[Deploying Sakai] Active Directory Integration

Frizzell, Ryan rfrizzel at regis.edu
Wed May 5 14:41:29 PDT 2010


I added the additional debugging directives to the sakai.properties file and here's what I'm getting now when trying to login. Not quite sure what to make of this.

Thanks,

-Ryan

2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getUserByEid(): [eid = null]
2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getCachedUserEntry(): [eid = null]
2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getCachedUserEntry(): cache access [found entry = false][entry expired = false]
2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - searchDirectoryForSingleEntry(): [filter = sAMAccountName=null][reusing conn = false]
2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - searchDirectory(): [filter = sAMAccountName=null][reusing conn = false]
2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - getConnection()
2010-05-05 14:34:10,685 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - applyConstraints(): values [timeout = 5000][follow referrals = true]
2010-05-05 14:34:10,685 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - connect()
2010-05-05 14:34:10,699 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - getConnection(): auto-binding
2010-05-05 14:34:10,699 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - bind(): binding [dn = CN=lmsDemoAuth,OU=Service Accounts,OU=test,DC=mydomain,DC=net]
2010-05-05 14:34:10,744 ERROR http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
LDAPException: Invalid Credentials (49) Invalid Credentials
LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
LDAPException: Matched DN:
        at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
        at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
        at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
        at com.novell.ldap.LDAPConnection.bind(Unknown Source)
        at com.novell.ldap.LDAPConnection.bind(Unknown Source)
        at edu.amc.sakai.user.SimpleLdapConnectionManager.bind(SimpleLdapConnectionManager.java:123)
        at edu.amc.sakai.user.SimpleLdapConnectionManager.getConnection(SimpleLdapConnectionManager.java:92)
        at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectory(JLDAPDirectoryProvider.java:898)
        at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectoryForSingleEntry(JLDAPDirectoryProvider.java:846)
        at edu.amc.sakai.user.JLDAPDirectoryProvider.getUserByEid(JLDAPDirectoryProvider.java:768)
        at edu.amc.sakai.user.JLDAPDirectoryProvider.getUserByEid(JLDAPDirectoryProvider.java:722)
        at edu.amc.sakai.user.JLDAPDirectoryProvider.getUser(JLDAPDirectoryProvider.java:580)
        at org.sakaiproject.user.impl.BaseUserDirectoryService.getProvidedUserByEid(BaseUserDirectoryService.java:619)
        at org.sakaiproject.user.impl.BaseUserDirectoryService.getUserId(BaseUserDirectoryService.java:597)
        at org.sakaiproject.user.cover.UserDirectoryService.getUserId(UserDirectoryService.java:303)
        at org.sakaiproject.portal.charon.site.PortalSiteHelperImpl.getSiteVisit(PortalSiteHelperImpl.java:887)
        at org.sakaiproject.portal.charon.site.PortalSiteHelperImpl.getMyWorkspace(PortalSiteHelperImpl.java:680)
        at org.sakaiproject.portal.charon.site.AbstractSiteViewImpl.<init>(AbstractSiteViewImpl.java:99)
        at org.sakaiproject.portal.charon.site.SubSiteViewImpl.<init>(SubSiteViewImpl.java:58)
        at org.sakaiproject.portal.charon.site.PortalSiteHelperImpl.getSitesView(PortalSiteHelperImpl.java:1117)
        at org.sakaiproject.portal.charon.SkinnableCharonPortal.includeSubSites(SkinnableCharonPortal.java:403)
        at org.sakaiproject.portal.charon.handlers.SiteHandler.doSite(SiteHandler.java:228)
        at org.sakaiproject.portal.charon.handlers.SiteHandler.doGet(SiteHandler.java:113)
        at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:768)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:616)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:595)
2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): [userLogin = testUser]
2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): allocating connection for login [userLogin = testUser]
2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - getConnection()
2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - applyConstraints(): values [timeout = 5000][follow referrals = true]
2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - connect()
2010-05-05 14:34:36,988 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - postConnect()
2010-05-05 14:34:36,988 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - getConnection(): auto-binding
2010-05-05 14:34:36,988 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - bind(): binding [dn = CN=lmsDemoAuth,OU=Service Accounts,OU=test,DC=mydomain,DC=net]
2010-05-05 14:34:36,990  WARN http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): invalid credentials [userLogin = testUser]
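As an added example, not part of the thread and not Sakai's own code: a small Python script that reads log lines like the ones above, pairs each bind() with the LDAP result logged on the same worker thread, and decodes the Active Directory "data" sub-code that follows "AcceptSecurityContext error". LDAP result 49 alone does not distinguish a non-existent bind account from a wrong password; the sub-code does (the table is Microsoft's documented list, e.g. 525 = user not found, 52e = bad password). The sample lines are constructed from the excerpt above; the config DN used in the usage call is the ldapUser value from the quoted jldap-beans.xml (which carries OU=lms, while the log binds with OU=Service Accounts, the kind of drift the comparison helper makes visible). Treating the provider's WARN "invalid credentials" line as a failed bind is an assumption about the provider's logging, not something the excerpt states.

```python
import re

# Constructed sample: the bind/exception lines quoted in the message above,
# trimmed to the ones the diagnosis needs (layout is Sakai's log4j pattern).
SAMPLE_LOG = """\
2010-05-05 14:34:10,699 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - bind(): binding [dn = CN=lmsDemoAuth,OU=Service Accounts,OU=test,DC=mydomain,DC=net]
2010-05-05 14:34:10,744 ERROR http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
LDAPException: Invalid Credentials (49) Invalid Credentials
LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
LDAPException: Matched DN:
2010-05-05 14:34:36,988 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - bind(): binding [dn = CN=lmsDemoAuth,OU=Service Accounts,OU=test,DC=mydomain,DC=net]
2010-05-05 14:34:36,990  WARN http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): invalid credentials [userLogin = testUser]
"""

# Active Directory sub-codes printed after "data" in an AcceptSecurityContext
# error (Microsoft's documented hex values). LDAP result 49 alone does not say
# whether the account exists; this field does.
AD_BIND_DATA = {
    "525": "user not found (the bind DN / sAMAccountName does not exist)",
    "52e": "invalid credentials (account exists, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

THREAD_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ +(?P<level>\w+) +(?P<thread>\S+) ")
BIND_RE = re.compile(r"bind\(\): binding \[dn = (?P<dn>[^\]]+)\]")
EID_RE = re.compile(r"getUser\(\) failed \[eid: (?P<eid>[^\]]*)\]")
RESULT_RE = re.compile(r"^LDAPException: (?P<msg>[^(]+?) \((?P<code>\d+)\)")
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")
WARN_RE = re.compile(r"authenticateUser\(\): invalid credentials \[userLogin = (?P<user>[^\]]+)\]")


def diagnose_bind_failures(log_text):
    """Group lines by worker thread, pair each bind() with the result that follows
    it on that thread, and return one finding dict per failed bind."""
    per_thread = {}
    last_thread = None  # exception lines carry no thread; attach them to the last one seen
    findings = []
    for line in log_text.splitlines():
        if m := THREAD_RE.match(line):
            last_thread = m.group("thread")
        if last_thread is None:
            continue
        if m := BIND_RE.search(line):
            finding = {"thread": last_thread, "dn": m.group("dn"), "code": None,
                       "data": None, "meaning": None, "null_eid_lookup": False,
                       "user_login": None, "warned": False}
            per_thread[last_thread] = finding
            findings.append(finding)
            continue
        finding = per_thread.get(last_thread)
        if finding is None:
            continue
        if (m := EID_RE.search(line)) and m.group("eid") == "null":
            finding["null_eid_lookup"] = True  # lookup ran with no eid at all
        if m := RESULT_RE.match(line):
            finding["code"] = int(m.group("code"))
        if m := DATA_RE.search(line):
            data = m.group("data").lower()
            finding["data"] = data
            finding["meaning"] = AD_BIND_DATA.get(data, "unknown sub-code")
        if m := WARN_RE.search(line):
            # Assumption: the provider logs a failed auto-bind during login as this WARN.
            finding["user_login"] = m.group("user")
            finding["warned"] = True
    return [f for f in findings if f["code"] is not None or f["warned"]]


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs typed with different
    casing or spacing compare equal. (Escaped commas inside an RDN are not handled.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def bind_dn_matches_config(finding, config_dn):
    """True when the DN the provider actually bound with equals the configured ldapUser."""
    return normalize_dn(finding["dn"]) == normalize_dn(config_dn)


def summarize(finding):
    """One-line, human-readable explanation of a failed bind."""
    parts = [f"{finding['thread']}: bind as {finding['dn']} failed"]
    if finding["data"]:
        parts.append(f"AD data {finding['data']}: {finding['meaning']}")
    if finding["null_eid_lookup"]:
        parts.append("raised by a user lookup with eid=null")
    if finding["user_login"]:
        parts.append(f"service-account bind failed during login attempt for {finding['user_login']}")
    return "; ".join(parts)


if __name__ == "__main__":
    config_dn = "CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net"  # ldapUser from the quoted jldap-beans.xml
    for f in diagnose_bind_failures(SAMPLE_LOG):
        print(summarize(f))
        if not bind_dn_matches_config(f, config_dn):
            print("  note: bind DN in the log differs from ldapUser in the config")
```

The pairing is keyed on the log4j thread name because on a busy Tomcat the bind and its exception from two different requests interleave; attaching every LDAPException to the most recent bind line regardless of thread would misattribute them.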

-----Original Message-----
From: Daniel McCallum [mailto:dmccallum at unicon.net]
Sent: Wednesday, May 05, 2010 1:47 PM
To: Frizzell, Ryan
Cc: production at collab.sakaiproject.org
Subject: Re: [Deploying Sakai] Active Directory Integration

The null business is probably a red herring.

Can you crank up logging to DEBUG and attach the output please?

E.g. add the following to [sakai|local].properties:

log.config.count=1
log.config.1=DEBUG.edu.amc.sakai.user

- Dan

Frizzell, Ryan wrote:
> Thanks for the catch on that, it seems I attached a slightly incorrect
> version of the jldap-beans.XML. That error did cause startup issues.
> I've resolved that issue however the error in the previous message still
> exists.
>
>
>
> I've done some more digging and it sounds like, from the error it might
> be related to the null EID option in the XML config however currently it
> is disabled. Will turning on the eidValidator in the config file and
> setting it to verify based on some pattern stop the null searching? The
> error looks like, even though its been supplied a username that the ldap
> search is still working with a null value.
>
>
>
> Thanks,
>
>
>
> Ryan
>
>
>
> Here's an updated version of the jldap-beans.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
> "http://www.springframework.org/dtd/spring-beans.dtd">
>
>
>
> <beans>
>
>
>
>             <bean id="org.sakaiproject.user.api.UserDirectoryProvider"
>
>
> class="edu.amc.sakai.user.JLDAPDirectoryProvider" init-method="init"
>
>                         destroy-method="destroy" singleton="true">
>
>
>
>                         <!-- Required. Host name or address of your LDAP
> server -->
>
>                         <property name="ldapHost">
>
>                                     <value>myhost.domain.net</value>
>
>                         </property>
>
>
>
>                         <!-- Optional. LDAP connection port. Typically
> defaults to
>
>
> JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389). Secured
>
>                                     connections are usually on 636 -->
>
>                         <!-- property name="ldapPort">
>
>                                     <value>389</value>
>
>                         </property-->
>
>
>
>                         <!--  If secureConnection is true, a keystore
> location must be provided
>
>                                     unless javax.net.ssl.trustStore
> system property has already been
>
>                                     set -->
>
>                         <!--property name="keystoreLocation">
>
>                                     <value>/usually/set/at/startup</value>
>
>                         </property-->
>
>
>
>                         <!--  If secureConnection is true, a keystore
> password must be provided
>
>                                     unless
> javax.net.ssl.trustStorePassword system property has already
>
>                                     been set -->
>
>                         <!--property name="keystorePassword">
>
>                                     <value>usually-set-at-startup</value>
>
>                         </property-->
>
>
>
>                         <!-- Optional. DN to which to bind for directory
> searches.
>
>                                     Typically only necessary if autoBind
> is true -->
>
>                         <property name="ldapUser">
>
>
> <value>CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net</value>
>
>                         </property>
>
>
>
>                         <!-- Optional. Password for ldapUser defined
> above -->
>
>                         <property name="ldapPassword">
>
>                                     <value>secret</value>
>
>                         </property>
>
>
>
>                         <!-- Optional. Enables/disables secure LDAP
> connections.
>
>                                     defaults to
> JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
>
>                         <!-- property name="secureConnection">
>
>                                     <value>false</value>
>
>                         </property -->
>
>
>
>                         <!-- Optional. If secureConnection is true, this
> socket factory
>
>                                     will be assigned globally to
> LDAPConnections. Defaults to an
>
>                                     instance of
> com.novell.ldap.LDAPJSSESecureSocketFactory, which
>
>                                     is appropriate for SSL connections. Use
>
>
> com.novell.ldap.LDAPJSSEStartTLSFactory for TLS. -->
>
>                         <!-- property name="secureSocketFactory">
>
>                                     <bean
> class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
>
>                         </property -->
>
>
>
>                         <!-- Optional. Indicate if connection allocation
> should
>
>                                     implicitly bind as ${ldapUser}.
> Defaults to false -->
>
>                         <property name="autoBind">
>
>                                     <value>true</value>
>
>                         </property>
>
>
>
>                         <!-- Optional, but usually specified. Base DN
> for directory searches. -->
>
>                         <property name="basePath">
>
>                                     <value>dc=mydomain,dc=net</value>
>
>                         </property>
>
>
>
>                         <!-- Optional. Indicate if connections should follow
>
>                                     referrals. Defaults to
>
>
> JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false)-->
>
>                         <property name="followReferrals">
>
>                                     <value>true</value>
>
>                         </property>
>
>
>
>                         <!-- Optional. LDAP operation timeout in millis.
> Defaults
>
>                                     to
> JLDAPDirectoryProvider.DEFAULT_OPERATION_TIMEOUT_MILLIS (5000) -->
>
>                         <!-- property name="operationTimeout">
>
>                                     <value>5000</value>
>
>                         </property -->
>
>
>
>                         <!-- Optional. User entry cache ttl in millis.
> Defaults
>
>                                     to
> JLDAPDirectoryProvider.DEFAULT_CACHE_TTL (300000)-->
>
>                         <property name="cacheTTL">
>
>                                     <value>300000</value>
>
>                         </property>
>
>
>
>                         <!-- Optional. Control case-sensitivity of cache
> keys (User.eid values).
>
>                              Defaults to false. (Note that this is a
> departure from historical
>
>                              behavior.) -->
>
>                         <property name="caseSensitiveCacheKeys">
>
>                                     <value>false</value>
>
>                         </property>
>
>
>
>                         <!--  Optional. Control the return value of
>
>
> JLDAPDirectoryProvider.authenticateWithProviderFirst(String)
>
>                               on a global basis. Defaults to
>
>
> JLDAPDirectoryProvider.DEFAULT_AUTHENTICATE_WITH_PROVIDER_FIRST.  -->
>
>                         <!--  property name="authenticateWithProviderFirst">
>
>                                     <value>false</value>
>
>                         </property -->
>
>
>
>                         <!--  Optional. Control whether or not
> authentication is attempted
>
>                               on a global basis. "true" enables
> authentication attempts (but
>
>                               does not automatically grant all authN
> attempts), "false"
>
>                               short-circuits that process and refuses
> all authN
>
>                               attempts.  Defaults to
>
>
> JLDAPDirectoryProvider.DEFAULT_ALLOW_AUTHENTICATION  -->
>
>                         <!--  property name="allowAuthentication">
>
>                                     <value>true</value>
>
>                         </property -->
>
>
>
>                         <!-- Optional. Defaults to an instance of
>
>                         edu.amc.sakai.user.SimpleLdapConnectionManager -->
>
>                         <!-- property name="ldapConnectionManager">
>
>                                     <bean
> class="edu.amc.sakai.user.SimpleLdapConnectionManager" />
>
>                         </property -->
>
>
>
>                         <!-- Optional. Use Connection Pooling?
>
>                                     Defaults to
> JLDAPDirectoryProvider.DEFAULT_POOLING (false).
>
>                                     Has no effect if
> ldapConnectionManager has been explicitly
>
>                                     assigned (unless that object honors
> this flag, of course). -->
>
>                         <!--  property name="pooling">
>
>                                     <value>false</value>
>
>                         </property -->
>
>
>
>                         <!-- Optional. Maximum number of connections in
> the pool
>
>                                     Defaults to
> JLDAPDirectoryProvider.DEFAULT_POOL_MAX_CONNS (10) -->
>
>                         <!--  property name="poolMaxConns">
>
>                                     <value>10</value>
>
>                         </property -->
>
>
>
>                         <!-- Optional. Defaults to an instance of
>
>                         edu.amc.sakai.user.SimpleLdapAttributeMapper -->
>
>                         <property name="ldapAttributeMapper">
>
>                                     <ref
> bean="edu.amc.sakai.user.LdapAttributeMapper" />
>
>                         </property>
>
>
>
>                         <!-- Optional. Only considered if
> ldapAttributeMapper is not explicitly
>
>                         assigned. That is, if you choose to use the
> default LdapAttributeMapper
>
>                         implementation, it is sufficient to specify
> attribute mappings here
>
>                         and dispense with defining a
> edu.amc.sakai.user.LdapAttributeMapper bean.
>
>                         This preserves forward compatibility of pre-2.5
> config -->
>
>                         <!--  property name="attributeMappings">
>
>                                     <map>
>
>                                                 <entry
> key="logicalAttrName">
>
>
> <value>physicalAttrName</value>
>
>                                                 </entry>
>
>                                     </map>
>
>                         </property -->
>
>
>
>                         <!-- Optional. Defaults to allowing searches on
> any EID, including empty
>
>                         and null Strings. -->
>
>                         <!-- property name="eidValidator">
>
>                                     <bean
> class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
>
>                                                 <property
> name="regexpFlags">
>
>                                                             <bean
> id="java.util.regex.Pattern.CASE_INSENSITIVE"
>
>
> class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"
> />
>
>                                                 </property>
>
>                                                 <property
> name="eidBlacklist">
>
>                                                             <list>
>
>
> <value>guest</value>
>
>
> <value>nobody</value>
>
>
> <value>adversary</value>
>
>                                                             </list>
>
>                                                 </property>
>
>                                     </bean>
>
>                         </property -->
>
>
>
>             </bean>
>
>
>
>     <!-- An optional bean definition which can be used to customize LDAP
>
>     attribute to Sakai User instance member mapping behaviors. This
>
>     example describes available configuration options for
> SimpleLdapAttributeMapper
>
>     (the default LdapAttributeMapper implementation). -->
>
>             <bean id="edu.amc.sakai.user.LdapAttributeMapper"
>
>
> class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
>
>                                     init-method="init"
>
>                                     singleton="true">
>
>
>
>                         <!-- A typical set of attribute mappings. Keys
> are logical
>
>                         names expected by the application. Values are
> physical LDAP
>
>                         attribute names. If not specified or empty,
> defaults to
>
>                         AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
>
>                         <property name="attributeMappings">
>
>                                     <map>
>
>                                                 <entry
> key="login"><value>sAMAccountName</value></entry>
>
>                                                 <entry
> key="firstName"><value>givenName</value></entry>
>
>                                                 <entry
> key="lastName"><value>sn</value></entry>
>
>                                                 <entry
> key="email"><value>mail</value></entry>
>
>
>
>                                     </map>
>
>                         </property>
>
>
>
>                         <!-- Several options for calculating Sakai user
> types based
>
>                         on LDAP attributes. Defaults to an instance of
> EmptyStringUserTypeMapper -->
>
>                         <property name="userTypeMapper">
>
>                                     <!-- Select one of the following
> beans -->
>
>                                     <ref
> bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" />
>
>                                     <!-- ref
> bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
>
>                                     <!-- ref
> bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
>
>                         </property>
>
>
>
>             </bean>
>
>
>
>
>
>             <!-- /// Begin Sample UserTypeMapper Beans /// -->
>
>
>
>             <!-- Will usually only need at most one of the following
> UserTypeMapper
>
>             beans. Three "standard" options shown here for documentation
> purposes. The
>
>             "active" bean will be selected by a bean reference in the
> userTypeMapper
>
>             property definition above. -->
>
>
>
>             <!-- EmptyStringUserTypeMapper assigns gives all users an
>
>             empty string as their Sakai "type" -->
>
>             <bean id="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>
>                         class="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>
>                         singleton="true" />
>
>
>
>             <!-- EntryAttributeToUserTypeMapper calculates Sakai user
>
>                         types by simply passing attribute values through
> a map with
>
>                         configurable "miss" behavior. -->
>
>             <bean id="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>
>
> class="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>
>                         singleton="true">
>
>
>
>                         <!-- Optional. If not present or empty, behavior is
>
>                         determined by the value of
> returnLiteralAttributeValueIfNoMapping
>
>                         (see below). -->
>
>                         <!-- property
> name="attributeValueToSakaiUserTypeMap">
>
>                                     <map>
>
>                                                 <entry
> key="faculty"><value>faculty</value></entry>
>
>                                                 <entry
> key="students"><value>student</value></entry>
>
>                                     </map>
>
>                         </property -->
>
>
>
>                         <!-- Required. The logical name of the LDAP
> attribute which
>
>                         defines Sakai users' types. Value should be a
> key into the
>
>                         attribute mappings associated with this
> LdapAttributeMapper
>
>                         instance. -->
>
>                         <property name="logicalAttributeName">
>
>                                     <value>groupMembership</value>
>
>                         </property>
>
>
>
>                         <!-- Optional. Defaults to false -->
>
>                         <!--  property
> name="returnLiteralAttributeValueIfNoMapping">
>
>                                     <value>false</value>
>
>                         </property -->
>
>
>
>                         <!-- Optional. Only considered if
> returnLiteralAttributeValueIfNoMapping
>
>                                     is false. Defaults to null. -->
>
>                         <!--  property name="defaultSakaiUserType">
>
>                                     <null />
>
>                         </property -->
>
>
>
>             </bean>
>
>
>
>             <!-- EntryContainerRdnToUserTypeMapper calculates Sakai user
>
>                         types by filtering a user entry's most-local RDN
> through the
>
>                         assigned map. -->
>
>             <bean id="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>
>
> class="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>
>                         singleton="true">
>
>
>
>                         <!-- Optional. Maps between container RDN values
> and Sakai user types -->
>
>                         <!-- property name="rdnToSakaiUserTypeMap">
>
>                                     <map>
>
>                                                 <entry
> key="facultyStaff"><value>faculty</value></entry>
>
>                                                 <entry
> key="students"><value>student</value></entry>
>
>                                     </map>
>
>                         </property -->
>
>
>
>                         <!-- Optional. Defaults to false.  -->
>
>                         <!-- property
> name="returnLiteralRdnValueIfNoMapping">
>
>                                     <value>false</value>
>
>                         </property -->
>
>
>
>             </bean>
>
>
>
>             <!-- /// End Sample UserTypeMapper Beans /// -->
>
>
>
> </beans>
>
>
>
> *From:* Mike De Simone [mailto:michael.desimone at rsmart.com]
> *Sent:* Wednesday, May 05, 2010 12:48 PM
> *To:* Frizzell, Ryan
> *Cc:* production at collab.sakaiproject.org
> *Subject:* Re: [Deploying Sakai] Active Directory Integration
>
>
>
> one quick thing I can see is the ldapPassword property has an XML syntax
> error.  the --> at the end of the element is there but the beginning of
> the comment <!-- is not.  This seems like it would cause spring to fail
> on startup, and since that doesn't appear to be happening, I'm not
> entirely sure this would cause your problems, but probably isn't helping
> things either :)
>
>
>
> Thanks,
>
> -------------------------------
> Mike DeSimone
> Sr. Technical Consultant
> rSmart
> tel: 602-490-0473
> icq: 161896611
>
> On Wed, May 5, 2010 at 11:21, Frizzell, Ryan <rfrizzel at regis.edu
> <mailto:rfrizzel at regis.edu>> wrote:
>
> Hello all,
>
> I'm in the process of setting up a Sakai demo system with active
> directory integration. The error I'm running into upon attempts to
> authenticate is:
>
> 2010-05-05 11:10:38,183  WARN http-8080-Processor19
> edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): invalid
> credentials [userLogin = testUser]
> 2010-05-05 11:19:51,232 ERROR http-8080-Processor23
> edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA,
> comment: AcceptSecurityContext error, data 525, v1772
> LDAPException: Matched DN:
>
>
>
> I've been browsing the mail lists and documentation but I can't seem to
> determine the cause of this issue. I'm using the JLDAP provider. Here is
> my configuration for JLDAP, I'm building from 2.6.2:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
> "http://www.springframework.org/dtd/spring-beans.dtd">
>
> <beans>
>
>        <bean id="org.sakaiproject.user.api.UserDirectoryProvider"
>                class="edu.amc.sakai.user.JLDAPDirectoryProvider"
> init-method="init"
>                destroy-method="destroy" singleton="true">
>
>                <!-- Required. Host name or address of your LDAP server -->
>                <property name="ldapHost">
>                        <value>myhost.domain.net</value>
>                </property>
>
>                <!-- Optional. LDAP connection port. Typically defaults to
>                        JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389).
> Secured
>                        connections are usually on 636 -->
>                <!-- property name="ldapPort">
>                        <value>389</value>
>                </property-->
>
>                <!--  If secureConnection is true, a keystore location
> must be provided
>                        unless javax.net.ssl.trustStore system property
> has already been
>                        set -->
>                <!--property name="keystoreLocation">
>                        <value>/usually/set/at/startup</value>
>                </property-->
>
>                <!--  If secureConnection is true, a keystore password
> must be provided
>                        unless javax.net.ssl.trustStorePassword system
> property has already
>                        been set -->
>                <!--property name="keystorePassword">
>                        <value>usually-set-at-startup</value>
>                </property-->
>
>                <!-- Optional. DN to which to bind for directory searches.
>                        Typically only necessary if autoBind is true -->
>                <property name="ldapUser">
>
>  <value>CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net</value>
>                </property>
>
>                <!-- Optional. Password for ldapUser defined above -->
>                <property name="ldapPassword">
>                        <value>secret</value>
>                </property -->
>
>                <!-- Optional. Enables/disables secure LDAP connections.
>                        defaults to
> JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
>                <!-- property name="secureConnection">
>                        <value>false</value>
>                </property -->
>
>                <!-- Optional. If secureConnection is true, this socket
> factory
>                        will be assigned globally to LDAPConnections.
> Defaults to an
>                        instance of
> com.novell.ldap.LDAPJSSESecureSocketFactory, which
>                        is appropriate for SSL connections. Use
>                        com.novell.ldap.LDAPJSSEStartTLSFactory for TLS. -->
>                <!-- property name="secureSocketFactory">
>                        <bean
> class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
>                </property -->
>
>                <!-- Optional. Indicate if connection allocation should
>                        implicitly bind as ${ldapUser}. Defaults to false -->
>                <property name="autoBind">
>                        <value>true</value>
>                </property>
>
>                <!-- Optional, but usually specified. Base DN for
> directory searches. -->
>                <property name="basePath">
>                        <value>dc=mydomain,dc=net</value>
>                </property>
>
>                <!-- Optional. Indicate if connections should follow
>                        referrals. Defaults to
>
>  JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false)-->
>                <property name="followReferrals">
>                        <value>true</value>
>                </property>
>
>                <!-- Optional. LDAP operation timeout in millis. Defaults
>                        to
> JLDAPDirectoryProvider.DEFAULT_OPERATION_TIMEOUT_MILLIS (5000) -->
>                <!-- property name="operationTimeout">
>                        <value>5000</value>
>                </property -->
>
>                <!-- Optional. User entry cache ttl in millis. Defaults
>                        to JLDAPDirectoryProvider.DEFAULT_CACHE_TTL
> (300000)-->
>                <property name="cacheTTL">
>                        <value>300000</value>
>                </property>
>
>                <!-- Optional. Control case-sensitivity of cache keys (User.eid values).
>                     Defaults to false. (Note that this is a departure from historical
>                     behavior.) -->
>                <property name="caseSensitiveCacheKeys">
>                        <value>false</value>
>                </property>
>
>                <!--  Optional. Control the return value of
>                      JLDAPDirectoryProvider.authenticateWithProviderFirst(String)
>                      on a global basis. Defaults to
>                      JLDAPDirectoryProvider.DEFAULT_AUTHENTICATE_WITH_PROVIDER_FIRST.  -->
>                <!--  property name="authenticateWithProviderFirst">
>                        <value>false</value>
>                </property -->
>
>                <!--  Optional. Control whether or not authentication is attempted
>                      on a global basis. "true" enables authentication attempts (but
>                      does not automatically grant all authN attempts), "false"
>                      short-circuits that process and refuses all authN
>                      attempts.  Defaults to
>                      JLDAPDirectoryProvider.DEFAULT_ALLOW_AUTHENTICATION -->
>                <!--  property name="allowAuthentication">
>                        <value>true</value>
>                </property -->
>
>                <!-- Optional. Defaults to an instance of
>                edu.amc.sakai.user.SimpleLdapConnectionManager -->
>                <!-- property name="ldapConnectionManager">
>                        <bean class="edu.amc.sakai.user.SimpleLdapConnectionManager" />
>                </property -->
>
>                <!-- Optional. Use Connection Pooling?
>                        Defaults to JLDAPDirectoryProvider.DEFAULT_POOLING (false).
>                        Has no effect if ldapConnectionManager has been explicitly
>                        assigned (unless that object honors this flag, of course). -->
>                <!--  property name="pooling">
>                        <value>false</value>
>                </property -->
>
>                <!-- Optional. Maximum number of connections in the pool.
>                        Defaults to JLDAPDirectoryProvider.DEFAULT_POOL_MAX_CONNS (10) -->
>                <!--  property name="poolMaxConns">
>                        <value>10</value>
>                </property -->
>
>                <!-- Optional. Defaults to an instance of
>                edu.amc.sakai.user.SimpleLdapAttributeMapper -->
>                <property name="ldapAttributeMapper">
>                        <ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
>                </property>
>
>                <!-- Optional. Only considered if ldapAttributeMapper is not explicitly
>                assigned. That is, if you choose to use the default LdapAttributeMapper
>                implementation, it is sufficient to specify attribute mappings here
>                and dispense with defining an edu.amc.sakai.user.LdapAttributeMapper bean.
>                This preserves forward compatibility of pre-2.5 config -->
>                <!--  property name="attributeMappings">
>                        <map>
>                                <entry key="logicalAttrName">
>                                        <value>physicalAttrName</value>
>                                </entry>
>                        </map>
>                </property -->
>
>                <!-- Optional. Defaults to allowing searches on any EID, including empty
>                and null Strings. -->
>                <!-- property name="eidValidator">
>                        <bean class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
>                                <property name="regexpFlags">
>                                        <bean id="java.util.regex.Pattern.CASE_INSENSITIVE"
>                                              class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean" />
>                                </property>
>                                <property name="eidBlacklist">
>                                        <list>
>                                                <value>guest</value>
>                                                <value>nobody</value>
>                                                <value>adversary</value>
>                                        </list>
>                                </property>
>                        </bean>
>                </property -->
>
>        </bean>
>
>    <!-- An optional bean definition which can be used to customize LDAP
>    attribute to Sakai User instance member mapping behaviors. This
>    example describes available configuration options for SimpleLdapAttributeMapper
>    (the default LdapAttributeMapper implementation). -->
>        <bean id="edu.amc.sakai.user.LdapAttributeMapper"
>                        class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
>                        init-method="init"
>                        singleton="true">
>
>                <!-- A typical set of attribute mappings. Keys are logical
>                names expected by the application. Values are physical LDAP
>                attribute names. If not specified or empty, defaults to
>                AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
>                <property name="attributeMappings">
>                        <map>
>                                <entry key="login"><value>sAMAccountName</value></entry>
>                                <entry key="firstName"><value>givenName</value></entry>
>                                <entry key="lastName"><value>sn</value></entry>
>                                <entry key="email"><value>mail</value></entry>
>
>                        </map>
>                </property>
>
>                <!-- Several options for calculating Sakai user types based
>                on LDAP attributes. Defaults to an instance of EmptyStringUserTypeMapper -->
>                <property name="userTypeMapper">
>                        <!-- Select one of the following beans -->
>                        <ref bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" />
>                        <!-- ref bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
>                        <!-- ref bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
>                </property>
>
>        </bean>
>
>
>        <!-- /// Begin Sample UserTypeMapper Beans /// -->
>
>        <!-- Will usually only need at most one of the following UserTypeMapper
>        beans. Three "standard" options shown here for documentation purposes. The
>        "active" bean will be selected by a bean reference in the userTypeMapper
>        property definition above. -->
>
>        <!-- EmptyStringUserTypeMapper gives all users an
>        empty string as their Sakai "type" -->
>        <bean id="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>                class="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>                singleton="true" />
>
>        <!-- EntryAttributeToUserTypeMapper calculates Sakai user
>                types by simply passing attribute values through a map with
>                configurable "miss" behavior. -->
>        <bean id="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>                class="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>                singleton="true">
>
>                <!-- Optional. If not present or empty, behavior is
>                determined by the value of returnLiteralAttributeValueIfNoMapping
>                (see below). -->
>                <!-- property name="attributeValueToSakaiUserTypeMap">
>                        <map>
>                                <entry key="faculty"><value>faculty</value></entry>
>                                <entry key="students"><value>student</value></entry>
>                        </map>
>                </property -->
>
>                <!-- Required. The logical name of the LDAP attribute which
>                defines Sakai users' types. Value should be a key into the
>                attribute mappings associated with this LdapAttributeMapper
>                instance. -->
>                <property name="logicalAttributeName">
>                        <value>groupMembership</value>
>                </property>
>
>                <!-- Optional. Defaults to false -->
>                <!--  property name="returnLiteralAttributeValueIfNoMapping">
>                        <value>false</value>
>                </property -->
>
>                <!-- Optional. Only considered if returnLiteralAttributeValueIfNoMapping
>                        is false. Defaults to null. -->
>                <!--  property name="defaultSakaiUserType">
>                        <null />
>                </property -->
>
>        </bean>
>
>        <!-- EntryContainerRdnToUserTypeMapper calculates Sakai user
>                types by filtering a user entry's most-local RDN through the
>                assigned map. -->
>        <bean id="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>                class="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>                singleton="true">
>
>                <!-- Optional. Maps between container RDN values and Sakai user types -->
>                <!-- property name="rdnToSakaiUserTypeMap">
>                        <map>
>                                <entry key="facultyStaff"><value>faculty</value></entry>
>                                <entry key="students"><value>student</value></entry>
>                        </map>
>                </property -->
>
>                <!-- Optional. Defaults to false.  -->
>                <!-- property name="returnLiteralRdnValueIfNoMapping">
>                        <value>false</value>
>                </property -->
>
>        </bean>
>
>        <!-- /// End Sample UserTypeMapper Beans /// -->
>
> </beans>
>
>
>
> _______________________________________________
> production mailing list
> production at collab.sakaiproject.org
> <mailto:production at collab.sakaiproject.org>
> http://collab.sakaiproject.org/mailman/listinfo/production
>
> TO UNSUBSCRIBE: send email to
> production-unsubscribe at collab.sakaiproject.org
> <mailto:production-unsubscribe at collab.sakaiproject.org> with a subject
> of "unsubscribe"
>
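Added example for this thread (my own script, not code from Sakai or from anyone on the list): a small triage helper for the kind of log Ryan posted. It decodes the AD "data NNN" sub-code that the server appends to an LDAP result 49 message (the table is Microsoft's documented set of AcceptSecurityContext sub-codes), and it shows the two checks the quoted config leaves disabled: an EID validator like the commented-out RegexpBlacklistEidValidator, which would have stopped the "sAMAccountName=null" search before it reached the directory, and RFC 4515 escaping for anything spliced into a search filter. The function names and the sample log lines are constructed for the example. Two things worth noting from the visible config: with secureConnection left at false and autoBind true, the simple bind of lmsDemoAuth sends that service account's password in the clear, so switch on secureConnection with the StartTLS or SSL socket factory before pointing this at a real domain; and a data 525 on the service-account bind means the DN itself was not found, not that the user's password was wrong.

```python
"""Triage helper for JLDAPDirectoryProvider bind failures against Active Directory.

Added example for this thread; it is not Sakai code. Function names and the
sample log lines are constructed.
"""
import re

# Microsoft's documented sub-codes for a failed AcceptSecurityContext (bind).
# Result 49 alone only says "invalid credentials"; the sub-code says why.
AD_BIND_SUBCODES = {
    "525": "user not found (the bind DN or sAMAccountName does not exist)",
    "52e": "invalid credentials (account exists, password is wrong)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Sample log lines, constructed from the shape of the lines posted in this thread.
SAMPLE_LOG = [
    "DEBUG edu.amc.sakai.user.JLDAPDirectoryProvider - searchDirectoryForSingleEntry(): "
    "[filter = sAMAccountName=null][reusing conn = false]",
    "DEBUG edu.amc.sakai.user.SimpleLdapConnectionManager - bind(): binding "
    "[dn = CN=lmsDemoAuth,OU=Service Accounts,OU=test,DC=mydomain,DC=net]",
    "LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, "
    "comment: AcceptSecurityContext error, data 525, v1772",
]

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_FILTER_RE = re.compile(r"\[filter = sAMAccountName=(.*?)\]")

# Mirrors the eidBlacklist sample in the quoted config; matching is
# case-insensitive, like Pattern.CASE_INSENSITIVE in the regexpFlags property.
EID_BLACKLIST = {"guest", "nobody", "adversary"}

# RFC 4515 escapes for characters that change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def decode_bind_error(server_message):
    """Return (sub-code, meaning) for an AD server message, or (None, note)."""
    m = _DATA_RE.search(server_message)
    if not m:
        return (None, "no AD sub-code present")
    code = m.group(1).lower()
    return (code, AD_BIND_SUBCODES.get(code, "unknown AD sub-code"))


def escape_filter_value(value):
    """Escape a value before it is spliced into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_eid(eid):
    """Reject None, empty/blank and blacklisted EIDs before any directory search."""
    if eid is None:
        return False
    eid = eid.strip()
    return bool(eid) and eid.lower() not in EID_BLACKLIST


def triage(log_lines):
    """Scan provider log lines and return human-readable findings."""
    findings = []
    for line in log_lines:
        fm = _FILTER_RE.search(line)
        if fm:
            eid = fm.group(1)
            # Java renders a null String as the literal "null"; a search for
            # sAMAccountName=null means the login never carried an EID.
            if eid == "null":
                findings.append("search issued with a null EID: configure an eidValidator")
            elif escape_filter_value(eid) != eid:
                findings.append("EID %r carries LDAP filter metacharacters" % eid)
        if "Server Message:" in line:
            code, meaning = decode_bind_error(line)
            findings.append("bind failed: data %s -> %s" % (code, meaning))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)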




