users@glassfish.java.net

Glassfish role to LDAP group mapping (JSPWiki)

From: <forums_at_java.net>
Date: Tue, 6 Dec 2011 05:35:33 -0600 (CST)

Hi All,

I have seen from forum searches that similar questions have been asked in the
past (e.g. http://www.java.net/node/783668) but without any apparent
resolution. Would someone kindly be able to look at the issue I have here
and point me to what I am doing wrong?

I am using Glassfish 3.0.1 build 22. My LDAP server is OpenDJ 2.4.2. Both are
running on the same host system.

In my particular example, I am trying to integrate JSPWiki with Glassfish and
OpenDJ for container based authentication. I have got as far as being able to
authenticate LDAP users successfully to JSPWiki, but it appears that group
information is not being retrieved.

These are the steps I have followed. I will also attach copies of my web.xml,
sun-web.xml, and jspwiki.policy files.

1) I have deployed JSPWiki v2.8.3 as a web application successfully in
Glassfish.

2) In Glassfish under Configuration -> Security -> Realms, I have created an
LDAP realm with the following settings as copied from the Glassfish admin
BUI:

Realm Name:  JSPWikiUsers

Class Name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm

JAAS Context: ldapRealm

Directory: ldap://mycomputer:1389

Base DN: ou=People,dc=example,dc=co,dc=nz

The Assign Groups field has been left blank. My test directory does not permit
anonymous connections, so I have added the search-bind-password and
search-bind-dn properties along with the relevant values. I have added the
group-base-dn property, and given it the value
ou=Groups,dc=example,dc=co,dc=nz

3) In Glassfish under Configuration -> Security, I have made JSPWikiUsers the
default realm. I have then restarted Glassfish.
4) I have then configured JSPWiki to enable container based authentication.
JSPWiki supports this out of the box, as stated in the jspwiki.properties file
in a default configuration:

"A) CONTAINER AUTHENTICATION - JSPWiki will always (passively) collect
credentials supplied by your servlet container, via
HttpServletRequest.getUserPrincipal/getRemoteUser. You do not need to do
anything to enable this. In addition, you can cause JSPWiki users to log in
to the web container by uncommenting the security-constraint elements in
WEB-INF/web.xml."
I have attached a copy of my web.xml file. As you can see, I have defined two
roles: "wiki-users" for all authenticated users, and "wiki-admin" for JSPWiki
administrative users.

5) In OpenDJ, I have created the relevant users under the People OU. Some
sample LDIF data, as copied from the OpenDJ control panel, for my test LDAP
user account follows:

dn: cn=Dave K,ou=People,dc=example,dc=co,dc=nz
cn: Dave K
gidNumber: 119
givenName: Dave
homeDirectory: /home/dave
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: K
uid: dave

6) In OpenDJ, I have created the wiki-admin and wiki-users groups in the
Groups OU. A sample of the LDIF data for the wiki-users entry follows:

dn: cn=wiki-users,ou=Groups,dc=example,dc=co,dc=nz
cn: wiki-users
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=Dave K,ou=People,dc=example,dc=co,dc=nz

7) I have created the sun-web.xml file and placed it in the same WEB-INF
directory as my web.xml file. I have attached the file itself, and you can see
that I am mapping the roles I have defined in web.xml to what should be my
LDAP groups.

8) Finally, I have modified the jspwiki.policy file so that it should only
allow users in the wiki-users and wiki-admin groups to modify JSPWiki pages. I
have attached this file as well.

Observations:

Upon rebooting the domain, I can indeed log in to JSPWiki successfully as an
LDAP user, using the uid of "dave" for the example account. However, I can log
in as *any* LDAP user in the People OU, not just those that are unique members
of wiki-users. Furthermore, logging in as the LDAP user "dave", I would expect
to have the ability to modify wiki pages (i.e. edit etc.) if the wiki-users
role was successfully being mapped to the wiki-users group. This isn't the
case, however, and my test LDAP user can only view pages, which is what would
be expected as defined by the "All" role in the jspwiki.policy file, i.e. all
users have the ability to view pages and edit their own profile information
only. JSPWiki reports that the user is not authorized to edit pages.

Based on this and the other forum posts describing similar issues regarding
role to LDAP group mapping, I believe the mapping in my case is not working
for whatever reason. Does anyone have any pointers here?

Cheers, Dave

--
[Message sent by forum member 'davenz']
View Post: http://forums.java.net/node/871253
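The following is an added example, not part of the post above and not code from GlassFish, JSPWiki or OpenDJ. It models offline the two searches a GlassFish LDAPRealm performs after a successful bind (find the user entry under the base DN with the search-filter, then find groups under group-base-dn whose group-search-filter attribute names that user's DN, and take the group-target attribute as the group name) and then applies a sun-web.xml style role-to-group mapping. The filter defaults used here (search-filter "uid=%s", group-search-filter "uniquemember=%d", group-target "cn") are the documented LDAPRealm defaults; check them against the realm properties in your own version. The two LDIF entries are the ones quoted in the post; the extra users alice and admin, the wiki-admin membership and the role mapping are assumptions made for the example, since the poster's sun-web.xml is not shown.

```python
import re

# Constructed LDIF: the two entries quoted in the post plus extra entries
# (alice, admin, wiki-admin membership) that are assumptions for this example.
LDIF = """\
dn: cn=Dave K,ou=People,dc=example,dc=co,dc=nz
cn: Dave K
objectClass: inetOrgPerson
objectClass: posixAccount
uid: dave

dn: cn=Alice A,ou=People,dc=example,dc=co,dc=nz
cn: Alice A
objectClass: inetOrgPerson
uid: alice

dn: cn=Admin User,ou=People,dc=example,dc=co,dc=nz
cn: Admin User
objectClass: inetOrgPerson
uid: admin

dn: cn=wiki-users,ou=Groups,dc=example,dc=co,dc=nz
cn: wiki-users
objectClass: groupOfUniqueNames
uniqueMember: cn=Dave K,ou=People,dc=example,dc=co,dc=nz
uniqueMember: cn=Admin User,ou=People,dc=example,dc=co,dc=nz

dn: cn=wiki-admin,ou=Groups,dc=example,dc=co,dc=nz
cn: wiki-admin
objectClass: groupOfUniqueNames
uniqueMember: cn=Admin User,ou=People,dc=example,dc=co,dc=nz
"""

# Realm settings from the post, plus the documented LDAPRealm filter defaults.
BASE_DN = "ou=People,dc=example,dc=co,dc=nz"
GROUP_BASE_DN = "ou=Groups,dc=example,dc=co,dc=nz"
SEARCH_FILTER = "uid=%s"                 # %s is replaced by the login name
GROUP_SEARCH_FILTER = "uniquemember=%d"  # %d is replaced by the user entry's DN
GROUP_TARGET = "cn"                      # attribute whose value is the group name

# Assumed sun-web.xml style mapping: role-name -> group-name(s). Not the poster's file.
ROLE_TO_GROUPS = {"wiki-users": ["wiki-users"], "wiki-admin": ["wiki-admin"]}


def normalise_dn(dn):
    """Case-fold and strip whitespace around RDN separators, mirroring the
    directory's DN matching rule, so 'CN=Dave K, OU=People' equals 'cn=Dave K,ou=People'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF parser: {normalised dn: {attribute (lower-case): [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalise_dn(attrs["dn"][0])] = attrs
    return entries


def search(entries, base, attr, value, dn_valued=False):
    """Subtree search under base for entries whose attr holds value.
    dn_valued=True compares as DNs (uniqueMember); otherwise case-insensitive string."""
    hits = []
    norm = normalise_dn if dn_valued else str.lower
    for dn, attrs in entries.items():
        if not dn.endswith("," + normalise_dn(base)):
            continue
        if norm(value) in [norm(v) for v in attrs.get(attr.lower(), [])]:
            hits.append(attrs)
    return hits


def find_user_dn(entries, login):
    """Step 1 of the realm: resolve login name to a user DN (None = user not found)."""
    attr, _ = SEARCH_FILTER.split("=")
    hits = search(entries, BASE_DN, attr, login)
    return hits[0]["dn"][0] if hits else None


def groups_for(entries, user_dn):
    """Step 2 of the realm: groups under group-base-dn that list user_dn as a member."""
    attr, _ = GROUP_SEARCH_FILTER.split("=")
    hits = search(entries, GROUP_BASE_DN, attr, user_dn, dn_valued=True)
    return sorted(h[GROUP_TARGET][0] for h in hits)


def roles_for(entries, login):
    """Roles the container would grant: None if the user does not exist,
    an empty set if the user exists but belongs to no mapped group."""
    user_dn = find_user_dn(entries, login)
    if user_dn is None:
        return None
    groups = set(groups_for(entries, user_dn))
    return {role for role, gs in ROLE_TO_GROUPS.items() if groups & set(gs)}


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    for login in ("dave", "alice", "admin", "nobody"):
        print(login, "->", roles_for(ENTRIES, login))
```

With the data from the post, "dave" resolves to the wiki-users group and so to the wiki-users role, while a user such as "alice" authenticates (her entry is found under the base DN) but receives no role. That is the split the post observes: authentication and group lookup are separate searches, and the second one runs as the search-bind-dn account against ou=Groups. A useful live check is to run those same two searches with ldapsearch, bound as the search-bind-dn credentials rather than as an administrator, to confirm that account is permitted to read the group entries and their uniqueMember values.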