HOW do I unsubscribe myself?
On 27 August 2013 23:34, Jim Willeke <j...@willeke.com> wrote:
> You might try removing the:
> userPattern="uid={0},ou=people,dc=mydomain,dc=com"
>
> and use (what I am using):
>
> userBase="ou=people,dc=mydomain,dc=com"
> userSearch="(uid={0})"
> userSubtree="true"
>
> We found the LDAP search to be much more flexible using this than the
> pattern matching.
> You should also be able to get some error from tomcat if it is failing.
> You can turn on access logging:
> http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Access_Logs
>
> If you drop the LDAPS, you might also get a trace. (Not sure if SUN can
> show the ldap requests) but tcpdump (or wireshark) will.
>
> --
> -jim
> Jim Willeke
>
> On Tue, Aug 27, 2013 at 1:18 PM, John Pimentel <jpimen...@ra.rockwell.com> wrote:
>
> > Hi Jim,
> >
> > Thanks for the response.
> >
> > We are using Sun LDAP. Let me give you an example from my user account.
> > Under my group container
> > cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com
> > I have an attribute called uniqueMember.
> > The value for my account is as follows:
> > uid=JPimen,ou=people,dc=mydomain,dc=com
> >
> > I of course substituted our actual domain for mydomain in this example, but
> > everything else is verbatim.
> >
> > So our groups are named by cn but the users are named by uid.
> >
> > Unfortunately our LDAP server will not accept anything other than ldaps
> > connections, so I am stuck there.
> >
> > Also if you have any recommendation on how to enable security specific
> > debug I would appreciate that.
> >
> > I found what appears to be a log level entry in my jspwiki.properties file.
> > I changed
> > log4j.rootCategory=INFO,FileLog
> > To read
> > log4j.rootCategory=DEBUG,FileLog
> >
> > Now, I do see debug entries in the /web1/dyscq/tomcat/logs/jspwiki.log
> > file, but no entries appear when I try (and fail) to log in.
> >
> > Thanks again for any ideas.
> >
> > Regards,
> > John Pimentel
> >
> > (Embedded image moved to file: pic11833.gif)Description: Description:
> > ralogo_web
> > jpimen...@ra.rockwell.com
> > Office (414) 382-3354
> > Mobile (262) 501-4785
> >
> > From: Jim Willeke <j...@willeke.com>
> > To: user@jspwiki.apache.org
> > Date: 08/27/2013 03:40 AM
> > Subject: Re: ldaps authentication to jspwiki
> >
> > I would guess, as you show no information on your LDAP setup, this line is
> > wrong:
> > userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> >
> > Are your users named by uid or cn?
> > You show roles as named by cn and since you show dc=,dc= I would guess this
> > is AD
> >
> > Also, try using LDAP vs LDAPS to help troubleshoot.
> >
> > -jim
> >
> > --
> > -jim
> > Jim Willeke
> >
> > On Mon, Aug 26, 2013 at 10:47 AM, John Pimentel
> > <jpimen...@ra.rockwell.com> wrote:
> >
> > > Greetings,
> > >
> > > I am having difficulties getting LDAPS authentication to work and I think I
> > > must be missing some fundamental configuration.
> > >
> > > My current state is that the Site loads and displays content properly, but
> > > when I go to edit content or I select the log in page directly, my LDAP
> > > credentials do not authenticate, and I am repeatedly presented with a login
> > > page.
> > >
> > > I used the following information as my "How To" for this effort.
> > > http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
> > >
> > > This article is very good but appears to be incomplete.
> > >
> > > I have done the following configuration to get ldaps to work:
> > >
> > > 1. I have a previously configured LDAP Server and I stored/trusted the
> > > cert for this Sun LDAP server into the central java keystore using this
> > > command:
> > > /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap
> > >   -file /web1/sst/dysc/content/CA-RA-v3.crt
> > >   -keystore /usr/lib64/jvm/jre/lib/security/cacerts
> > >
> > > 2. I have configured the realm and sorted out all the log errors using the
> > > following realm in the server.xml file. I believe tomcat is successfully
> > > connecting to my LDAP server.
> > >
> > > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > >        connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
> > >        connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
> > >        connectionPassword="[Password]"
> > >        userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> > >        roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
> > >        roleSubtree="true"
> > >        roleName="cn"
> > >        roleSearch="(uniqueMember={0})"
> > > />
> > >
> > > 3. I uncommented the "CONTAINER-MANAGED AUTH" section
> > > from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml
> > >
> > > There is a section at the bottom that says "Update JSPWiki security policy"
> > > If you would like to set permissions to LDAP groups, you can simply add
> > > policy entries on authorize.Role. The following is an entry for wiki-admin
> > > group (from LDAP).
> > > grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
> > >     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > > };
> > >
> > > I'm thinking it might go into web.xml, but I am not sure of that.
> > >
> > > this section of the xml looks like this:
> > >
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>Authenticated area</web-resource-name>
> > >     <url-pattern>/Edit.jsp</url-pattern>
> > >     <url-pattern>/Comment.jsp</url-pattern>
> > >     <url-pattern>/Login.jsp</url-pattern>
> > >     <url-pattern>/NewGroup.jsp</url-pattern>
> > >     <url-pattern>/Rename.jsp</url-pattern>
> > >     <url-pattern>/Upload.jsp</url-pattern>
> > >     <http-method>DELETE</http-method>
> > >     <http-method>GET</http-method>
> > >     <http-method>HEAD</http-method>
> > >     <http-method>POST</http-method>
> > >     <http-method>PUT</http-method>
> > >   </web-resource-collection>
> > >
> > >   <web-resource-collection>
> > >     <web-resource-name>Read-only Area</web-resource-name>
> > >     <url-pattern>/attach</url-pattern>
> > >     <http-method>DELETE</http-method>
> > >     <http-method>POST</http-method>
> > >     <http-method>PUT</http-method>
> > >   </web-resource-collection>
> > >
> > >   <auth-constraint>
> > >     <role-name>Admin</role-name>
> > >     <role-name>Authenticated</role-name>
> > >   </auth-constraint>
> > >   <!--
> > >   <user-data-constraint>
> > >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >   </user-data-constraint>
> > >   -->
> > >
> > > </security-constraint>
> > >
> > > <login-config>
> > >   <auth-method>FORM</auth-method>
> > >   <form-login-config>
> > >     <form-login-page>/LoginForm.jsp</form-login-page>
> > >     <form-error-page>/LoginForm.jsp</form-error-page>
> > >   </form-login-config>
> > > </login-config>
> > >
> > > <security-role>
> > >   <description>
> > >     This logical role includes all authenticated users
> > >   </description>
> > >   <role-name>Authenticated</role-name>
> > > </security-role>
> > >
> > > <security-role>
> > >   <description>
> > >     This logical role includes all administrative users
> > >   </description>
> > >   <role-name>Admin</role-name>
> > > </security-role>
> > >
> > > Regards,
> > > John Pimentel
> > >
> > > (Embedded image moved to file:
pic05844.gif)Description: Description:
> > > ralogo_web
> > > jpimen...@ra.rockwell.com
> > > Office (414) 382-3354
> > > Mobile (262) 501-4785
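Jim's suggestion applied to the Realm John posted, shown as an added example that is not part of any message in this thread. The host, bind DN and password are the thread's own redacted placeholders, copied as posted; only the user lookup attributes change.

```xml
<!-- Added example, not from the thread's authors.

     Before: userPattern="uid={0},ou=people,dc=mydomain,dc=com"
       JNDIRealm builds the user DN directly from the login name and
       binds as that DN. The login only works if every user entry sits
       exactly one level below ou=people and is named by uid.

     After: userBase + userSearch + userSubtree
       JNDIRealm binds as connectionName, searches under userBase for
       an entry matching (uid=<login name>), then binds as the DN it
       found to check the password. userSubtree="true" lets the entry
       sit at any depth below userBase.

     roleSearch is unchanged. In roleSearch, {0} is replaced with the
     authenticated user's DN ({1} would be the login name), which is
     the form of the uniqueMember value John quotes:
       uid=JPimen,ou=people,dc=mydomain,dc=com
     roleName="cn" means the role names handed to the container are
     the group cn values, and those are what the role-name entries in
     web.xml are compared against. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
       connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
       connectionPassword="[Password]"
       userBase="ou=people,dc=mydomain,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
```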