Posted to user@roller.apache.org by Thomas-W Hofmann <th...@db.com> on 2006/11/28 10:30:32 UTC
LDAP Authentication problem
Hi,
I am currently working to get Roller LDAP authentication to work in our
corporate environment.
I managed to get users authenticated using their email address (using the
username field) and LDAP password.
Question: Once authentication is fine by LDAP, how does Roller retrieve
the user rights from the Roller DB?
I tried to change the select statements from daoauthentication to "SELECT
xxx WHERE mail=(0) " but this did not work.
Other question: Why is there a restriction on the username not to include
spaces or anything except a-z,A-z,0-9?
It would help to use the email address as username (at least for our
environment).
Thank you
Thomas
--
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
Reply: Re: Roller 3.1 RC 1 bugs (here rag_group_subscription)
Posted by Thomas-W Hofmann <th...@db.com>.
I have no clue about Hibernate and the related POJOs, but could the
problem of duplicate entries come from the
* @hibernate.collection-many-to-many column="subscription_id"
I don't think that's true here. It is a one-to-many column (if such a thing
exists)
    /**
     * @hibernate.set table="rag_group_subscription" lazy="true" invert="true" cascade="save-update"
     * @hibernate.collection-key column="group_id"
     * @hibernate.collection-many-to-many column="subscription_id" class="org.apache.roller.planet.pojos.PlanetSubscriptionData"
     */
    public Set getSubscriptions()
    {
        return subscriptions;
    }

    public void setSubscriptions(Set subscriptions)
    {
        this.subscriptions = subscriptions;
    }
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Thomas Hofmann
Dave <sn...@gmail.com> wrote on 01/12/2006 20:42:22:
> Thanks, I've added those to the wiki and we'll do our best to address them.
> http://rollerweblogger.org/wiki/Wiki.jsp?page=Roller31Testing
> >
> > 2 Planet Admin - Subscriptions - There is a duplicate INSERT INTO
> > RAG_GROUP_SUBSCRIPTIONS statement with switched parameters causing
> > problems. (ORACLE db)
> >
> > Hibernate: insert into rag_subscription (feed_url, last_updated, site_url,
> > title, author, inbound_links, inbound_blogs, id) values (?, ?, ?, ?, ?, ?,
> > ?, ?)
> > Hibernate: insert into rag_group_subscription (group_id, subscription_id)
> > values (?, ?)
> > Hibernate: insert into rag_group_subscription (subscription_id, group_id)
> > values (?, ?)
> >
> >
Re: Roller 3.1 RC 1 bugs
Posted by Dave <sn...@gmail.com>.
Thanks, I've added those to the wiki and we'll do our best to address them.
http://rollerweblogger.org/wiki/Wiki.jsp?page=Roller31Testing
- Dave
On 12/1/06, Thomas-W Hofmann <th...@db.com> wrote:
> 1 Roller : Unable to create directory in UploadFile.jsp
>
> /roller-ui/ is hardcoded in the form action of createSubDir. The webapp
> directory is missing in front of the path.
>
> <%-- --------------------------
>      Create directory form
> --%>
> <c:if test="${model.showingRoot}">
>     <form name="createSubdir" method="post"
>           action="/roller-ui/authoring/uploadFiles.do">
>         <input type="hidden" name="method" value="createSubdir" />
>         <input type="hidden" name="weblog" value='<c:out value="${model.website.handle}"/>'>
>         <input type="hidden" name="path" value='<c:out value="${model.path}"/>'>
>
>         <b><fmt:message key="uploadFiles.createDir" /></b> <input type="text" name="newDir" size="20" />
>         <input type="submit" value='<fmt:message key="uploadFiles.createDirButton" />' />
>
>         <br />
>         <br />
>
>     </form>
> </c:if>
>
> 2 Planet Admin - Subscriptions - There is a duplicate INSERT INTO
> RAG_GROUP_SUBSCRIPTIONS statement with switched parameters causing
> problems. (ORACLE db)
>
> Hibernate: insert into rag_subscription (feed_url, last_updated, site_url,
> title, author, inbound_links, inbound_blogs, id) values (?, ?, ?, ?, ?, ?,
> ?, ?)
> Hibernate: insert into rag_group_subscription (group_id, subscription_id)
> values (?, ?)
> Hibernate: insert into rag_group_subscription (subscription_id, group_id)
> values (?, ?)
>
>
> 3 (all versions) someone should update the documentation that a 10g
> JDBC driver is needed to create the first user using ORACLE !
>
> 4 (all versions) someone should update the documentation to include
> username.allowedChars() parameter !
>
> 5 (all versions) There are still a lot of errors if ORACLE is used
> caused by empty form fields (i.e. description empty in Create new Weblog)
> resulting in ORACLE ERROR 14xx - (cannot insert null value into table
> xxxx)
>
>
> so far ...
>
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
> Thomas Hofmann
>
>
>
>
Roller 3.1 RC 1 bugs
Posted by Thomas-W Hofmann <th...@db.com>.
1 Roller : Unable to create directory in UploadFile.jsp
/roller-ui/ is hardcoded in the form action of createSubDir. The webapp
directory is missing in front of the path.
<%-- --------------------------
     Create directory form
--%>
<c:if test="${model.showingRoot}">
    <form name="createSubdir" method="post"
          action="/roller-ui/authoring/uploadFiles.do">
        <input type="hidden" name="method" value="createSubdir" />
        <input type="hidden" name="weblog" value='<c:out value="${model.website.handle}"/>'>
        <input type="hidden" name="path" value='<c:out value="${model.path}"/>'>

        <b><fmt:message key="uploadFiles.createDir" /></b> <input type="text" name="newDir" size="20" />
        <input type="submit" value='<fmt:message key="uploadFiles.createDirButton" />' />

        <br />
        <br />

    </form>
</c:if>
2 Planet Admin - Subscriptions - There is a duplicate INSERT INTO
RAG_GROUP_SUBSCRIPTIONS statement with switched parameters causing
problems. (ORACLE db)
Hibernate: insert into rag_subscription (feed_url, last_updated, site_url,
title, author, inbound_links, inbound_blogs, id) values (?, ?, ?, ?, ?, ?,
?, ?)
Hibernate: insert into rag_group_subscription (group_id, subscription_id)
values (?, ?)
Hibernate: insert into rag_group_subscription (subscription_id, group_id)
values (?, ?)
3 (all versions) someone should update the documentation that a 10g
JDBC driver is needed to create the first user using ORACLE !
4 (all versions) someone should update the documentation to include
username.allowedChars() parameter !
5 (all versions) There are still a lot of errors if ORACLE is used
caused by empty form fields (i.e. description empty in Create new Weblog)
resulting in ORACLE ERROR 14xx - (cannot insert null value into table
xxxx)
so far ...
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Thomas Hofmann
Re: Re: LDAP Authentication problem
Posted by Dave <sn...@gmail.com>.
On 11/30/06, Thomas-W Hofmann <th...@db.com> wrote:
> Hi Dave,
> please find comments below.
>
> After finding a thread from august/06 in roller-dev where Elias seems to
> have done just what I need I mailed him directly. Hopefully he will
> provide the examples and doc he did talk about.
> Another question : Where is the right place to post bugs in 3.1 RC1 ?
Normally, I follow the mailing list comments on the RC and list bugs on the wiki:
http://rollerweblogger.org/wiki/Wiki.jsp?page=Roller31Testing
But you can also report them to JIRA.
http://opensource.atlassian.com/projects/roller
- Dave
Reply: Re: LDAP Authentication problem
Posted by Thomas-W Hofmann <th...@db.com>.
Hi Dave,
please find comments below.
After finding a thread from August/06 in roller-dev where Elias seems to
have done just what I need, I mailed him directly. Hopefully he will
provide the examples and doc he did talk about.
Another question: Where is the right place to post bugs in 3.1 RC1?
After getting this installed I might be able to provide something like
"How to install Roller in a corporate environment".
We are using LDAP v3 on Sun Directory Server.
best regards
Thomas
Dave <sn...@gmail.com> wrote on 30/11/2006 16:23:20:
> On 11/28/06, Thomas-W Hofmann <thomas-w.hofmann AT DB.com> wrote:
> > I am currently working to get Roller LDAP authentication to work in our
> > corporate environment.
> > I managed to get users authenticated using their email address (using the
> > username field) and LDAP password.
> >
> > Question : Once authentication is fine by LDAP how does Roller retrieve
> > the user rights from Roller db ?
> > I tried to change the select statements from daoauthentication to "SELECT
> > xxx WHERE mail=(0) " but this did not work.
>
> I haven't tried it myself but, with LDAP authentication I believe each
> user still has to register with Roller to establish an entry in the
> USER and ROLE tables. Which set of instructions (if any) did you use
> to get LDAP auth working? And out of curiosity, what LDAP server are
> you using?
>
I tried setting up a user in Roller first.
Username=emailaddress (found out about the undocumented property by
scanning lots of your source code)
Then the user logs in and authenticates correctly against LDAP, but a 403 is
thrown because the roles are NOT retrieved from the Roller DB!
security.xml (the authorities populator sets the anonymous role as default;
your comment says it will fetch the correct role from the database)
<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldaps://ldaps.xx.xx:636/ou=people,ou=global,dc=xxxxxx,dc=com"/>
    <property name="managerDn"><value>uid=xxxxxxxxx,ou=Directory Administrators,dc=xxxxxxx,dc=com</value></property>
    <property name="managerPassword"><value>password</value></property>
    <property name="extraEnvVars">
        <map>
            <entry>
                <key>
                    <value>java.naming.referral</value>
                </key>
                <value>follow</value>
            </entry>
        </map>
    </property>
</bean>

<bean id="userSearch"
      class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value/>
    </constructor-arg>
    <constructor-arg index="1">
        <value>(mail={0})<!-- FOR Active Directory use this or use (uid={0}) for OpenLDAP --></value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>

<bean id="ldapAuthProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <property name="userSearch">
                <ref local="userSearch" />
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <constructor-arg><value></value></constructor-arg>
            <property name="groupRoleAttribute"><value>cn</value></property>
            <!-- use role from your ldap entry and set role search for
                 that or use default role as given below -->
            <!-- it won't give any problem as actual roles will be
                 used from roller db only -->
            <property name="defaultRole"><value>anonymous</value></property>
        </bean>
    </constructor-arg>
</bean>
I worked on the SSO section but it's still disabled because I don't want to
use SSO, only authentication against LDAP.
#----------------------------------
# Single-Sign-On
# Enables Roller to behave differently when registering new users
# in an SSO-enabled environment. You must configure security.xml appropriately.
users.sso.enabled=false

# Set these properties for a custom LDAP schema (optional)
users.sso.registry.ldap.attributes.name=mail
users.sso.registry.ldap.attributes.email=mail
#users.sso.registry.ldap.attributes.locale=locale
#users.sso.registry.ldap.attributes.timezone=timezone

# If you don't want user credentials from LDAP/etc to be stored in Roller
# (possibly in clear-text) leave this alone, otherwise set to true.
# i.e. you would like a backup auth mechanism in case LDAP is down.
users.sso.passwords.save=false

# if you don't want passwords stored in DB, set this to the default value.
users.sso.passwords.defaultValue=<unknown>

users.sso.autoProvision.enabled=false
users.sso.autoProvision.className=org.apache.roller.ui.core.security.BasicUserAutoProvision
>
> > Other question : Why is there a restriction to the username not to include
> > spaces or anything except a-z,A-z,0-9 ?
> > It would help to use the emailaddress as username (at least for our
> > environment)
>
> We want username to be a URL safe string, so we stick to a very safe
> ASCII subset, but this can be configured. You can set the allowed
> character string by setting the (apparently undocumented) property
> "username.allowedChars" in your roller-custom.properties file. The
> default is "A-Za-z0-9"
>
> - Dave
Re: LDAP Authentication problem
Posted by Dave <sn...@gmail.com>.
On 11/28/06, Thomas-W Hofmann <th...@db.com> wrote:
> I am currently working to get Roller LDAP authentication to work in our
> corporate environment.
> I managed to get users authenticated using their email address (using the
> username field) and LDAP password.
>
> Question : Once authentication is fine by LDAP how does Roller retrieve
> the user rights from Roller db ?
> I tried to change the select statements from daoauthentication to "SELECT
> xxx WHERE mail=(0) " but this did not work.
I haven't tried it myself but, with LDAP authentication I believe each
user still has to register with Roller to establish an entry in the
USER and ROLE tables. Which set of instructions (if any) did you use
to get LDAP auth working? And out of curiosity, what LDAP server are
you using?
> Other question : Why is there a restriction to the username not to include
> spaces or anything except a-z,A-z,0-9 ?
> It would help to use the emailaddress as username (at least for our
> environment)
We want username to be a URL safe string, so we stick to a very safe
ASCII subset, but this can be configured. You can set the allowed
character string by setting the (apparently undocumented) property
"username.allowedChars" in your roller-custom.properties file. The
default is "A-Za-z0-9"
- Dave
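Added example (not Roller's code, and in Python rather than Roller's Java so it runs stand-alone): a small validator built from a username.allowedChars-style string as Dave describes, with the thread's default "A-Za-z0-9", that also reports whether a username survives in a weblog URL without percent-encoding. The property name and default come from the thread; that the value is used as a regex character-class body, and all function names, are my assumptions.

```python
import re
import string
from urllib.parse import quote

# Default allowed-character string quoted by Dave in the thread.
DEFAULT_ALLOWED_CHARS = "A-Za-z0-9"


def build_username_pattern(allowed_chars: str) -> "re.Pattern[str]":
    """Compile an allowedChars-style string into a whole-string pattern.

    Assumption (not checked against Roller's source): the property value is
    the body of a regex character class, so ranges like "A-Z" work and a
    dash meant literally goes last, e.g. "A-Za-z0-9@._-".
    """
    if not allowed_chars:
        raise ValueError("allowedChars must not be empty")
    return re.compile(r"[" + allowed_chars + r"]+")


def is_url_safe(text: str) -> bool:
    """True when percent-encoding leaves the text unchanged, i.e. it is made
    only of RFC 3986 unreserved characters (letters, digits, - . _ ~)."""
    return quote(text, safe="") == text


def check_username(username: str, allowed_chars: str = DEFAULT_ALLOWED_CHARS) -> dict:
    """Report whether a username passes the allowedChars check and whether it
    can be embedded in a weblog URL without percent-encoding."""
    pattern = build_username_pattern(allowed_chars)
    return {
        "allowed": pattern.fullmatch(username) is not None,
        "url_safe": is_url_safe(username),
    }


def non_url_safe_allowed(allowed_chars: str) -> str:
    """List the printable ASCII characters an allowedChars setting admits that
    would be percent-encoded in a URL. Empty for the default "A-Za-z0-9"."""
    pattern = build_username_pattern(allowed_chars)
    printable = string.digits + string.ascii_letters + string.punctuation + " "
    return "".join(c for c in printable if pattern.fullmatch(c) and not is_url_safe(c))


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    widened = "A-Za-z0-9@._-"  # a set that lets an e-mail address through
    for name in ("thomas", "thomas.hofmann@example.com"):
        print(name, "default:", check_username(name))
        print(name, "widened:", check_username(name, widened))
    print("widened set admits non-URL-safe chars:", repr(non_url_safe_allowed(widened)))
```

Widening the set to admit an e-mail address as username works for the check, but "@" is then percent-encoded wherever the username appears in a URL, which is the trade-off behind Dave's URL-safe default.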
Reply: Re: LDAP Authentication problem
Posted by Thomas-W Hofmann <th...@db.com>.
Please see this thread
http://www.nabble.com/TR%3A-Problem-with-LDAP-tf2761760s12275.html
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Thomas
Dharmesh <fe...@yahoo.com> wrote on 28/12/2006 14:00:20:
>
> Hi,
> I have also been working on the same kind of requirement. Could you please
> let me know how you did it.
> An early response shall be greatly appreciated.
>
> thanks
> Dharmesh
>
>
> Thomas Hofmann wrote:
> >
> > Hi,
> >
> > I am currently working to get Roller LDAP authentication to work in our
> > corporate environment.
> > I managed to get users authenticated using their email address (using the
> > username field) and LDAP password.
> >
> > Question : Once authentication is fine by LDAP how does Roller retrieve
> > the user rights from Roller db ?
> > I tried to change the select statements from daoauthentication to "SELECT
> > xxx WHERE mail=(0) " but this did not work.
> >
> > Other question : Why is there a restriction to the username not to
include
> > spaces or anything except a-z,A-z,0-9 ?
> > It would help to use the emailaddress as username (at least for our
> > environment)
> >
> > Thank you
> > Thomas
> >
> >
> >
> >
Re: LDAP Authentication problem
Posted by Dharmesh <fe...@yahoo.com>.
Hi,
I have also been working on the same kind of requirement. Could you please
let me know how you did it.
An early response shall be greatly appreciated.
thanks
Dharmesh
Thomas Hofmann wrote:
>
> Hi,
>
> I am currently working to get Roller LDAP authentication to work in our
> corporate environment.
> I managed to get users authenticated using their email address (using the
> username field) and LDAP password.
>
> Question : Once authentication is fine by LDAP how does Roller retrieve
> the user rights from Roller db ?
> I tried to change the select statements from daoauthentication to "SELECT
> xxx WHERE mail=(0) " but this did not work.
>
> Other question : Why is there a restriction to the username not to include
> spaces or anything except a-z,A-z,0-9 ?
> It would help to use the emailaddress as username (at least for our
> environment)
>
> Thank you
> Thomas
>
>
>
>
--
View this message in context: http://www.nabble.com/LDAP-Authentication-problem-tf2717226s12275.html#a8074348
Sent from the Roller - User mailing list archive at Nabble.com.