Tag Archives: acegi

Setting up LDAP with Pebble 2.0 M2 (and Acegi)

Here’s what you’ll want to do:

First, modify WEB-INF/applicationContext-acegi-security.xml.

In that file, add the LDAP provider to the list in the provider manager (ProviderManager tries the providers in list order, so putting it first means LDAP is consulted before the DAO provider):

<bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="ldapAuthProvider"/>
      <ref local="daoAuthenticationProvider"/>
      <ref local="rememberMeAuthenticationProvider"/>
    </list>
  </property>
</bean>

Next, add the LDAP provider configuration, replacing the three *_HERE placeholders with your base DN, the DN of an account allowed to search the directory, and that account's password:

<!-- LDAP CONFIGURATION -->
<bean id="initialDirContextFactory"
      class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://localhost:389/BASE_DN_HERE"/>
  <property name="managerDn">
    <value>ADMIN_DN_HERE</value>
  </property>
  <property name="managerPassword">
    <value>ADMIN_PASSWORD_HERE</value>
  </property>
</bean>

<bean id="ldapAuthProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg>
        <ref local="initialDirContextFactory"/>
      </constructor-arg>
      <property name="userDnPatterns">
        <list>
          <value>uid={0},ou=People</value>
        </list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg>
        <ref local="initialDirContextFactory"/>
      </constructor-arg>
      <constructor-arg>
        <value>ou=PebbleRoles</value>
      </constructor-arg>
      <property name="groupRoleAttribute">
        <value>ou</value>
      </property>
    </bean>
  </constructor-arg>
</bean>

This is almost straight from the Acegi docs. It assumes that your users reside under the organizational unit People in the base DN: BindAuthenticator substitutes the login name for {0} in uid={0},ou=People, appends the base DN from the provider URL, and binds to the directory as that DN with the password the user typed, so it is the user's own LDAP password that gets checked. The managerDn and managerPassword are only used for the directory context in which the group search below runs. Two practical points: the manager password sits in cleartext in this file, so keep the file's permissions tight; and a plain ldap:// URL carries both that password and every user's login password unencrypted, which is tolerable for the localhost example above but means switching to an ldaps:// URL if the directory lives on another host.

Then, to supply the roles, create the organizational unit PebbleRoles and put under it one entry of class groupOfNames per role. These entries can be named anything friendly, but each must list its members as full DNs under the People unit, e.g. uid=brett,ou=People,dc=maven,dc=org: the populator's default search filter is (member={0}), where {0} is the authenticated user's complete DN, so a bare uid will never match. Each entry also needs its own ou attribute set to the Pebble role name without the ROLE_ prefix, e.g. PEBBLE_ADMIN, BLOG_CONTRIBUTOR or BLOG_OWNER; the populator reads that attribute (the groupRoleAttribute above), upper-cases it and prepends ROLE_, both of which are DefaultLdapAuthoritiesPopulator defaults.

This is enough to authenticate your user with appropriate roles (assuming the user has a password set in LDAP).
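To see what the directory that this configuration expects looks like, and to check a role layout before loading it, here is an added example in Python; it is not Pebble's or Acegi's code. It models the two lookups Acegi performs with the configuration above: BindAuthenticator binds as uid=<login>,ou=People,<base DN>, and DefaultLdapAuthoritiesPopulator searches under ou=PebbleRoles with its default (member=<that full DN>) filter, reads the ou attribute, upper-cases it and prepends ROLE_. The LDIF fragment, the dc=maven,dc=org base and the users brett, alice and carol are constructed for illustration; no passwords are in it.

```python
"""Added example: model of how the Acegi configuration above resolves Pebble
roles from LDAP. Not Pebble's or Acegi's code; the LDIF, base DN and users
are constructed for illustration."""

BASE_DN = "dc=maven,dc=org"   # stands in for BASE_DN_HERE in the XML above

# Constructed directory fragment (the ou=People and ou=PebbleRoles containers
# are assumed to exist already). userPassword is left out on purpose: set it
# through the server, e.g. with ldappasswd, so it is stored hashed. The last
# group deliberately lists a member outside ou=People to show what the check
# below reports.
SAMPLE_LDIF = """\
dn: uid=brett,ou=People,dc=maven,dc=org
objectClass: inetOrgPerson
uid: brett
cn: Brett
sn: Example

dn: uid=alice,ou=People,dc=maven,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example

dn: cn=Pebble Administrators,ou=PebbleRoles,dc=maven,dc=org
objectClass: groupOfNames
cn: Pebble Administrators
ou: PEBBLE_ADMIN
member: uid=brett,ou=People,dc=maven,dc=org

dn: cn=Blog Owners,ou=PebbleRoles,dc=maven,dc=org
objectClass: groupOfNames
cn: Blog Owners
ou: BLOG_OWNER
member: uid=brett,ou=People,dc=maven,dc=org
member: uid=alice,ou=People,dc=maven,dc=org
member: uid=carol,ou=Staff,dc=maven,dc=org
"""


def parse_ldif(text):
    """Minimal LDIF reader (no line continuations, no base64 values):
    returns {dn: {attribute: [values]}} with attribute names lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is None:
            raise ValueError(f"attribute before any dn: {line!r}")
        else:
            current.setdefault(attr, []).append(value)
    return entries


def norm(dn):
    """Compare DNs the way the directory does: case-insensitively and
    ignoring whitespace around commas (escaped commas are not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def user_dn(username):
    """BindAuthenticator builds the bind DN from the userDnPatterns entry
    uid={0},ou=People, relative to the base DN in the provider URL."""
    return f"uid={username},ou=People,{BASE_DN}"


def authorities(entries, username, group_base="ou=PebbleRoles",
                role_attr="ou", prefix="ROLE_"):
    """Roles the populator would grant after a successful bind, or None when
    no entry exists at the pattern-derived DN (the bind itself would fail)."""
    dn = norm(user_dn(username))
    if dn not in {norm(d) for d in entries}:
        return None
    base = norm(f"{group_base},{BASE_DN}")
    roles = set()
    for gdn, attrs in entries.items():
        g = norm(gdn)
        if g == base or not g.endswith("," + base):
            continue                     # subtree search under ou=PebbleRoles
        if dn in {norm(m) for m in attrs.get("member", [])}:   # (member={0})
            for value in attrs.get(role_attr, []):
                roles.add(prefix + value.upper())    # Acegi's default mapping
    return sorted(roles)


def check_members(entries):
    """Misconfiguration check: every member of a role group must be an existing
    entry under ou=People, otherwise (member=<user DN>) can never match it and
    the role is silently never granted."""
    people = norm(f"ou=People,{BASE_DN}")
    known = {norm(d) for d in entries}
    problems = []
    for gdn, attrs in entries.items():
        for member in attrs.get("member", []):
            m = norm(member)
            if not m.endswith("," + people) or m not in known:
                problems.append((gdn, member))
    return problems


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("brett", "alice", "carol"):
        print(user, authorities(directory, user))
    for group, member in check_members(directory):
        print(f"WARNING: {group}: {member} is not a user under ou=People")
```

Run against your own LDIF export (replace SAMPLE_LDIF and BASE_DN) before loading it: a user who gets an empty list has no group listing their full DN, and anything reported by check_members is a member value the populator's filter will never match.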

The last thing you'll find is that the posts are all listed "by null". It turns out Pebble loads nothing but authentication data from LDAP, so you still need the same realm.properties as for the DAO authentication provider setup. The password and roles there can be anything (just not blank), but the name, emailAddress and website are all used. Hopefully that will change in later versions. One caveat on "anything": daoAuthenticationProvider is still in the provider list, and ProviderManager moves on to the next provider when the LDAP bind fails, so a login that matches whatever the password field holds is still accepted through the DAO provider. Use a long random value there rather than a guessable placeholder.