Created
February 3, 2020 10:05
-
-
Save fvanderbiest/e3afb00cd47a406cddaa2991d7171d01 to your computer and use it in GitHub Desktop.
geOrchestra datadir diff between 19.04 & 20.1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/console/console.properties b/console/console.properties | |
| index 77ecc84..f69c362 100644 | |
| --- a/console/console.properties | |
| +++ b/console/console.properties | |
| @@ -42,6 +42,25 @@ | |
| # default: see default.properties - uncomment to override | |
| #ldapPort= | |
| +# LDAP connection pool | |
| +# Whether objects will be validated before being borrowed from the pool. If the object fails to validate, it will be dropped from the pool, and an attempt to borrow another will be made. | |
| +#ldap.pool.testOnBorrow=true | |
| + | |
| +# maximum number of active connections of each type (read-only|read-write) that can be allocated from this pool at the same time, or -1 for no limit. | |
| +#ldap.pool.maxActive=8 | |
| + | |
| +# minimum number of active connections of each type (read-only|read-write) that can remain idle in the pool, without extra ones being created, or zero to create none. | |
| +#ldap.pool.minIdle=1 | |
| + | |
| +# maximum number of active connections of each type (read-only|read-write) that can remain idle in the pool, without extra ones being released, or -1 for no limit. | |
| +#ldap.pool.maxIdle=8 | |
| + | |
| +# overall maximum number of active connections (for all types) that can be allocated from this pool at the same time, or non-positive for no limit. | |
| +#ldap.pool.maxTotal=-1 | |
| + | |
| +# maximum number of milliseconds that the pool will wait (when there are no available connections) for a connection to be returned before throwing an exception, or -1 to wait indefinitely. | |
| +#ldap.pool.maxWait=-1 | |
| + | |
| # Base DN of the LDAP directory | |
| # default: see default.properties - uncomment to override | |
| #ldapBaseDn= | |
| @@ -100,6 +119,16 @@ | |
| # default: false | |
| #readonlyUid=false | |
| +# Show an "I agree to privacy policy" checkbox at account creation | |
| +# default: false | |
| +#privacy.policy.agreement.activated=false | |
| + | |
| +# URL of the privacy policy (it can correspond to a PDF, a webpage...) | |
| +# example: ${scheme}://${domainName}/policy.html | |
| +# MUST be set to a valid URL if privacy.policy.agreement.activated is set to | |
| +# true (see above) | |
| +privacy.policy.agreement.url=${scheme}://${domainName}/policy.html | |
| + | |
| # Delay in days before the "I lost my password" token expires | |
| # default: 1 | |
| #delayInDays=1 | |
| @@ -245,7 +274,7 @@ | |
| # Email proxy configuration | |
| # Basically, this webapp can send emails on behalf of LDAP users. | |
| # The service endpoint is available at /console/emailProxy | |
| -# Usage is restricted to users having the MOD_EMAILPROXY role by default, | |
| +# Usage is restricted to users having the EMAILPROXY role by default, | |
| # cf https://github.com/georchestra/datadir/blob/master/security-proxy/security-mappings.xml | |
| # see https://github.com/georchestra/georchestra/pull/1572 for more information. | |
| # The following restrictions have been implemented to prevent spammers. | |
| diff --git a/console/protectedroles.properties b/console/protectedroles.properties | |
| index 091f4ed..4606a94 100644 | |
| --- a/console/protectedroles.properties | |
| +++ b/console/protectedroles.properties | |
| @@ -1,2 +1,2 @@ | |
| # protected roles list separated by comma. Case sensitive. Reg ex is allowed | |
| -protectedRolesList=SUPERUSER,ADMINISTRATOR,ORGADMIN,USER,EXTRACTORAPP,GN_.* | |
| +protectedRolesList=ADMINISTRATOR,EXTRACTORAPP,GN_.*,ORGADMIN,REFERENT,USER,SUPERUSER | |
| diff --git a/console/templates/README.md b/console/templates/README.md | |
| index 17ce16e..e8ec5c8 100644 | |
| --- a/console/templates/README.md | |
