cn={0},dc=users,dc=prod,dc=domain,dc=com"
           digest="SHA"
    />
.....
When the server starts up I can see it hit the LDAP server asking for info
on the connectionName entity. Then I point the browser to the slide
domain, I get the expected authentication dialog box, but when I enter
user/password combo, nothing happens. I don't see any activity on the LDAP
server at all. But there is an error in the log file:
Slide realm[/slide]: User null doesn't have his password property set : can't authenticate
Any ideas as to what I'm doing wrong?
Thanks
Dmitry
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
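Added example (not part of the original thread, and not Slide or Tomcat code): a small Python audit of the server.xml fragment posted above. It flags a Realm nested under wrappers.catalina.SlideHost, which the replies in this thread say is overridden by the SlideRealm set on each context, plus three hardening checks on the JNDIRealm attributes that are this example's own heuristics. The sample XML is the posted fragment trimmed and closed so that it parses; audit_realms and the check names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the post, role attributes trimmed and
# the tags closed so it parses (the original elides the rest with ".....").
SERVER_XML = """\
<Engine name="Catalina" defaultHost="localhost" debug="0">
 <Host name="localhost" debug="0" appBase="webapps" unpackWARs="false"
       configPath="slide" className="wrappers.catalina.SlideHost">
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionName="cn=Manager,dc=prod,dc=domain,dc=com"
         connectionPassword="****************"
         connectionURL="ldap://prod.domain.com:389"
         userPassword="userPassword"
         userPattern="cn={0},dc=users,dc=prod,dc=domain,dc=com"
         digest="SHA"/>
 </Host>
</Engine>
"""
SLIDE_HOST = "wrappers.catalina.SlideHost"  # class name as given in the thread

def audit_realms(xml_text):
    """Return (check_id, message) findings for every <Realm> element."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for realm in root.iter("Realm"):
        name = realm.get("className", "?").rsplit(".", 1)[-1]
        node = realm
        while node in parent_of:          # walk up towards <Engine>
            node = parent_of[node]
            if node.get("className") == SLIDE_HOST:
                findings.append(("shadowed", f"{name} is declared under "
                    "SlideHost, which sets SlideRealm on each context"))
                break
        if realm.get("connectionURL", "").lower().startswith("ldap://"):
            findings.append(("cleartext-ldap", f"{name} binds over ldap:// "
                "without TLS; credentials cross the network unencrypted"))
        if realm.get("connectionName", "").lower().startswith("cn=manager,"):
            findings.append(("privileged-bind", f"{name} binds as a Manager "
                "DN; use an account with only the read access it needs"))
        if realm.get("digest", "").upper() in ("MD5", "SHA", "SHA-1"):
            findings.append(("weak-digest", f"{name} compares passwords "
                "using a fast unsalted digest"))
    return findings

if __name__ == "__main__":
    for check_id, message in audit_realms(SERVER_XML):
        print(f"[{check_id}] {message}")
```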
Re: problems authenticating against LDAP
Posted by Dmitry Beransky <db...@dembel.org>.
>At 10:39 PM 12/5/2001, Remy Maucherat wrote:
>
>Well, the problem is that the SlideHost is very aggressive about setting a
>SlideRealm on each of the contexts. I'm not too sure about what happens,
>though.
Remy,
After almost a week of digging through the mailing list and source code, I
finally understood the ramifications of what you said: since SlideHost
explicitly sets SlideRealm on each context and the specificity of that
setting is much higher than whatever I can set within server.xml (engine or
host level realm), slide can never use JNDIRealm or any other realm for
that matter.
What's the work-around? Does SlideHost really need to be so aggressive in
setting realm handlers?
Thanks
Dmitry
Re: How to 'separate' users ?
Posted by Remy Maucherat <re...@apache.org>.
> Remy Maucherat wrote:
>
> Thanks for the response
>
> But how can Slide make the difference between /users/companyA/login and
> /users/companyB/login when the user authenticates itself as login ?
My mistake, the login would also be companyA/login (a bit like what is used
for the logins to the ISPs in France) ...
I don't see how it could be done without that, since the WebdavServlet has
no way to know in which company the user works by just looking at his login
name (except maybe doing some guesses using getRemoteHost).
> And for the first solution, I can not understand how a node is
> associated with a given namespace without a 'namespace' field in the
> 'objects' table for JDBCStore.
Well, with the current JDBC store, it's supposed to be in a separate
database.
Remy
Re: How to 'separate' users ?
Posted by Jean-Philippe Courson <co...@noos.fr>.
Remy Maucherat wrote:
>>Hi,
>>
>>Here is my need : I want to use Slide to manage content for several
>>companies and I can not just create SubjectNodes having uri like
>>/users/login because I would be exposed to login conflicts between
>>companies.
>>
>>That is why I would like to know if there is a way with Slide to 'separate'
>>users to avoid this type of conflict.
>>
>>I would like to be able to do this without having to change Slide's
>>config or restart Tomcat.
>>
>
> To get a real separation, I'd say you should create a separate namespace.
>
> If you don't want to do that, you can also do something like:
> /users/companyA/login
> /users/companyB/login
>
> Remy
>
Thanks for the response
But how can Slide make the difference between /users/companyA/login and
/users/companyB/login when the user authenticates itself as login ?
And for the first solution, I can not understand how a node is
associated with a given namespace without a 'namespace' field in the
'objects' table for JDBCStore.
I must have missed something
Regards
JP
Re: How to 'separate' users ?
Posted by Remy Maucherat <re...@apache.org>.
> Hi,
>
> Here is my need : I want to use Slide to manage content for several
> companies and I can not just create SubjectNodes having uri like
> /users/login because I would be exposed to login conflicts between
> companies.
>
> That is why I would like to know if there is a way with Slide to 'separate'
> users to avoid this type of conflict.
>
> I would like to be able to do this without having to change Slide's
> config or restart Tomcat.
To get a real separation, I'd say you should create a separate namespace.
If you don't want to do that, you can also do something like:
/users/companyA/login
/users/companyB/login
Remy
How to 'separate' users ?
Posted by Jean-Philippe Courson <co...@noos.fr>.
Hi,
Here is my need : I want to use Slide to manage content for several
companies and I can not just create SubjectNodes having uri like
/users/login because I would be exposed to login conflicts between
companies.
That is why I would like to know if there is a way with Slide to 'separate'
users to avoid this type of conflict.
I would like to be able to do this without having to change Slide's
config or restart Tomcat.
Any help would be appreciated
JP
Re: problems authenticating against LDAP
Posted by Dmitry Beransky <db...@ucsd.edu>.
Does this mean that I can't have slide use anything but its own
realm? This doesn't sound right. I thought I've seen other people on this
list use non-slide realms (e.g. JDBCRealm).
Dmitry
At 10:39 PM 12/5/2001, Remy Maucherat wrote:
>Well, the problem is that the SlideHost is very aggressive about setting a
>SlideRealm on each of the contexts. I'm not too sure about what happens,
>though.
>
>Remy
> > Hi,
> >
> > I'm trying to configure canned slide server to authenticate against an
> > LDAP. I've added the JNDI realm to the local host server of the Catalina
> > engine in server.xml file:
> >
> > <Engine name="Catalina" defaultHost="localhost" debug="0">
> >   <Host name="localhost" debug="0" appBase="webapps" unpackWARs="false"
> >         configPath="slide" className="wrappers.catalina.SlideHost">
> >     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
> >            connectionName="cn=Manager,dc=prod,dc=domain,dc=com"
> >            connectionPassword="****************"
> >            connectionURL="ldap://prod.domain.com:389"
> >            roleBase="dc=roles,dc=roles,dc=prod,dc=domain,dc=com"
> >            roleName="cn"
> >            roleSearch="(uniqueMember={0})"
> >            roleSubtree="true"
> >            userPassword="userPassword"
> >            userPattern="cn={0},dc=users,dc=prod,dc=domain,dc=com"
> >            digest="SHA"
> >     />
> > .....
> >
> > When the server starts up I can see it hit the LDAP server asking for info
> > on the connectionName entity. Then I point the browser to the slide
> > domain, I get the expected authentication dialog box, but when I enter
> > user/password combo, nothing happens. I don't see any activity on the LDAP
> > server at all. But there is an error in the log file:
> >
> > Slide realm[/slide]: User null doesn't have his password property set : can't authenticate
> >
> > Any ideas as to what I'm doing wrong?
Re: problems authenticating against LDAP
Posted by Remy Maucherat <re...@apache.org>.
> Hi,
>
> I'm trying to configure canned slide server to authenticate against an
> LDAP. I've added the JNDI realm to the local host server of the Catalina
> engine in server.xml file:
>
> <Engine name="Catalina" defaultHost="localhost" debug="0">
>   <Host name="localhost" debug="0" appBase="webapps" unpackWARs="false"
>         configPath="slide" className="wrappers.catalina.SlideHost">
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>            connectionName="cn=Manager,dc=prod,dc=domain,dc=com"
>            connectionPassword="****************"
>            connectionURL="ldap://prod.domain.com:389"
>            roleBase="dc=roles,dc=roles,dc=prod,dc=domain,dc=com"
>            roleName="cn"
>            roleSearch="(uniqueMember={0})"
>            roleSubtree="true"
>            userPassword="userPassword"
>            userPattern="cn={0},dc=users,dc=prod,dc=domain,dc=com"
>            digest="SHA"
>     />
> .....
>
> When the server starts up I can see it hit the LDAP server asking for info
> on the connectionName entity. Then I point the browser to the slide
> domain, I get the expected authentication dialog box, but when I enter
> user/password combo, nothing happens. I don't see any activity on the LDAP
> server at all. But there is an error in the log file:
>
> Slide realm[/slide]: User null doesn't have his password property set : can't authenticate
>
> Any ideas as to what I'm doing wrong?
Well, the problem is that the SlideHost is very aggressive about setting a
SlideRealm on each of the contexts. I'm not too sure about what happens,
though.
The WebDAV servlet calls getUserPrincipal to get a Principal object
representing the authenticated principal. Here, it doesn't look like it
worked.
Remy