Versions Compared

Old Version 9

changes.mady.by.user Shaun Forbes

Saved on

compared with

New Version 10

changes.mady.by.user Shaun Forbes

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Setting up the smbAuthenticationProvider is just a matter of configuring the SmbNtlmAuthenticationProvider with the authorizationProvider provider to be used.

Code Block
xml
xml
2titleA SMB NTLM aware authentication provider
linenumberstrue
	<bean id="smbAuthenticationProvider" class="org.acegisecurity.providers.smb.SmbNtlmAuthenticationProvider">
		<property name="authorizationProvider">
			<ref local="nullDaoAuthenticationProvider"/>
		</property>
	</bean>

In this case we're referencing yet another item, the nullDaoAuthenticationProvider authentication provider.
The nullDaoAuthenticationProvider is a simple authentication provider that uses a separate UserDetailsService to retrieve the information about what roles a user has, and if you're using the default security.xml file for this that will be the users.properties file.
Alternatively the UserDetailsService could be accessing a database to retrieve the users roles, and later we'll be looking at changing this to use Active Directory (via LDAP) to determine the users roles.

Code Block
xml
xml
2titleA SMB simple password authenticator
linenumberstrue
	<bean id="nullDaoAuthenticationProvider" class="org.acegisecurity.providers.smb.NullPasswordDaoAuthenticationProvider">
		<property name="userDetailsService" ref="userDetailsService"/>
		<property name="userCache">
			<bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
				<property name="cache">
					<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
						<property name="cacheManager">
							<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
						</property>
						<property name="cacheName" value="userCache"/>
					</bean>
				</property>
			</bean>
		</property>
	</bean>

...

This information is obtained from an AD domain controller using the LDAP protocol.

Info

When setting up the LDAP integration it's recommended that the JXplorer tool be used to test the settings, because the JXplorer uses the LDAP server in the same way as Weave but provides an interactive method for verifying the settings.
Image Added

To enable LDAP as a source of authentication information the ntlmAuthenticationManager we created earlier needs to be altered to use an LdapAuthenticationProvider rather than the SmbAuthenticationProvider.

...

Code Block
xml
xml
titleSetting up a connection to the LDAP server
linenumberstrue
	<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
		<constructor-arg value="ldap://192.168.0.16:389/"/>
		<property name="managerDn">
			<value>CN=Administrator,OU=Users,DC=cohga,DC=local</value>
		</property>
		<property name="managerPassword">
			<value>password</value>
		</property>
	</bean>
Info

Connecting to the LDAP server with JXplorer
Image Added

Connected to the LDAP server with JXplorer
Image Added

Here the ip address, manager distinguished name and manager passwords must be set to appropriate values for a user that can read for the active directory server.
I've used the Administrator user to connect to LDAP in the example above but you do not want to do that on a production system (and you should be worried if your IT department gives you the password for this user just to do this). Instead you should have IT create a limited user account that you can connect with.

Note

The dsquery.exe program can be used to find the distinguished name of the user
Image Removed
dsquery.exe * -filter "(&(objectCategory=Person)(objectClass=User))"

Image Added

The two final beans, the userSearchLdap and populatorLdap also require information that is specific to the environment you're running within, the userSearchLdap beans would be something like the following:

Code Block
xml
xml
titleSetting up an LDAP search for a user
linenumberstrue
	<bean id="userSearchLdap" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
		<constructor-arg>
			<value>OU=WeaveUsers,DC=cohga,DC=local</value>
		</constructor-arg>
		<constructor-arg>
			<value>(sAMAccountName={0})</value>
		</constructor-arg>
		<constructor-arg>
			<ref local="initialDirContextFactory" />
		</constructor-arg>
		<property name="searchSubtree">
			<value>true</value>
		</property>
	</bean>

This configuration assumes that there is a branch in the tree matching the first constructor arg and that the sAMAccountName value of any users found there will match the username they logged into Windows with.

Note

JXplorer showing a users entry
Image Added

Finally the populatorLdap is responsible for mapping the username to the roles and would be configured as follows

...

This configuration is setup to search for groups and use the member attribute of the group to determine if the user belongs.
This setup is assuming that there has been a security group created in the Active Directory server called Weave and that the roles/groups for Weave are created under there.
This "should" take the active directory groups that the user belongs to and convert them to a format that's usable in Weave, and also assigns a default ROLE_USERS role to all users (which you can remove if it's not appropriate).

Note

JXplorer showing a group entry
Image Added

You will then need to create Weave Access Control Lists utilising the roles that users will be assigned.

...