Posted to jetspeed-dev@portals.apache.org by Eivinn Hustveit <ei...@fortiden.com> on 2006/03/08 19:05:36 UTC

Jetspeed LDAP

From: eivinn@fortiden.com
Subject: Jetspeed2 LDAP
Date: 8 March 2006 4:41:50 PM
To: jetspeed-dev@portals.apache.org

Hi,

We are currently trying to merge our Jetspeed2-M3 server over to
Jetspeed2.0-Final and OpenLDAP. Currently we have gotten Jetspeed to
use user authentication through LDAP.

Our steps to get this far were installing Jetspeed2 with the installer,
fixing up jetspeed.war from that server to include LDAP-specific
assembly files, and deploying on our Linux server.

The latest advancement is adding LdapGroupSecurityHandler to security- 
spi-atz.xml but this is somewhat unsuccessful. When using Group  
Manager to add a new group I get the exception:
-----
javax.naming.directory.SchemaViolationException: [LDAP: error code 65  
- object class 'jetspeed-2-group' requires attribute 'uniqueMember'];  
remaining name 'uid=ldap_eivinn,ou=groups'
-----

I have also been reading up on the LDAP threads from 3rd of February  
which seem to conclude that by using the Jetspeed source we could get  
full LDAP support. Is this correct? Will the  
LdapSecurityMappingHandler etc be used with LDAP for groups, roles,  
and encrypted user authentication if I build Jetspeed from source?  
Are there any steps to produce the same result with a patch?



Sincerely

Eivinn Hustveit
System Manager		
http://www.mobiletech.no


Re: Jetspeed LDAP error

Posted by Marky Goldstein <re...@rosa.com>.
Hi Eivinn,

Actually I am not the programmer behind LDAP in
Jetspeed, but I am currently reading a book on Java
LDAP programming, so my knowledge is completely
theoretical...

What I read from the message:
"Unable to create the role"

"object class 'jetspeed-2-group' requires attribute 'uniqueMember'"

In the object class definition it says that there must be an attribute
"uniqueMember", and I guess the value of this field must also be given
when creating the "jetspeed-2-group" object class.

Also, the uid=admin_group looks a bit strange...
is admin_group a group or a user?

Also look into the class which throws the exception:
org.apache.jetspeed.security.impl.GroupManagerImpl

Best regards,
Marky





-- 
R.Ø.S.A.
Identity: Marky Goldstein
E-Mail: ready@rosa.com
Task: Managing Director, Product & Strategy

R.Ø.S.A. Creation. Technology. Intelligence. AG
Seefeldstrasse 231, 8008 Zurich, Switzerland
Phone: +41 1 389 63 33
Fax: +41 1 389 63 30
URL: http://www.rosa.com/ 



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Re: Jetspeed LDAP

Posted by Eivinn Hustveit <ei...@fortiden.com>.
Hi Marky,

Thanks for answering!

We have only used the jetspeed.schema from HEAD so it should not have  
any problems to my knowledge. Could it be due to a not fully  
implemented LdapGroupSecurityHandler in the 2.0 installer?

Here is a small bit of jetspeed.log:
-------
2006-03-09 10:30:21,934 [http-11080-Processor25] ERROR org.apache.jetspeed.security.impl.GroupManagerImpl - Unable to create the role.
org.apache.jetspeed.security.SecurityException: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'jetspeed-2-group' requires attribute 'uniqueMember']; remaining name 'uid=admin_group,ou=groups'
        at org.apache.jetspeed.security.spi.impl.ldap.LdapPrincipalDaoImpl.create(LdapPrincipalDaoImpl.java:113)
        at org.apache.jetspeed.security.spi.impl.LdapGroupSecurityHandler.setGroupPrincipal(LdapGroupSecurityHandler.java:133)
        at org.apache.jetspeed.security.impl.GroupManagerImpl.addGroup(GroupManagerImpl.java:115)
-------

As for included schemas, this is the list from slapd.conf:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/jetspeed.schema


Any pointers would be very much appreciated.


Sincerely

Eivinn Hustveit
System Manager		
http://www.mobiletech.no





Re: Jetspeed LDAP

Posted by Marky Goldstein <re...@rosa.com>.
Hi Eivinn,

As the exception says, there is a schema violation... did somebody or
something change the schema? Read about LDAP schemas and you might
be able to understand.

Best regards,
Marky Goldstein





Re: Jetspeed LDAP (error)

Posted by Raphaël Luta <ra...@apache.org>.
Eivinn Hustveit wrote:
> Thanks Raphaël and Marky!
> 
> This almost worked... I tried to remove cn from MUST in core.schema as
> well:
> 
> objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
>         DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
>         SUP top STRUCTURAL
>         MAY ( uniqueMember $ businessCategory $ cn $ seeAlso $ owner $ ou $ o $ description ) )
> 
> A group is then inserted into the LDAP directory (verified in
> JXplorer). The problem now is that while Jetspeed lists the group (ex:
> ldap_admin_group), which I just created, it keeps telling me that "The
> group ldap_admin_group does not exist." when I try to add a user to the
> group.
> 

If the groups are keyed on uid in the DN, i.e. uid=mygroup,ou=groups, you need
to make sure the group objectClass allows the uid attribute for this group.

You need to add uid to the MAY section of the group objectclass definition.

-- 
Raphaël Luta - raphael@apache.org
Apache Portals - Enterprise Portal in Java
http://portals.apache.org/



Re: Jetspeed LDAP (error)

Posted by Eivinn Hustveit <ei...@fortiden.com>.
Thanks Raphaël and Marky!

This almost worked... I tried to remove cn from MUST in core.schema
as well:

objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
        DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
        SUP top STRUCTURAL
        MAY ( uniqueMember $ businessCategory $ cn $ seeAlso $ owner $ ou $ o $ description ) )

A group is then inserted into the LDAP directory (verified in
JXplorer). The problem now is that while Jetspeed lists the group (ex:
ldap_admin_group), which I just created, it keeps telling me that "The
group ldap_admin_group does not exist." when I try to add a user to
the group.

I also tried to add the group name to the cn field as indicated in
the original schema file, but that does not help. After the change to
groupOfUniqueNames I end up with 3x objectClass and 1x uid as the
only required attribute of the groups element in OpenLDAP.

I would like to try out Jetspeed 2.1-Dev to see if that version is
compatible but I keep running into trouble when trying to run
(jetspeed.version=2.0 in build.properties):

maven -DartifactId=maven-jetspeed2-plugin -DgroupId=org.apache.portals.jetspeed-2 -Dversion=2.0 plugin:download

where the build cannot continue because of the unsatisfied dependency
jetspeed-webapp-logging-2.0.jar. If I try to use jetspeed.version=2.1-Dev
it fails on all org.apache.portals.jetspeed-2 downloads because
it cannot find any 2.1-Dev versions.

At this point I'm uncertain how to approach the situation as I cannot  
get any further with my current class-files nor can I build the 2.1- 
Dev branch at this point.

As always any pointers would be appreciated.


Sincerely

Eivinn Hustveit
System Manager
http://www.mobiletech.no



Re: Jetspeed LDAP

Posted by Raphaël Luta <ra...@apache.org>.
Eivinn Hustveit wrote:
>     From:       eivinn@fortiden.com
>     Subject:     Jetspeed2 LDAP
>     Date:     8 March 2006 4:41:50 PM
>     To:       jetspeed-dev@portals.apache.org
> 
> Hi,
> 
> We are currently trying to merge our Jetspeed2-M3 server over to 
> Jetspeed2.0-Final and OpenLDAP. Currently we have gotten Jetspeed to 
> use user authentication through LDAP.
> 
> -----
> javax.naming.directory.SchemaViolationException: [LDAP: error code 65  -
> object class 'jetspeed-2-group' requires attribute 'uniqueMember']; 
> remaining name 'uid=ldap_eivinn,ou=groups'
> -----
> 

The above error message indicates that your LDAP server always wants
at least one member in a group. You've tried to create an empty group,
hence the message. I believe the jetspeed-2-group objectclass inherits
this definition from the core groupOfUniqueNames objectclass, so you have
2 solutions:
- either follow the schema and always have at least 1 member in a given
group
- or modify the core OpenLDAP schema and change the groupOfUniqueNames
definition in your core.schema to:

objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
        DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
        SUP top STRUCTURAL
        MUST ( cn )
        MAY ( uniqueMember $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

(ie move the uniqueMember attribute from MUST to MAY)

After restarting your LDAP server, everything should work.

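Added example, not from this thread or from the Jetspeed project: a small Python checker that parses OpenLDAP objectclass definitions and validates an entry against the MUST/MAY attributes collected through the SUP chain, which is the check behind LDAP error code 65 above. It covers both of Raphaël's points at once: with the stock RFC 2256 groupOfUniqueNames, an empty group fails on uniqueMember, and a group whose DN is uid=...,ou=groups additionally needs some object class that permits uid. The 'jetspeed-2-group' definition, its placeholder OID, the entry contents and the member DN are assumptions; the real jetspeed.schema is not on the page, so the exact attribute set it contributes may differ.

```python
"""Validate LDAP entries against OpenLDAP objectclass definitions (MUST/MAY
with SUP inheritance), reproducing the "object class ... requires attribute"
check that slapd applies when an entry is added."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample schema (not copied from any real jetspeed.schema):
#  - 'top' is the standard abstract root class.
#  - 'groupOfUniqueNames' is the RFC 2256 definition from OpenLDAP core.schema
#    as quoted in the thread (uniqueMember and cn are MUST).
#  - 'jetspeed-2-group' is an ASSUMPTION: the thread says it inherits from
#    groupOfUniqueNames; the OID below is a placeholder, not a registered one.
STOCK_SCHEMA = """
objectclass ( 2.5.6.0 NAME 'top'
        DESC 'top of the superclass chain'
        ABSTRACT
        MUST objectClass )

objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
        DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
        SUP top STRUCTURAL
        MUST ( uniqueMember $ cn )
        MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'jetspeed-2-group'
        DESC 'ASSUMED Jetspeed 2 group class (placeholder OID)'
        SUP groupOfUniqueNames STRUCTURAL )
"""

# Raphael's edit applied to groupOfUniqueNames: uniqueMember moved from MUST to
# MAY (empty groups allowed) and uid added to MAY so that an entry whose DN is
# 'uid=<name>,ou=groups' is schema-legal. Later definitions override earlier ones.
PATCHED_GROUP = """
objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
        DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
        SUP top STRUCTURAL
        MUST ( cn )
        MAY ( uniqueMember $ uid $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
"""


def _definitions(text: str) -> List[str]:
    """Return the body of every 'objectclass ( ... )' block, balancing parentheses
    so a ')' inside the DESC string does not terminate the block early."""
    bodies: List[str] = []
    pos = 0
    while True:
        m = re.search(r"objectclass\s*\(", text[pos:], re.I)
        if not m:
            return bodies
        start = pos + m.end()
        depth, i = 1, start
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[start:i - 1])
        pos = i


def _names(body: str, keyword: str) -> Set[str]:
    """Attribute list after MUST or MAY: either a bare name or '( a $ b $ c )'.
    LDAP attribute names are case-insensitive, so everything is lower-cased."""
    m = re.search(rf"\b{keyword}\s+(?:\(\s*([^)]*)\)|([\w;-]+))", body)
    if not m:
        return set()
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return {a.strip().lower() for a in raw.split("$") if a.strip()}


class Schema:
    """name -> (superclass, MUST set, MAY set), built from one or more schema texts."""

    def __init__(self, *texts: str) -> None:
        self.classes: Dict[str, Tuple[Optional[str], Set[str], Set[str]]] = {}
        for text in texts:
            for body in _definitions(text):
                body = re.sub(r"DESC\s+'[^']*'", "", body)  # DESC may contain keywords
                name_m = re.search(r"NAME\s+'([^']+)'", body)
                if not name_m:
                    continue
                sup_m = re.search(r"\bSUP\s+'?([\w-]+)'?", body)
                sup = sup_m.group(1).lower() if sup_m else None
                self.classes[name_m.group(1).lower()] = (sup, _names(body, "MUST"), _names(body, "MAY"))

    def _chain(self, oc: str) -> List[str]:
        chain: List[str] = []
        cur: Optional[str] = oc.lower()
        while cur is not None:
            if cur not in self.classes:
                raise KeyError(cur)
            chain.append(cur)
            cur = self.classes[cur][0]
        return chain

    def must(self, oc: str) -> Set[str]:
        return set().union(*(self.classes[c][1] for c in self._chain(oc)))

    def may(self, oc: str) -> Set[str]:
        return set().union(*(self.classes[c][2] for c in self._chain(oc)))


def validate(schema: Schema, entry: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (kind, name) pairs: ('missing', attr) for a MUST attribute with no
    value, ('not_allowed', attr) for an attribute no object class permits, and
    ('unknown_class', oc) for an objectClass value the schema does not define."""
    attrs = {k.lower(): [v for v in vals if v] for k, vals in entry.items()}
    required: Set[str] = set()
    allowed: Set[str] = {"objectclass"}
    problems: List[Tuple[str, str]] = []
    for oc in attrs.get("objectclass", []):
        try:
            required |= schema.must(oc)
            allowed |= schema.may(oc)
        except KeyError:
            problems.append(("unknown_class", oc))
    allowed |= required
    problems += [("missing", a) for a in sorted(required) if not attrs.get(a)]
    problems += [("not_allowed", a) for a in sorted(attrs) if a not in allowed]
    return problems


# Constructed entry mirroring the DN from the thread's error message.
EMPTY_GROUP: Dict[str, List[str]] = {
    "objectClass": ["top", "groupOfUniqueNames", "jetspeed-2-group"],
    "uid": ["admin_group"],  # RDN attribute Jetspeed uses for groups
    "cn": ["admin_group"],
}


def demo_stock_empty_group() -> List[Tuple[str, str]]:
    """What the unmodified core.schema says about an empty, uid-keyed group."""
    return validate(Schema(STOCK_SCHEMA), EMPTY_GROUP)


def demo_stock_with_member() -> List[Tuple[str, str]]:
    """Option 1 from the thread: keep the schema and never create an empty group.
    The member DN is an assumed value."""
    entry = dict(EMPTY_GROUP, uniqueMember=["uid=admin,ou=people"])
    return validate(Schema(STOCK_SCHEMA), entry)


def demo_patched_empty_group() -> List[Tuple[str, str]]:
    """Option 2: uniqueMember moved to MAY and uid added to MAY."""
    return validate(Schema(STOCK_SCHEMA, PATCHED_GROUP), EMPTY_GROUP)


if __name__ == "__main__":
    for demo in (demo_stock_empty_group, demo_stock_with_member, demo_patched_empty_group):
        print(f"{demo.__name__}: {demo() or 'OK'}")
```

The validator lists every violation at once, whereas the server message in the thread names only uniqueMember; that is why clearing one violation can immediately surface the uid one Raphaël describes. Before editing core.schema, check what the running server actually enforces with `ldapsearch -x -b cn=Subschema -s base '(objectClass=subschema)' objectClasses` and look at the groupOfUniqueNames and jetspeed-2-group lines it returns. Bear in mind that relaxing the RFC 2256 definition in core.schema relaxes it for every application that shares that directory; putting uid (and, if empty groups are required, a relaxed member rule) into the Jetspeed-specific class instead keeps the change scoped to Jetspeed's own entries.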