Automatically put users from LDAP into /platform/users?
philippelr May 18, 2010 3:11 AM
Hello,
I've read a lot of stuff to get rid of the 403 error after successfully connecting to GateIn, but as I don't have roles in my LDAP dictionary, I can't use it.
I would like to import all users in the "/platform/users" group to automatically give them the right to access everything.
How could I do that? (I am with GateIn 3.0)
Here is my current idm-configuration.xml file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  Copyright (C) 2009 eXo Platform SAS.

  This is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as
  published by the Free Software Foundation; either version 2.1 of
  the License, or (at your option) any later version.

  This software is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public
  License along with this software; if not, write to the Free
  Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  02110-1301 USA, or see the FSF site: http://www.fsf.org.
-->
<configuration
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_1.xsd http://www.exoplaform.org/xml/ns/kernel_1_1.xsd"
   xmlns="http://www.exoplaform.org/xml/ns/kernel_1_1.xsd">

  <component>
    <key>org.exoplatform.services.organization.idm.PicketLinkIDMCacheService</key>
    <type>org.exoplatform.services.organization.idm.PicketLinkIDMCacheService</type>
  </component>

  <component>
    <key>org.exoplatform.services.database.HibernateService</key>
    <jmx-name>database:type=HibernateService</jmx-name>
    <type>org.exoplatform.services.database.impl.HibernateServiceImpl</type>
    <init-params>
      <properties-param>
        <name>hibernate.properties</name>
        <description>Default Hibernate Service</description>
        <property name="hibernate.show_sql" value="false"/>
        <property name="hibernate.current_session_context_class" value="thread"/>
        <property name="hibernate.cache.use_second_level_cache" value="true"/>
        <property name="hibernate.cache.use_query_cache" value="true"/>
        <!--CHANGEME HashtableCacheProvider should not be used in production env-->
        <property name="hibernate.cache.provider_class" value="org.hibernate.cache.HashtableCacheProvider"/>
        <property name="hibernate.connection.datasource" value="${gatein.idm.datasource.name}${container.name.suffix}"/>
        <property name="hibernate.connection.autocommit" value="true"/>
        <!-- Should be automatically detected. Force otherwise
        <property name="hibernate.dialect" value="org.hibernate.dialect.XXXDialect"/>
        -->
      </properties-param>
    </init-params>
  </component>

  <component>
    <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
    <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
    <init-params>
      <value-param>
        <name>config</name>
        <!--<value>war:/conf/organization/picketlink-idm/picketlink-idm-config.xml</value>-->
        <!--Sample LDAP config-->
        <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-config.xml</value>-->
        <!--ACME LDAP Example-->
        <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-ldap-acme-config.xml</value>-->
        <!--MSAD LDAP Example-->
        <!--<value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml</value>-->
        <!--MSAD Read Only LDAP Example-->
        <value>war:/conf/organization/picketlink-idm/examples/picketlink-idm-msad-readonly-config.xml</value>
      </value-param>
      <!-- In default PicketLink IDM configuration hibernate store will namespace identity objects
           using this realm name. If you want to share DB between portals and also share the same
           identity data, remove the "${container.name.suffix}" part-->
      <value-param>
        <name>portalRealm</name>
        <value>idm_realm${container.name.suffix}</value>
      </value-param>
      <value-param>
        <name>cacheConfig</name>
        <value>war:/conf/organization/picketlink-idm/jboss-cache.xml</value>
      </value-param>
      <value-param profiles="cluster">
        <name>cacheConfig</name>
        <value>war:/conf/organization/picketlink-idm/jboss-cache-cluster.xml</value>
      </value-param>
    </init-params>
  </component>

  <component>
    <key>org.exoplatform.services.organization.OrganizationService</key>
    <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
    <init-params>
      <object-param>
        <name>configuration</name>
        <object type="org.exoplatform.services.organization.idm.Config">
          <!-- For all ids not mapped with a type in 'groupTypeMappings', use the parent id path
               as the group type to store the group in PicketLink IDM. The effect of setting this
               option to false and not providing any mappings under 'groupTypeMappings' is that
               there can be only one group with a given name in the whole GateIn group tree-->
          <field name="useParentIdAsGroupType">
            <boolean>true</boolean>
          </field>
          <!-- A group stored in PicketLink IDM with a type mapped in 'groupTypeMappings' will
               automatically be a member under the mapped parent. Normally groups are linked by
               a PicketLink IDM group association; such a relationship won't be needed then.
               It can be set to false if all groups are added via GateIn APIs.
               This option may be useful with an LDAP config as it will make (if set to true)
               every entry added to LDAP (not via the GateIn management UI) appear in GateIn-->
          <field name="forceMembershipOfMappedTypes">
            <boolean>true</boolean>
          </field>
          <!-- When 'useParentIdAsGroupType' is set to true this value will be used to replace
               all "/" chars in the id. This is because "/" is not allowed in a group type
               name in PicketLink IDM-->
          <field name="pathSeparator">
            <string>.</string>
          </field>
          <!-- Name of the group stored in PicketLink IDM that acts as the root group in GateIn - "/" -->
          <field name="rootGroupName">
            <string>GTN_ROOT_GROUP</string>
          </field>
          <!-- Map groups added with the GateIn API as children of a given group ID to be stored
               with a given group type name in PicketLink IDM. If the parent ID ends with "/*"
               then all child groups will have the mapped group type. Otherwise only direct
               (first level) children will use this type. This can be leveraged by an LDAP setup:
               an LDAP DN configured in PicketLink IDM to store a specific group type will then
               store one given branch of the GateIn group tree while all other groups remain
               in the DB. -->
          <field name="groupTypeMappings">
            <map type="java.util.HashMap">
              <entry>
                <key><string>/</string></key>
                <value><string>root_type</string></value>
              </entry>
              <!-- Uncomment for sample LDAP configuration -->
              <!--
              <entry>
                <key><string>/platform/*</string></key>
                <value><string>platform_type</string></value>
              </entry>
              <entry>
                <key><string>/organization/*</string></key>
                <value><string>organization_type</string></value>
              </entry>
              -->
              <!-- Uncomment for ACME LDAP example -->
              <!--
              <entry>
                <key><string>/acme/roles/*</string></key>
                <value><string>acme_roles_type</string></value>
              </entry>
              <entry>
                <key><string>/acme/organization_units/*</string></key>
                <value><string>acme_ou_type</string></value>
              </entry>
              -->
              <!-- Uncomment for MSAD ReadOnly LDAP example -->
              <entry>
                <key><string>/platform/*</string></key>
                <value><string>users</string></value>
              </entry>
            </map>
          </field>
          <!-- If this option is used then each Membership created with a MembershipType equal to
               the value specified here will be stored in PicketLink IDM as a simple Group-User
               association-->
          <field name="associationMembershipType">
            <string>member</string>
          </field>
          <!-- If the "associationMembershipType" option is used and this option is set to true,
               a Membership with the MembershipType configured to be stored as a PicketLink IDM
               association will not be stored as a PicketLink IDM Role -->
          <field name="ignoreMappedMembershipType">
            <boolean>false</boolean>
          </field>
          <!-- If 'true' will use JTA UserTransaction.
               If 'false' will use the IDM transaction API -->
          <field name="useJTA">
            <boolean>false</boolean>
          </field>
        </object>
      </object-param>
    </init-params>
  </component>

  <external-component-plugins>
    <target-component>org.exoplatform.services.naming.InitialContextInitializer</target-component>
    <component-plugin>
      <name>bind.datasource</name>
      <set-method>addPlugin</set-method>
      <type>org.exoplatform.services.naming.BindReferencePlugin</type>
      <init-params>
        <value-param>
          <name>bind-name</name>
          <value>${gatein.idm.datasource.name}${container.name.suffix}</value>
        </value-param>
        <value-param>
          <name>class-name</name>
          <value>javax.sql.DataSource</value>
        </value-param>
        <value-param>
          <name>factory</name>
          <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
        </value-param>
        <properties-param>
          <name>ref-addresses</name>
          <description>ref-addresses</description>
          <property name="driverClassName" value="${portal.container.gatein.idm.datasource.driver}"/>
          <property name="url" value="${portal.container.gatein.idm.datasource.url}"/>
          <property name="username" value="${portal.container.gatein.idm.datasource.username}"/>
          <property name="password" value="${portal.container.gatein.idm.datasource.password}"/>
        </properties-param>
      </init-params>
    </component-plugin>
  </external-component-plugins>

  <external-component-plugins>
    <target-component>org.exoplatform.services.database.HibernateService</target-component>
    <component-plugin>
      <name>add.hibernate.mapping</name>
      <set-method>addPlugin</set-method>
      <type>org.exoplatform.services.database.impl.AddHibernateMappingPlugin</type>
      <init-params>
        <values-param>
          <name>hibernate.mapping</name>
          <value>picketlink-idm/mappings/HibernateRealm.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectCredentialBinaryValue.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectAttributeBinaryValue.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObject.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectCredential.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectCredentialType.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectAttribute.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectType.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectRelationship.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectRelationshipType.hbm.xml</value>
          <value>picketlink-idm/mappings/HibernateIdentityObjectRelationshipName.hbm.xml</value>
        </values-param>
      </init-params>
    </component-plugin>
  </external-component-plugins>

</configuration>
Thank you in advance... GateIn currently works with my "strangely" designed LDAP dictionary, so I want to continue with it...
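Added example, not GateIn or PicketLink code: a small Python checker that reads the OrganizationService "configuration" block from an idm-configuration.xml like the one posted and resolves which PicketLink IDM group type a GateIn group id such as /platform/users falls under, so the flags that decide whether LDAP entries show up in GateIn (forceMembershipOfMappedTypes, useParentIdAsGroupType, groupTypeMappings) can be reviewed before restarting the portal. The sample XML inside is a constructed, trimmed copy of the posted structure, and the resolution rules are my reading of the comments in that file, not GateIn's own implementation.

```python
import xml.etree.ElementTree as ET

# Namespace and component key copied from the posted idm-configuration.xml.
NS = {"k": "http://www.exoplaform.org/xml/ns/kernel_1_1.xsd"}
ORG_SERVICE = "org.exoplatform.services.organization.OrganizationService"

# Constructed, trimmed excerpt with the same structure as the posted file.
SAMPLE_CONFIG = """<configuration xmlns="http://www.exoplaform.org/xml/ns/kernel_1_1.xsd">
 <component><key>org.exoplatform.services.organization.OrganizationService</key>
  <init-params><object-param><name>configuration</name>
   <object type="org.exoplatform.services.organization.idm.Config">
    <field name="useParentIdAsGroupType"><boolean>true</boolean></field>
    <field name="forceMembershipOfMappedTypes"><boolean>true</boolean></field>
    <field name="pathSeparator"><string>.</string></field>
    <field name="groupTypeMappings"><map type="java.util.HashMap">
     <entry><key><string>/</string></key><value><string>root_type</string></value></entry>
     <entry><key><string>/platform/*</string></key><value><string>users</string></value></entry>
    </map></field>
    <field name="associationMembershipType"><string>member</string></field>
   </object></object-param></init-params></component></configuration>"""

def parse_org_config(xml_text):
    """Collect the Config object's fields: booleans, strings and the mappings map."""
    cfg = {"groupTypeMappings": {}}
    for comp in ET.fromstring(xml_text).findall("k:component", NS):
        if comp.findtext("k:key", namespaces=NS) != ORG_SERVICE:
            continue
        for field in comp.findall(".//k:object/k:field", NS):
            name = field.get("name")
            if name == "groupTypeMappings":
                for e in field.findall(".//k:entry", NS):
                    cfg[name][e.findtext("k:key/k:string", namespaces=NS)] = \
                        e.findtext("k:value/k:string", namespaces=NS)
            elif field.find("k:boolean", NS) is not None:
                cfg[name] = field.findtext("k:boolean", namespaces=NS).strip() == "true"
            else:
                cfg[name] = field.findtext("k:string", default="", namespaces=NS).strip()
    return cfg

def mapped_type_for(cfg, group_id):
    """Group type a GateIn group id resolves to, as I read the posted comments (assumed
    semantics, not GateIn code): a plain key covers the direct children of that id, a
    '/x/*' key every descendant of /x, else the parent path with '/' -> pathSeparator."""
    parent = group_id.rsplit("/", 1)[0] or "/"
    mappings = cfg["groupTypeMappings"]
    if parent in mappings:
        return mappings[parent]
    for base in sorted((k[:-2] for k in mappings if k.endswith("/*")), key=len, reverse=True):
        if group_id.startswith(base + "/"):
            return mappings[base + "/*"]
    if cfg.get("useParentIdAsGroupType"):
        return parent.replace("/", cfg.get("pathSeparator", "."))
```

Point `parse_org_config` at the real file's contents to see whether the `/platform/*` branch is the one backed by your LDAP group type and whether `forceMembershipOfMappedTypes` is on, which the comments say is what makes LDAP-created entries appear in GateIn.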