OpenLdap role mapping


Aleksandar Vidakovic
Aug 28, 2009, 9:06:41 AM
to EmForge
Salut all,

I was just wondering if there is a special trick concerning the role
mapping when the openldap auth provider is used. I followed the
descriptions in the wiki and was able to authenticate, but for some
reason after the login emforge tells me that I don't have enough
rights. The log trace of spring security shows me that I am assigned
to all necessary roles (EmForgeAdmin, WikiWriter, EmForgeUser) so in
principle that part works.
I saw in config.properties an entry
"security.openId.roles=ROLE_EMFORGEUSER"... that makes me wonder if
there are some prefixes required somewhere...

Thanks for your help in advance...

Cheers,

Aleks

Aleksandar Vidakovic
Aug 28, 2009, 12:43:09 PM
to EmForge
Ha... I found it.

The trick was just to use group entities of type
"groupOfNames" (members are referenced by "member" attribute) instead
of "groupOfUniqueNames" (members are referenced by "uniqueMember"
attribute). The corresponding LDIF for OpenLdap looks something like
this:

[ldif]

# Container for the groups; the RDN value (ou=groups) must match the ou attribute
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=EMFORGEADMIN,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: EMFORGEADMIN
member: uid=someone,ou=people,dc=example,dc=com

dn: cn=EMFORGEUSER,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: EMFORGEUSER
member: uid=someone,ou=people,dc=example,dc=com

dn: cn=EMFORGEWIKIWRITER,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: EMFORGEWIKIWRITER
member: uid=someone,ou=people,dc=example,dc=com

[/ldif]

BTW: EmForge is really nice! Thanks for this nice piece...

Cheers,

Aleks

On Aug 28, 2:06 pm, Aleksandar Vidakovic

Aleksandar Vidakovic
Aug 28, 2009, 2:25:03 PM
to EmForge
Well... now there seems to be another problem. So far the following
steps are successful:

1. login successful
2. I have at least enough permissions to view the pages
3. the trace of spring security shows that I have been granted the
roles ROLE_EMFORGEUSER, ROLE_EMFORGEADMIN, ROLE_WIKIWRITER (looks the
same when I login with the default admin)
4. with the default admin I can do everything (have admin and ldap
auth service enabled)

But for some reason I can't edit pages and am not able to add new
projects when I am logged in with one of the LDAP accounts.

Did someone set up EmForge with OpenLdap successfully? I guess I am
missing something obvious here...

Thanks for your help...

Aleks

Aleksandar Vidakovic
Aug 28, 2009, 3:58:46 PM
to EmForge
Boy... that was a tricky one... well I think now finally I pinned down
the problem.

Ok, the whole problem is related to the ldapProvider bean definition
in emforge-security.xml. It references the bean
"authoritiesProvider" which in turn - I guess - is the right one for
Active Directory as it searches the groups by the attribute "member".
Now... in EmForge's config file you can set the userService and for
that one I used openLdapUserService which in turn references the
olAuthoritiesProvider bean... and voilà, that is the reason why I had to
change my LDAP structure described before.

To make the story short the cleanest way to address this - IMHO - is
to add the following config in emforge-security.xml:

[config]

<bean id="openLdapAuthProvider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <ref local="bindAuthenticator"/>
    </constructor-arg>
    <constructor-arg>
        <ref local="olAuthoritiesPopulator"/>
    </constructor-arg>
</bean>

[/config]

Then it would be possible to choose it accordingly in the config file.

Cheers,

Aleks

On Aug 28, 7:25 pm, Aleksandar Vidakovic
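To make the two findings above concrete (the groupOfNames/groupOfUniqueNames issue and the choice of authorities populator), here is an added example that is not EmForge or Spring Security code: a small Python model of an LDAP authorities populator run over a constructed LDIF sample. It assumes the default behaviour documented for Spring Security's DefaultLdapAuthoritiesPopulator: search the group base for entries whose membership attribute contains the user DN, then map each group's cn to "ROLE_" + upper-case name. The membership attribute is a parameter, so the same user is shown getting a role only from the group type that matches the populator's search.

```python
"""Model of an LDAP authorities populator over LDIF text (added example).

Mirrors the documented defaults of Spring Security's
DefaultLdapAuthoritiesPopulator: filter "(<membership attr>=<userDn>)"
under the group search base, role = "ROLE_" + upper-cased group cn.
Only simple LDIF is handled (no base64 values, no folded lines).
"""
from collections import defaultdict

# Constructed sample: one group per schema flavour discussed in the thread.
SAMPLE_LDIF = """\
dn: cn=EMFORGEADMIN,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: EMFORGEADMIN
member: uid=someone,ou=people,dc=example,dc=com

dn: cn=EmForgeUser,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: EmForgeUser
uniqueMember: uid=someone,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse LDIF into {dn (lower-cased): {attr (lower-cased): [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value.lower()] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def granted_authorities(entries, user_dn, group_base, membership_attr,
                        role_attr="cn", prefix="ROLE_"):
    """Roles a populator searching on membership_attr would grant user_dn."""
    roles = set()
    for dn, attrs in entries.items():
        if not dn.endswith("," + group_base.lower()):
            continue                # outside the group search base
        members = [m.lower() for m in attrs.get(membership_attr.lower(), [])]
        if user_dn.lower() in members:
            roles.update(prefix + name.upper() for name in attrs.get(role_attr, []))
    return roles
```

A populator searching on `member` sees only the groupOfNames entry, so a user whose groups are all groupOfUniqueNames ends up authenticated but with no roles, which is exactly the "not enough rights" symptom from the first post.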

Alexey Kakunin
Aug 28, 2009, 4:18:10 PM
to emf...@googlegroups.com
Aleks, hi!

You are resolving problems faster than I can understand them :)

So, just to clarify:
did changing authoritiesPopulator to olAuthoritiesPopulator in the ldapAuthProvider bean definition resolve your problem (it looks like it should)?

In any case - you are right - LDAP support in EmForge is first of all oriented to ActiveDirectory support. OpenLDAP support was contributed by an external contributor and I never worked a lot on its support.

To simplify life - I think it should allow the user to choose whether AD or LDAP is used via config.properties - but, as a short-term measure, I hope updating the wiki page (to save future users from the same problems) will be enough.

2009/8/28 Aleksandar Vidakovic <aleksandar...@gmail.com>

--
With Best Regards,
Alexey Kakunin, EmDev Limited

Professional Software Development:
http://www.emdev.ru

Aleksandar Vidakovic
Aug 28, 2009, 4:28:41 PM
to emf...@googlegroups.com
Salut Alexey,

yes, only that small change is necessary if you want to use EmForge with
OpenLdap. I am currently testing it, but I can already tell you that it
works just fine with these small changes.

I am currently figuring out how this change can be done without
extracting emforge-security.xml from the jar file and packaging it
again. I think that another spring config can be created with the small
bean definition that I provided, dropped into emforge.war/WEB-INF/classes
and referenced from web.xml... then nothing has to be changed in
your current distribution. And it's fairly easy to do this (I have it
running under JBoss 5.1... so the war file is already extracted).

And again: this piece is really nice! I was following this project
already for several months... but the LDAP features were somewhat missing
(so I had to fall back to Bugzilla... which I don't like). Thanks again
for putting all this together... I owe you guys at least a beer ;-)

Cheers,

Aleks

Alexey Kakunin wrote:
> Aleks, hi!
>
> You are resolving problems faster than I can understand them :)
>
> So, just to clarify:
> did changing authoritiesPopulator to olAuthoritiesPopulator in the
> ldapAuthProvider bean definition resolve your problem (it looks like
> it should)?
>
> In any case - you are right - LDAP support in EmForge is first of all
> oriented to ActiveDirectory support. OpenLDAP support was contributed
> by an external contributor and I never worked a lot on its support.
>
> To simplify life - I think it should allow the user to choose whether
> AD or LDAP is used via config.properties - but, as a short-term measure,
> I hope updating the wiki page (to save future users from the same
> problems) will be enough.
>
> 2009/8/28 Aleksandar Vidakovic <aleksandar...@gmail.com>