Help comments:Permissions
[Edit]Dual LDAP/Local Login
I set up my wiki last week to use LDAP for authentication, but maintain roles in the wiki database. I struggled a bit with the directions on the page being a bit vague. Specifically there are sections that refer to commenting out the authentication provider configuration "above", but there are two sets of that information depending on which configuration you are going for.
Also there are parts of each of the top 2 authentication secions that must be left in place for everything to work, but i did not see that in the directions. I was not able to get the LDAP authentication #2 example to work as it is documented.
It is using some variable substitution based on part of the LDAP #1 setup, but when i tried it that way, it kept telling me it could not parse the LDAP url. I ended up taking out the variable substitution and putting my LDAP connection info directly into the second example and everything started working.
Lastly, we may want to make an enhancement that would allow both local and LDAP authentication. The way it is now, the admin account stops working once the authentication is moved over to LDAP. I would think there should be a facility to always authenticate locally in case there are LDAP problems afoot or in case LDAP authentication is turned on before the proper admin type accounts are set up.
dkp • (comments)
- Feel free to add a feature request for a dual LDAP/local login as that may be useful to a number of users. As to instructions for LDAP, please make any updates to the documentation that you feel necessary - I don't personally use LDAP, so I mostly rely on others to help keep this section up-to-date. -- Ryan • (comments) • 22-Nov-2010 08:38 PST
[Edit]Upgrade... and a customization special
Archived from the Feedback page:
Ok, 0.8.4 is still running, but I have one problem: after having had a short exchange with you three years ago I made a change to WEB-INF/applicationContext-acegi-security.xml by inserting
/**/NurDV/**=ROLE_ABT_DV /**/Special:*NurDV/**=ROLE_ABT_DV
and creation a special role. That was to allow the creation of special articles only accessible for the members of that role. It worked fine in 0.6.0... on updating to 0.8.4 I saved that file and copied it to the directory after installation (what was presumably a bit naive... ;-) ). Now everyone is able to access these files and I am forced to shutdown the wiki, because the "only admins" button for one of these articles didn't work, I was able to view that article although being logged out. Any idea, Ryan? Thanks in advance! Frank 28-Sep-2010 07:26 PDT
- Acegi is now Spring Security, so the
applicationContext-acegi-security.xmlwas renamed toapplicationContext-security.xmland the old file won't be read any longer. Configuration#Spring Security has an overview of how the security configuration file works, but what you'll want to do is to add a new "intercept-url" pattern that looks like:<intercept-url pattern="/**/NurDV/**" access="ROLE_ABT_DV" />
- If you then restart your server you should be mostly set. One important caveat: this won't protect people from viewing the edit screen for that page - see Configuration#Advanced_Topics for an overview of configuration changes needed to handle something like
Special:Edit?topic=NurDV. That's a bit tricky, so please let me know if you have any questions. -- Ryan • (comments) • 28-Sep-2010 08:44 PDT- Thanks, Ryan, it works (one has to take care to put the pattern before the general view pattern at the bottom of the list)
Regarding the Special:Edit issue, I wasn't able to find a matching pattern to block editing of my "NurDV/*" topics...:-/
Another issue: since I updated I always have to remove jamwiki.lck manually after a tomcat restart...Frank 29-Sep-2010 02:40 PDT
... and a second one: I'm logged out, then I visit a page. A click on "Edit page" leads me to the login page. After entering my login data a message appears telling me that the page I visited before doesn't exist...Frank 29-Sep-2010 04:51 PDT- I'll try to get the Spring documentation updated tonight with additional examples, but I think something like
<intercept-url pattern="/(.)+/Special\:(.)+\=NurDV" access="ROLE_ABT_DV" /> <intercept-url pattern="/(.)+/NurDV/(.)+" access="ROLE_ABT_DV" />
- ...should work. I'll need to investigate the other issues you've mentioned as I haven't encountered those. What OS are you on? -- Ryan • (comments) • 29-Sep-2010 08:12 PDT
- Our wiki servers are running RHEL 5.2 and Ubuntu 10.04.1 LTS.... the editor block doesn't work... I'm not familiar with the pattern syntax... but the Special: pattern ends with "NurDV", but our special articles all start with "NurDV/"
Are there any changes re Spring when upgrading to 1.0.0? Frank 30-Sep-2010 02:23 PDT- Hi Frank - I don't think I'll be able to look into this tonight, but will look at it over the weekend and try to reproduce. I haven't personally encountered the issues you've raised and have thus far been unable to reproduce them, so please give me some time to try to figure out what's going on. I don't think there are any similar bug reports, so it may be a mis-configuration somewhere. If so, I'll also see if I can get the documentation on jamwiki.org updated to make the upgrade process clearer. -- Ryan • (comments) • 30-Sep-2010 15:20 PDT
- Our wiki servers are running RHEL 5.2 and Ubuntu 10.04.1 LTS.... the editor block doesn't work... I'm not familiar with the pattern syntax... but the Special: pattern ends with "NurDV", but our special articles all start with "NurDV/"
- I'll try to get the Spring documentation updated tonight with additional examples, but I think something like
- Thanks, Ryan, it works (one has to take care to put the pattern before the general view pattern at the bottom of the list)
- (Re-indenting) Permissions#Advanced topic protection has been created and includes patterns that I've tested locally for protecting edit & history pages. Feel free to update that documentation with any clarifications that may be needed. -- Ryan • (comments) • 03-Oct-2010 16:35 PDT