3 Replies Latest reply on Apr 30, 2010 5:01 AM by bdaw

    LDAP Roles and Authorization

    fredcurry

      I am using an LDAP directory for my authentication and roles within GateIn; however, the roles for my organization are at the top level of the tree (I have included a screenshot of my directory structure). I am able to authenticate all of my users, but I am not able to provide any authorization for users who are members of my top-level groups – I always get a 403 error. It is not a problem for users who are members of the sample roles under gatein-portal-Platform-*.

       

      For my portal, I have been modifying 02portal.war based on Thomas’s suggestion in http://community.jboss.org/thread/147436.

       

      I have added my top-level roles to WEB-INF/conf/idm-configuration.xml and WEB-INF/conf/organization-configuration.xml. Are there changes that I need to make to folders or files in WEB-INF/conf/portal/group? How can I get my users in the top-level groups into the portal?

       

      Fred

        • 1. Re: LDAP Roles and Authorization
          bdaw

          http://community.jboss.org/wiki/GateInIdentityandSecurityFAQ - Q3

           

          Just make all users members of the /Platform/users group with the group management portlet. If you have the /Platform/users group created in LDAP (as I can see in the screenshot), then you can also just add them manually in LDAP by adding all user DNs as values of the "member=" attribute in this entry (cn=users,cn=Platform,o=portal,o=gatein,dc=example,dc=com).

          • 2. Re: LDAP Roles and Authorization
            fredcurry

            Do I need to have the /Platform/users group? Ideally, I'd rather not use the out-of-the-box roles at all, and drive the portal completely off of my top-level Roles container (e.g. platform/users becomes Roles/realtors, platform/administrators becomes Roles/administrators, etc.). This would ultimately allow me to remove the gatein container entirely.

             

            Based on Question 3 in the FAQ, what path would I use to reference Roles/realtors?

             

             

            Fred

            • 3. Re: LDAP Roles and Authorization
              bdaw

              Groups under /Platform are built in and a lot of permissions rely on them. I think nothing is hardcoded, but to get rid of them you will need to re-edit the portal configuration files that you can find under "gatein.ear/02portal.war/WEB-INF/conf/portal" and swap in your own groups and users.

               

              For your group, look in the group management portlet and see where it is displayed. This is the tree structure that you simply construct from the root with /.
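As an added example (my own script, not from this thread and not part of GateIn), here is a way to do the "re-edit the files under conf/portal and swap in your own groups" step from the last reply mechanically, with a check for any /platform reference that the mapping missed. It assumes, from my understanding of GateIn's conf/portal XML rather than from anything on this page, that permissions are written as `membership:/group/path` inside `<access-permissions>` and `<edit-permission>` elements, that several expressions may be `;`-separated, and that `Everyone` is a literal that must be left alone. It also assumes Fred's group is referenced as `/Roles/realtors` (leading slash, following bdaw's "construct from the root with /"); the mapping values and the sample XML are constructed for the example.

```python
import re
from pathlib import Path

# Elements that carry permission expressions in GateIn's conf/portal XML files
# (assumption: portal.xml / pages.xml / navigation.xml use these element names,
# written without attributes).
PERMISSION_TAGS = ("access-permissions", "edit-permission")

# An expression is "membership:/group/path"; "*" means any membership type.
# Anything without a colon (e.g. the literal "Everyone") is left untouched.
_EXPR_RE = re.compile(r"^(?P<membership>[^:]+):(?P<group>/.+)$")

# Fred's intended replacement of the built-in groups (constructed for the example).
MAPPING = {
    "/platform/users": "/Roles/realtors",
    "/platform/administrators": "/Roles/administrators",
}

# Constructed sample, not a real GateIn file; it only mimics the element shapes.
SAMPLE = """<portal-config>
  <portal-name>classic</portal-name>
  <access-permissions>Everyone</access-permissions>
  <edit-permission>*:/platform/administrators</edit-permission>
  <page><access-permissions>*:/platform/users;member:/platform/guests</access-permissions></page>
</portal-config>"""


def rewrite_expression(expr, mapping):
    """Map one 'membership:/group' expression through mapping (old path -> new path).

    Returns (new_expr, group_path) where group_path is None for non-group
    expressions such as 'Everyone'.
    """
    expr = expr.strip()
    m = _EXPR_RE.match(expr)
    if not m:
        return expr, None
    group = m.group("group")
    if group in mapping:
        return f"{m.group('membership')}:{mapping[group]}", group
    return expr, group


def rewrite_permissions(xml_text, mapping):
    """Rewrite every permission element in one XML document.

    Returns (new_xml, leftovers): leftovers is the set of /platform group paths
    still referenced after the rewrite, i.e. permissions the mapping forgot.
    """
    leftovers = set()

    def _sub(match):
        tag, body = match.group("tag"), match.group("body")
        new_parts = []
        for part in body.split(";"):  # ';'-separated lists (assumption)
            new_expr, _ = rewrite_expression(part, mapping)
            new_parts.append(new_expr)
            m = _EXPR_RE.match(new_expr)
            if m and m.group("group").lower().startswith("/platform/"):
                leftovers.add(m.group("group"))
        return f"<{tag}>{';'.join(new_parts)}</{tag}>"

    pattern = re.compile(
        r"<(?P<tag>%s)>(?P<body>[^<]*)</(?P=tag)>" % "|".join(PERMISSION_TAGS))
    return pattern.sub(_sub, xml_text), leftovers


def rewrite_tree(conf_dir, mapping, write=False):
    """Apply mapping to every *.xml under conf_dir (dry run unless write=True).

    Returns {path: sorted leftovers} for files that still reference /platform
    groups, so you can extend the mapping before anything is written.
    """
    report = {}
    for path in Path(conf_dir).rglob("*.xml"):
        original = path.read_text(encoding="utf-8")
        updated, leftovers = rewrite_permissions(original, mapping)
        if leftovers:
            report[str(path)] = sorted(leftovers)
        if write and updated != original:
            path.write_text(updated, encoding="utf-8")
    return report


if __name__ == "__main__":
    new_xml, left = rewrite_permissions(SAMPLE, MAPPING)
    print(new_xml)
    print("still referencing /platform groups:", sorted(left))
    # Real run (dry): rewrite_tree("gatein.ear/02portal.war/WEB-INF/conf/portal", MAPPING)
```

Run it dry first: a non-empty report means some page or navigation file still points at a built-in group you have not mapped, which is exactly the case that produces the 403 once /Platform is removed. Only pass `write=True` after the report is empty, and keep a copy of the original war.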