Using Blojsom 3.2 with Active Directory


Using Blojsom 3.2 with Active Directory

by Justin-116

Has anyone used a recent version of Blojsom with Active Directory?  I followed the instructions for setting up LDAP and even specified each of the init-param's.

http://wiki.blojsom.com/wiki/display/blojsom3/LDAP+Authorization+Provider

I'm fairly certain I have the correct DN as I ran a separate discovery tool to print it out.

http://weblogs.java.net/blog/kohsuke/archive/2008/01/active_director.html

All I get in /var/log/tomcat5/catalina.out is:
Jan 12 18:16:10 DEBUG [ajp-8009-1] servlet.BlojsomServlet - blojsom plugin execution: org.blojsom.plugin.admin.BaseAdminPlugin
Jan 12 18:16:10 DEBUG [ajp-8009-1] admin.BaseAdminPlugin - No username/password provided or username/password was empty

...or when I use the form login page:
Jan 12 18:43:32 DEBUG [ajp-8009-1] servlet.BlojsomServlet - blojsom plugin execution: org.blojsom.plugin.admin.BaseAdminPlugin
Jan 12 18:43:32 DEBUG [ajp-8009-1] ldap.LDAPAuthorizationProvider - Using LDAP authentication for LDAP connection
Jan 12 18:43:32 ERROR [ajp-8009-1] ldap.LDAPAuthorizationProvider - Authorization failed for blog: default for username: justin; LDAP not properly configured
Jan 12 18:43:32 DEBUG [ajp-8009-1] admin.BaseAdminPlugin - Failed authentication for username: justin
Jan 12 18:43:32 DEBUG [ajp-8009-1] admin.BaseAdminPlugin - Setting redirect_to attribute to: /blojsom/blog/default/?flavor=admin&

It would be nice to have autodiscovery of users like Hudson has where the form login page is unnecessary since our users already authenticate with Apache/SSL/Kerberos/AD.

Blojsom is strike two so far after evaluating Pebble.  I'm looking for a fairly capable Weblog that works with Active Directory.

Any help would be appreciated!
Justin



------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Blojsom-users mailing list
Blojsom-users@...
https://lists.sourceforge.net/lists/listinfo/blojsom-users

Re: Using Blojsom 3.2 with Active Directory

by Timothy Stone


On Jan 12, 2009, at 7:57 PM, Justin wrote:

> Has anyone used a recent version of Blojsom with Active Directory?  
> I followed the instructions for setting up LDAP and even specified  
> each of the init-param's.
>
> http://wiki.blojsom.com/wiki/display/blojsom3/LDAP+Authorization+Provider
>
> I'm fairly certain I have the correct DN as I ran a separate  
> discovery tool to print it out.
>
> http://weblogs.java.net/blog/kohsuke/archive/2008/01/active_director.html
>
... snip ...

> Jan 12 18:43:32 DEBUG [ajp-8009-1] ldap.LDAPAuthorizationProvider -  
> Using LDAP authentication for LDAP connection
> Jan 12 18:43:32 ERROR [ajp-8009-1] ldap.LDAPAuthorizationProvider -  
> Authorization failed for blog: default for username: justin; LDAP  
> not properly configured
> Jan 12 18:43:32 DEBUG [ajp-8009-1] admin.BaseAdminPlugin - Failed  
> authentication for username: justin
> Jan 12 18:43:32 DEBUG [ajp-8009-1] admin.BaseAdminPlugin - Setting  
> redirect_to attribute to: /blojsom/blog/default/?flavor=admin&
>
> It would be nice to have autodiscovery of users like Hudson has  
> where the form login page is unnecessary since our users already  
> authenticate with Apache/SSL/Kerberos/AD.

... snip ...

While not obvious to a "user/implementor" the source code points to a  
possible clue:

      * @param username    Username.  In this implementation, this value must match
      *                    that of the blog user's ID.

I'm not sure that is helpful, but your error is being thrown in the  
authorize method of the mentioned class. Is your blog user named the  
same as the AD user?

Full disclosure: I have never used LDAP in any implementation of  
blojsom, I have had some success and failures implementing AD  
integration in MediaWiki. It works sometimes, and fails other times,  
all based on things like GPOs and other memberships in the AD  
directory. Blame it on blojsom, Microsoft (for the rather hackneyed  
way AD implements the LDAP spec), or your AD administrators, the  
latter two often the sources of problems we've had.

