portals-jetspeed-dev mailing list archives

From "Davy De Waele (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Commented: (JS2-491) Enhance J2 LDAP Security Documentation
Date Fri, 18 Aug 2006 06:53:17 GMT
    [ http://issues.apache.org/jira/browse/JS2-491?page=comments#action_12428928 ] 
            
Davy De Waele commented on JS2-491:
-----------------------------------

I think we need the following properties in jetspeed if we want to allow for a flexible LDAP
integration approach.
The following properties will allow jetspeed to interact with a number of different LDAP schemas,
as the user can now decide what filters to use, where groups/users/roles are stored, how group
& role membership should be handled, what objectClasses to use for users/groups/roles...

Let me know if somebody is interested in a security patch that takes these properties into
account, and removes the dependency on custom objectClasses & attributes.

# Ldap Configuration.
org.apache.jetspeed.ldap.initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
org.apache.jetspeed.ldap.ldapServerName=localhost
org.apache.jetspeed.ldap.ldapServerPort=389
org.apache.jetspeed.ldap.rootDn=cn=Directory Manager
org.apache.jetspeed.ldap.rootPassword=adminadmin
org.apache.jetspeed.ldap.rootContext=o\=Company3

# define the filters needed to search for roles/groups/users
# (no whitespace between filter components; RFC 4515 filter syntax)
org.apache.jetspeed.ldap.RoleFilter=(&(objectclass=ldapsubentry)(objectclass=nsroledefinition))
org.apache.jetspeed.ldap.GroupFilter=(objectclass=groupOfUniqueNames)
org.apache.jetspeed.ldap.UserFilter=(&(objectclass=inetorgperson)(objectclass=organizationalPerson))

# filter used to locate the entry to bind as at login; %u is replaced by the login name
org.apache.jetspeed.ldap.UserAuthenticationFilter=(&(uid=%u)(objectclass=inetorgperson))

# define the way role membership occurs
# if RoleMembershipAttributes is used, membership attr will be stored on role
# if UserRoleMembershipAttributes is used, membership attr will be stored on user
org.apache.jetspeed.ldap.RoleMembershipAttributes=
org.apache.jetspeed.ldap.UserRoleMembershipAttributes=nsroledn

# define the way group membership occurs
# if GroupMembershipAttributes is used, membership attr will be stored on group
# if UserGroupMembershipAttributes is used, membership attr will be stored on user
org.apache.jetspeed.ldap.GroupMembershipAttributes=uniqueMember
org.apache.jetspeed.ldap.UserGroupMembershipAttributes=

# define the path to roles,groups and users
# needs to be defined without the defaultsearchbase
org.apache.jetspeed.ldap.RoleFilterBase=
org.apache.jetspeed.ldap.GroupFilterBase=
org.apache.jetspeed.ldap.UserFilterBase=ou\=People\,ou\=OrgUnit1

# objectClasses used for role/group/user entries
org.apache.jetspeed.ldap.RoleObjectClasses=top\,ldapsubentry\,nsroledefinition\,nssimpleroledefinition\,nsmanagedroledefinition
org.apache.jetspeed.ldap.GroupObjectClasses=top\,groupofuniquenames
org.apache.jetspeed.ldap.UserObjectClasses=top\,person\,organizationalPerson\,inetorgperson

# define the ID attribute used to define roles/groups/users
org.apache.jetspeed.ldap.RoleIdAttribute=cn
org.apache.jetspeed.ldap.GroupIdAttribute=cn
org.apache.jetspeed.ldap.UserIdAttribute=uid

> Enhance J2 LDAP Security Documentation
> --------------------------------------
>
>                 Key: JS2-491
>                 URL: http://issues.apache.org/jira/browse/JS2-491
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 2.1-dev
>            Reporter: David Le Strat
>             Fix For: 2.1-dev
>
>
> From Davy De Waele email to the list:
> Judging from the recent activity on the mailing list I noticed some
> interest in using LDAP & Jetspeed.
> Some thoughts come to mind:
> 1. The instructions located at
> http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/ldap.html
> are really only applicable for people who are building jetspeed
> from source.
> Due to the fact that the security-spi-ldap*.xml files shown there are
> coming from SVN (interface changes, additional objects in the
> configuration files that are not in the 2.0 binary release), users who
> have installed jetspeed2 via the installer attempting to follow these
> instructions will run into configuration issues.
> What would be the best way to address this?
> I think we should make a difference between users who are familiar with
> Maven, SVN, compiling/building/deploying, and users who just want to get
> the thing up & running using the installer.
> Shouldn't we put this information into perspective by:
> a) Clearly indicating that this is only intended for people building
> from source
> b) Providing an additional manual on what needs to be done starting from a
> binary release (2.0 version)
>
> The user would have to
>           * copy the security-spi-ldap*.xml files (we provide
> downloadable spring XML files acting as examples)
>           * remove their default security-spi-atn.xml
>           * restart tomcat
>           * prepare their LDAP server
> As far as LDAP support goes, we should provide instructions on how
> existing LDAP servers can be used with jetspeed. (We can also provide
> downloadable schema files & LDIF sample data for all major vendors +
> documentation.)
> I could provide such manuals for OpenLDAP, SunDS and ApacheDS.
> 2. The major problem that users will be facing today is that encrypted
> passwords are not supported in the jetspeed2.0 release. Given that this
> functionality has been committed to the codebase, how do you feel
> towards providing a downloadable JAR file to users that would act as a
> replacement for their current jetspeed-security-2.0.jar (doesn't have
> to be anything official, could be included as a link in the
> documentation)?
> The user would have to
>          * replace his jetspeed-security-2.0.jar
>          * restart tomcat
> The user would have support for encrypted passwords and group/role
> membership via LDAP.
> 3. OpenLDAP schema file
> I had to add groupOfUniqueNames as a parent to the jetspeed-2-group and
> jetspeed-2-role objectClasses in order for the group/role assignment to
> work in OpenLDAP.
> ApacheDS doesn't really care when objects are created in the LDAP tree
> containing attributes that aren't defined in the LDAP schema. OpenLDAP
> does :) I've attached the new jetspeed.schema file.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
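Added example (not Jetspeed's own code) showing how the proposed org.apache.jetspeed.ldap.* properties resolve into concrete directory operations: the FilterBase values are joined onto rootContext, the %u placeholder in UserAuthenticationFilter is filled with an RFC 4515-escaped login name so the filter structure cannot be altered by the input, and the membership direction (attribute on the group/role entry versus on the user entry) decides between a search and an attribute read. The minimal .properties reader and the sample values are constructed for this example.

```python
import re

# Constructed sample in Java .properties syntax (backslash escapes ',' and '=').
PROPS_TEXT = r"""
org.apache.jetspeed.ldap.rootContext=o\=Company3
org.apache.jetspeed.ldap.UserAuthenticationFilter=(&(uid=%u)(objectclass=inetorgperson))
org.apache.jetspeed.ldap.UserFilterBase=ou\=People\,ou\=OrgUnit1
org.apache.jetspeed.ldap.GroupMembershipAttributes=uniqueMember
org.apache.jetspeed.ldap.UserGroupMembershipAttributes=
org.apache.jetspeed.ldap.RoleMembershipAttributes=
org.apache.jetspeed.ldap.UserRoleMembershipAttributes=nsroledn
"""
PREFIX = "org.apache.jetspeed.ldap."

def load_props(text):
    """Minimal Java .properties reader: a backslash before any character is dropped,
    so 'ou\\=People\\,ou\\=OrgUnit1' yields 'ou=People,ou=OrgUnit1'. Keys lose PREFIX."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()[len(PREFIX):]] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter: a login name such as
    'x)(uid=*' is turned into literal text instead of extra filter components."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)

def search_base(props, base_key):
    """FilterBase values are relative to rootContext; empty means rootContext itself."""
    return ",".join(p for p in (props.get(base_key, ""), props["rootContext"]) if p)

def user_auth_search(props, uid):
    """Return (base, filter) used to locate the entry to bind as at login."""
    flt = props["UserAuthenticationFilter"].replace("%u", escape_filter_value(uid))
    return search_base(props, "UserFilterBase"), flt

def membership_lookup(props, kind, user_dn):
    """kind is 'Group' or 'Role'. Membership kept on the group/role entry means a
    search for entries naming the user's DN; kept on the user means reading an
    attribute of the user entry. Returns a tuple describing which to do."""
    on_entry = props.get(kind + "MembershipAttributes", "")
    on_user = props.get("User" + kind + "MembershipAttributes", "")
    if on_entry:
        return ("search", search_base(props, kind + "FilterBase"),
                "(%s=%s)" % (on_entry, escape_filter_value(user_dn)))
    if on_user:
        return ("attribute", user_dn, on_user)
    raise ValueError("no membership attribute configured for " + kind)
```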

        

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

