portals-jetspeed-dev mailing list archives

From "Davy De Waele (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Updated: (JS2-491) Enhance J2 LDAP Security Documentation
Date Sat, 16 Sep 2006 08:47:22 GMT
     [ http://issues.apache.org/jira/browse/JS2-491?page=all ]

Davy De Waele updated JS2-491:
------------------------------

    Attachment: jetspeed-ldap-final.patch

This patch contains a new implementation for the ldap security module.

It allows for the LDAP to be configured through a property file (or spring config file) that
has the following properties, allowing for an easy LDAP integration with a variety of different
vendors. 

# Ldap Configuration.

org.apache.jetspeed.ldap.initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
org.apache.jetspeed.ldap.ldapServerName=localhost
org.apache.jetspeed.ldap.ldapServerPort=10389
org.apache.jetspeed.ldap.rootDn=uid\=admin\,ou\=system
org.apache.jetspeed.ldap.rootPassword=secret
org.apache.jetspeed.ldap.rootContext=o\=sevenSeas
#org.apache.jetspeed.ldap.defaultDnSuffix=
#org.apache.jetspeed.ldap.ou.users=people
#org.apache.jetspeed.ldap.ou.groups=groups
#org.apache.jetspeed.ldap.ou.roles=roles

# define the filters needed to search for roles/groups/users
#org.apache.jetspeed.ldap.RoleFilter=(&(objectclass=ldapsubentry) (objectclass=nsroledefinition))
org.apache.jetspeed.ldap.RoleFilter=(objectClass=groupOfUniqueNames)
org.apache.jetspeed.ldap.GroupFilter=(objectclass=organization)
org.apache.jetspeed.ldap.UserFilter=(objectclass=inetorgperson)


org.apache.jetspeed.ldap.UserAuthenticationFiler=(&(uid=%u)(objectclass=inetorgperson))

# define the way role membership occurs for a user
# if RoleMembershipAttributes is used, membership attr will be stored on role
# if UserRoleMembershipAttributes is used, membership attr will be stored on user
org.apache.jetspeed.ldap.RoleMembershipAttributes=member
org.apache.jetspeed.ldap.UserRoleMembershipAttributes=

# define the way group membership occurs for a user
# if GroupMembershipAttributes is used, membership attr will be stored on group
# if UserGroupMembershipAttributes is used, membership attr will be stored on user
org.apache.jetspeed.ldap.GroupMembershipAttributes=
org.apache.jetspeed.ldap.UserGroupMembershipAttributes=uniqueMember

# define the way group membership occurs for a role
# if GroupMembershipForRoleAttributes is used, membership attr will be stored on group
# if RoleGroupMembershipAttributes is used, membership attr will be stored on role
org.apache.jetspeed.ldap.GroupMembershipForRoleAttributes=uniqueMember
org.apache.jetspeed.ldap.RoleGroupMembershipAttributes=

# define the default search base. (=rootContext)
org.apache.jetspeed.ldap.DefaultSearchBase=o\=sevenSeas

# define the path to roles,groups and users
# needs to be defined without the defaultsearchbase
org.apache.jetspeed.ldap.RoleFilterBase=ou\=Roles\,ou\=OrgUnit1
org.apache.jetspeed.ldap.GroupFilterBase=ou\=Groups\,ou\=OrgUnit1
org.apache.jetspeed.ldap.UserFilterBase=ou\=People\,ou\=OrgUnit1

org.apache.jetspeed.ldap.RoleObjectClasses=top\,groupOfUniqueNames
org.apache.jetspeed.ldap.GroupObjectClasses=top\,organization
org.apache.jetspeed.ldap.UserObjectClasses=top\,person\,organizationalPerson\,inetorgperson

# define the ID attribute used to search roles/groups/users
org.apache.jetspeed.ldap.RoleIdAttribute=cn
org.apache.jetspeed.ldap.GroupIdAttribute=cn
org.apache.jetspeed.ldap.UserIdAttribute=uid

As you can see, filters and objectClasses can now be configured, and no jetspeed specific
object classes or attributes need to be used.

The provided config files in the patch (components/security/src/test/JETSPEED-INF/directory/config)
have been tested on ApacheDS, OpenLDAP and SunDS.

I'm going to try and get it up & running with Lotus Domino and Active Directory today
(it hasn't been tested yet).

Feel free to try out the patch and let me know if you have any problems.

> Enhance J2 LDAP Security Documentation
> --------------------------------------
>
>                 Key: JS2-491
>                 URL: http://issues.apache.org/jira/browse/JS2-491
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 2.1-dev
>            Reporter: David Le Strat
>             Fix For: 2.1-dev
>
>         Attachments: jetspeed-ldap-final.patch
>
>
> From Davy De Waele email to the list:
> Judging from the recent activity on the mailing list I noticed some
> interest in using LDAP & Jetspeed.
> Some thoughts come to mind:
> 1. The instructions located at
> http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/ldap.html
> are really only applicable for people who are building jetspeed
> from source.
> Due to the fact that the security-spi-ldap*.xml files shown there are
> coming from SVN (interface changes, additional objects in the
> configuration files that are not in the 2.0 binary release), users who
> have installed jetspeed2 via the installer attempting to follow these
> instructions will run into configuration issues.
> What would be the best way to address this?
> I think we should make a difference between users who are familiar with
> Maven, SVN, compiling/building/deploying, and users who just want to get
> the thing up & running using the installer.
> Shouldn't we put this information into perspective by:
> a) Clearly indicating that this is only intended for people building
> from source
> b) Providing an additional manual on what needs to be done starting from a
> binary release (2.0 version)
>
> The user would have to
>           * copy the security-spi-ldap*.xml files (we provide
> downloadable spring XML files acting as examples)
>           * remove their default security-spi-atn.xml
>           * restart tomcat
>           * prepare their LDAP server
> As far as LDAP support goes, we should provide instructions on how
> existing LDAP servers can be used with jetspeed. We can also provide
> downloadable schema files & LDIF sample data for all major vendors (+
> documentation).
> I could provide such manuals for OpenLDAP, SunDS and ApacheDS.
> 2. The major problem that users will be facing today is that encrypted
> passwords are not supported in the jetspeed2.0 release. Given that this
> functionality has been committed to the codebase, how do you feel
> towards providing a downloadable JAR file to users that would act as a
> replacement for their current jetspeed-security-2.0.jar (doesn't have
> to be anything official, could be included as a link in the
> documentation)?
> The user would have to
>          * replace his jetspeed-security-2.0.jar
>          * restart tomcat
> The user would have support for encrypted passwords and group/role
> membership via LDAP.
> 3. OpenLDAP schema file
> I had to add groupOfUniqueNames as a parent to the jetspeed-2-group and
> jetspeed-2-role objectClasses in order for the group/role assignment to
> work in OpenLDAP.
> ApacheDS doesn't really care when objects are created in the LDAP tree
> containing attributes that aren't defined in the LDAP schema. OpenLDAP
> does :) I've attached the new jetspeed.schema file.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
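The following is an added illustration, not code from the Jetspeed patch or project, of how the org.apache.jetspeed.ldap.* properties posted in the comment above fit together: a minimal reader for the Java-style property file (backslash-escaped "=" and "," in DN values), composition of a *FilterBase with the DefaultSearchBase (the comment says the bases are given without it), rendering of the UserAuthenticationFiler template, and the choice between "membership stored on the role" (RoleMembershipAttributes) and "membership stored on the user" (UserRoleMembershipAttributes). The way the keys are combined is my reading of the posted comments, not the module's actual logic. The one thing the comment does not say and a deployer should insist on is that the login name substituted for %u is user-controlled input and must be escaped per RFC 4515 before it is spliced into the search filter; the example does that and shows the escaped form of a name containing filter metacharacters. The property text and login names are constructed samples.

```python
"""Illustration of the org.apache.jetspeed.ldap.* property semantics (assumed, not Jetspeed code)."""
import re

PREFIX = "org.apache.jetspeed.ldap."

# Constructed sample: a subset of the property file posted in the JIRA comment.
SAMPLE_PROPERTIES = r"""
# Ldap Configuration (constructed subset)
org.apache.jetspeed.ldap.rootContext=o\=sevenSeas
org.apache.jetspeed.ldap.DefaultSearchBase=o\=sevenSeas
org.apache.jetspeed.ldap.UserAuthenticationFiler=(&(uid=%u)(objectclass=inetorgperson))
org.apache.jetspeed.ldap.RoleFilter=(objectClass=groupOfUniqueNames)
org.apache.jetspeed.ldap.RoleFilterBase=ou\=Roles\,ou\=OrgUnit1
org.apache.jetspeed.ldap.UserFilterBase=ou\=People\,ou\=OrgUnit1
org.apache.jetspeed.ldap.RoleMembershipAttributes=member
org.apache.jetspeed.ldap.UserRoleMembershipAttributes=
org.apache.jetspeed.ldap.RoleIdAttribute=cn
org.apache.jetspeed.ldap.UserIdAttribute=uid
"""


def _unescape(s):
    # java.util.Properties semantics: an unknown "\x" escape yields "x", so "\=" -> "=" and "\," -> ","
    return re.sub(r"\\(.)", r"\1", s)


def parse_properties(text):
    """Minimal properties reader: '#' comments, key=value, first unescaped '=' splits key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"((?:\\.|[^=\\])*)=(.*)", line)
        if not m:
            continue
        props[_unescape(m.group(1)).strip()] = _unescape(m.group(2)).strip()
    return props


def search_base(props, base_key):
    """Prepend a relative *FilterBase to the DefaultSearchBase (assumed composition rule)."""
    rel = props.get(PREFIX + base_key, "")
    root = props[PREFIX + "DefaultSearchBase"]
    return f"{rel},{root}" if rel else root


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter (the check the page leaves implicit)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def user_auth_filter(props, login_name):
    """Render the UserAuthenticationFiler template with the login name safely escaped."""
    template = props[PREFIX + "UserAuthenticationFiler"]
    return template.replace("%u", escape_filter_value(login_name))


def role_lookup(props, user_dn, user_id):
    """Return (search_base, filter, attribute_to_read) for finding a user's roles.

    Assumed semantics from the comments: if RoleMembershipAttributes is set, the
    membership attribute lives on the role entry, so search the roles subtree for
    entries naming the user's DN; if UserRoleMembershipAttributes is set instead,
    the attribute lives on the user entry, so locate the user and read it there.
    """
    on_role = props.get(PREFIX + "RoleMembershipAttributes", "")
    on_user = props.get(PREFIX + "UserRoleMembershipAttributes", "")
    if on_role:
        flt = f"(&{props[PREFIX + 'RoleFilter']}({on_role}={escape_filter_value(user_dn)}))"
        return search_base(props, "RoleFilterBase"), flt, props[PREFIX + "RoleIdAttribute"]
    if on_user:
        id_attr = props[PREFIX + "UserIdAttribute"]
        flt = f"({id_attr}={escape_filter_value(user_id)})"
        return search_base(props, "UserFilterBase"), flt, on_user
    raise ValueError("neither RoleMembershipAttributes nor UserRoleMembershipAttributes is set")


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print("user search base:", search_base(cfg, "UserFilterBase"))
    print("auth filter (plain):", user_auth_filter(cfg, "jsmith"))
    print("auth filter (escaped):", user_auth_filter(cfg, "*)(uid=*"))
    print("role lookup:", role_lookup(cfg, "uid=jsmith,ou=People,ou=OrgUnit1,o=sevenSeas", "jsmith"))
```

Running it shows the two authentication filters side by side: for a normal name the template is filled in verbatim, while a name containing "*", "(" or ")" is rendered with those characters hex-escaped so the filter still tests a single uid value rather than changing shape. The same escaping is applied to the user DN before it is placed in the membership filter.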
