Posted to user@roller.apache.org by leofreesand <yu...@hotmail.com> on 2014/01/26 15:45:58 UTC
How to enable LDAP authentication for Roller 5?
I want to enable LDAP user authentication for Roller 5.0.3. There are some related tutorials for Roller 4, but they don't seem to work on the new Spring Security framework. I found some Spring Security 2 configuration examples and tried to figure it out, with no success. Hoping someone will help me...
This is my progress so far: I'm using an OpenLDAP server with some testing accounts and added some properties in the Roller custom settings file:
users.sso.enabled=true
users.sso.autoProvision.enabled=true
users.sso.registry.ldap.attributes.name=uid
users.sso.registry.ldap.attributes.screenname=cn
Then I modified the security.xml:

<beans:bean id="contextSource"
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://localhost:389/dc=test,dc=com" />
  <beans:property name="userDn" value="cn=Manager,dc=test,dc=com" />
  <beans:property name="password" value="111111" />
</beans:bean>

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
  <custom-authentication-provider />
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
      <beans:constructor-arg ref="contextSource" />
      <beans:property name="userSearch" ref="userSearch" />
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource" />
      <beans:constructor-arg value="ou=Tester" />
      <beans:property name="searchSubtree" value="false" />
      <beans:property name="defaultRole" value="register" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="groupRoleAttribute" value="" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch"
    class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="(uid={0})" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
(Deploying Roller with this configuration gives the error message "java.lang.NoClassDefFoundError: com.sun.jndi.ldap.ctl.ResponseControlFactory"; I found a solution at
http://www.chrissearle.org/2007/08/30/spring-ldap_and_NoClassDefFoundError_com_sun_jndi_ldap_ctl_ResponseControlFactory/)
Now when using an LDAP username/password the page jumps to roller_j_security_check and displays the following error message:
500
Filter execution threw an exception
Roller has encountered and logged an unexpected exception.
Using a wrong password gives the same error message. If entering a non-existent username/password, Roller displays "Wrong username and password combination".
There are related search messages in openldap.log; maybe I just need some tweak to fix the problem? Does anyone have any suggestions for solutions? Thanks in advance.
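As an added illustration (not Roller's or Spring Security's code), here is a toy Python model of what the BindAuthenticator plus FilterBasedLdapUserSearch pair configured above does: fill the (uid={0}) placeholder with an escaped login name, search the whole tree for exactly one entry, then bind as that entry's DN. The directory entries, names and passwords are constructed sample data, and the password comparison stands in for a real LDAP bind.

```python
import re
from typing import Optional

# RFC 4515: characters that must be escaped when a value is placed inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a login name so the search matches it literally, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str, template: str = "(uid={0})") -> str:
    """Fill the {0} placeholder of the userSearch filter from the post with the escaped name."""
    return template.replace("{0}", escape_filter_value(username))

# Constructed sample directory under dc=test,dc=com: DN -> attributes (no real accounts).
DIRECTORY = {
    "uid=alice,ou=Tester,dc=test,dc=com": {"uid": "alice", "cn": "Alice Tester", "userPassword": "s3cret"},
    "uid=arthur,ou=Tester,dc=test,dc=com": {"uid": "arthur", "cn": "Arthur Tester", "userPassword": "hunter2"},
}

def _matches(ldap_filter: str, entry: dict) -> bool:
    """Evaluate one equality or substring filter such as (uid=alice) or (uid=al*)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, raw = m.groups()
    value = entry.get(attr)
    if value is None:
        return False
    # A bare * is a wildcard; escaped bytes such as \2a turn back into literal characters.
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), p)
             for p in raw.split("*")]
    if len(parts) == 1:
        return value == parts[0]
    # Toy simplification: only the leading and trailing pieces around * are checked.
    return value.startswith(parts[0]) and value.endswith(parts[-1])

def search_user(ldap_filter: str) -> Optional[str]:
    """Step 1 (userSearch bean, base "" and searchSubtree=true): whole tree, exactly one hit."""
    hits = [dn for dn, attrs in DIRECTORY.items() if _matches(ldap_filter, attrs)]
    return hits[0] if len(hits) == 1 else None  # zero or several hits: authentication fails

def authenticate(username: str, password: str) -> Optional[dict]:
    """Step 2 (BindAuthenticator): bind as the found DN, then expose uid/cn for Roller's name/screenname."""
    dn = search_user(build_user_filter(username))
    if dn is None or DIRECTORY[dn]["userPassword"] != password:  # toy stand-in for a real bind
        return None
    return {"dn": dn, "name": DIRECTORY[dn]["uid"], "screenname": DIRECTORY[dn]["cn"]}
```

A login name containing filter metacharacters (a "*", for instance) is escaped into a literal that matches nothing, whereas the same characters written directly into the filter act as a wildcard; that is what the {0} placeholder buys you.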
Re: How to enable LDAP authentication for Roller 5?
Posted by Glen Mazza <gl...@gmail.com>.
Thanks for letting us know, I created a JIRA item to track the matter:
https://issues.apache.org/jira/browse/ROL-1987
Glen
On 02/03/2014 06:16 AM, leofreesand wrote:
Re: How to enable LDAP authentication for Roller 5?
Posted by leofreesand <yu...@hotmail.com>.
I solved this problem finally!
First I checked the Tomcat logfile: the above 500 error is caused by a java.lang.IllegalAccessError, and I found a solution there:
http://osdir.com/ml/java.springframework.user/2008-10/msg00017.html
(simply using spring-ldap-1.2.1.jar instead of spring-ldap-1.2.jar...)
Then when using an LDAP username/password the page jumps to roller-ui/login-redirect.rol and displays a '500 java.lang.NullPointerException' error -- the same error mentioned in Andreas Heizenreder's wiki page comment:
https://cwiki.apache.org/confluence/display/ROLLER/Roller+4.0+with+LDAP+and+CAS
Then I added the following code in
roller-weblogger-5.0.3-source\weblogger-web\src\main\java\org\apache\roller\weblogger\ui\core\security\BasicUserAutoProvision.java:

    public boolean execute(HttpServletRequest request) {
        User ud = CustomUserRegistry.getUserDetailsFromAuthentication(request);
        if (ud != null) {
            UserManager mgr;
            // leo--
            // give the auto-provisioned LDAP user an id before it is stored
            ud.setId(org.apache.roller.util.UUIDGenerator.generateUUID());
            // --leo

Now rebuild the source code to get a new roller-weblogger-web-5.0.3.jar; when an LDAP user logs in, the program will create the same user in rollerdb automatically.
(One more thing: the defaultRole for LDAP users must be 'editor' instead of 'register', or you will get a '403 Access Denied' error.)