Posted to slide-user@jakarta.apache.org by Jarrah Hands <jh...@nd.edu.au> on 2005/08/11 10:37:01 UTC

Getting slide working with a Samba share and LDAP

G'day guys!

 

Lots of questions, I apologise if they have been asked thousands of times.

 

We have an LDAP server with all the student information required for
authentication and access to various services on it, i.e.:

            UID
            userPassword
            userEducationalAffilation (Student or Staff)
            sambaPassword
            homeDirectory
            mailUsername
            etc etc

The LDAP server is currently used to control access to Webmail
(https://www.nd.edu.au), an online file server
(https://www.nd.edu.au/stf/) which allows access to user's home directory,
an online portal, lecture sign up etc. so it contains all the required info
we need for our current project. What we want to do is set up the users'
home directories with Slide so that they can be accessed from anywhere with
an internet connection using the functionality WebDAV provides, especially
using WebFolders (Windoze) and the Mac's implementation. We currently have
Slide running on Tomcat on a test server. We have it so that the users can
connect to the server and authenticate using LDAP. This works perfectly fine;
however, this is where the issues arise:

1.       Users get a 403 when they access using IE/Firefox and their user ID
does not already exist in users.def.xml in \bin\store\metadata. Once the
user's UID is in this file the user can easily log in and read/write to
their heart's content. Unfortunately setting permissions on users' Slide user
directory proves annoying (may have to script it)

2.       We have about 3000-4000 students who will use the first
implementation and entering them into the users.def.xml file is not
practical (even if we use a script)

3.       We currently can not work out how to get Slide to connect to and
use a Samba directory as the directory shared. We can work out how to
extract the user's sambaPassword and homeDirectory from LDAP and feed these
to Slide, but getting Slide to connect to this as the rootpath/workpath is
proving challenging (how do you set the values as the ones from LDAP in
Domain.xml?)

 

SO what we are trying to achieve is: 

1.       User sets up a Webfolder etc to https://www.nd.edu.au/ndmfs or
similar (Working)

2.       User asked for username password (Working)

3.       Username (uid) is authenticated using the password in LDAP
directory (working)

4.       User's role extracted from LDAP directory (not sure if this is
working, is there a way for a user to check what their current role is?)

5.       Once authenticated the user's Samba password and path to home
directory are extracted from LDAP. (Working I think)

6.       Home directory is loaded as the directory shared by Slide (Not
working)

7.       User sees their home drive as a windows webfolder (or similar)
which they can read/write etc (working using Slide directory, but not Samba
home directory)

 

Current issues:

1.       The extracted role (userEducationalAffilation) does not appear to
be used or set for users (any folder given permission for 'student' does not
appear to be accessible by students)

2.       Can not work out how to use Samba shares as rootpath/workpath

3.       User accounts need to be added to users.def.xml before a user can
successfully log in (is there a dynamic way I can load the user's uid into
the user file so I don't need to add it manually/using a script?)

4.       Permissions are cumbersome to set / keep up to date.

 

Any suggestions?

 

Jarrah Hands

Software Engineer (Business Applications)

The University of Notre Dame Australia

19 Mouat Street (PO Box 1225)

Fremantle, Western Australia 6959

Tel: +61 9 9433 05287

Email: jhands@nd.edu.au

 


RE: Getting slide working with a Samba share and LDAP

Posted by Jarrah Hands <jh...@nd.edu.au>.
Jo,

I made the change. It now takes twice as long to start the server (not sure
if that means that it is doing SOMETHING or a change broke something).

My log hasn't changed. Still giving me:

2005-08-19 09:57:22 JNDIRealm[/slide]: lookupUser(jhands)
2005-08-19 09:57:22 JNDIRealm[/slide]:
dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-19 09:57:22 JNDIRealm[/slide]:   validating credentials by binding
as the user
2005-08-19 09:57:22 JNDIRealm[/slide]:   binding as
uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-19 09:57:22 JNDIRealm[/slide]: Username jhands successfully
authenticated
2005-08-19 09:57:22 JNDIRealm[/slide]:
getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
2005-08-19 09:57:22 JNDIRealm[/slide]:   Searching role base
'ou=People,ou=Fremantle,o=nd.edu.au,o=isp' for attribute
'eduPersonAffiliation'
2005-08-19 09:57:22 JNDIRealm[/slide]:   With filter expression
'(uid=jhands)'
2005-08-19 09:57:22 JNDIRealm[/slide]:   retrieving values for attribute
eduPersonAffiliation
2005-08-19 09:57:22 JNDIRealm[/slide]:   Returning 1 roles
2005-08-19 09:57:22 JNDIRealm[/slide]:   Found role employee

Ideas?

Jarrah Hands
Software Engineer (Business Applications)
The University of Notre Dame Australia
19 Mouat Street (PO Box 1225)
Fremantle, Western Australia 6959
Tel: +61 9 9433 05287
Email: jhands@nd.edu.au

-----Original Message-----
From: Jo [mailto:jojada@speedlegal.com] 
Sent: Friday, 19 August 2005 7:36 AM
To: Slide Users Mailing List
Subject: Re: Getting slide working with a Samba share and LDAP

Give the following parameters a try:

<parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
<parameter name="jndi.attributes.rdn">eduPersonAffiliation</parameter>
<parameter name="jndi.attributes.groupmemberset">uid</parameter>
<!-- "&" in the LDAP filter is escaped as &amp; so the XML stays well-formed -->
<parameter name="jndi.search.filter">(&amp;(objectClass=inetOrgPerson)(eduPersonAffiliation=*))</parameter>
<parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
<parameter name="jndi.search.attributes">uid,eduPersonAffiliation</parameter>

and check the log file after a user has logged in.

hth,
Jo.-




---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
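
Added example (not part of the original thread, and not Tomcat or Slide code): a small Python parser for JNDIRealm debug output of the kind posted above, which rejoins mail-wrapped lines and reports, per login attempt, whether the bind succeeded and which roles the realm returned. The message wording is taken from the logs quoted in this thread; the sample lines, user names, DNs and function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the JNDIRealm debug=99 output in this thread.
# User names and DNs are placeholders. Mail-client line wrapping and one
# ">"-quoted stretch are kept on purpose, because archived logs look like this.
SAMPLE = """\
2005-08-19 09:57:22 JNDIRealm[/slide]: lookupUser(staff01)
2005-08-19 09:57:22 JNDIRealm[/slide]:
dn=uid=staff01,ou=People,dc=example,dc=org
2005-08-19 09:57:22 JNDIRealm[/slide]:   validating credentials by binding
as the user
2005-08-19 09:57:22 JNDIRealm[/slide]: Username staff01 successfully
authenticated
2005-08-19 09:57:22 JNDIRealm[/slide]:
getRoles(uid=staff01,ou=People,dc=example,dc=org)
2005-08-19 09:57:22 JNDIRealm[/slide]:   Returning 1 roles
2005-08-19 09:57:22 JNDIRealm[/slide]:   Found role employee
> 2005-08-19 09:58:01 JNDIRealm[/slide]: lookupUser(student01)
> 2005-08-19 09:58:01 JNDIRealm[/slide]:   binding as
> uid=student01,ou=People,dc=example,dc=org
> 2005-08-19 09:58:01 JNDIRealm[/slide]:   bind attempt failed
> 2005-08-19 09:58:01 JNDIRealm[/slide]: Username student01 NOT
> successfully
> authenticated
2005-08-19 09:59:10 JNDIRealm[/slide]: lookupUser(student02)
2005-08-19 09:59:10 JNDIRealm[/slide]: Username student02 successfully
authenticated
2005-08-19 09:59:10 JNDIRealm[/slide]:
getRoles(uid=student02,ou=People,dc=example,dc=org)
2005-08-19 09:59:10 JNDIRealm[/slide]:   Returning 0 roles
"""

ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) JNDIRealm\[([^\]]*)\]:\s*(.*)$")
QUOTE = re.compile(r"^(?:>\s?)+")          # leading e-mail quote markers
LOOKUP = re.compile(r"^lookupUser\((.+)\)$")
AUTH = re.compile(r"^Username (\S+) (NOT )?successfully authenticated$")
ROLE_PREFIX = "Found role "


def unwrap(lines):
    """Return (timestamp, context, message) tuples, one per log entry.

    A line without a timestamp is treated as the wrapped tail of the
    previous entry and is joined back onto it.
    """
    entries = []
    for raw in lines:
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries:
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return [tuple(e) for e in entries]


def summarise(entries):
    """Group entries into login attempts, each starting at lookupUser(...)."""
    sessions, cur = [], None
    for ts, ctx, msg in entries:
        m = LOOKUP.match(msg)
        if m:
            cur = {"time": ts, "context": ctx, "user": m.group(1),
                   "dn": None, "authenticated": None, "roles": []}
            sessions.append(cur)
            continue
        if cur is None:
            continue                      # noise before the first lookup
        a = AUTH.match(msg)
        if msg.startswith("dn="):
            cur["dn"] = msg[3:]
        elif a:
            cur["authenticated"] = a.group(2) is None
        elif msg.startswith(ROLE_PREFIX):
            cur["roles"].append(msg[len(ROLE_PREFIX):])
    return sessions


def findings(sessions):
    """List the attempts an administrator would want to look at."""
    out = []
    for s in sessions:
        if s["authenticated"] is False:
            out.append((s["user"], "bind failed"))
        elif s["authenticated"] and not s["roles"]:
            out.append((s["user"], "authenticated but no role returned"))
    return out


if __name__ == "__main__":
    parsed = summarise(unwrap(SAMPLE.splitlines()))
    for s in parsed:
        print(s["time"], s["user"], s["authenticated"], s["roles"])
    for user, issue in findings(parsed):
        print("CHECK:", user, "-", issue)
```
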


Re: Getting slide working with a Samba share and LDAP

Posted by Jo <jo...@speedlegal.com>.
Give the following parameters a try:

<parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
<parameter name="jndi.attributes.rdn">eduPersonAffiliation</parameter>
<parameter name="jndi.attributes.groupmemberset">uid</parameter>
<!-- "&" in the LDAP filter is escaped as &amp; so the XML stays well-formed -->
<parameter name="jndi.search.filter">(&amp;(objectClass=inetOrgPerson)(eduPersonAffiliation=*))</parameter>
<parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
<parameter name="jndi.search.attributes">uid,eduPersonAffiliation</parameter>

and check the log file after a user has logged in.

hth,
Jo.-

----- Original Message ----- 
From: "Jarrah Hands" <jh...@nd.edu.au>
To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
Sent: Thursday, August 18, 2005 2:55 PM
Subject: RE: Getting slide working with a Samba share and LDAP


> Well, I finally got the JNDI store for users up and running, but I'm having
> a bit of trouble with the one for the roles. My log reveals that my
> JNDIRealm statement is extracting the roles correctly:
>
> Code:
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        debug="99"
>        connectionName="cn=directory manager"
>        connectionPassword="dirmanager"
>        connectionURL="ldap://10.9.24.14:389"
>        userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
>        roleBase="ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
>        roleName="eduPersonAffiliation"
>        roleSearch="(uid={1})"
> />
>
> Log:
>
> 2005-08-18 12:44:57 JNDIRealm[/slide]: lookupUser(jhands)
> 2005-08-18 12:44:57 JNDIRealm[/slide]:
> dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-18 12:44:57 JNDIRealm[/slide]:   validating credentials by binding
> as the user
> 2005-08-18 12:44:57 JNDIRealm[/slide]:   binding as
> uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-18 12:44:57 JNDIRealm[/slide]: Username jhands successfully
> authenticated
> 2005-08-18 12:44:57 JNDIRealm[/slide]:
> getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
> 2005-08-18 12:44:57 JNDIRealm[/slide]:   Searching role base
> 'ou=People,ou=Fremantle,o=nd.edu.au,o=isp' for attribute
> 'eduPersonAffiliation'
> 2005-08-18 12:44:57 JNDIRealm[/slide]:   With filter expression
> '(uid=jhands)'
> 2005-08-18 12:44:57 JNDIRealm[/slide]:   retrieving values for attribute
> eduPersonAffiliation
> 2005-08-18 12:44:57 JNDIRealm[/slide]:   Returning 1 roles
> 2005-08-18 12:44:57 JNDIRealm[/slide]:   Found role employee
>
> But it does not appear that this is associating itself with the extracted
> user (uid). Am I doing something wrong here?
>
> So I'm trying to get a JNDIPrincipalStore working to handle the roles/UID.
> This does not appear to be very successful. The user's role is stored in the
> LDAP directory in their user account under the attribute
> eduPersonAffiliation. I'm trying many different approaches, but none work.
> The code below is my latest approach. I'm attempting to get uids to be
> associated with roles.
>
> Code:
> <!-- Use a JNDIPrincipalStore for roles -->
> <store name="roles">
>   <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>     <parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>     <parameter name="jndi.attributes.rdn">uid</parameter>
>     <parameter name="jndi.attributes.groupmemberset">eduPersonAffiliation</parameter>-->
>     <!--<parameter name="jndi.attributes.userprincipalname">uid</parameter>-->
>     <parameter name="jndi.search.filter">(objectClass=inetOrgPerson)</parameter>
>     <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>     <parameter name="jndi.search.attributes">uid,eduPersonAffiliation</parameter>
>     <parameter name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>     <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>     <parameter name="java.naming.security.principal">cn=directory manager</parameter>
>     <parameter name="java.naming.security.authentication">simple</parameter>
>     <parameter name="java.naming.security.credentials">dirmanager</parameter>
>
>     <parameter name="cache.refresh.checkrate">15</parameter>
>     <parameter name="cache.refresh.rate">800</parameter>
>     <parameter name="cache.refresh.threshold">3600000</parameter>
>   </nodestore>
>
>   <!-- Use a Tx Store to store security and lock information -->
>   <securitystore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
>     <parameter name="rootpath">roles/store/metadata</parameter>
>     <parameter name="workpath">roles/work/metadata</parameter>
>   </securitystore>
>   <lockstore>
>     <reference store="securitystore"/>
>   </lockstore>
>   <revisiondescriptorsstore>
>     <reference store="nodestore"/>
>   </revisiondescriptorsstore>
>   <revisiondescriptorstore>
>     <reference store="nodestore"/>
>   </revisiondescriptorstore>
>   <contentstore>
>     <reference store="nodestore"/>
>   </contentstore>
> </store>
>
> <scope match="/" store="tx"/>
> <scope match="/users" store="users"/>
> <scope match="/roles" store="roles"/>
>
> I'm most likely overlooking something which is really simple. Any ideas?
>
> Jarrah Hands
> Software Engineer (Business Applications)
> The University of Notre Dame Australia
> 19 Mouat Street (PO Box 1225)
> Fremantle, Western Australia 6959
> Tel: +61 9 9433 05287
> Email: jhands@nd.edu.au
> -----Original Message-----
> From: Jo [mailto:jojada@speedlegal.com]
> Sent: Tuesday, 16 August 2005 9:10 AM
> To: Slide Users Mailing List
> Subject: Re: Getting slide working with a Samba share and LDAP
>
> Hi Jarrah,
>
> I browsed
> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#JNDIRealm
> and found its content was very straightforward and informative.
> It can be very useful for you. I didn't read carefully but it seems you have
> to set roleBase, roleName and roleSearch parameters in the <Realm> element.
>
>> When you say that JNDI extracts straight from the LDAP directory you mean
>> with the line ' userRoleName="eduPersonAffiliation" '?
>>
>> If so, does this mean that the log has the extracted Role/s associated with
>> their login whilst that user is logged in, as such no configuration of slide
>> roles for each user is required?
> As far as tomcat's authentication with JNDIRealm is concerned, yes, no
> configuration of slide roles is involved.
>
>> How do you suggest I check if my stores have been successfully populated? I
>> can't find any data which has been saved with the store data.
> What tool did you use to find out that you couldn't find any data ?
> DAVExplorer is a good tool.
>
>> Am I missing a parameter in my user/role config. I currently have the
>> user/role schema in my domain.xml. Is this the correct place?
> What sort of user/role schema ?
>
> I guess what you can do now is firstly, make sure that your JNDIRealm works
> then check whether your stores are populated.
> Jo.-
>
>
> ----- Original Message ----- 
> From: "Jarrah Hands" <jh...@nd.edu.au>
> To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
> Sent: Monday, August 15, 2005 5:49 PM
> Subject: RE: Getting slide working with a Samba share and LDAP
>
>
>> Jo,
>>
>> I tried changing the userRoleName="eduPersonAffiliation" to other values to
>> see what effect it would have on the operation of our slide server. Changing
>> it to legit values such as 'uid' resulted in access being denied. Same with
>> non legit entries. This makes me think that maybe the role is being
>> extracted from the LDAP directory (is there a way to find out?)
>>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>        debug="99"
>>        connectionName="cn=root"
>>        connectionPassword="rootpass"
>>        connectionURL="ldap://10.9.24.14:389"
>>        userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
>>        userRoleName="eduPersonAffiliation"
>> />
>>
>> When you say that JNDI extracts straight from the LDAP directory you mean
>> with the line ' userRoleName="eduPersonAffiliation" '?
>>
>> If so, does this mean that the log has the extracted Role/s associated with
>> their login whilst that user is logged in, as such no configuration of slide
>> roles for each user is required?
>>
>> As for my roles config:
>>
>> <!-- Use a JNDIPrincipalStore for roles -->
>> <store name="roles">
>>   <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>>     <!-- See javadoc for JNDIPrincipalStore for description of parameters -->
>>     <parameter name="cache.refresh.checkrate">15</parameter>
>>     <parameter name="cache.refresh.rate">600</parameter>
>>     <parameter name="cache.refresh.threshold">500</parameter>
>>     <parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>>     <parameter name="jndi.attributes.rdn">uid</parameter>
>>     <parameter name="jndi.search.filter">(objectClass=*)</parameter>
>>     <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>>     <parameter name="jndi.search.attributes">eduPersonAffiliation</parameter>
>>     <!-- Parameters to connect to LDAP Store -->
>>     <parameter name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>>     <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>>     <parameter name="java.naming.security.principal">cn=directory manager,o=isp</parameter>
>>     <parameter name="java.naming.security.authentication">simple</parameter>
>>     <parameter name="java.naming.security.credentials">directory manager</parameter>
>>   </nodestore>
>>   <securitystore>
>>     <reference store="nodestore"/>
>>   </securitystore>
>>   <lockstore>
>>     <reference store="nodestore"/>
>>   </lockstore>
>>   <revisiondescriptorsstore>
>>     <reference store="nodestore"/>
>>   </revisiondescriptorsstore>
>>   <revisiondescriptorstore>
>>     <reference store="nodestore"/>
>>   </revisiondescriptorstore>
>>   <contentstore>
>>     <reference store="nodestore"/>
>>   </contentstore>
>> </store>
>>
>> How do you suggest I check if my stores have been successfully populated? I
>> can't find any data which has been saved with the store data. Am I missing a
>> parameter in my user/role config. I currently have the user/role schema in
>> my domain.xml. Is this the correct place?
>>
>>
>> Jarrah Hands
>> Software Engineer (Business Applications)
>> The University of Notre Dame Australia
>> 19 Mouat Street (PO Box 1225)
>> Fremantle, Western Australia 6959
>> Tel: +61 9 9433 05287
>> Email: jhands@nd.edu.au
>>
>> -----Original Message-----
>> From: Jo [mailto:jojada@speedlegal.com]
>> Sent: Monday, 15 August 2005 12:22 PM
>> To: Slide Users Mailing List
>> Subject: Re: Getting slide working with a Samba share and LDAP
>>
>> JNDIRealm retrieves usernames, passwords, and roles directly from an LDAP
>> directory and hence, its success or failure issues should have nothing to do
>> with Slide configuration.
>> The tomcat's documentation on JNDIRealm may help.
>>
>> Regarding the /users and /roles store setup, some parameter values depend on
>> your LDAP schema.
>> Before we go down that path by trying different values, it's worth checking
>> whether based on the current configuration any of those two stores have been
>> successfully populated.
>> Please attach your /roles store configuration as well in next mail.
>>
>> Jo.-
>>
>>
>> ----- Original Message ----- 
>> From: "Jarrah Hands" <jh...@nd.edu.au>
>> To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
>> Sent: Monday, August 15, 2005 1:07 PM
>> Subject: RE: Getting slide working with a Samba share and LDAP
>>
>>
>>> Update:
>>>
>>> If the user is hard coded in as an already existing user then I get this in
>>> my log:
>>>
>>> 2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
>>> 2005-08-15 11:04:49 JNDIRealm[/slide]:
>>> dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   retrieving values for attribute
>>> eduPersonAffiliation
>>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   validating credentials by
>>> binding
>>> as the user
>>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   binding as
>>> uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>>> 2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully
>>> authenticated
>>> 2005-08-15 11:04:49 JNDIRealm[/slide]:
>>> getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
>>>
>>> So the getRoles method should get the role of the user. Why is the jhands
>>> account not acting like an employee then (as jhands (me!) is an employee as
>>> found in the eduPersonAffiliation attribute)?
>>>
>>> Any ideas?
>>>
>>> Jarrah Hands
>>> Software Engineer (Business Applications)
>>> The University of Notre Dame Australia
>>> 19 Mouat Street (PO Box 1225)
>>> Fremantle, Western Australia 6959
>>> Tel: +61 9 9433 05287
>>> Email: jhands@nd.edu.au
>>>
>>> -----Original Message-----
>>> From: Jarrah Hands [mailto:jhands@nd.edu.au]
>>> Sent: Monday, 15 August 2005 10:58 AM
>>> To: 'Slide Users Mailing List'
>>> Subject: RE: Getting slide working with a Samba share and LDAP
>>>
>>> Ok guys, I looked at this briefly, my log is reporting this:
>>>
>>> 2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
>>> 2005-08-15 10:07:47 JNDIRealm[/slide]:
>>> dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   retrieving values for attribute
>>> eduPersonAffiliation
>>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by
>>> binding
>>> as the user
>>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   binding as
>>> uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
>>> 2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT
>>> successfully
>>> authenticated
>>>
>>> Coming from an LDAP directory using
>>>
>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>        debug="99"
>>>        connectionName="cn=root"
>>>        connectionPassword="rootpass"
>>>        connectionURL="ldap://10.9.24.14:389"
>>>        userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
>>>        userRoleName="eduPersonAffiliation"
>>> />
>>>
>>> eduPersonAffiliation is the name of the attribute which says whether a user
>>> is a student or an employee. I want to set this as my role for the users. I
>>> thought that this was what userRoleName did, but apparently not. Any ideas?
>>>
>>> Jo I think I have JNDIPrincipalStore set up incorrectly. Below appears in my
>>> domain.xml.
>>>
>>> <!-- Use a JNDIPrincipalStore for users -->
>>> <store name="users">
>>>   <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>>>     <!-- See javadoc for JNDIPrincipalStore for description of parameters -->
>>>     <parameter name="cache.refresh.checkrate">15</parameter>
>>>     <parameter name="cache.refresh.rate">600</parameter>
>>>     <parameter name="cache.refresh.threshold">500</parameter>
>>>     <parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>>>     <parameter name="jndi.attributes.rdn">uid</parameter>
>>>     <parameter name="jndi.search.filter">(objectClass=*)</parameter>
>>>     <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>>>     <parameter name="jndi.search.attributes">uid</parameter>
>>>     <parameter name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>>>     <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>>>     <parameter name="java.naming.security.principal">cn=root,o=isp</parameter>
>>>     <parameter name="java.naming.security.authentication">simple</parameter>
>>>     <parameter name="java.naming.security.credentials">root</parameter>
>>>   </nodestore>
>>>   <securitystore>
>>>     <reference store="nodestore"/>
>>>   </securitystore>
>>>   <lockstore>
>>>     <reference store="nodestore"/>
>>>   </lockstore>
>>>   <revisiondescriptorsstore>
>>>     <reference store="nodestore"/>
>>>   </revisiondescriptorsstore>
>>>   <revisiondescriptorstore>
>>>     <reference store="nodestore"/>
>>>   </revisiondescriptorstore>
>>>   <contentstore>
>>>     <reference store="nodestore"/>
>>>   </contentstore>
>>> </store>
>>>
>>> With a similar set up for roles. What am I doing wrong here? What I'm trying
>>> to do hasn't changed from what is outlined below.
>>>
>>> Jarrah Hands
>>> Software Engineer (Business Applications)
>>> The University of Notre Dame Australia
>>> 19 Mouat Street (PO Box 1225)
>>> Fremantle, Western Australia 6959
>>> Tel: +61 9 9433 05287
>>> Email: jhands@nd.edu.au
>>>
>>> -----Original Message-----
>>> From: Jo [mailto:jojada@speedlegal.com]
>>> Sent: Friday, 12 August 2005 8:02 AM
>>> To: Slide Users Mailing List
>>> Subject: Re: Getting slide working with a Samba share and LDAP
>>>
>>> Let's talk about LDAP issues:
>>>>> 1.       Users get a 403 when they access using IE/Firefox and their user
>>>>> ID does not already exist in users.def.xml in \bin\store\metadata. Once
>>>>> the user's UID is in this file the user can easily log into and
>>>>> read/write to their hearts content. Unfortunately setting permissions on
>>>>> users Slide user directory proves annoying (may have to script it)
>>>
>>>>> 2.       We have about 3000-4000 students who will use the first
>>>>> implementation and entering them into the users.def.xml file is not
>>>>> practical (even if we use a script)
>>>
>>> Assuming that you're using JNDIPrincipalStore, would you send your /users,
>>> /roles, /group stores configuration and confirm whether you get the
>>> following message in the log file:
>>> JNDIPrincipalStore[/xxxx]: Adding property "group-member-set" in namespace
>>> "DAV:" with value of xxxxxxxxxxx
>>>
>>> Jo.-
>>>


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org


RE: Getting Roles working with Slide from an LDAP server

Posted by Jarrah Hands <jh...@nd.edu.au>.
I was just thinking. Do I need something like this:

<objectnode classname="org.apache.slide.structure.SubjectNode"
            uri="/roles/*rolename from LDAP*">
     <revision>
            <property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/*uid*</D:href>]]></property>
     </revision>
</objectnode>

Or something similar in my JNDIPrincipalStore area in order to add the user
to that particular role or should the JNDIPrincipalStore or JNDIRealm log in
do that or something very similar?

 

Jarrah Hands

Software Engineer (Business Applications)

The University of Notre Dame Australia

19 Mouat Street (PO Box 1225)

Fremantle, Western Australia 6959

Tel: +61 9 9433 05287

Email: jhands@nd.edu.au

 


RE: Getting slide working with a Samba share and LDAP

Posted by Jarrah Hands <jh...@nd.edu.au>.
Well, I finally got the JNDI store for users up and running, but I'm having
a bit of trouble with the one for the roles. My log reveals that my
JNDIRealm statement is extracting the roles correctly:

Code:
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    debug="99"
    connectionName="cn=directory manager"
    connectionPassword="dirmanager"
    connectionURL="ldap://10.9.24.14:389"
    userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
    roleBase="ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
    roleName="eduPersonAffiliation"
    roleSearch="(uid={1})"
  />

Log:

2005-08-18 12:44:57 JNDIRealm[/slide]: lookupUser(jhands)
2005-08-18 12:44:57 JNDIRealm[/slide]: dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-18 12:44:57 JNDIRealm[/slide]:   validating credentials by binding as the user
2005-08-18 12:44:57 JNDIRealm[/slide]:   binding as uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-18 12:44:57 JNDIRealm[/slide]: Username jhands successfully authenticated
2005-08-18 12:44:57 JNDIRealm[/slide]: getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
2005-08-18 12:44:57 JNDIRealm[/slide]:   Searching role base 'ou=People,ou=Fremantle,o=nd.edu.au,o=isp' for attribute 'eduPersonAffiliation'
2005-08-18 12:44:57 JNDIRealm[/slide]:   With filter expression '(uid=jhands)'
2005-08-18 12:44:57 JNDIRealm[/slide]:   retrieving values for attribute eduPersonAffiliation
2005-08-18 12:44:57 JNDIRealm[/slide]:   Returning 1 roles
2005-08-18 12:44:57 JNDIRealm[/slide]:   Found role employee

But it does not appear that this is associating itself with the extracted
user (uid). Am I doing something wrong here?

So I'm trying to get a JNDIPrincipalStore working to handle the roles/UID.
This does not appear to be very successful. The user's role is stored in the
LDAP directory in their user account under the attribute
eduPersonAffiliation. I'm trying many different approaches, but none work.
The code below is my latest approach. I'm attempting to get uids to be
associated with roles.

Code:
  <!-- Use a JNDIPrincipalStore for roles -->
  <store name="roles">
    <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
      <parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
      <parameter name="jndi.attributes.rdn">uid</parameter>
      <parameter name="jndi.attributes.groupmemberset">eduPersonAffiliation</parameter>-->
      <!--<parameter name="jndi.attributes.userprincipalname">uid</parameter>-->
      <parameter name="jndi.search.filter">(objectClass=inetOrgPerson)</parameter>
      <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
      <parameter name="jndi.search.attributes">uid,eduPersonAffiliation</parameter>
      <parameter name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
      <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
      <parameter name="java.naming.security.principal">cn=directory manager</parameter>
      <parameter name="java.naming.security.authentication">simple</parameter>
      <parameter name="java.naming.security.credentials">dirmanager</parameter>

      <parameter name="cache.refresh.checkrate">15</parameter>
      <parameter name="cache.refresh.rate">800</parameter>
      <parameter name="cache.refresh.threshold">3600000</parameter>
    </nodestore>

    <!-- Use a Tx Store to store security and lock information -->
    <securitystore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
      <parameter name="rootpath">roles/store/metadata</parameter>
      <parameter name="workpath">roles/work/metadata</parameter>
    </securitystore>
    <lockstore>
      <reference store="securitystore"/>
    </lockstore>
    <revisiondescriptorsstore>
      <reference store="nodestore"/>
    </revisiondescriptorsstore>
    <revisiondescriptorstore>
      <reference store="nodestore"/>
    </revisiondescriptorstore>
    <contentstore>
      <reference store="nodestore"/>
    </contentstore>
  </store>

  <scope match="/" store="tx"/>
  <scope match="/users" store="users"/>
  <scope match="/roles" store="roles"/>

I'm most likely overlooking something which is really simple. Any ideas?

Jarrah Hands
Software Engineer (Business Applications)
The University of Notre Dame Australia
19 Mouat Street (PO Box 1225)
Fremantle, Western Australia 6959
Tel: +61 9 9433 05287
Email: jhands@nd.edu.au
-----Original Message-----
From: Jo [mailto:jojada@speedlegal.com] 
Sent: Tuesday, 16 August 2005 9:10 AM
To: Slide Users Mailing List
Subject: Re: Getting slide working with a Samba share and LDAP

Hi Jarrah,

I browsed 
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#JNDIRealm 
and found its content was very straightforward and informative.
It can be very useful for you. I didn't read carefully but it seems you have
to set roleBase, roleName and roleSearch parameters in the <Realm> element.

> When you say that JNDI extracts straight from the LDAP directory you mean
> with the line ' userRoleName="eduPersonAffiliation" '?
>
> If so, does this mean that the log has the extracted Role/s associated with
> their login whilst that user is logged in, as such no configuration of slide
> roles for each user is required?
As far as tomcat's authentication with JNDIRealm is concerned, yes, no 
configuration of slide roles is involved.

> How do you suggest I check if my stores have been successfully populated? I
> can't find any data which has been saved with the store data.
What tool did you use to find out that you couldn't find any data?
DAVExplorer is a good tool.

> Am I missing a parameter in my user/role config. I currently have the
> user/role schema in my domain.xml. Is this the correct place?
What sort of user/role schema?

I guess what you can do now is firstly, make sure that your JNDIRealm works 
then check whether your stores are populated.

Jo.-


----- Original Message ----- 
From: "Jarrah Hands" <jh...@nd.edu.au>
To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
Sent: Monday, August 15, 2005 5:49 PM
Subject: RE: Getting slide working with a Samba share and LDAP


> Jo,
>
> I tried changing the userRoleName="eduPersonAffiliation" to other values to
> see what effect it would have on the operation of our slide server. Changing
> it to legit values such as 'uid' resulted in access being denied. Same with
> non legit entries. This makes me think that maybe the role is being
> extracted from the LDAP directory (is there a way to find out?)
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> debug="99"
> connectionName="cn=root"
> connectionPassword="rootpass"
> connectionURL="ldap://10.9.24.14:389"
>
> userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
>
> userRoleName="eduPersonAffiliation"
> />
>
> When you say that JNDI extracts straight from the LDAP directory you mean
> with the line ' userRoleName="eduPersonAffiliation" '?
>
> If so, does this mean that the log has the extracted Role/s associated with
> their login whilst that user is logged in, as such no configuration of slide
> roles for each user is required?
>
> As for my roles config:
>
> <!-- Use a JNDIPrincipalStore for roles -->
> <store name="roles">
>      <nodestore
> classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>            <!-- See javadoc for JNDIPrincipalStore for description of
> parameters -->
>            <parameter name="cache.refresh.checkrate">15</parameter>
>            <parameter name="cache.refresh.rate">600</parameter>
>            <parameter name="cache.refresh.threshold">500</parameter>
>            <parameter
> name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>            <parameter name="jndi.attributes.rdn">uid</parameter>
>            <parameter 
> name="jndi.search.filter">(objectClass=*)</parameter>
>            <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>            <parameter
> name="jndi.search.attributes">eduPersonAffiliation</parameter>
> <!-- Parameters to connect to LDAP Store -->
>            <parameter
> name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>            <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>            <parameter name="java.naming.security.principal">cn=directory
> manager,o=isp</parameter>
>            <parameter
> name="java.naming.security.authentication">simple</parameter>
>            <parameter name="java.naming.security.credentials">directory
> manager</parameter>
>      </nodestore>
>      <securitystore>
>            <reference store="nodestore"/>
>      </securitystore>
>      <lockstore>
>            <reference store="nodestore"/>
>      </lockstore>
>      <revisiondescriptorsstore>
>            <reference store="nodestore"/>
>      </revisiondescriptorsstore>
>      <revisiondescriptorstore>
>            <reference store="nodestore"/>
>      </revisiondescriptorstore>
>      <contentstore>
>            <reference store="nodestore"/>
>      </contentstore>
> </store>
>
> How do you suggest I check if my stores have been successfully populated? I
> can't find any data which has been saved with the store data. Am I missing a
> parameter in my user/role config. I currently have the user/role schema in
> my domain.xml. Is this the correct place?
>
>
> Jarrah Hands
> Software Engineer (Business Applications)
> The University of Notre Dame Australia
> 19 Mouat Street (PO Box 1225)
> Fremantle, Western Australia 6959
> Tel: +61 9 9433 05287
> Email: jhands@nd.edu.au
>
> -----Original Message-----
> From: Jo [mailto:jojada@speedlegal.com]
> Sent: Monday, 15 August 2005 12:22 PM
> To: Slide Users Mailing List
> Subject: Re: Getting slide working with a Samba share and LDAP
>
> JNDIRealm retrieves usernames, passwords, and roles directly from an LDAP
> directory and hence, its success or failure issues should have nothing to do
> with Slide configuration.
> The tomcat's documentation on JNDIRealm may help.
>
> Regarding the /users and /roles store setup, some parameter values depend on
> your LDAP schema.
> Before we go down that path by trying different values, it's worth checking
> whether based on the current configuration any of those two stores have been
> successfully populated.
> Please attach your /roles store configuration as well in next mail.
>
> Jo.-
>
>
> ----- Original Message ----- 
> From: "Jarrah Hands" <jh...@nd.edu.au>
> To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
> Sent: Monday, August 15, 2005 1:07 PM
> Subject: RE: Getting slide working with a Samba share and LDAP
>
>
>> Update:
>>
>> If the user is hard coded in as an already existing user then I get this
>> in
>> my log:
>>
>> 2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:
>> dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   retrieving values for attribute
>> eduPersonAffiliation
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   validating credentials by 
>> binding
>> as the user
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   binding as
>> uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully
>> authenticated
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:
>> getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
>>
>> So the get Roles method should get the role of the user. Why is the 
>> jhands
>> account not acting like an employee then (as jhands (me!) is an employee
>> as
>> found in the eduPersonAffiliation attribute.
>>
>> Any ideas?
>>
>> Jarrah Hands
>> Software Engineer (Business Applications)
>> The University of Notre Dame Australia
>> 19 Mouat Street (PO Box 1225)
>> Fremantle, Western Australia 6959
>> Tel: +61 9 9433 05287
>> Email: jhands@nd.edu.au
>>
>> -----Original Message-----
>> From: Jarrah Hands [mailto:jhands@nd.edu.au]
>> Sent: Monday, 15 August 2005 10:58 AM
>> To: 'Slide Users Mailing List'
>> Subject: RE: Getting slide working with a Samba share and LDAP
>>
>> Ok guys, I looked at this briefly, my log is reporting this:
>>
>> 2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:
>> dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   retrieving values for attribute
>> eduPersonAffiliation
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by 
>> binding
>> as the user
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   binding as
>> uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
>> 2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT successfully
>> authenticated
>>
>> Coming from an LDAP directory using
>>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>> debug="99"
>> connectionName="cn=root"
>> connectionPassword="rootpass"
>> connectionURL="ldap://10.9.24.14:389"
>>
>> userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> userRoleName="eduPersonAffiliation"
>> />
>>
>> eduPersonAffiliation is the name of the attribute which says whether a
>> user
>> is a student or an employee. I want to set this as my role for the users.
>> I
>> thought that this was what userRoleName did, but apparently not. Any
>> ideas?
>>
>> Jo I think I have JNDIPrincipalStore set up incorrectly. Below appears in
>> my
>> domain.xml.
>>
>> <!-- Use a JNDIPrincipalStore for users -->
>> <store name="users">
>>      <nodestore
>> classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>>            <!-- See javadoc for JNDIPrincipalStore for description of
>> parameters -->
>>            <parameter name="cache.refresh.checkrate">15</parameter>
>>            <parameter name="cache.refresh.rate">600</parameter>
>>            <parameter name="cache.refresh.threshold">500</parameter>
>>            <parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>>            <parameter name="jndi.attributes.rdn">uid</parameter>
>>            <parameter
>> name="jndi.search.filter">(objectClass=*)</parameter>
>>            <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>>            <parameter name="jndi.search.attributes">uid</parameter>
>>            <parameter
>> name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>>            <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>>            <parameter
>> name="java.naming.security.principal">cn=root,o=isp</parameter>
>>            <parameter
>> name="java.naming.security.authentication">simple</parameter>
>>            <parameter name="java.naming.security.credentials">root
>> </parameter>
>>      </nodestore>
>>      <securitystore>
>>            <reference store="nodestore"/>
>>      </securitystore>
>>      <lockstore>
>>            <reference store="nodestore"/>
>>      </lockstore>
>>      <revisiondescriptorsstore>
>>            <reference store="nodestore"/>
>>      </revisiondescriptorsstore>
>>      <revisiondescriptorstore>
>>            <reference store="nodestore"/>
>>      </revisiondescriptorstore>
>>      <contentstore>
>>            <reference store="nodestore"/>
>>      </contentstore>
>> </store>
>>
>> With a similar set up for roles. What am I doing wrong here? What I'm trying
>> to do hasn't changed from what is outlined below.
>>
>> Jarrah Hands
>> Software Engineer (Business Applications)
>> The University of Notre Dame Australia
>> 19 Mouat Street (PO Box 1225)
>> Fremantle, Western Australia 6959
>> Tel: +61 9 9433 05287
>> Email: jhands@nd.edu.au
>>
>> -----Original Message-----
>> From: Jo [mailto:jojada@speedlegal.com]
>> Sent: Friday, 12 August 2005 8:02 AM
>> To: Slide Users Mailing List
>> Subject: Re: Getting slide working with a Samba share and LDAP
>>
>> Let's talk about LDAP issues:
>>>> 1.       Users get a 403 when they access using IE/Firefox and their
>>>> user
>>
>>>> ID does not already exist in users.def.xml in \bin\store\metadata. Once
>>>> the user's UID is in this file the user can easily log into and
>>>> read/write to their hearts content. Unfortunately setting permissions 
>>>> on
>>>> users Slide user directory proves annoying (may have to script it)
>>
>>>> 2.       We have about 3000-4000 students who will use the first
>>>> implementation and entering them into the users.def.xml file is not
>>>> practical (even if we use a script)
>>
>> Assuming that you're using JNDIPrincipalStore, would you send your 
>> /users,
>> /roles, /group stores configuration and confirm whether you get the
>> following message in the log file:
>> JNDIPrincipalStore[/xxxx]: Adding property "group-member-set" in 
>> namespace
>> "DAV:" with value of xxxxxxxxxxx
>>
>> Jo.-
>>
>> ----- Original Message ----- 
>> From: "Jarrah Hands" <jh...@nd.edu.au>
>> To: <sl...@jakarta.apache.org>
>> Cc: <jh...@nd.edu.au>
>> Sent: Thursday, August 11, 2005 6:37 PM
>> Subject: Getting slide working with a Samba share and LDAP
>>
>>
>>> G'day guys!
>>>
>>>
>>>
>>> Lots of questions, I apologise if they have been asked thousands of
>>> times.
>>>
>>>
>>>
>>> We have a LDAP server with all the student information required for
>>> authentication and access to various services on it ie:
>>>
>>>            UID
>>>
>>>            userPassword
>>>
>>>            userEducationalAffilation (Student or Staff)
>>>
>>>            sambaPassword
>>>
>>>            homeDirectory
>>>
>>>            mailUsername
>>>
>>>            etc etc
>>>
>>> The LDAP server is currently used to control access to Webmail
>>> (https://www.nd.edu.au <https://www.nd.edu.au/> ), an online file server
>>> (https://www.nd.edu.au/stf/) which allows access to user's home
>>> directory,
>>> an online portal, lecture sign up etc. so it contains all the required
>>> info
>>> we need for our current project. What we want to do is set up the users'
>>> home directories with Slide so that they can be accessed from any where
>>> with
>>> an internet connection using the functionality WebDAV provides,
>>> especially
>>> using WebFolders (Windoze) and Macs implementation. We currently have
>>> Slide
>>> running on Tomcat on a test server. We have it so that the users can
>>> connect
>>> to the server and authenticate using LDAP. This works perfectly fine how
>>> ever this is where the issues arise:
>>>
>>> 1.       Users get a 403 when they access using IE/Firefox and their 
>>> user
>>> ID
>>> does not already exist in users.def.xml in \bin\store\metadata. Once the
>>> user's UID is in this file the user can easily log into and read/write 
>>> to
>>> their hearts content. Unfortunately setting permissions on users Slide
>>> user
>>> directory proves annoying (may have to script it)
>>>
>>> 2.       We have about 3000-4000 students who will use the first
>>> implementation and entering them into the users.def.xml file is not
>>> practical (even if we use a script)
>>>
>>> 3.       We currently can not work out how to get Slide to connect to 
>>> and
>>> use a Samba directory as the directory shared. We can work out how to
>>> extract the user's sambaPassword and homeDirectory from LDAP and feed
>>> these
>>> to Slide, but getting Slide to connect to this as the rootpath/workpath
>>> is
>>> proving challenging (how do you set the values as the ones from LDAP in
>>> Domain.xml?
>>>
>>>
>>>
>>> SO what we are trying to achieve is:
>>>
>>> 1.       Users sets up a Webfolder etc to https://www.nd.edu.au/ndmfs or
>>> similar (Working)
>>>
>>> 2.       User asked for username password (Working)
>>>
>>> 3.       Username (uid) is authenticated using the password in LDAP
>>> directory (working)
>>>
>>> 4.       User's role extracted from LDAP directory (not sure if this is
>>> working, is there a way for a user to check what their current role is?)
>>>
>>> 5.       Once authenticated the users Samba password and path to home
>>> directory is extracted from LDAP. (Working I think)
>>>
>>> 6.       Home directory is loaded as the directory shared by Slide (Not
>>> working)
>>>
>>> 7.       User sees their home drive as a windows webfolder (or similar)
>>> which they can read/write etc (working using Slide directory, but not
>>> Samba
>>> home directory)
>>>
>>>
>>>
>>> Current issues:
>>>
>>> 1.       The extracted role (userEducationalAffilation) does not appear
>>> to
>>> be used or set for users (any folder given permission for 'student' does
>>> not
>>> appear to be accessible by students)
>>>
>>> 2.       Can not work out how to use Samba shares as rootpath/workpath
>>>
>>> 3.       User accounts need to be added to users.def.xml before a user
>>> can
>>> successfully log in (is there a dynamic way I can load the users uid 
>>> into
>>> the user file so I don't need to add it manually/using a script?
>>>
>>> 4.       Permissions are cumbersome to set / keep up to date.
>>>
>>>
>>>
>>> Any suggestions?
>>>
>>>
>>>
>>> Jarrah Hands
>>>
>>> Software Engineer (Business Applications)
>>>
>>> The University of Notre Dame Australia
>>>
>>> 19 Mouat Street (PO Box 1225)
>>>
>>> Fremantle, Western Australia 6959
>>>
>>> Tel: +61 9 9433 05287
>>>
>>> Email: jhands@nd.edu.au
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
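
Added example (not part of the thread, and not Tomcat or Slide code): one way to answer "is there a way to find out?" from the JNDIRealm debug output alone. It rebuilds one record per login from the log lines quoted in the message above, undoing mail wrapping and ">" quote markers, and reports whether a "Found role" line was logged. The names LoginAttempt, unwrap and parse_attempts are made up for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# JNDIRealm debug lines taken from the excerpts in this thread, with mail-style
# wrapping and ">>" quote markers so the unwrapping step has something to do.
SAMPLE_LOG = """\
>> 2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:
>> dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by
>> binding
>> as the user
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
>> 2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT successfully
>> authenticated
>> 2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:
>> dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully
>> authenticated
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:
>> getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
2005-08-18 12:44:57 JNDIRealm[/slide]: lookupUser(jhands)
2005-08-18 12:44:57 JNDIRealm[/slide]:
dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-18 12:44:57 JNDIRealm[/slide]: Username jhands successfully
authenticated
2005-08-18 12:44:57 JNDIRealm[/slide]:
getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
2005-08-18 12:44:57 JNDIRealm[/slide]:   Returning 1 roles
2005-08-18 12:44:57 JNDIRealm[/slide]:   Found role employee
"""

QUOTE_MARKS = re.compile(r"^(?:>\s?)+")
RECORD = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) JNDIRealm\[[^\]]*\]:\s*(.*)$")


@dataclass
class LoginAttempt:
    timestamp: str
    username: str
    dn: Optional[str] = None
    authenticated: Optional[bool] = None
    role_search_ran: bool = False
    roles: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.authenticated is not True:
            return "auth-failed"
        if self.roles:
            return "roles-logged"
        # Only says the log has no "Found role" line for this login; it is
        # not proof that the principal ended up with no roles.
        return "no-role-logged"


def unwrap(text: str) -> List[Tuple[str, str]]:
    """Drop quote markers and glue wrapped lines back onto their log record.

    Expects log lines only: any line without a timestamp is treated as the
    continuation of the record before it.
    """
    records: List[List[str]] = []
    for raw in text.splitlines():
        line = QUOTE_MARKS.sub("", raw).strip()
        if not line:
            continue
        match = RECORD.match(line)
        if match:
            records.append([match.group(1), match.group(2).strip()])
        elif records:
            records[-1][1] = (records[-1][1] + " " + line).strip()
    return [(ts, msg) for ts, msg in records]


def parse_attempts(text: str) -> List[LoginAttempt]:
    """Group records into login attempts; lookupUser(...) opens a new one."""
    attempts: List[LoginAttempt] = []
    current: Optional[LoginAttempt] = None
    for ts, msg in unwrap(text):
        start = re.match(r"lookupUser\((.+)\)$", msg)
        if start:
            current = LoginAttempt(timestamp=ts, username=start.group(1))
            attempts.append(current)
        elif current is None:
            continue
        elif msg.startswith("dn="):
            current.dn = msg[len("dn="):]
        elif re.match(r"Username \S+ NOT successfully authenticated$", msg):
            current.authenticated = False
        elif re.match(r"Username \S+ successfully authenticated$", msg):
            current.authenticated = True
        elif msg.startswith("getRoles("):
            current.role_search_ran = True
        elif msg.startswith("Found role "):
            current.roles.append(msg[len("Found role "):])
    return attempts


if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_LOG):
        print(attempt.timestamp, attempt.username, attempt.verdict(), attempt.roles)
```
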


Re: Getting slide working with a Samba share and LDAP

Posted by Jo <jo...@speedlegal.com>.
Hi Jarrah,

I browsed 
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#JNDIRealm 
and found its content was very straightforward and informative.
It can be very useful for you. I didn't read carefully but it seems you have 
to set roleBase, roleName and roleSearch parameters in the <Realm> element.

> When you say that JNDI extracts straight from the LDAP directory you mean
> with the line ' userRoleName="eduPersonAffiliation" '?
>
> If so, does this mean that the log has the extracted Role/s associated with
> their login whilst that user is logged in, as such no configuration of slide
> roles for each user is required?
As far as tomcat's authentication with JNDIRealm is concerned, yes, no 
configuration of slide roles is involved.

> How do you suggest I check if my stores have been successfully populated? I
> can't find any data which has been saved with the store data.
What tool did you use to find out that you couldn't find any data?
DAVExplorer is a good tool.

> Am I missing a parameter in my user/role config. I currently have the
> user/role schema in my domain.xml. Is this the correct place?
What sort of user/role schema?

I guess what you can do now is firstly, make sure that your JNDIRealm works 
then check whether your stores are populated.

Jo.-


----- Original Message ----- 
From: "Jarrah Hands" <jh...@nd.edu.au>
To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
Sent: Monday, August 15, 2005 5:49 PM
Subject: RE: Getting slide working with a Samba share and LDAP


> Jo,
>
> I tried changing the userRoleName="eduPersonAffiliation" to other values to
> see what effect it would have on the operation of our slide server. Changing
> it to legit values such as 'uid' resulted in access being denied. Same with
> non legit entries. This makes me think that maybe the role is being
> extracted from the LDAP directory (is there a way to find out?)
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> debug="99"
> connectionName="cn=root"
> connectionPassword="rootpass"
> connectionURL="ldap://10.9.24.14:389"
>
> userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
>
> userRoleName="eduPersonAffiliation"
> />
>
> When you say that JNDI extracts straight from the LDAP directory you mean
> with the line ' userRoleName="eduPersonAffiliation" '?
>
> If so, does this mean that the log has the extracted Role/s associated with
> their login whilst that user is logged in, as such no configuration of slide
> roles for each user is required?
>
> As for my roles config:
>
> <!-- Use a JNDIPrincipalStore for roles -->
> <store name="roles">
>      <nodestore
> classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>            <!-- See javadoc for JNDIPrincipalStore for description of
> parameters -->
>            <parameter name="cache.refresh.checkrate">15</parameter>
>            <parameter name="cache.refresh.rate">600</parameter>
>            <parameter name="cache.refresh.threshold">500</parameter>
>            <parameter
> name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>            <parameter name="jndi.attributes.rdn">uid</parameter>
>            <parameter 
> name="jndi.search.filter">(objectClass=*)</parameter>
>            <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>            <parameter
> name="jndi.search.attributes">eduPersonAffiliation</parameter>
> <!-- Parameters to connect to LDAP Store -->
>            <parameter
> name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>            <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>            <parameter name="java.naming.security.principal">cn=directory
> manager,o=isp</parameter>
>            <parameter
> name="java.naming.security.authentication">simple</parameter>
>            <parameter name="java.naming.security.credentials">directory
> manager</parameter>
>      </nodestore>
>      <securitystore>
>            <reference store="nodestore"/>
>      </securitystore>
>      <lockstore>
>            <reference store="nodestore"/>
>      </lockstore>
>      <revisiondescriptorsstore>
>            <reference store="nodestore"/>
>      </revisiondescriptorsstore>
>      <revisiondescriptorstore>
>            <reference store="nodestore"/>
>      </revisiondescriptorstore>
>      <contentstore>
>            <reference store="nodestore"/>
>      </contentstore>
> </store>
>
> How do you suggest I check if my stores have been successfully populated? I
> can't find any data which has been saved with the store data. Am I missing a
> parameter in my user/role config. I currently have the user/role schema in
> my domain.xml. Is this the correct place?
>
>
> Jarrah Hands
> Software Engineer (Business Applications)
> The University of Notre Dame Australia
> 19 Mouat Street (PO Box 1225)
> Fremantle, Western Australia 6959
> Tel: +61 9 9433 05287
> Email: jhands@nd.edu.au
>
> -----Original Message-----
> From: Jo [mailto:jojada@speedlegal.com]
> Sent: Monday, 15 August 2005 12:22 PM
> To: Slide Users Mailing List
> Subject: Re: Getting slide working with a Samba share and LDAP
>
> JNDIRealm retrieves usernames, passwords, and roles directly from an LDAP
> directory and hence, its success or failure issues should have nothing to do
> with Slide configuration.
> The tomcat's documentation on JNDIRealm may help.
>
> Regarding the /users and /roles store setup, some parameter values depend on
> your LDAP schema.
> Before we go down that path by trying different values, it's worth checking
> whether based on the current configuration any of those two stores have been
> successfully populated.
> Please attach your /roles store configuration as well in next mail.
>
> Jo.-
>
>
> ----- Original Message ----- 
> From: "Jarrah Hands" <jh...@nd.edu.au>
> To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
> Sent: Monday, August 15, 2005 1:07 PM
> Subject: RE: Getting slide working with a Samba share and LDAP
>
>
>> Update:
>>
>> If the user is hard coded in as an already existing user then I get this
>> in
>> my log:
>>
>> 2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:
>> dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   retrieving values for attribute
>> eduPersonAffiliation
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   validating credentials by 
>> binding
>> as the user
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:   binding as
>> uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully
>> authenticated
>> 2005-08-15 11:04:49 JNDIRealm[/slide]:
>> getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
>>
>> So the get Roles method should get the role of the user. Why is the 
>> jhands
>> account not acting like an employee then (as jhands (me!) is an employee
>> as
>> found in the eduPersonAffiliation attribute.
>>
>> Any ideas?
>>
>> Jarrah Hands
>> Software Engineer (Business Applications)
>> The University of Notre Dame Australia
>> 19 Mouat Street (PO Box 1225)
>> Fremantle, Western Australia 6959
>> Tel: +61 9 9433 05287
>> Email: jhands@nd.edu.au
>>
>> -----Original Message-----
>> From: Jarrah Hands [mailto:jhands@nd.edu.au]
>> Sent: Monday, 15 August 2005 10:58 AM
>> To: 'Slide Users Mailing List'
>> Subject: RE: Getting slide working with a Samba share and LDAP
>>
>> Ok guys, I looked at this briefly, my log is reporting this:
>>
>> 2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:
>> dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   retrieving values for attribute
>> eduPersonAffiliation
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by 
>> binding
>> as the user
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   binding as
>> uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> 2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
>> 2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT successfully
>> authenticated
>>
>> Coming from an LDAP directory using
>>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>> debug="99"
>> connectionName="cn=root"
>> connectionPassword="rootpass"
>> connectionURL="ldap://10.9.24.14:389"
>>
>> userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp
>> userRoleName="eduPersonAffiliation"
>> />
>>
>> eduPersonAffiliation is the name of the attribute which says whether a
>> user
>> is a student or an employee. I want to set this as my role for the users.
>> I
>> thought that this was what userRoleName did, but apparently not. Any
>> ideas?
>>
>> Jo I think I have JNDIPrincipalStore set up incorrectly. Below appears in
>> my
>> domain.xml.
>>
>> <!-- Use a JNDIPrincipalStore for users -->
>> <store name="users">
>>      <nodestore
>> classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>>            <!-- See javadoc for JNDIPrincipalStore for description of
>> parameters -->
>>            <parameter name="cache.refresh.checkrate">15</parameter>
>>            <parameter name="cache.refresh.rate">600</parameter>
>>            <parameter name="cache.refresh.threshold">500</parameter>
>>            <parameter
>> name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>>            <parameter name="jndi.attributes.rdn">uid</parameter>
>>            <parameter
>> name="jndi.search.filter">(objectClass=*)</parameter>
>>            <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>>            <parameter name="jndi.search.attributes">uid</parameter>
>>            <parameter
>> name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>>            <parameter
>> name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>>            <parameter
>> name="java.naming.security.principal">cn=root,o=isp</parameter>
>>            <parameter
>> name="java.naming.security.authentication">simple</parameter>
>>            <parameter name="java.naming.security.credentials">root
>> </parameter>
>>      </nodestore>
>>      <securitystore>
>>            <reference store="nodestore"/>
>>      </securitystore>
>>      <lockstore>
>>            <reference store="nodestore"/>
>>      </lockstore>
>>      <revisiondescriptorsstore>
>>            <reference store="nodestore"/>
>>      </revisiondescriptorsstore>
>>      <revisiondescriptorstore>
>>            <reference store="nodestore"/>
>>      </revisiondescriptorstore>
>>      <contentstore>
>>            <reference store="nodestore"/>
>>      </contentstore>
>> </store>
>>
>> With a similar set up for roles. What am I doing wrong here? What Im
>> trying
>> to do hasn't changed from what is outlined below.
>>
>> Jarrah Hands
>> Software Engineer (Business Applications)
>> The University of Notre Dame Australia
>> 19 Mouat Street (PO Box 1225)
>> Fremantle, Western Australia 6959
>> Tel: +61 9 9433 05287
>> Email: jhands@nd.edu.au
>>
>> -----Original Message-----
>> From: Jo [mailto:jojada@speedlegal.com]
>> Sent: Friday, 12 August 2005 8:02 AM
>> To: Slide Users Mailing List
>> Subject: Re: Getting slide working with a Samba share and LDAP
>>
>> Let's talk about LDAP issues:
>>>> 1.       Users get a 403 when they access using IE/Firefox and their
>>>> user
>>
>>>> ID does not already exist in users.def.xml in \bin\store\metadata. Once
>>>> the user's UID is in this file the user can easily log into and
>>>> read/write to their hearts content. Unfortunately setting permissions 
>>>> on
>>>> users Slide user directory proves annoying (may have to script it)
>>
>>>> 2.       We have about 3000-4000 students who will use the first
>>>> implementation and entering them into the users.def.xml file is not
>>>> practical (even if we use a script)
>>
>> Assuming that you're using JNDIPrincipalStore, would you send your 
>> /users,
>> /roles, /group stores configuration and confirm whether you get the
>> following message in the log file:
>> JNDIPrincipalStore[/xxxx]: Adding property "group-member-set" in 
>> namespace
>> "DAV:" with value of xxxxxxxxxxx
>>
>> Jo.-
>>
>> ----- Original Message ----- 
>> From: "Jarrah Hands" <jh...@nd.edu.au>
>> To: <sl...@jakarta.apache.org>
>> Cc: <jh...@nd.edu.au>
>> Sent: Thursday, August 11, 2005 6:37 PM
>> Subject: Getting slide working with a Samba share and LDAP
>>
>>
>>> G'day guys!
>>>
>>>
>>>
>>> Lots of questions, I apologise if they have been asked thousands of
>>> times.
>>>
>>>
>>>
>>> We have a LDAP server with all the student information required for
>>> authentication and access to various services on it ie:
>>>
>>>            UID
>>>
>>>            userPassword
>>>
>>>            userEducationalAffilation (Student or Staff)
>>>
>>>            sambaPassword
>>>
>>>            homeDirectory
>>>
>>>            mailUsername
>>>
>>>            etc etc
>>>
>>> The LDAP server is currently used to control access to Webmail
>>> (https://www.nd.edu.au <https://www.nd.edu.au/> ), an online file server
>>> (https://www.nd.edu.au/stf/) which allows access to user's home
>>> directory,
>>> an online portal, lecture sign up etc. so it contains all the required
>>> info
>>> we need for our current project. What we want to do is set up the users'
>>> home directories with Slide so that they can be accessed from any where
>>> with
>>> an internet connection using the functionality WebDAV provides,
>>> especially
>>> using WebFolders (Windoze) and Macs implementation. We currently have
>>> Slide
>>> running on Tomcat on a test server. We have it so that the users can
>>> connect
>>> to the server and authenticate using LDAP. This works perfectly fine how
>>> ever this is where the issues arise:
>>>
>>> 1.       Users get a 403 when they access using IE/Firefox and their 
>>> user
>>> ID
>>> does not already exist in users.def.xml in \bin\store\metadata. Once the
>>> user's UID is in this file the user can easily log into and read/write 
>>> to
>>> their hearts content. Unfortunately setting permissions on users Slide
>>> user
>>> directory proves annoying (may have to script it)
>>>
>>> 2.       We have about 3000-4000 students who will use the first
>>> implementation and entering them into the users.def.xml file is not
>>> practical (even if we use a script)
>>>
>>> 3.       We currently can not work out how to get Slide to connect to 
>>> and
>>> use a Samba directory as the directory shared. We can work out how to
>>> extract the user's sambaPassword and homeDirectory from LDAP and feed
>>> these
>>> to Slide, but getting Slide to connect to this as the rootpath/workpath
>>> is
>>> proving challenging (how do you set the values as the ones from LDAP in
>>> Domain.xml?
>>>
>>>
>>>
>>> SO what we are trying to achieve is:
>>>
>>> 1.       Users sets up a Webfolder etc to https://www.nd.edu.au/ndmfs or
>>> similar (Working)
>>>
>>> 2.       User asked for username password (Working)
>>>
>>> 3.       Username (uid) is authenticated using the password in LDAP
>>> directory (working)
>>>
>>> 4.       User's role extracted from LDAP directory (not sure if this is
>>> working, is there a way for a user to check what their current role is?)
>>>
>>> 5.       Once authenticated the users Samba password and path to home
>>> directory is extracted from LDAP. (Working I think)
>>>
>>> 6.       Home directory is loaded as the directory shared by Slide (Not
>>> working)
>>>
>>> 7.       User sees their home drive as a windows webfolder (or similar)
>>> which they can read/write etc (working using Slide directory, but not
>>> Samba
>>> home directory)
>>>
>>>
>>>
>>> Current issues:
>>>
>>> 1.       The extracted role (userEducationalAffilation) does not appear
>>> to
>>> be used or set for users (any folder given permission for 'student' does
>>> not
>>> appear to be accessible by students)
>>>
>>> 2.       Can not work out how to use Samba shares as rootpath/workpath
>>>
>>> 3.       User accounts need to be added to users.def.xml before a user
>>> can
>>> successfully log in (is there a dynamic way I can load the users uid 
>>> into
>>> the user file so I don't need to add it manually/using a script?
>>>
>>> 4.       Permissions are cumbersome to set / keep up to date.
>>>
>>>
>>>
>>> Any suggestions?
>>>
>>>
>>>
>>> Jarrah Hands
>>>
>>> Software Engineer (Business Applications)
>>>
>>> The University of Notre Dame Australia
>>>
>>> 19 Mouat Street (PO Box 1225)
>>>
>>> Fremantle, Western Australia 6959
>>>
>>> Tel: +61 9 9433 05287
>>>
>>> Email: jhands@nd.edu.au
>>>


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org


RE: Getting slide working with a Samba share and LDAP

Posted by Jarrah Hands <jh...@nd.edu.au>.
Jo,

I tried changing the userRoleName="eduPersonAffiliation" to other values to
see what effect it would have on the operation of our slide server. Changing
it to legit values such as 'uid' resulted in access being denied. Same with
non legit entries. This makes me think that maybe the role is being
extracted from the LDAP directory (is there a way to find out?)

		<Realm className="org.apache.catalina.realm.JNDIRealm"
			debug="99"
			connectionName="cn=root"
			connectionPassword="rootpass"
			connectionURL="ldap://10.9.24.14:389"
			userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
			userRoleName="eduPersonAffiliation"
		/>

When you say that JNDI extracts straight from the LDAP directory you mean
with the line ' userRoleName="eduPersonAffiliation" '?

If so, does this mean that the log has the extracted Role/s associated with
their login whilst that user is logged in, as such no configuration of slide
roles for each user is required?

As for my roles config:

<!-- Use a JNDIPrincipalStore for roles -->
<store name="roles">
      <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
            <!-- See javadoc for JNDIPrincipalStore for description of parameters -->
            <parameter name="cache.refresh.checkrate">15</parameter>
            <parameter name="cache.refresh.rate">600</parameter>
            <parameter name="cache.refresh.threshold">500</parameter>
            <parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
            <parameter name="jndi.attributes.rdn">uid</parameter>
            <parameter name="jndi.search.filter">(objectClass=*)</parameter>
            <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
            <parameter name="jndi.search.attributes">eduPersonAffiliation</parameter>
            <!-- Parameters to connect to LDAP Store -->
            <parameter name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
            <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
            <parameter name="java.naming.security.principal">cn=directory manager,o=isp</parameter>
            <parameter name="java.naming.security.authentication">simple</parameter>
            <parameter name="java.naming.security.credentials">directory manager</parameter>
      </nodestore>
      <securitystore>
            <reference store="nodestore"/>
      </securitystore>
      <lockstore>
            <reference store="nodestore"/>
      </lockstore>
      <revisiondescriptorsstore>
            <reference store="nodestore"/>
      </revisiondescriptorsstore>
      <revisiondescriptorstore>
            <reference store="nodestore"/>
      </revisiondescriptorstore>
      <contentstore>
            <reference store="nodestore"/>
      </contentstore>
</store>

How do you suggest I check if my stores have been successfully populated? I
can't find any data which has been saved with the store data. Am I missing a
parameter in my user/role config? I currently have the user/role schema in
my domain.xml. Is this the correct place?


Jarrah Hands
Software Engineer (Business Applications)
The University of Notre Dame Australia
19 Mouat Street (PO Box 1225)
Fremantle, Western Australia 6959
Tel: +61 9 9433 05287
Email: jhands@nd.edu.au

-----Original Message-----
From: Jo [mailto:jojada@speedlegal.com] 
Sent: Monday, 15 August 2005 12:22 PM
To: Slide Users Mailing List
Subject: Re: Getting slide working with a Samba share and LDAP

JNDIRealm retrieves usernames, passwords, and roles directly from an LDAP 
directory and hence, its success or failure issues should have nothing to do 
with Slide configuration.
The tomcat's documentation on JNDIRealm may help.

Regarding the /users and /roles store setup, some parameter values depend on 
your LDAP schema.
Before we go down that path by trying different values, it's worth checking 
whether based on the current configuration any of those two stores have been 
successfully populated.
Please attach your /roles store configuration as well in next mail.

Jo.-


----- Original Message ----- 
From: "Jarrah Hands" <jh...@nd.edu.au>
To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
Sent: Monday, August 15, 2005 1:07 PM
Subject: RE: Getting slide working with a Samba share and LDAP


> Update:
>
> If the user is hard coded in as an already existing user then I get this 
> in
> my log:
>
> 2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
> 2005-08-15 11:04:49 JNDIRealm[/slide]:
> dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-15 11:04:49 JNDIRealm[/slide]:   retrieving values for attribute
> eduPersonAffiliation
> 2005-08-15 11:04:49 JNDIRealm[/slide]:   validating credentials by binding
> as the user
> 2005-08-15 11:04:49 JNDIRealm[/slide]:   binding as
> uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully
> authenticated
> 2005-08-15 11:04:49 JNDIRealm[/slide]:
> getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
>
> So the get Roles method should get the role of the user. Why is the jhands
> account not acting like an employee then (as jhands (me!) is an employee 
> as
> found in the eduPersonAffiliation attribute.
>
> Any ideas?
>
> Jarrah Hands
> Software Engineer (Business Applications)
> The University of Notre Dame Australia
> 19 Mouat Street (PO Box 1225)
> Fremantle, Western Australia 6959
> Tel: +61 9 9433 05287
> Email: jhands@nd.edu.au
>
> -----Original Message-----
> From: Jarrah Hands [mailto:jhands@nd.edu.au]
> Sent: Monday, 15 August 2005 10:58 AM
> To: 'Slide Users Mailing List'
> Subject: RE: Getting slide working with a Samba share and LDAP
>
> Ok guys, I looked at this briefly, my log is reporting this:
>
> 2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
> 2005-08-15 10:07:47 JNDIRealm[/slide]:
> dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-15 10:07:47 JNDIRealm[/slide]:   retrieving values for attribute
> eduPersonAffiliation
> 2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by binding
> as the user
> 2005-08-15 10:07:47 JNDIRealm[/slide]:   binding as
> uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
> 2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT successfully
> authenticated
>
> Coming from an LDAP directory using
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> debug="99"
> connectionName="cn=root"
> connectionPassword="rootpass"
> connectionURL="ldap://10.9.24.14:389"
>
> userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> userRoleName="eduPersonAffiliation"
> />
>
> eduPersonAffiliation is the name of the attribute which says whether a 
> user
> is a student or an employee. I want to set this as my role for the users. 
> I
> thought that this was what userRoleName did, but apparently not. Any 
> ideas?
>
> Jo I think I have JNDIPrincipalStore set up incorrectly. Below appears in 
> my
> domain.xml.
>
> <!-- Use a JNDIPrincipalStore for users -->
> <store name="users">
>      <nodestore
> classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>            <!-- See javadoc for JNDIPrincipalStore for description of
> parameters -->
>            <parameter name="cache.refresh.checkrate">15</parameter>
>            <parameter name="cache.refresh.rate">600</parameter>
>            <parameter name="cache.refresh.threshold">500</parameter>
>            <parameter
> name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>            <parameter name="jndi.attributes.rdn">uid</parameter>
>            <parameter 
> name="jndi.search.filter">(objectClass=*)</parameter>
>            <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>            <parameter name="jndi.search.attributes">uid</parameter>
>            <parameter
> name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>            <parameter
> name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>            <parameter
> name="java.naming.security.principal">cn=root,o=isp</parameter>
>            <parameter
> name="java.naming.security.authentication">simple</parameter>
>            <parameter name="java.naming.security.credentials">root
> </parameter>
>      </nodestore>
>      <securitystore>
>            <reference store="nodestore"/>
>      </securitystore>
>      <lockstore>
>            <reference store="nodestore"/>
>      </lockstore>
>      <revisiondescriptorsstore>
>            <reference store="nodestore"/>
>      </revisiondescriptorsstore>
>      <revisiondescriptorstore>
>            <reference store="nodestore"/>
>      </revisiondescriptorstore>
>      <contentstore>
>            <reference store="nodestore"/>
>      </contentstore>
> </store>
>
> With a similar set up for roles. What am I doing wrong here? What Im 
> trying
> to do hasn't changed from what is outlined below.
>
> Jarrah Hands
> Software Engineer (Business Applications)
> The University of Notre Dame Australia
> 19 Mouat Street (PO Box 1225)
> Fremantle, Western Australia 6959
> Tel: +61 9 9433 05287
> Email: jhands@nd.edu.au
>
> -----Original Message-----
> From: Jo [mailto:jojada@speedlegal.com]
> Sent: Friday, 12 August 2005 8:02 AM
> To: Slide Users Mailing List
> Subject: Re: Getting slide working with a Samba share and LDAP
>
> Let's talk about LDAP issues:
>>> 1.       Users get a 403 when they access using IE/Firefox and their 
>>> user
>
>>> ID does not already exist in users.def.xml in \bin\store\metadata. Once
>>> the user's UID is in this file the user can easily log into and
>>> read/write to their hearts content. Unfortunately setting permissions on
>>> users Slide user directory proves annoying (may have to script it)
>
>>> 2.       We have about 3000-4000 students who will use the first
>>> implementation and entering them into the users.def.xml file is not
>>> practical (even if we use a script)
>
> Assuming that you're using JNDIPrincipalStore, would you send your /users,
> /roles, /group stores configuration and confirm whether you get the
> following message in the log file:
> JNDIPrincipalStore[/xxxx]: Adding property "group-member-set" in namespace
> "DAV:" with value of xxxxxxxxxxx
>
> Jo.-
>
> ----- Original Message ----- 
> From: "Jarrah Hands" <jh...@nd.edu.au>
> To: <sl...@jakarta.apache.org>
> Cc: <jh...@nd.edu.au>
> Sent: Thursday, August 11, 2005 6:37 PM
> Subject: Getting slide working with a Samba share and LDAP
>
>
>> G'day guys!
>>
>>
>>
>> Lots of questions, I apologise if they have been asked thousands of 
>> times.
>>
>>
>>
>> We have a LDAP server with all the student information required for
>> authentication and access to various services on it ie:
>>
>>            UID
>>
>>            userPassword
>>
>>            userEducationalAffilation (Student or Staff)
>>
>>            sambaPassword
>>
>>            homeDirectory
>>
>>            mailUsername
>>
>>            etc etc
>>
>> The LDAP server is currently used to control access to Webmail
>> (https://www.nd.edu.au <https://www.nd.edu.au/> ), an online file server
>> (https://www.nd.edu.au/stf/) which allows access to user's home 
>> directory,
>> an online portal, lecture sign up etc. so it contains all the required
>> info
>> we need for our current project. What we want to do is set up the users'
>> home directories with Slide so that they can be accessed from any where
>> with
>> an internet connection using the functionality WebDAV provides, 
>> especially
>> using WebFolders (Windoze) and Macs implementation. We currently have
>> Slide
>> running on Tomcat on a test server. We have it so that the users can
>> connect
>> to the server and authenticate using LDAP. This works perfectly fine how
>> ever this is where the issues arise:
>>
>> 1.       Users get a 403 when they access using IE/Firefox and their user
>> ID
>> does not already exist in users.def.xml in \bin\store\metadata. Once the
>> user's UID is in this file the user can easily log into and read/write to
>> their hearts content. Unfortunately setting permissions on users Slide
>> user
>> directory proves annoying (may have to script it)
>>
>> 2.       We have about 3000-4000 students who will use the first
>> implementation and entering them into the users.def.xml file is not
>> practical (even if we use a script)
>>
>> 3.       We currently can not work out how to get Slide to connect to and
>> use a Samba directory as the directory shared. We can work out how to
>> extract the user's sambaPassword and homeDirectory from LDAP and feed
>> these
>> to Slide, but getting Slide to connect to this as the rootpath/workpath 
>> is
>> proving challenging (how do you set the values as the ones from LDAP in
>> Domain.xml?
>>
>>
>>
>> SO what we are trying to achieve is:
>>
>> 1.       Users sets up a Webfolder etc to https://www.nd.edu.au/ndmfs or
>> similar (Working)
>>
>> 2.       User asked for username password (Working)
>>
>> 3.       Username (uid) is authenticated using the password in LDAP
>> directory (working)
>>
>> 4.       User's role extracted from LDAP directory (not sure if this is
>> working, is there a way for a user to check what their current role is?)
>>
>> 5.       Once authenticated the users Samba password and path to home
>> directory is extracted from LDAP. (Working I think)
>>
>> 6.       Home directory is loaded as the directory shared by Slide (Not
>> working)
>>
>> 7.       User sees their home drive as a windows webfolder (or similar)
>> which they can read/write etc (working using Slide directory, but not
>> Samba
>> home directory)
>>
>>
>>
>> Current issues:
>>
>> 1.       The extracted role (userEducationalAffilation) does not appear 
>> to
>> be used or set for users (any folder given permission for 'student' does
>> not
>> appear to be accessible by students)
>>
>> 2.       Can not work out how to use Samba shares as rootpath/workpath
>>
>> 3.       User accounts need to be added to users.def.xml before a user 
>> can
>> successfully log in (is there a dynamic way I can load the users uid into
>> the user file so I don't need to add it manually/using a script?
>>
>> 4.       Permissions are cumbersome to set / keep up to date.
>>
>>
>>
>> Any suggestions?
>>
>>
>>
>> Jarrah Hands
>>
>> Software Engineer (Business Applications)
>>
>> The University of Notre Dame Australia
>>
>> 19 Mouat Street (PO Box 1225)
>>
>> Fremantle, Western Australia 6959
>>
>> Tel: +61 9 9433 05287
>>
>> Email: jhands@nd.edu.au
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
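
Added example, not part of the original thread: a small Python parser for the JNDIRealm debug lines quoted in the messages above. It rejoins the mail-wrapped lines, groups them per lookupUser call, and reports whether each attempt stopped at the bind or went on to getRoles; the function names and result labels are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Log lines as quoted in this thread, with the mail line-wrapping kept.
SAMPLE_LOG = """\
2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
2005-08-15 10:07:47 JNDIRealm[/slide]:
dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 10:07:47 JNDIRealm[/slide]:   retrieving values for attribute
eduPersonAffiliation
2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by binding
as the user
2005-08-15 10:07:47 JNDIRealm[/slide]:   binding as
uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT successfully
authenticated
2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
2005-08-15 11:04:49 JNDIRealm[/slide]:
dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 11:04:49 JNDIRealm[/slide]:   retrieving values for attribute
eduPersonAffiliation
2005-08-15 11:04:49 JNDIRealm[/slide]:   validating credentials by binding
as the user
2005-08-15 11:04:49 JNDIRealm[/slide]:   binding as
uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully
authenticated
2005-08-15 11:04:49 JNDIRealm[/slide]:
getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
"""

QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")  # mail quote markers such as "> " or ">> "
RECORD = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} JNDIRealm\[[^\]]*\]:\s*(.*)$"
)


@dataclass
class Attempt:
    username: str
    dn: Optional[str] = None
    role_attributes: List[str] = field(default_factory=list)
    bind_failed: bool = False
    authenticated: Optional[bool] = None
    roles_queried: bool = False


def unwrap(text: str) -> List[str]:
    """Return one message per log record, rejoining wrapped continuation lines."""
    messages: List[str] = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            messages.append(m.group(1).strip())
        elif messages:  # no timestamp: continuation of the previous record
            messages[-1] = (messages[-1] + " " + line).strip()
    return messages


def parse_attempts(text: str) -> List[Attempt]:
    """Group records into one Attempt per lookupUser(...) call."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for msg in unwrap(text):
        m = re.fullmatch(r"lookupUser\((.+)\)", msg)
        if m:
            current = Attempt(username=m.group(1))
            attempts.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("dn="):
            current.dn = msg[3:]
        elif (m := re.fullmatch(r"retrieving values for attribute (\S+)", msg)):
            current.role_attributes.append(m.group(1))
        elif msg == "bind attempt failed":
            current.bind_failed = True
        elif (m := re.fullmatch(r"Username (\S+) (NOT )?successfully authenticated", msg)):
            current.authenticated = m.group(2) is None
        elif msg.startswith("getRoles("):
            current.roles_queried = True
    return attempts


def diagnose(a: Attempt) -> str:
    """Label where an attempt stopped (labels are this example's own)."""
    if a.bind_failed:
        return "BIND_FAILED"
    if a.authenticated is False:
        return "AUTH_FAILED"
    if a.authenticated and a.roles_queried:
        return "AUTH_OK_ROLES_QUERIED"
    if a.authenticated:
        return "AUTH_OK_NO_ROLE_LOOKUP"
    return "INCOMPLETE"


if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_LOG):
        print(attempt.username, attempt.dn, attempt.role_attributes, diagnose(attempt))
```

For 20040051 the attempt ends at the bind, so role handling is never reached; for jhands the bind succeeds and getRoles is called, though these log lines do not print the role values returned.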



Re: Getting slide working with a Samba share and LDAP

Posted by Jo <jo...@speedlegal.com>.
JNDIRealm retrieves usernames, passwords, and roles directly from an LDAP 
directory and hence, its success or failure issues should have nothing to do 
with Slide configuration.
The tomcat's documentation on JNDIRealm may help.

Regarding the /users and /roles store setup, some parameter values depend on 
your LDAP schema.
Before we go down that path by trying different values, it's worth checking 
whether based on the current configuration any of those two stores have been 
successfully populated.
Please attach your /roles store configuration as well in next mail.

Jo.-


----- Original Message ----- 
From: "Jarrah Hands" <jh...@nd.edu.au>
To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
Sent: Monday, August 15, 2005 1:07 PM
Subject: RE: Getting slide working with a Samba share and LDAP


> Update:
>
> If the user is hard coded in as an already existing user then I get this 
> in
> my log:
>
> 2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
> 2005-08-15 11:04:49 JNDIRealm[/slide]:
> dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-15 11:04:49 JNDIRealm[/slide]:   retrieving values for attribute
> eduPersonAffiliation
> 2005-08-15 11:04:49 JNDIRealm[/slide]:   validating credentials by binding
> as the user
> 2005-08-15 11:04:49 JNDIRealm[/slide]:   binding as
> uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully
> authenticated
> 2005-08-15 11:04:49 JNDIRealm[/slide]:
> getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
>
> So the get Roles method should get the role of the user. Why is the jhands
> account not acting like an employee then (as jhands (me!) is an employee 
> as
> found in the eduPersonAffiliation attribute.
>
> Any ideas?
>
> Jarrah Hands
> Software Engineer (Business Applications)
> The University of Notre Dame Australia
> 19 Mouat Street (PO Box 1225)
> Fremantle, Western Australia 6959
> Tel: +61 9 9433 05287
> Email: jhands@nd.edu.au
>
> -----Original Message-----
> From: Jarrah Hands [mailto:jhands@nd.edu.au]
> Sent: Monday, 15 August 2005 10:58 AM
> To: 'Slide Users Mailing List'
> Subject: RE: Getting slide working with a Samba share and LDAP
>
> Ok guys, I looked at this briefly, my log is reporting this:
>
> 2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
> 2005-08-15 10:07:47 JNDIRealm[/slide]:
> dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-15 10:07:47 JNDIRealm[/slide]:   retrieving values for attribute
> eduPersonAffiliation
> 2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by binding
> as the user
> 2005-08-15 10:07:47 JNDIRealm[/slide]:   binding as
> uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> 2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
> 2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT successfully
> authenticated
>
> Coming from an LDAP directory using
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> debug="99"
> connectionName="cn=root"
> connectionPassword="rootpass"
> connectionURL="ldap://10.9.24.14:389"
>
> userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp
> userRoleName="eduPersonAffiliation"
> />
>
> eduPersonAffiliation is the name of the attribute which says whether a 
> user
> is a student or an employee. I want to set this as my role for the users. 
> I
> thought that this was what userRoleName did, but apparently not. Any 
> ideas?
>
> Jo I think I have JNDIPrincipalStore set up incorrectly. Below appears in 
> my
> domain.xml.
>
> <!-- Use a JNDIPrincipalStore for users -->
> <store name="users">
>      <nodestore
> classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
>            <!-- See javadoc for JNDIPrincipalStore for description of
> parameters -->
>            <parameter name="cache.refresh.checkrate">15</parameter>
>            <parameter name="cache.refresh.rate">600</parameter>
>            <parameter name="cache.refresh.threshold">500</parameter>
>            <parameter
> name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
>            <parameter name="jndi.attributes.rdn">uid</parameter>
>            <parameter 
> name="jndi.search.filter">(objectClass=*)</parameter>
>            <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
>            <parameter name="jndi.search.attributes">uid</parameter>
>            <parameter
> name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
>            <parameter
> name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
>            <parameter
> name="java.naming.security.principal">cn=root,o=isp</parameter>
>            <parameter
> name="java.naming.security.authentication">simple</parameter>
>            <parameter name="java.naming.security.credentials">root
> </parameter>
>      </nodestore>
>      <securitystore>
>            <reference store="nodestore"/>
>      </securitystore>
>      <lockstore>
>            <reference store="nodestore"/>
>      </lockstore>
>      <revisiondescriptorsstore>
>            <reference store="nodestore"/>
>      </revisiondescriptorsstore>
>      <revisiondescriptorstore>
>            <reference store="nodestore"/>
>      </revisiondescriptorstore>
>      <contentstore>
>            <reference store="nodestore"/>
>      </contentstore>
> </store>
>
> With a similar set up for roles. What am I doing wrong here? What Im 
> trying
> to do hasn't changed from what is outlined below.
>
> Jarrah Hands
> Software Engineer (Business Applications)
> The University of Notre Dame Australia
> 19 Mouat Street (PO Box 1225)
> Fremantle, Western Australia 6959
> Tel: +61 9 9433 05287
> Email: jhands@nd.edu.au

---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org


RE: Getting slide working with a Samba share and LDAP

Posted by Jarrah Hands <jh...@nd.edu.au>.
Update:

If the user is hard coded in as an already existing user then I get this in
my log:

2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
2005-08-15 11:04:49 JNDIRealm[/slide]: dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 11:04:49 JNDIRealm[/slide]:   retrieving values for attribute eduPersonAffiliation
2005-08-15 11:04:49 JNDIRealm[/slide]:   validating credentials by binding as the user
2005-08-15 11:04:49 JNDIRealm[/slide]:   binding as uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully authenticated
2005-08-15 11:04:49 JNDIRealm[/slide]: getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)

So the getRoles method should get the role of the user. Why is the jhands
account not acting like an employee then (as jhands (me!) is an employee as
found in the eduPersonAffiliation attribute)?

Any ideas?

Jarrah Hands
Software Engineer (Business Applications)
The University of Notre Dame Australia
19 Mouat Street (PO Box 1225)
Fremantle, Western Australia 6959
Tel: +61 9 9433 05287
Email: jhands@nd.edu.au

---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
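
A way to triage the JNDIRealm debug traces posted in this thread, as an added example (not part of the original messages and not Tomcat or Slide code): it rejoins the mail-wrapped log lines and reports, per login attempt, the DN that was bound, whether the bind succeeded, and whether getRoles was reached. The function names and the record layout are assumptions made for illustration.

```python
import re

# The two traces quoted in the thread, kept hard-wrapped the way the mail
# client delivered them (copied from the posts, not new data).
SAMPLE_LOG = """\
2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
2005-08-15 10:07:47 JNDIRealm[/slide]:
dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 10:07:47 JNDIRealm[/slide]:   retrieving values for attribute
eduPersonAffiliation
2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by binding
as the user
2005-08-15 10:07:47 JNDIRealm[/slide]:   binding as
uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT successfully
authenticated
2005-08-15 11:04:49 JNDIRealm[/slide]: lookupUser(jhands)
2005-08-15 11:04:49 JNDIRealm[/slide]:
dn=uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 11:04:49 JNDIRealm[/slide]:   retrieving values for attribute
eduPersonAffiliation
2005-08-15 11:04:49 JNDIRealm[/slide]:   validating credentials by binding
as the user
2005-08-15 11:04:49 JNDIRealm[/slide]:   binding as
uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 11:04:49 JNDIRealm[/slide]: Username jhands successfully
authenticated
2005-08-15 11:04:49 JNDIRealm[/slide]:
getRoles(uid=jhands,ou=People,ou=Fremantle,o=nd.edu.au,o=isp)
"""

ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) JNDIRealm\[[^\]]*\]:\s*(?P<msg>.*)$"
)


def unwrap(text):
    """Join continuation lines (no timestamp prefix) onto their log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group("ts"), m.group("msg").strip()])
        elif entries and line.strip():
            entries[-1][1] = (entries[-1][1] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]


def summarize(text):
    """Group entries into one record per lookupUser(...) call."""
    attempts, cur = [], None
    for ts, msg in unwrap(text):
        m = re.match(r"lookupUser\((.*)\)$", msg)
        if m:
            cur = {"time": ts, "user": m.group(1), "dn": None, "attributes": [],
                   "authenticated": None, "roles_queried": False}
            attempts.append(cur)
        elif cur is None:
            continue  # entry seen before any lookupUser: nothing to attach it to
        elif msg.startswith("dn="):
            cur["dn"] = msg[3:]
        elif msg.startswith("retrieving values for attribute "):
            cur["attributes"].append(msg.rsplit(" ", 1)[1])
        elif msg.startswith("Username "):
            cur["authenticated"] = "NOT successfully" not in msg
        elif msg.startswith("getRoles("):
            # The trace records the call only, not which roles came back.
            cur["roles_queried"] = True
    return attempts


def failed_binds(attempts):
    """Attempts whose user bind was rejected: (time, user, DN)."""
    return [(a["time"], a["user"], a["dn"])
            for a in attempts if a["authenticated"] is False]


if __name__ == "__main__":
    for a in summarize(SAMPLE_LOG):
        print(a["time"], a["user"], "ok" if a["authenticated"] else "FAILED",
              "getRoles reached" if a["roles_queried"] else "getRoles not reached")
```
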


RE: Getting slide working with a Samba share and LDAP

Posted by Jarrah Hands <jh...@nd.edu.au>.
Ok guys, I looked at this briefly, my log is reporting this:

2005-08-15 10:07:47 JNDIRealm[/slide]: lookupUser(20040051)
2005-08-15 10:07:47 JNDIRealm[/slide]: dn=uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 10:07:47 JNDIRealm[/slide]:   retrieving values for attribute eduPersonAffiliation
2005-08-15 10:07:47 JNDIRealm[/slide]:   validating credentials by binding as the user
2005-08-15 10:07:47 JNDIRealm[/slide]:   binding as uid=20040051,ou=People,ou=Fremantle,o=nd.edu.au,o=isp
2005-08-15 10:07:47 JNDIRealm[/slide]:   bind attempt failed
2005-08-15 10:07:47 JNDIRealm[/slide]: Username 20040051 NOT successfully authenticated

Coming from an LDAP directory using

		<Realm className="org.apache.catalina.realm.JNDIRealm"
			debug="99"
			connectionName="cn=root"
			connectionPassword="rootpass"
			connectionURL="ldap://10.9.24.14:389"
			userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
			userRoleName="eduPersonAffiliation"
		/>

eduPersonAffiliation is the name of the attribute which says whether a user
is a student or an employee. I want to set this as my role for the users. I
thought that this was what userRoleName did, but apparently not. Any ideas?

Jo, I think I have JNDIPrincipalStore set up incorrectly. Below appears in my
domain.xml.

<!-- Use a JNDIPrincipalStore for users -->
<store name="users">
      <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
            <!-- See javadoc for JNDIPrincipalStore for description of parameters -->
            <parameter name="cache.refresh.checkrate">15</parameter>
            <parameter name="cache.refresh.rate">600</parameter>
            <parameter name="cache.refresh.threshold">500</parameter>
            <parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
            <parameter name="jndi.attributes.rdn">uid</parameter>
            <parameter name="jndi.search.filter">(objectClass=*)</parameter>
            <parameter name="jndi.search.scope">ONELEVEL_SCOPE</parameter>
            <parameter name="jndi.search.attributes">uid</parameter>
            <parameter name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
            <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
            <parameter name="java.naming.security.principal">cn=root,o=isp</parameter>
            <parameter name="java.naming.security.authentication">simple</parameter>
            <parameter name="java.naming.security.credentials">root</parameter>
      </nodestore>
      <securitystore>
            <reference store="nodestore"/>
      </securitystore>
      <lockstore>
            <reference store="nodestore"/>
      </lockstore>
      <revisiondescriptorsstore>
            <reference store="nodestore"/>
      </revisiondescriptorsstore>
      <revisiondescriptorstore>
            <reference store="nodestore"/>
      </revisiondescriptorstore>
      <contentstore>
            <reference store="nodestore"/>
      </contentstore>
</store>

With a similar set up for roles. What am I doing wrong here? What I'm trying
to do hasn't changed from what is outlined below.

Jarrah Hands
Software Engineer (Business Applications)
The University of Notre Dame Australia
19 Mouat Street (PO Box 1225)
Fremantle, Western Australia 6959
Tel: +61 9 9433 05287
Email: jhands@nd.edu.au

---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
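
A check one could run over the two configurations posted above, as an added example (not part of the original message and not Slide or Tomcat code): it pulls the LDAP connection settings out of the JNDIRealm element and the JNDIPrincipalStore parameters, compares them, and flags cleartext `ldap://` binds and passwords kept in the files. The function names and finding codes are made up for illustration, and the embedded XML is a reduced copy of what was posted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Reduced copies of the posted configuration (connection settings only).
SERVER_XML_REALM = '''<Realm className="org.apache.catalina.realm.JNDIRealm"
    debug="99"
    connectionName="cn=root"
    connectionPassword="rootpass"
    connectionURL="ldap://10.9.24.14:389"
    userPattern="uid={0},ou=People,ou=Fremantle,o=nd.edu.au,o=isp"
    userRoleName="eduPersonAffiliation"/>'''

DOMAIN_XML_STORE = '''<store name="users">
  <nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
    <parameter name="jndi.container">ou=People,ou=Fremantle,o=nd.edu.au,o=isp</parameter>
    <parameter name="java.naming.provider.url">ldap://10.9.24.14:389</parameter>
    <parameter name="java.naming.security.principal">cn=root,o=isp</parameter>
    <parameter name="java.naming.security.authentication">simple</parameter>
    <parameter name="java.naming.security.credentials">root</parameter>
  </nodestore>
</store>'''


def realm_settings(xml_text):
    """Connection settings carried by a Tomcat JNDIRealm element."""
    realm = ET.fromstring(xml_text)
    return {
        "url": realm.get("connectionURL"),
        "bind_dn": realm.get("connectionName"),
        "password": realm.get("connectionPassword"),
        # Everything after the first RDN of userPattern is the user container.
        "user_base": realm.get("userPattern", "").partition(",")[2],
    }


def store_settings(xml_text):
    """Connection settings carried by a JNDIPrincipalStore <store> block."""
    store = ET.fromstring(xml_text)
    p = {e.get("name"): (e.text or "").strip() for e in store.iter("parameter")}
    return {
        "url": p.get("java.naming.provider.url"),
        "bind_dn": p.get("java.naming.security.principal"),
        "password": p.get("java.naming.security.credentials"),
        "user_base": p.get("jndi.container"),
    }


def normalize_dn(dn):
    """Lower-case and trim each RDN. A simplification, not an RFC 4514 parser."""
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1)).lower()
        for rdn in (dn or "").split(",")
    )


def review(realm, store):
    """Return (code, message) findings; password values are never echoed."""
    findings = []
    for label, cfg in (("realm", realm), ("store", store)):
        if urlparse(cfg["url"] or "").scheme.lower() != "ldaps":
            findings.append(("cleartext-ldap",
                f"{label}: {cfg['url']} is not ldaps://, so simple binds travel "
                "unencrypted unless the link is otherwise protected"))
        if cfg["password"]:
            findings.append(("password-in-file",
                f"{label}: bind password is stored in cleartext in the config"))
    if normalize_dn(realm["bind_dn"]) != normalize_dn(store["bind_dn"]):
        findings.append(("bind-dn-mismatch",
            f"realm binds as '{realm['bind_dn']}', store as '{store['bind_dn']}'"))
    if realm["password"] != store["password"]:
        findings.append(("password-mismatch",
            "realm and store use different bind passwords (values not shown)"))
    if normalize_dn(realm["user_base"]) != normalize_dn(store["user_base"]):
        findings.append(("user-base-mismatch",
            "userPattern container and jndi.container point at different subtrees"))
    return findings


if __name__ == "__main__":
    for code, message in review(realm_settings(SERVER_XML_REALM),
                                store_settings(DOMAIN_XML_STORE)):
        print(f"[{code}] {message}")
```
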


RE: Getting slide working with a Samba share and LDAP

Posted by Jarrah Hands <jh...@nd.edu.au>.
No, I'm not getting the message:

JNDIPrincipalStore[/xxxx]: Adding property "group-member-set" in namespace "DAV:" with value of xxxxxxxxxxx

in my log file. I probably don't have JNDIPrincipalStore set up correctly.
I'll look into it.

Jarrah Hands
Software Engineer (Business Applications)
The University of Notre Dame Australia
19 Mouat Street (PO Box 1225)
Fremantle, Western Australia 6959
Tel: +61 9 9433 05287
Email: jhands@nd.edu.au

---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org


Re: Getting slide working with a Samba share and LDAP

Posted by Jo <jo...@speedlegal.com>.
Let's talk about LDAP issues:
>> 1.       Users get a 403 when they access using IE/Firefox and their user 
>> ID does not already exist in users.def.xml in \bin\store\metadata. Once 
>> the user's UID is in this file the user can easily log into and 
>> read/write to their heart's content. Unfortunately setting permissions on 
>> users' Slide user directory proves annoying (may have to script it)

>> 2.       We have about 3000-4000 students who will use the first 
>> implementation and entering them into the users.def.xml file is not 
>> practical (even if we use a script)

Assuming that you're using JNDIPrincipalStore, would you send your /users, 
/roles, /group stores configuration and confirm whether you get the 
following message in the log file:
JNDIPrincipalStore[/xxxx]: Adding property "group-member-set" in namespace "DAV:" with value of xxxxxxxxxxx

Jo.-

----- Original Message ----- 
From: "Jarrah Hands" <jh...@nd.edu.au>
To: <sl...@jakarta.apache.org>
Cc: <jh...@nd.edu.au>
Sent: Thursday, August 11, 2005 6:37 PM
Subject: Getting slide working with a Samba share and LDAP


> G'day guys!
>
>
>
> Lots of questions, I apologise if they have been asked thousands of times.
>
>
>
> We have a LDAP server with all the student information required for
> authentication and access to various services on it ie:
>
>            UID
>
>            userPassword
>
>            userEducationalAffilation (Student or Staff)
>
>            sambaPassword
>
>            homeDirectory
>
>            mailUsername
>
>            etc etc
>
> The LDAP server is currently used to control access to Webmail
> (https://www.nd.edu.au), an online file server
> (https://www.nd.edu.au/stf/) which allows access to user's home directory,
> an online portal, lecture sign up etc. so it contains all the required info
> we need for our current project. What we want to do is set up the users'
> home directories with Slide so that they can be accessed from anywhere with
> an internet connection using the functionality WebDAV provides, especially
> using WebFolders (Windoze) and Mac's implementation. We currently have Slide
> running on Tomcat on a test server. We have it so that the users can connect
> to the server and authenticate using LDAP. This works perfectly fine; however,
> this is where the issues arise:
>
> 1.       Users get a 403 when they access using IE/Firefox and their user ID
> does not already exist in users.def.xml in \bin\store\metadata. Once the
> user's UID is in this file the user can easily log into and read/write to
> their heart's content. Unfortunately setting permissions on users' Slide user
> directory proves annoying (may have to script it)
>
> 2.       We have about 3000-4000 students who will use the first
> implementation and entering them into the users.def.xml file is not
> practical (even if we use a script)
>
> 3.       We currently cannot work out how to get Slide to connect to and
> use a Samba directory as the directory shared. We can work out how to
> extract the user's sambaPassword and homeDirectory from LDAP and feed these
> to Slide, but getting Slide to connect to this as the rootpath/workpath is
> proving challenging (how do you set the values as the ones from LDAP in
> Domain.xml?)
>
>
>
> So what we are trying to achieve is:
>
> 1.       User sets up a Webfolder etc. to https://www.nd.edu.au/ndmfs or
> similar (Working)
>
> 2.       User asked for username password (Working)
>
> 3.       Username (uid) is authenticated using the password in LDAP
> directory (working)
>
> 4.       User's role extracted from LDAP directory (not sure if this is
> working, is there a way for a user to check what their current role is?)
>
> 5.       Once authenticated the user's Samba password and path to home
> directory is extracted from LDAP. (Working I think)
>
> 6.       Home directory is loaded as the directory shared by Slide (Not
> working)
>
> 7.       User sees their home drive as a windows webfolder (or similar)
> which they can read/write etc (working using Slide directory, but not Samba
> home directory)
>
>
>
> Current issues:
>
> 1.       The extracted role (userEducationalAffilation) does not appear to
> be used or set for users (any folder given permission for 'student' does not
> appear to be accessible by students)
>
> 2.       Cannot work out how to use Samba shares as rootpath/workpath
>
> 3.       User accounts need to be added to users.def.xml before a user can
> successfully log in (is there a dynamic way I can load the user's uid into
> the user file so I don't need to add it manually/using a script?)
>
> 4.       Permissions are cumbersome to set / keep up to date.
>
>
>
> Any suggestions?
>
>
>
> Jarrah Hands
>
> Software Engineer (Business Applications)
>
> The University of Notre Dame Australia
>
> 19 Mouat Street (PO Box 1225)
>
> Fremantle, Western Australia 6959
>
> Tel: +61 9 9433 05287
>
> Email: jhands@nd.edu.au
>
>
>
>
>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
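
One way to check a log file for the JNDIPrincipalStore message Jo asks about, as an added example that is not part of the original thread or of Slide's own code: it reports which store scopes logged a non-empty "group-member-set". The log prefix, the sample lines, the user id and the function names are assumptions made for illustration; only the message format comes from the reply above.

```python
import re
from collections import defaultdict

# Message format as quoted in the reply; anything before
# "JNDIPrincipalStore[" (timestamp, level) is ignored.
LINE_RE = re.compile(
    r'JNDIPrincipalStore\[(?P<store>[^\]]+)\]: Adding property '
    r'"(?P<prop>[^"]+)" in namespace "(?P<ns>[^"]+)" with value of (?P<value>.*)$'
)


def group_member_sets(log_lines):
    """Map store scope -> list of group-member-set values logged for it."""
    found = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if m and m.group("prop") == "group-member-set" and m.group("ns") == "DAV:":
            found[m.group("store")].append(m.group("value").strip())
    return dict(found)


def stores_missing(log_lines, expected_stores):
    """Expected store scopes that never logged a non-empty group-member-set."""
    seen = group_member_sets(log_lines)
    return [s for s in expected_stores if not any(seen.get(s, []))]


# Constructed sample log: timestamps, levels, hrefs and the uid are made up.
SAMPLE_LOG = [
    '11 Aug 2005 10:40:01 - INFO - JNDIPrincipalStore[/roles]: Adding property '
    '"group-member-set" in namespace "DAV:" with value of '
    '<D:href xmlns:D="DAV:">/users/s1234567</D:href>',
    # Different property on the same kind of line: must not be counted.
    '11 Aug 2005 10:40:01 - INFO - JNDIPrincipalStore[/users]: Adding property '
    '"displayname" in namespace "DAV:" with value of s1234567',
    # Message present but with an empty value: counted as missing.
    '11 Aug 2005 10:40:02 - INFO - JNDIPrincipalStore[/group]: Adding property '
    '"group-member-set" in namespace "DAV:" with value of ',
]

if __name__ == "__main__":
    print(group_member_sets(SAMPLE_LOG))
    print(stores_missing(SAMPLE_LOG, ["/roles", "/group", "/users"]))
```

A store scope listed by `stores_missing` either never produced the message or produced it with an empty value, which is the case worth reporting back to the list alongside the store configuration.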