Uploaded image for project: 'Jetspeed 2'
  1. Jetspeed 2
  2. JS2-491

Enhance J2 LDAP Security Documentation


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1-dev
    • Fix Version/s: 2.1-dev, 2.1
    • Component/s: Security
    • Labels:


      From Davy De Waele email to the list:

      Judging from the recent activity on the mailing list I noticed some
      interest in using LDAP & Jetspeed

      Some thoughts come to mind:

      1. The instructions located at
      .html are really only applicable for people who are building jetspeed
      from source.
      Due to the fact that the security-spi-ldap*.xml files shown there are
      coming from SVN (interface changes, additional objects in the
      configuration files that are not in the 2.0 binary release), users who
      have installed jetspeed2 via the installer attempting to follow these
      instructions will run into configuration issues.

      What would be the best way to address this?

      I think we should make a difference between users who are familiar with
      Maven, SVN, compiling/building/deploying, and users who just want to
      the thing up & running using the installer.

      Shouldn't we put this information into perspective by:

      a) Clearly indicating that this is only intended for people building
      from source
      b) Provide an additional manual on what needs to be done starting from
      binary release (2.0 version)

      The user would have to

      • copy the security-spi-ldap*.xml files (we provide
        downloadable spring XML files acting as examples)
      • remove their default security-spi-atn.xml
      • restart tomcat
      • preparing their LDAP server

      As far as LDAP support goes, we should provide instructions on how
      existing LDAP servers can be used with jetspeed. We can also provide
      downloadable schema files & LDIF sample data for all major vendors +

      I could provide such manuals for OpenLDAP,SunDS and ApacheDS.

      2. The major problem that users will be facing today is that encrypted
      passwords are not supported in the jetspeed2.0 release. Given that this
      functionality has been committed to the codebase, how do you feel
      towards providing a downloadable JAR file to users that would act as a
      replacement for their current jetspeed-security-2.0.jar - doesn't have
      to be anything official, could be included as a link in the

      The user would have to

      • replace his jetspeed-security-2.0.jar
      • restart tomcat

      The user would have support for encrypted passwords and group/role
      membership via LDAP.

      3. OpenLDAP schema file

      I had to add groupOfUniqueNames as a parent to the jetspeed-2-group and
      jetspeed-2-role objectClasses in order for the group/role assignment to
      work in OpenLDAP.
      ApacheDS doesn't really care when objects are created in the LDAP tree
      containing attributes that aren't defined in the LDAP schema. OpenLDAP
      does I've attached the new jetspeed.schema file.


        1. ldap_patch_with_jdk_fix.patch
          326 kB
          Davy De Waele
        2. jetspeed-ldap-final.patch
          217 kB
          Davy De Waele
        3. jetspeed LDAP.doc
          655 kB
          Davy De Waele
        4. jetspeed2-ldap-11102006.patch
          378 kB
          Davy De Waele

          Issue Links



              • Assignee:
                adouma Ate Douma
                dlestrat David Le Strat
              • Votes:
                2 Vote for this issue
                5 Start watching this issue


                • Created: