Information needed
- IP address of the LDAP server
- The baseDN of the LDAP server
- A user that can read the LDAP (read-only)
- The name of the attribute that holds the username (cn)
- The name of the attribute that holds the password (only needed when not doing default "bind" auth)
LDAP/JNDI based authentication
In the build.properties, add two more parameters:
repository.ldap.use=true
repository.ldap.config=config/ldap-realm.xml
The first parameter enables JNDI authentication; the second tells Slide where to get the configuration from. The configuration is an XML file that configures namespaces by name. If a namespace has no configuration there, it falls back to the standard Slide authentication.
An example ldap-realm.xml file for the namespace "mynamespace":
<?xml version="1.0" encoding="UTF-8"?>
<realms>
  <namespace name="mynamespace">
    <!-- cache time in milliseconds -->
    <cache-time>5000</cache-time>
    <!-- connection setup, super-user needs complete distinguished name! -->
    <super-user>cn=ldapreader,ou=System,dc=hippocms,dc=org</super-user>
    <super-user-password>passord</super-user-password>
    <provider-url>ldap://ldap.hippocms.org:389</provider-url>
    <authentication>simple</authentication>
    <!-- user discovery -->
    <username-attribute>cn</username-attribute>
    <password-attribute>userPassword</password-attribute>
    <distinguished-name-attribute>dn</distinguished-name-attribute>
    <user-search-root>ou=People,dc=hippocms,dc=org</user-search-root>
    <!-- Location limiting filters to restrict allowed users.
         All filters will be OR'ed together. -->
    <filters>
      <filter>
        <![CDATA[ (&(objectClass=inetOrgPerson)(cn=*)) ]]>
      </filter>
    </filters>
  </namespace>
</realms>
Note the CDATA section around the non-XML characters in the filter section. If the file is not valid XML, the repository won't start.
All user passwords are kept in memory for 5 seconds (5000 milliseconds in the example above); this is configurable with the cache-time setting.
Filters are used to limit who may log in. All given LDAP search filters are OR'ed together and then AND'ed with a filter that checks the username. After the user is found, the value of the password-attribute is compared with the password the user supplied. Only if that comparison succeeds is the user authenticated.
This means that the super-user must be allowed to compare the real password attribute! This must be configured in the LDAP server!
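The following is an added example (not code from the page or from Slide) that loads an ldap-realm.xml-style file, checks it is well-formed XML before the repository is started, and builds the effective search filter described above: all configured filters OR'ed together, then AND'ed with the username check. The realm text is a constructed sample; the RFC 4515 escaping of the supplied username is an assumption about what a correct implementation must do, since the page does not say how Slide handles it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the ldap-realm.xml layout described above (not a file from the page).
REALM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<realms>
  <namespace name="mynamespace">
    <cache-time>5000</cache-time>
    <username-attribute>cn</username-attribute>
    <user-search-root>ou=People,dc=hippocms,dc=org</user-search-root>
    <filters>
      <filter><![CDATA[ (&(objectClass=inetOrgPerson)(cn=*)) ]]></filter>
      <filter>(ou=Staff)</filter>
    </filters>
  </namespace>
</realms>"""

# RFC 4515 escaping for a value placed inside a search filter. Assumption: the page
# does not say how Slide treats the supplied username, so the escape is done here.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def is_well_formed(xml_text):
    """The repository refuses to start on invalid XML; check the file before deploying it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def load_namespace(xml_text, name):
    """Return the settings for one namespace, or {} if none (Slide then uses its own auth)."""
    ns = ET.fromstring(xml_text).find(f"./namespace[@name='{name}']")
    if ns is None:
        return {}
    return {
        'cache_ms': int(ns.findtext('cache-time', '0')),
        'user_attr': ns.findtext('username-attribute', 'cn').strip(),
        'search_root': ns.findtext('user-search-root', '').strip(),
        'filters': [f.text.strip() for f in ns.findall('./filters/filter')],
    }

def effective_filter(conf, username):
    """All configured filters OR'ed together, then AND'ed with the username check."""
    fl = conf['filters']
    ored = fl[0] if len(fl) == 1 else '(|' + ''.join(fl) + ')'
    return f"(&{ored}({conf['user_attr']}={escape_filter_value(username)}))"
```

A filter written without CDATA (a bare `&` inside the element) fails `is_well_formed`, which is the same condition that stops the repository from starting.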
LDAP/JNDI based groups
Define an extra groups store in the definition.xml of the namespace:
<store name="groups">
  <nodestore classname="org.apache.slide.store.txjndi.JNDIRolesStore">
    <parameter name="cache.refresh.checkrate">15</parameter>
    <parameter name="cache.refresh.rate">600</parameter>
    <parameter name="cache.refresh.threshold">500</parameter>
    <parameter name="jndi.attributes.user">uid</parameter>
    <parameter name="configuration">../config/ldap-roles.xml</parameter>
    <parameter name="java.naming.provider.url">ldap://ldap.hippocms.org:389</parameter>
    <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
    <parameter name="java.naming.security.principal">cn=ldapreader,ou=System,dc=hippocms,dc=org</parameter>
    <parameter name="java.naming.security.authentication">simple</parameter>
    <parameter name="java.naming.security.credentials">password</parameter>
  </nodestore>
  <securitystore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
    <parameter name="rootpath">../slide/groupsdata</parameter>
    <parameter name="workpath">../work/groupsdata</parameter>
  </securitystore>
  <lockstore>
    <reference store="securitystore"/>
  </lockstore>
  <revisiondescriptorsstore>
    <reference store="nodestore"/>
  </revisiondescriptorsstore>
  <revisiondescriptorstore>
    <reference store="nodestore"/>
  </revisiondescriptorstore>
  <contentstore>
    <reference store="nodestore"/>
  </contentstore>
</store>
<scope match="/roles" store="groups"/>
The ldap-roles.xml file in which the groups are defined is referenced in the config above. The file looks like:
<?xml version="1.0" encoding="UTF-8"?>
<groups>
  <group name="root">
    <member>/users/adminuser</member>
    <member>/users/root</member>
  </group>
  <group name="editors">
    <search dn="ou=Groups,dc=hippocms,dc=org">
      <filter>(cn=sales)</filter>
      <filter>(cn=marketing)</filter>
      <search dn="{memberUid}">
        <filter>(role=editor)</filter>
      </search>
    </search>
  </group>
  <group name="user">
    <search dn="ou=People,dc=hippocms,dc=org">
      <filter>(cn=editors)</filter>
      <search dn="{memberUid}">
      </search>
    </search>
    <search dn="ou=People,dc=hippocms,dc=org">
      <filter>(l=amsterdam)</filter>
    </search>
  </group>
  <group name="beheerder">
    <member>/users/adminuser</member>
  </group>
</groups>
Each group element becomes a group in Slide. Its users are the combination of the users that satisfy any of the LDAP filters (see RFC 2254) and the explicit users listed in the member elements. This way it is possible to have a few maintenance users who are not part of the referenced LDAP directory.
The searches can be nested (as done above) to reference users indirectly and find them for the search. This means that references within the LDAP directory can be resolved, as is usual in posixGroup entries (the memberUid property holds distinguished names for group members). An attribute reference such as {memberUid} in a nested search's dn is replaced with the values found in the previous result.
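An added example (not Slide's code) of how the nested searches in the groups file resolve to a user set: the OR'ed filters, the {memberUid} substitution from each previous hit, and the explicit member entries merged in. The same evaluation applies to the searches in the users file described further below. The directory is a constructed in-memory stand-in, and the filter matcher only handles the simple (attr=value) and (attr=*) forms that appear on this page.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the LDAP directory (dn -> attributes) and roles file; sample data only.
P = 'ou=People,dc=hippocms,dc=org'
DIRECTORY = {
    'cn=sales,ou=Groups,dc=hippocms,dc=org': {'cn': ['sales'], 'memberUid': [f'uid=ann,{P}', f'uid=bob,{P}']},
    'cn=marketing,ou=Groups,dc=hippocms,dc=org': {'cn': ['marketing'], 'memberUid': [f'uid=cat,{P}']},
    f'uid=ann,{P}': {'uid': ['ann'], 'role': ['editor']},
    f'uid=bob,{P}': {'uid': ['bob'], 'role': ['viewer']},
    f'uid=cat,{P}': {'uid': ['cat'], 'role': ['editor']},
}
ROLES_XML = """<groups>
  <group name="editors">
    <member>/users/adminuser</member>
    <search dn="ou=Groups,dc=hippocms,dc=org">
      <filter>(cn=sales)</filter><filter>(cn=marketing)</filter>
      <search dn="{memberUid}"><filter>(role=editor)</filter></search>
    </search>
  </group>
</groups>"""

def matches(attrs, flt):
    # Minimal RFC 2254 matcher: one (attr=value) equality or (attr=*) presence test
    attr, val = flt.strip()[1:-1].split('=', 1)
    return attr in attrs if val == '*' else val in attrs.get(attr, [])

def search(base, filters):
    """Entries at or below base matching any filter (filters are OR'ed); no filter matches all."""
    return [(dn, a) for dn, a in DIRECTORY.items()
            if (dn == base or dn.endswith(',' + base))
            and (not filters or any(matches(a, f) for f in filters))]

def run_search(el, base):
    """Evaluate one <search>; a nested dn="{attr}" is run once per value of attr in each hit."""
    filters, nested, users = [f.text for f in el.findall('filter')], el.findall('search'), set()
    for dn, attrs in search(base, filters):
        if not nested:
            users.add(dn)
        for sub in nested:
            for ref in attrs.get(sub.get('dn').strip('{}'), []):
                users |= run_search(sub, ref)
    return users

def resolve_group(xml_text, name):
    """Explicit <member> entries plus every user reached through the group's searches."""
    g = ET.fromstring(xml_text).find(f"./group[@name='{name}']")
    users = {m.text for m in g.findall('member')}
    for s in g.findall('search'):
        users |= run_search(s, s.get('dn'))
    return users
```

With the sample data, bob is a sales member but not an editor, so the nested (role=editor) filter drops him while the explicit adminuser entry stays.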
JNDI based users
Define an extra users store in the definition.xml of the namespace:
<store name="users">
  <nodestore classname="org.apache.slide.store.txjndi.JNDIUsersStore">
    <parameter name="cache.refresh.checkrate">15</parameter>
    <parameter name="cache.refresh.rate">600</parameter>
    <parameter name="cache.refresh.threshold">500</parameter>
    <parameter name="jndi.container">ou=People,dc=hippocms,dc=org</parameter>
    <parameter name="jndi.attributes.user">uid</parameter>
    <parameter name="configuration">../config/ldap-users.xml</parameter>
    <parameter name="java.naming.provider.url">ldap://ldap.hippocms.org:389</parameter>
    <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
    <parameter name="java.naming.security.principal">cn=ldapreader,ou=System,dc=hippocms,dc=org</parameter>
    <parameter name="java.naming.security.authentication">simple</parameter>
    <parameter name="java.naming.security.credentials">password</parameter>
  </nodestore>
  <securitystore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
    <parameter name="rootpath">../slide/usersdata</parameter>
    <parameter name="workpath">../work/usersdata</parameter>
  </securitystore>
  <lockstore>
    <reference store="securitystore"/>
  </lockstore>
  <revisiondescriptorsstore>
    <reference store="nodestore"/>
  </revisiondescriptorsstore>
  <revisiondescriptorstore>
    <reference store="nodestore"/>
  </revisiondescriptorstore>
  <contentstore>
    <reference store="nodestore"/>
  </contentstore>
</store>
<scope match="/users" store="users"/>
The referenced configuration has to look like this:
<?xml version="1.0" encoding="UTF-8"?>
<users>
  <search dn="ou=People,dc=hippocms,dc=org">
    <filter>(objectClass=posixAccount)</filter>
  </search>
  <user name="root" pass="password"/>
  <user name="siteuser" pass="siteuser"/>
</users>
The root and siteuser users are defined in data.xml and therefore MUST be defined in the ldap-users.xml file.
The searches and filters work in the same way as the group searches and filters. It is also possible to add extra users outside of the LDAP, as is done above with the user "root".
Using secure connections over ldaps:// (since 1.2.11)
- Change all instances of ldap:// into ldaps://
- To disable the certificate authentication check, add the following line
  <parameter name="java.naming.ldap.factory.socket">nl.hippo.slide.auth.GullibleSSLSocketFactory</parameter>
  after each occurrence of:
  <parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
  With this socket factory the LDAP server's certificate is accepted without being verified, so the server's identity is no longer checked by the connection.