HTH,
Tim


Re: Using Blojsom 3.2 with Active Directory

by Justin-116

Since the default blog is owned by the user default... errr, by default... I did jump into MySQL and change the blog owner to my username.  I received the same result.  If the credentials were not approved, I would expect a message to that effect instead of an error message suggesting a problem with the LDAP configuration.

Thanks for the response though!
Justin


From: Timothy Stone <blojsom.user@...>
Date: Monday, January 12, 2009, 7:51 PM

While not obvious to a "user/implementor" the source code points to a 
possible clue:

      * @param username    Username.  In this implementation, this value must match
      *                    that of the blog user's ID.

I'm not sure that is helpful, but your error is being thrown in the 
authorize method of the mentioned class. Is your blog user named the 
same as the AD user?




Re: Using Blojsom 3.2 with Active Directory

by Timothy Stone

Is 'justin' the AD user too?

I wish I had an AD instance to test against. Even a LDAP directory.
Do you have any help from your AD admins? Any logging from there?

On 1/12/09, Justin <crynax@...> wrote:

> Since the default blog is owned by the user default... errr, by default... I
> did jump into MySQL and change the blog owner to my username.  I received
> the same result.  If the credentials were not approved, I would expect a
> message to that effect instead of an error message suggesting a problem with
> the LDAP configuration.
>
> Thanks for the response though!
> Justin
>
>
> From: Timothy Stone <blojsom.user@...>
> Date: Monday, January 12, 2009, 7:51 PM
>
> While not obvious to a "user/implementor" the source code points to a
> possible clue:
>
>       * @param username    Username.  In this implementation, this value must match
>       *                    that of the blog user's ID.
>
> I'm not sure that is helpful, but your error is being thrown in the
> authorize method of the mentioned class. Is your blog user named the
> same as the AD user?


Re: Using Blojsom 3.2 with Active Directory

by Justin-116

Yes, "justin" is the AD user, "justin" is the username I tried on the form, "justin" is the username I tried w/ and w/o bindinguser, "justin" and "Full Name" are the UID and CN respectively I tried w/ and w/o in blog-ldap-authorization-dn, and "justin" is now the owner of the default blog as configured in the database.  I even tried bindingpassword temporarily, although I doubt my admins would ever allow a hardcoded password.  I have no idea if anyone has even gotten AD to work with Blojsom recently.

One behavioral question I have yet to answer is whether I should see a login form page at all once LDAP is correctly configured.  Credentials can be fetched from the current browser session which is what I believe Hudson does (see reference in earlier post).  I'm sure users don't want to login twice.


From: Timothy Stone <blojsom.user@...>
Date: Tuesday, January 13, 2009, 11:40 AM

Is 'justin' the AD user too?

Do you have any help from your AD admins? Any logging from there?




Re: Using Blojsom 3.2 with Active Directory

by Timothy Stone

Anything in this article helpful?

        http://www.afp548.com/article.php?story=20050115043536163

I think for you to enable login-less administration will require some  
level of SSO (possibly, but if the blojsom instance is the first  
application encountered, you still have to login to kick SSO into  
action). It appears that even with LDAP all you get is authentication  
against LDAP over a flatfile. You still have to log in.

I'm going to take look at how we configured our mediawiki tomorrow to  
see if it provides some clues, and may even do a local install of  
blojsom at work to experiment. This is intriguing for a project I'm  
working on as well (in blojsom).

Regards,
Tim

On Jan 13, 2009, at 6:57 PM, Justin wrote:

> Yes, "justin" is the AD user, "justin" is the username I tried on  
> the form, "justin" is the username I tried w/ and w/o bindinguser,  
> "justin" and "Full Name" are the UID and CN respectively I tried w/  
> and w/o in blog-ldap-authorization-dn, and "justin" is now the owner  
> of the default blog as configured in the database.  I even tried  
> bindingpassword temporarily, although I doubt my admins would ever  
> allow a hardcoded password.  I have no idea if anyone has even  
> gotten AD to work with Blojsom recently.
>
> One behavioral question I have yet to answer is whether I should see  
> a login form page at all once LDAP is correctly configured.  
> Credentials can be fetched from the current browser session which is  
> what I believe Hudson does (see reference in earlier post).  I'm  
> sure users don't want to login twice.
>
>
> From: Timothy Stone <blojsom.user@...>
> Date: Tuesday, January 13, 2009, 11:40 AM
>
> Is 'justin' the AD user too?
>
> Do you have any help from your AD admins? Any logging from there?
>
>



