Posted to user@roller.apache.org by Steve McCain <s....@Bradford.ac.uk> on 2008/04/18 13:09:11 UTC
ldap authentication & authorisation
By using the Sample LDAP/RollerDB hybrid config in the security.xml file supplied with Roller 4.0,
I have users being authenticated by LDAP while their authorisation remains under the control of the
database (users and roles). So far so good.
I work in a university and would like to restrict access to Roller to staff only. We have a 'staff' group
in our LDAP, so I'm looking at how I could use group membership to do this. To test this out I've created
a 'register' group with myself as a uniqueMember. I've changed the LdapAuthenticationProvider bean
to use a DefaultLdapAuthoritiesPopulator instead of the AuthoritiesPopulator (id=jdbcAuthoritiesPopulator)
as in the supplied security.xml. I now get 403 errors when I try to log in. How do I trace what Roller is
sending to LDAP?
Am I barking up the wrong tree entirely with this approach? Have I crippled Roller's ability to get user/role
info from the database by not using the AuthoritiesPopulator bean? Can anyone suggest a way of
configuring Roller to use LDAP group membership for broad-brush access control, while control of
which users can contribute to which blog remains with the database?
thanks
Steve
Re: ldap authentication & authorisation
Posted by Dave <sn...@gmail.com>.
On Fri, Apr 18, 2008 at 7:09 AM, Steve McCain <s....@bradford.ac.uk> wrote:
> By using the Sample LDAP/RollerDB hybrid config in the security.xml file
> supplied with Roller 4.0
> I have users being authenticated by ldap while their authorisation remains
> under the control of the
> database (users and roles). So far so good.
>
> I work in a university and would like to restrict access to roller to staff
> only. We have a 'staff' group
> in our ldap so I'm looking how I could use group membership to do this. To
> test this out I've created
> a 'register' group with myself as a uniqueMember. I've changed the
> LdapAuthenticationProvider bean
> to use a DefaultLdapAuthoritiesPopulator instead of the
> AuthoritiesPopulator (id=jdbcAuthoritiesPopulator)
> as in the supplied security.xml. I now get 403 errors when I try to log in.
> How do I trace what roller is
> sending to ldap?
>
> Am I barking up the wrong tree entirely with this approach? Have I crippled
> roller's ability to get user/role
> info from the database by not using the AuthoritiesPopulator bean? Can
> anyone suggest a way of
> configuring roller to use ldap group membership for a broad-brush access
> control while control of
> which users can contribute to which blog is controlled by the database?
I believe what you want to do is theoretically possible, that is,
getting role information from LDAP.
Roles are used to control "global" access to Roller, i.e. in relation
to the system as a whole and not one individual blog. I think you'd
have to write your own authorities populator object and then plug it
in via security.xml to do this.
- Dave
Re: ldap authentication & authorisation
Posted by Steve McCain <s....@Bradford.ac.uk>.
The jdbc AuthoritiesPopulator returns roles from the database as 'editor', 'register' etc.
The Acegi DefaultLdapAuthoritiesPopulator defaults to converting groupRoleAttribute values
to uppercase and prefixing them with 'ROLE_', hence it was returning 'ROLE_EDITOR',
'ROLE_REGISTER' etc. to Roller. The properties can be overridden, e.g.:
<property name="rolePrefix"><value>""</value></property>
<property name="convertToUpperCase"><value>false</value></property>
Hope this helps anyone else trying to use ldap authorisation.
Steve
Steve McCain wrote:
> Thanks Dave. Yes there is a groupSearchFilter property in acegi that
> defaults to member - I've
> set it to "(uniqueMember={0})" in DefaultLdapAuthoritiesPopulator in
> security.xml.
>
> The ldap search is now finding me as a uniqueMember of the groups but
> I'm still getting 403 errors.
>
> In the userrole table in the database I have a single entry with a
> rollname of 'editor' & have therefore
> assumed that I needed to be in a ldap group of cn=editor, ou=groups,
> dc.... etc. I also set ou to be 'editor'
> and have tried using either cn or ou as groupRoleAttribute - I get 403
> regardless. I've tried with
> and without being a member of a 'register' group & again this makes no
> difference.
>
> How can I turn on logging to see what roller is doing? What exactly
> does roller need to get
> from the ldap search to grant access?
>
> Steve
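A bean definition that puts the settings from this thread together (uniqueMember search filter, cn as the role attribute, no prefix, no upper-casing) so that the populator hands Roller the same role names the userrole table holds. This is an added example, not the Roller 4.0 sample security.xml or Steve's own config; the bean ids initialDirContextFactory, ldapAuthenticator and ldapAuthenticationProvider and the ou=groups search base are assumptions to adjust to your own file.

```xml
<!-- Assumed bean ids (initialDirContextFactory, ldapAuthenticator) follow the
     naming of the Roller 4.0 sample security.xml; check them against your copy. -->
<bean id="ldapAuthoritiesPopulator"
      class="org.acegisecurity.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <!-- Constructor arguments: directory context factory, then the group search base. -->
  <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
  <constructor-arg><value>ou=groups</value></constructor-arg>

  <!-- groupOfUniqueNames entries list members as uniqueMember, not member;
       {0} is replaced with the full DN of the authenticated user. -->
  <property name="groupSearchFilter"><value>(uniqueMember={0})</value></property>

  <!-- The group's cn is used as the role name... -->
  <property name="groupRoleAttribute"><value>cn</value></property>

  <!-- ...and must reach Roller unchanged, because the userrole table holds
       'editor', 'register' etc. An empty <value> element yields an empty prefix;
       convertToUpperCase=false keeps 'editor' from becoming 'EDITOR'. -->
  <property name="rolePrefix"><value></value></property>
  <property name="convertToUpperCase"><value>false</value></property>
</bean>

<!-- Wire the populator into the LDAP provider in place of jdbcAuthoritiesPopulator. -->
<bean id="ldapAuthenticationProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg><ref local="ldapAuthenticator"/></constructor-arg>
  <constructor-arg><ref local="ldapAuthoritiesPopulator"/></constructor-arg>
</bean>
```

To see the searches Acegi issues, raise the log4j level for the org.acegisecurity package to DEBUG in Roller's log4j configuration rather than relying only on the LDAP server's access log.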
Re: ldap authentication & authorisation
Posted by Steve McCain <s....@Bradford.ac.uk>.
Thanks Dave. Yes, there is a groupSearchFilter property in Acegi that defaults to member. I've
set it to "(uniqueMember={0})" in DefaultLdapAuthoritiesPopulator in security.xml.
The LDAP search is now finding me as a uniqueMember of the groups, but I'm still getting 403 errors.
In the userrole table in the database I have a single entry with a rollname of 'editor' and have therefore
assumed that I needed to be in an LDAP group of cn=editor, ou=groups, dc.... etc. I also set ou to be 'editor'
and have tried using either cn or ou as groupRoleAttribute; I get 403 regardless. I've tried with
and without being a member of a 'register' group, and again this makes no difference.
How can I turn on logging to see what Roller is doing? What exactly does Roller need to get
from the LDAP search to grant access?
Steve
Dave wrote:
> On Fri, Apr 18, 2008 at 10:53 AM, Steve McCain <s....@bradford.ac.uk> wrote:
>
>> I've spotted from the ldap access log that the group membership search is
>> actually using 'member' rather than 'uniqueMember' as the group attribute. How do I change
>> this?
>>
>
> Hmm... I don't see any reference to "member" in the Roller source
> code. Perhaps this is something that is being done under the covers by
> the Acegi security system? You might have to hit the Acegi docs to
> figure this one out. Hopefully, it's something that is pluggable.
>
> - Dave
Re: ldap authentication & authorisation
Posted by Dave <sn...@gmail.com>.
On Fri, Apr 18, 2008 at 10:53 AM, Steve McCain <s....@bradford.ac.uk> wrote:
> I've spotted from the ldap access log that the group membership search is
> actually using 'member' rather than 'uniqueMember' as the group attribute. How do I change
> this?
Hmm... I don't see any reference to "member" in the Roller source
code. Perhaps this is something that is being done under the covers by
the Acegi security system? You might have to hit the Acegi docs to
figure this one out. Hopefully, it's something that is pluggable.
- Dave
Re: ldap authentication & authorisation
Posted by Steve McCain <s....@Bradford.ac.uk>.
I've spotted from the LDAP access log that the group membership search is actually using
'member' rather than 'uniqueMember' as the group attribute. How do I change this?