Posted to users@jackrabbit.apache.org by Salinas, Jesús <js...@indra.es> on 2011/01/07 09:39:07 UTC

Ldap permissions

Hello all.

I want to synchronize my jackrabbit application with an ldap authentication directory.

I have configured the security module of my repository.xml in this way:

<Security appName="Jackrabbit">
    <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager" workspaceName="security">
        <!--
        workspace access:
        class: FQN of class implementing the WorkspaceAccessManager interface
        -->
        <!-- <WorkspaceAccessManager class="..."/> -->
        <!-- <param name="config" value="${rep.home}/security.xml"/> -->
    </SecurityManager>

    <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager">
        <!-- <param name="config" value="${rep.home}/access.xml"/> -->
    </AccessManager>

    <LoginModule class="com.sun.security.auth.module.LdapLoginModule">
        <param name="userProvider" value="ldap://maquinaldap:10389/"/>
        <param name="authIdentity" value="uid={USERNAME}, ou=users, ou=system" />
        <param name="useSSL" value="false" />
    </LoginModule>
</Security>

I managed to access ldap without problems, but now my problems are related to permissions.

I have three workspaces, and the users of the ldap do not have permission to access these workspaces.

How can I configure the permission for the ldap users?

Must I create a custom AccessManager?

How can I indicate an admin or system user for the ldap users?


Thanks and regards.



________________________________

This email and any file attached to it (when applicable) contain(s) confidential information that is exclusively addressed to its recipient(s). If you are not the indicated recipient, you are informed that reading, using, disseminating and/or copying it without authorisation is forbidden in accordance with the legislation in effect. If you have received this email by mistake, please immediately notify the sender of the situation by resending it to their email address.
Avoid printing this message if it is not absolutely necessary.

Re: Ldap permissions

Posted by Angela Schreiber <an...@adobe.com>.
hi

> I managed to access ldap without problems, but now my problems are related to permissions.
>
> I have three workspaces, and the users of the ldap do not have permission to access these workspaces.

that's probably due to the default workspace-access-manager present
by default which requires that the root node is accessible by means
of the regular access control evaluation... you may change that
by configuring another workspace-accesscontrol-manager that fits your
needs or make sure the permissions defined/evaluated in the repository
apply to your users.

> How can I configure the permission for the ldap users?
> Must I create a customAccessManager?

you can, but you don't have to... if you want to use the access control
model present with jackrabbit, you have to make sure that you create
(and configure) a PrincipalProvider implementation that maps your
ldap users to principals used in the access control editing.

> How can I indicate an admin or system user for the ldap users?

that depends on your access manager. if you are using the default
access control model present with jackrabbit, it should be sufficient
during the login-process in the loginmodule to populate the subject
with an AdminPrincipal in case of the admin-login. if you use your
custom access manager or a custom access control provider that may
vary obviously.

hope that helps
angela

> Thanks and regards.
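
Angela's answer comes down to two pieces that the thread never shows: a PrincipalProvider that resolves LDAP user and group names to principals (so that ACL entries in the repository can name them), and a login module that adds AdminPrincipal to the Subject only for the admin login. The class below is an added example written for this thread; it is not code from any of the posters or from the Jackrabbit project. The package example.security, the class name, the DIRECTORY table that stands in for LDAP (constructed so the class runs offline) and the adminId option are assumptions. It targets the Jackrabbit 2.x core API (AbstractPrincipalProvider, PrincipalImpl, EveryonePrincipal, PrincipalIteratorAdapter, AdminPrincipal) and represents groups via java.security.acl.Group, which is how Jackrabbit of that period recognised group principals.

```java
// Added example (not from this thread or the Jackrabbit project); package, class name and DIRECTORY table are hypothetical.
package example.security;

import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.principal.*;
import org.apache.jackrabbit.core.security.AdminPrincipal;
import org.apache.jackrabbit.core.security.principal.*;

public class LdapPrincipalProvider extends AbstractPrincipalProvider {
    /** Constructed stand-in for the directory: uid -> LDAP group names. A deployment
     *  would run the equivalent JNDI searches against the userProvider server. */
    static final Map<String, Set<String>> DIRECTORY = new HashMap<>();
    static {
        DIRECTORY.put("jsalinas", new HashSet<>(Arrays.asList("editors", "staff")));
        DIRECTORY.put("ashok", new HashSet<>(Arrays.asList("staff")));
        DIRECTORY.put("repo-admin", new HashSet<>(Arrays.asList("staff")));
    }
    private String adminId = "admin";   // repository administrator login (option "adminId", assumed)

    @Override public void init(Properties options) {
        super.init(options);                        // sets up the principal cache
        adminId = options.getProperty("adminId", adminId);
    }
    /** Called by AbstractPrincipalProvider.getPrincipal on a cache miss. */
    @Override protected Principal providePrincipal(String name) {
        if (EveryonePrincipal.getInstance().getName().equals(name)) return EveryonePrincipal.getInstance();
        if (DIRECTORY.containsKey(name)) return new PrincipalImpl(name);   // LDAP user
        for (Set<String> groups : DIRECTORY.values()) {
            if (groups.contains(name)) return new LdapGroup(name);         // LDAP group
        }
        return null;                                                       // unknown name
    }
    @Override public PrincipalIterator findPrincipals(String filter) {
        return findPrincipals(filter, PrincipalManager.SEARCH_TYPE_ALL);
    }
    @Override public PrincipalIterator findPrincipals(String filter, int searchType) {
        List<Principal> hits = new ArrayList<>();
        for (PrincipalIterator it = getPrincipals(searchType); it.hasNext();) {
            Principal p = it.nextPrincipal();
            if (filter == null || p.getName().contains(filter)) hits.add(p);
        }
        return new PrincipalIteratorAdapter(hits);
    }
    @Override public PrincipalIterator getPrincipals(int searchType) {
        Map<String, Principal> found = new TreeMap<>();          // keyed by name, no duplicates
        if (searchType != PrincipalManager.SEARCH_TYPE_GROUP) {
            for (String uid : DIRECTORY.keySet()) found.put(uid, new PrincipalImpl(uid));
        }
        if (searchType != PrincipalManager.SEARCH_TYPE_NOT_GROUP) {
            for (Set<String> groups : DIRECTORY.values()) for (String g : groups) found.put(g, new LdapGroup(g));
            found.put(EveryonePrincipal.getInstance().getName(), EveryonePrincipal.getInstance());
        }
        return new PrincipalIteratorAdapter(found.values());
    }
    /** A user's LDAP groups plus "everyone", which every principal belongs to. */
    @Override public PrincipalIterator getGroupMembership(Principal principal) {
        List<Principal> groups = new ArrayList<>();
        Set<String> names = DIRECTORY.get(principal.getName());
        if (names != null) for (String g : names) groups.add(new LdapGroup(g));
        if (!(principal instanceof EveryonePrincipal)) groups.add(EveryonePrincipal.getInstance());
        return new PrincipalIteratorAdapter(groups);
    }
    @Override public boolean canReadPrincipal(Session s, Principal p) { return true; }  // table is not secret
    /** Principals a login module should put into the Subject for a user that bound to LDAP:
     *  the user, its groups and, only for the admin login, AdminPrincipal. Jackrabbit's
     *  AbstractLoginModule does this in commit(); the JDK LdapLoginModule does not. */
    public Set<Principal> principalsForSubject(String userId) {
        Set<Principal> result = new HashSet<>();
        Principal user = getPrincipal(userId);
        if (user == null) return result;                 // not an LDAP user: grant nothing
        result.add(user);
        for (PrincipalIterator it = getGroupMembership(user); it.hasNext();) result.add(it.nextPrincipal());
        if (adminId.equals(userId)) result.add(new AdminPrincipal(userId));
        return result;
    }
    /** LDAP group; Jackrabbit 2.x of this period recognises groups by java.security.acl.Group. */
    static final class LdapGroup implements Group {
        private final String name;
        LdapGroup(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean isMember(Principal m) {
            Set<String> g = DIRECTORY.get(m.getName());
            return g != null && g.contains(name);
        }
        public Enumeration<? extends Principal> members() {
            List<Principal> m = new ArrayList<>();
            for (Map.Entry<String, Set<String>> e : DIRECTORY.entrySet())
                if (e.getValue().contains(name)) m.add(new PrincipalImpl(e.getKey()));
            return Collections.enumeration(m);
        }
        public boolean addMember(Principal p) { return false; }      // read-only view
        public boolean removeMember(Principal p) { return false; }
        @Override public boolean equals(Object o) { return o instanceof LdapGroup && name.equals(((LdapGroup) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
}
```

To register it, Jackrabbit 2.x reads the provider class from the LoginModule's parameters, so a line such as <param name="principal_provider.class" value="example.security.LdapPrincipalProvider"/> inside the <LoginModule> element of the repository.xml shown above is the expected wiring (the parameter name comes from LoginModuleConfig in 2.x; confirm it against the version in use). With principals resolving, ACL entries can then be granted to "editors" or "staff" in the usual JCR way, and the workspace-access check Angela mentions passes once those entries make the root node readable. The AdminPrincipal part still needs a login module that calls something like principalsForSubject on commit; the JDK LdapLoginModule alone will never add it, which is why no LDAP login in the original setup is an administrator.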

Re: Ldap permissions

Posted by AshokBS <as...@altimetrik.com>.
Any help from anyone? Pls suggest



--
View this message in context: http://jackrabbit.510166.n4.nabble.com/Ldap-permissions-tp3178789p4660369.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.

Re: Ldap permissions

Posted by AshokBS <as...@altimetrik.com>.
Hi ttemprano,

How did you setup the LDAP configuration? Can you please provide the details
& exact steps? I need this information ASAP. Pls help.




--
View this message in context: http://jackrabbit.510166.n4.nabble.com/Ldap-permissions-tp3178789p4660356.html

Re: Ldap permissions

Posted by ttemprano <tt...@Toyota.com.ve>.
Ok, after a lot of hours debugging and browsing the net I found this page:

https://spaces.internet2.edu/display/SHIB2/IdPADConfigIssues

Turns out that Microsoft's Active Directory needs special treatment, so I
configured the loginModule as follows and now I can bind the user to LDAP:

<LoginModule class="com.sun.security.auth.module.LdapLoginModule">
                                
                                
                                
                                
                                
                                
								
                </LoginModule> 

The 3268 port was the key issue!

Hopefully this will help anyone else.
-- 
View this message in context: http://jackrabbit.510166.n4.nabble.com/Ldap-permissions-tp3178789p3244700.html

Re: Ldap permissions

Posted by ttemprano <tt...@Toyota.com.ve>.
Hi Jesus.

How did you manage to get access to LDAP?

Everything I've tried gets me this error:

LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 525,

Which means that it cannot find the user.

I know the user is ok because the LDAP query seems fine...
-- 
View this message in context: http://jackrabbit.510166.n4.nabble.com/Ldap-permissions-tp3178789p3244617.html