Re: Using Blojsom 3.2 with Active Directory

by Justin-116

I did read that article from 4 years ago.  I don't think radeox is necessary (it's not mentioned in Blojsom 3's LDAP documentation).  Also, the blog data is now managed in a database instead of blojsom-blog-home.  In fact, blojsom.properties doesn't even exist any more; the provider needs to be assigned in classes/blojsom.xml.

Between the AD user (already authenticated with Apache and named on the login form), the blog owner, the DN w/ and w/o CN and UID, bindinguser, and bindingpassword, there are many combinations of things to try and I may have missed one.  I know firewalls and other system level software aren't interfering because Subversion, Hudson, Sventon and other services all authenticate with AD and run just fine on the same system.  I'm about to give up.


--- On Tue, 1/13/09, Timothy Stone <blojsom.user@...> wrote:

From: Timothy Stone <blojsom.user@...>
Date: Tuesday, January 13, 2009, 9:01 PM

Anything in this article helpful?

    http://www.afp548.com/article.php?story=20050115043536163




Re: Using Blojsom 3.2 with Active Directory

by Timothy Stone


On Jan 14, 2009, at 3:54 PM, Justin wrote:

> I did read that article from 4 years ago.  I don't think radeox is  
> necessary (it's not mentioned in Blojsom 3's LDAP documentation).  
> Also, the blog data is now managed in a database instead of blojsom-
> blog-home.  In fact, blojsom.properties doesn't even exist any more;  
> the provider needs assigned in classes/blojsom.xml.
>
> Between the AD user (already authenticated with Apache and named on  
> the login form), the blog owner, the DN w/ and w/o CN and UID,  
> bindinguser, and bindingpassword, there are many combinations of  
> things to try and I may have missed one.  I know firewalls and other  
> system level software aren't interfering because Subversion, Hudson,  
> Sventon and other services all authenticate with AD and run just  
> fine on the same system.  I'm about to give up.


I'm curious how the mentioned services are performing the NTLM  
authentication. That's the missing piece.

blojsom admin cannot auto login without performing a NTLM auth, or  
getting that auth from a higher scope, like the context.

I'm thinking about a listener that performs that auth when the admin  
is requested. This would forego the need to login as the context would  
have the authorization for the blog user providing it to the  
session...I think.

I need to research that and play with it a little bit to see.

Regards,
Tim


> --- On Tue, 1/13/09, Timothy Stone <blojsom.user@...> wrote:
>
> From: Timothy Stone <blojsom.user@...>
> Date: Tuesday, January 13, 2009, 9:01 PM
>
> Anything in this article helpful?
>
>     http://www.afp548.com/article.php?story=20050115043536163
>
>



Re: Using Blojsom 3.2 with Active Directory

by Timothy Stone

My research is proving fruitful... but this is new to me, so I'm bound  
to be making some mistakes. Moving this thread to the dev list to  
continue.

I think the answer is in the difference between NTLM and LDAP.

The LDAP plugin provides only a database to auth against and cannot  
provide a "password-less" admin. NTLM would provide you with the  
"password-less" admin facility you seek by looking at the requested  
blog to be admin'd.

There is potential for a serious security problem with NTLM auth (not  
present in a scenario like MediaWiki): Bob could admin Alice's blog  
(if Alice did not first configure explicit permissions for Bob).

Hoping to help,
Tim




On Jan 14, 2009, at 3:54 PM, Justin wrote:

> I did read that article from 4 years ago.  I don't think radeox is  
> necessary (it's not mentioned in Blojsom 3's LDAP documentation).  
> Also, the blog data is now managed in a database instead of blojsom-
> blog-home.  In fact, blojsom.properties doesn't even exist any more;  
> the provider needs assigned in classes/blojsom.xml.
>
> Between the AD user (already authenticated with Apache and named on  
> the login form), the blog owner, the DN w/ and w/o CN and UID,  
> bindinguser, and bindingpassword, there are many combinations of  
> things to try and I may have missed one.  I know firewalls and other  
> system level software aren't interfering because Subversion, Hudson,  
> Sventon and other services all authenticate with AD and run just  
> fine on the same system.  I'm about to give up.
>
>
> --- On Tue, 1/13/09, Timothy Stone <blojsom.user@...> wrote:
>
> From: Timothy Stone <blojsom.user@...>
> Date: Tuesday, January 13, 2009, 9:01 PM
>
> Anything in this article helpful?
>
>     http://www.afp548.com/article.php?story=20050115043536163
>
>



