...
| Code block |
|---|
<!--
| This bean is the ContextSource instance that will be used to connect to LDAP.
+-->
<bean id="ldapContext" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldapserveur:389"/>
<property name="userDn" value="uid=root,dc=example,dc=org"/>
<property name="password" value="XXX"/>
</bean>
<!--
| BaseDn that will be passed to the search (not to the context).
|
| WARNING: If you get an error like this...
| ...PartialResultException: [LDAP: error code 10...
| it probably means your baseDn isn't correct!
+-->
<bean id="baseDn" class="java.lang.String">
<constructor-arg><value>ou=groups,dc=example,dc=org</value></constructor-arg>
</bean>
<!--
| ESUP Parameter.
| This parameter is used to extract the id path of the groups
| from their dn. The id path is expected to be caught from the first group
| of the regex.
+-->
<bean id="childGroupKeyRegex" class="java.lang.String">
<constructor-arg><value>cn=(.*),ou=groups,dc=example,dc=org</value></constructor-arg>
</bean>
<bean id="keyIndexMatchingGroup" class="java.lang.Integer">
<constructor-arg><value>1</value></constructor-arg>
</bean>
<!--
| LDAP query string that will be passed to the search.
+-->
<bean id="filter" class="java.lang.String">
<constructor-arg><value>(objectClass=eduMember)</value></constructor-arg>
</bean>
<!--
| This bean identifies the name of the Person Attribute that
| lists the SmartLdap groups each person is a member of.
+-->
<bean id="memberOfAttributeName" class="java.lang.String">
<constructor-arg><value>isMemberOf</value></constructor-arg>
</bean>
<!--
| This bean identifies the org.springframework.ldap.core.AttributesMapper
| implementation used in reading the groups records from LDAP.
+-->
<bean id="contextMapper" class="org.jasig.portal.groups.smartldap.SimpleContextMapper">
<!--
| Name of the group attribute that tells you its key.
+-->
<property name="keyAttributeName">
<value>cn</value>
</property>
<!--
| Name of the group attribute that tells you its name.
+-->
<property name="groupNameAttributeName">
<value>cn</value>
</property>
<!--
| Name of the group attribute that lists its members.
+-->
<property name="membershipAttributeName">
<value>member</value>
</property>
</bean>
|
The code uses these attributes as follows:
- Search for all groups
- For each group:
  - Extract the attribute that will serve as the key (keyAttributeName, or the group's dn if keyAttributeName is not set)
  - Extract the attribute that will serve as the name (groupNameAttributeName)
  - Extract the list of members (membershipAttributeName)
  - For each member:
    - Check whether it is a group (by checking that the value matches childGroupKeyRegex)
    - If it is indeed a group, extract its key from the regex group whose index is keyIndexMatchingGroup
    - Insert the sub-group as a child of the current group
When checking whether a person belongs to a group, the test walks the values of the person's memberOfAttributeName attribute and compares each one with the group keys.
Configuring the SmartLdapGroupStore with a cn in the person entry
- Configure the SmartLdapGroupStore in uportal-war/src/main/resources/properties/groups/SmartLdapGroupStoreConfig.xml
| Code block |
|---|
<!--
| This bean is the ContextSource instance that will be used to connect to LDAP.
+-->
<bean id="ldapContext" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldapserveur:389"/>
<property name="userDn" value="uid=root,dc=example,dc=org"/>
<property name="password" value="XXX"/>
</bean>
<!--
| BaseDn that will be passed to the search (not to the context).
|
| WARNING: If you get an error like this...
| ...PartialResultException: [LDAP: error code 10...
| it probably means your baseDn isn't correct!
+-->
<bean id="baseDn" class="java.lang.String">
<constructor-arg><value>ou=groups,dc=example,dc=org</value></constructor-arg>
</bean>
<!--
| ESUP Parameter.
| This parameter is used to extract the id path of the groups
| from their dn. The id path is expected to be caught from the first group
| of the regex.
+-->
<bean id="childGroupKeyRegex" class="java.lang.String">
<constructor-arg><value>cn=(.*),ou=groups,dc=example,dc=org</value></constructor-arg>
</bean>
<bean id="keyIndexMatchingGroup" class="java.lang.Integer">
<constructor-arg><value>1</value></constructor-arg>
</bean>
<!--
| LDAP query string that will be passed to the search.
+-->
<bean id="filter" class="java.lang.String">
<constructor-arg><value>(objectClass=eduMember)</value></constructor-arg>
</bean>
<bean id="resolveMemberGroups" class="java.lang.Boolean">
<constructor-arg><value>false</value></constructor-arg>
</bean>
<bean id="resolveDn" class="java.lang.String">
<constructor-arg><value>changeme</value></constructor-arg>
</bean>
<!--
| This bean identifies the name of the Person Attribute that
| lists the SmartLdap groups each person is a member of.
+-->
<bean id="memberOfAttributeName" class="java.lang.String">
<constructor-arg><value>isMemberOf</value></constructor-arg>
</bean>
<!--
| This bean identifies the org.springframework.ldap.core.AttributesMapper
| implementation used in reading the groups records from LDAP.
+-->
<bean id="contextMapper" class="org.jasig.portal.groups.smartldap.SimpleContextMapper">
<!--
| Name of the group attribute that tells you its key.
| If omitted, will use the dn.
+-->
<property name="keyAttributeName">
<value>cn</value>
</property>
<!--
| Name of the group attribute that tells you its name.
+-->
<property name="groupNameAttributeName">
<value>cn</value>
</property>
<!--
| Name of the group attribute that lists its members.
+-->
<property name="membershipAttributeName">
<value>member</value>
</property>
</bean>
|
In cases where the person entry contains the dn of the group instead of its cn, the following properties must be changed:
| attribute | value | description |
|---|---|---|
| keyIndexMatchingGroup | 0 | The whole group name is extracted to serve as the key |
| memberOfAttributeName | memberOf | The name of the attribute used to compute the groups the user is a member of |
| keyAttributeName | dn | The group key |
| groupNameAttributeName | cn | The group name |

| Code block |
|---|
<!--
| This bean is the ContextSource instance that will be used to connect to LDAP.
+-->
<bean id="ldapContext" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://frmp0165.frml.bull.fr:389"/>
<property name="userDn" value="uid=root,dc=univ,dc=fr"/>
<property name="password" value="secret"/>
</bean>
<!--
| Period, in seconds, after which SmartLdap will drop and re-init the groups
| tree. A value of zero or less (negative) disables this feature.
+-->
<bean id="groupsTreeRefreshIntervalSeconds" class="java.lang.Long">
<constructor-arg><value>900</value></constructor-arg>
</bean>
<!--
| BaseDn that will be passed to the search (not to the context).
|
| WARNING: If you get an error like this...
| ...PartialResultException: [LDAP: error code 10...
| it probably means your baseDn isn't correct!
+-->
<bean id="baseDn" class="java.lang.String">
<constructor-arg><value>ou=groups,dc=univ,dc=fr</value></constructor-arg>
</bean>
<!--
| ESUP Parameter.
| This parameter is used to extract the id path of the groups
| from their dn.
| The id path is caught from the nth group of the regex where n is the value
| of keyIndexMatchingGroup.
| (http://docs.oracle.com/javase/7/docs/api/java/util/regex/Matcher.html#group%28int%29)
-->
<bean id="childGroupKeyRegex" class="java.lang.String">
<constructor-arg><value>cn=(.*),ou=groups,dc=univ,dc=fr</value></constructor-arg>
</bean>
<bean id="keyIndexMatchingGroup" class="java.lang.Integer">
<constructor-arg><value>0</value></constructor-arg>
</bean>
<!--
| NOTE: The remaining examples in this file are configured correctly for
| Active Directory servers.
+-->
<!--
| LDAP query string that will be passed to the search.
+-->
<bean id="filter" class="java.lang.String">
<constructor-arg><value>(objectClass=groupOfNames)</value></constructor-arg>
</bean>
<!--
| These beans tell smartLdap whether to gather additional groups that are
| members of groups returned by the first baseDn and filter, and where to
| look if so.
|
| - resolveMemberGroups=[true|false]
| - resolveDn={a different, broader baseDn than the one above}
|
| Here's how it works: smartLdap will first collect all groups under the
| baseDn specified above. If 'resolveMemberGroups' is enabled, it will
| also search for additional groups (found within the 'resolveDn' specified
| here) that are members of groups in the first collection.
+-->
<bean id="resolveMemberGroups" class="java.lang.Boolean">
<constructor-arg><value>false</value></constructor-arg>
</bean>
<bean id="resolveDn" class="java.lang.String">
<constructor-arg><value>changeme</value></constructor-arg>
</bean>
<!--
| This bean identifies the name of the Person Attribute that
| lists the SmartLdap groups each person is a member of.
+-->
<bean id="memberOfAttributeName" class="java.lang.String">
<constructor-arg><value>isMemberOf</value></constructor-arg>
</bean>
<!--
| This bean identifies the org.springframework.ldap.core.AttributesMapper
| implementation used in reading the groups records from LDAP.
+-->
<bean id="contextMapper" class="org.jasig.portal.groups.smartldap.SimpleContextMapper">
<!--
| Name of the group attribute that tells you its key.
| If omitted, will use the dn.
+-->
<!--
<property name="keyAttributeName">
<value>cn</value>
</property>
-->
<!--
| Name of the group attribute that tells you its name.
+-->
<property name="groupNameAttributeName">
<value>cn</value>
</property>
<!--
| Name of the group attribute that lists its members.
+-->
<property name="membershipAttributeName">
<value>member</value>
</property>
</bean>
|
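As an added worked example (not code from the page or from uPortal), the group-tree walk described in the attribute list above and the dn variant from the table, in Python over constructed group entries; the entries, function names and the `key_attribute_name=None` convention for an omitted keyAttributeName are assumptions of this example.

```python
import re

# Constructed sample group entries (not from the page): dn -> attributes.
# Each group's cn carries its id path, as in the page's regex examples.
GROUP_ENTRIES = {
    "cn=admin,ou=groups,dc=univ,dc=fr": {
        "cn": "admin",
        "member": ["cn=admin:appli,ou=groups,dc=univ,dc=fr",
                   "uid=alice,ou=people,dc=univ,dc=fr"]},
    "cn=admin:appli,ou=groups,dc=univ,dc=fr": {
        "cn": "admin:appli",
        "member": ["cn=admin:appli:appli1,ou=groups,dc=univ,dc=fr"]},
    "cn=admin:appli:appli1,ou=groups,dc=univ,dc=fr": {
        "cn": "admin:appli:appli1",
        "member": ["uid=bob,ou=people,dc=univ,dc=fr"]},
}

def build_group_tree(entries, child_group_key_regex, key_index_matching_group,
                     key_attribute_name="cn", membership_attribute_name="member"):
    """Return {group key: [child group keys]} by walking the entries the way
    the page describes: key, name, members, then a regex test on each member.
    key_attribute_name=None models an omitted keyAttributeName (dn is the key)."""
    pattern = re.compile(child_group_key_regex)
    tree = {}
    for dn, attrs in entries.items():
        key = dn if key_attribute_name is None else attrs[key_attribute_name]
        children = []
        for member in attrs.get(membership_attribute_name, []):
            match = pattern.fullmatch(member)
            if match is None:      # not a group dn: a person entry, skipped here
                continue
            children.append(match.group(key_index_matching_group))
        tree[key] = children
    return tree

def is_member(person_attrs, group_key, member_of_attribute_name):
    """Membership test: each value of the person's memberOf-style attribute
    is compared with the group key."""
    return group_key in person_attrs.get(member_of_attribute_name, [])

# cn variant: keyIndexMatchingGroup=1 keeps only the cn captured by the regex.
CN_TREE = build_group_tree(GROUP_ENTRIES, r"cn=(.*),ou=groups,dc=univ,dc=fr", 1)
# dn variant (table above): keyIndexMatchingGroup=0 keeps the whole matched dn
# and keyAttributeName is omitted, so a group's own key is its dn as well.
DN_TREE = build_group_tree(GROUP_ENTRIES, r"cn=(.*),ou=groups,dc=univ,dc=fr", 0,
                           key_attribute_name=None)
```

The membership check only works when the key style and the values held in memberOfAttributeName agree: a person attribute that stores dns never matches cn keys, which is what the dn variant is for.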
- Add the smartLDAP groups to your group tree. For example, you can modify the Everyone.group-membership.xml file as follows:
| Code block |
|---|
<group script="classpath://org/jasig/portal/io/import-group_membership_v3-2.crn">
<name>Everyone</name>
<entity-type>org.jasig.portal.security.IPerson</entity-type>
<creator>system</creator>
<description>All Users</description>
<children>
<group>Authenticated Users</group>
<group>PAGS Root</group>
<group>Faculty</group>
<group>Guests</group>
<group>Portal System</group>
<group>Staff</group>
<group>Students</group>
<!-- Adding the SmartLdap groups -->
<group>SmartLdap ROOT</group>
</children>
</group> |
Referencing a group coming from the SmartLdapGroupStore
...
A group is targeted
...
by designating it by its name (not by its key). For example, in a channel file, you would write:
| Code block |
|---|
<group>admin:appli:appli1</group> |
...