Re: Using Blojsom 3.2 with Active Directory

by Justin-116

The Hudson developer did follow up with another blog that I just read:

http://weblogs.java.net/blog/kohsuke/archive/2008/06/more_active_dir.html

Perhaps this information can help in authenticating AD users in Blojsom without hardcoding usernames and passwords in configuration files and without presenting a form page if the user is already authenticated with the server.


--- On Fri, 1/16/09, Timothy Stone <blojsom.user@...> wrote:

> From: Timothy Stone <blojsom.user@...>
> Date: Friday, January 16, 2009, 8:43 PM
>
> I think the answer is in the difference between NTLM and
> LDAP.
>
> The LDAP plugin provides only a database to auth against
> and cannot  
> provide a "password-less" admin. NTLM would
> provide you with the  
> "password-less" admin facility you seek by
> looking at the requested  
> blog to be admin'd.





Re: Using Blojsom 3.2 with Active Directory

by Ingo Jobling

Since you have a good handle on this, perhaps you could contribute the code
to authenticate AD users in Blojsom without hardcoding usernames and
passwords in configuration files and without presenting a form page if the
user is already authenticated with the server.

----- Original Message -----
From: "Justin" <crynax@...>
To: <blojsom-users@...>
Sent: Tuesday, January 27, 2009 11:30 AM
Subject: Re: [Blojsom-users] Using Blojsom 3.2 with Active Directory


> The Hudson developer did follow up with another blog that I just read:
>
> http://weblogs.java.net/blog/kohsuke/archive/2008/06/more_active_dir.html
>
> Perhaps this information can help in authenticating AD users in Blojsom
> without hardcoding usernames and passwords in configuration files and
> without presenting a form page if the user is already authenticated with
> the server.
>
>
> --- On Fri, 1/16/09, Timothy Stone <blojsom.user@...> wrote:
>
>> From: Timothy Stone <blojsom.user@...>
>> Date: Friday, January 16, 2009, 8:43 PM
>>
>> I think the answer is in the difference between NTLM and
>> LDAP.
>>
>> The LDAP plugin provides only a database to auth against
>> and cannot
>> provide a "password-less" admin. NTLM would
>> provide you with the
>> "password-less" admin facility you seek by
>> looking at the requested
>> blog to be admin'd.



Re: Using Blojsom 3.2 with Active Directory

by Justin-116

LOL.  I'm certainly not claiming to have a good handle on this as I have never used Blojsom, looked at its source code, or managed Active Directory.  I'm simply a prospective user who was potentially misled by the features listed on Pebble's home page.  I thought I would forward my findings in case they are helpful to developers or other users.

Single-sign on (SSO) and Active Directory was discussed by developers back in 2004:

http://www.simongbrown.com/blog/2004/11/04/1099588633312.html

But I have yet to find documentation or read confirmation that the features exist and work in Blojsom 3.2.

I did try to get my feet wet in the code only to realize that Acegi Security has been replaced by Spring Security.  I believe the learning curve for everything here requires more time than I have available.


--- On Wed, 1/28/09, Ingo Jobling <ingo.jobling@...> wrote:

> From: Ingo Jobling <ingo.jobling@...>
> Date: Wednesday, January 28, 2009, 12:08 AM
> Since you have a good handle on this, perhaps you could
> contribute the code to authenticate AD users in Blojsom





Re: Using Blojsom 3.2 with Active Directory

by Justin-116

My apologies... now I'm confusing Blojsom with Pebble as I'm trying to make one of them work.  Blojsom's home page only specifies LDAP, not necessarily Active Directory.  Searching via Google turns up some references that Active Directory has worked, but I haven't learned how.


--- On Wed, 1/28/09, Justin <crynax@...> wrote:

> From: Justin <crynax@...>
> Date: Wednesday, January 28, 2009, 5:47 PM

> listed on Pebble's home page.