| +++ b/console/templates/README.md | |
| @@ -7,15 +7,15 @@ This is set with the `moderatedSignup` variable from the [console.properties](/c | |
| When account creation is moderated: | |
| * [newaccount-requires-moderation-template.txt](newaccount-requires-moderation-template.txt) is sent to members of the SUPERUSER role and also to users holding a delegation (if any) for the organisation that was declared by the new user. | |
| - * [account-creation-in-progress-template.txt](account-creation-in-progress-template.txt) is sent to the requesting user (this is an ACK mail). | |
| - | |
| -It's the responsibility of the platform admin to inform the user that his account was granted roles. | |
| -This is usually done by replying to the `newaccount-requires-moderation-template` email. | |
| + * [account-creation-in-progress-template.txt](account-creation-in-progress-template.txt) is sent to the requesting user (this is an ACK mail, the account is pending moderation). | |
| + * [newaccount-was-created-template.txt](newaccount-was-created-template.txt) is sent to the requesting user upon account validation, his account is now active. | |
| When account creation is not moderated: | |
| * [newaccount-notification-template.txt](newaccount-notification-template.txt) is sent to members of the SUPERUSER role and also to users holding a delegation (if any) for the organisation that was declared by the new user. | |
| * [newaccount-was-created-template.txt](newaccount-was-created-template.txt) is sent to the requesting user (this is a welcoming email). | |
| +In both cases, it's the responsibility of the platform admin to inform the user that his account was granted roles. | |
| + | |
| [account-uid-renamed.txt](account-uid-renamed.txt) is sent to the user whose login have been modified by a platform admin. | |
| [changepassword-email-template.txt](changepassword-email-template.txt) is sent when the user requests a new password with the "I lost my password" link from the CAS login page. | |
| diff --git a/console/templates/newaccount-notification-template.txt b/console/templates/newaccount-notification-template.txt | |
| index ebc666d..e4e6eb5 100644 | |
| --- a/console/templates/newaccount-notification-template.txt | |
| +++ b/console/templates/newaccount-notification-template.txt | |
| @@ -5,6 +5,7 @@ A new user signed up on {publicUrl}/ ! | |
| User name: {name} | |
| User email: {email} | |
| User ID: {uid} | |
| +User Organization: {org} | |
| --- | |
| Sent by {instanceName} ({publicUrl}/) | |
| diff --git a/console/templates/newaccount-requires-moderation-template.txt b/console/templates/newaccount-requires-moderation-template.txt | |
| index 84b73c1..fbbc5c9 100644 | |
| --- a/console/templates/newaccount-requires-moderation-template.txt | |
| +++ b/console/templates/newaccount-requires-moderation-template.txt | |
| @@ -4,8 +4,9 @@ A new account has been created on {publicUrl}/ and is waiting for validation. | |
| User name: {name} | |
| User ID: {uid} | |
| +User Organization: {org} | |
| -Visit {publicUrl}/console/manager/#!/browse/pending/users to review the pending users. | |
| +Visit {publicUrl}/console/manager/browse/pending/users?login to review the pending users. | |
| --- | |
| Sent by {instanceName} ({publicUrl}/) | |
| diff --git a/geonetwork/config/config-datadir-georchestra.xml b/geonetwork/config/config-datadir-georchestra.xml | |
| index 4a515cc..055ef6d 100644 | |
| --- a/geonetwork/config/config-datadir-georchestra.xml | |
| +++ b/geonetwork/config/config-datadir-georchestra.xml | |
| @@ -11,7 +11,6 @@ | |
| <bean id="GeonetworkDataDirectory" class="org.fao.geonet.kernel.GeonetworkDataDirectory" lazy-init="true"> | |
| <property name="systemDataDir" ref="GNSystemDataDir"/> | |
| <property name="schemaPluginsDir" ref="GNSchemaPluginsDir"/> | |
| - <property name="spatialIndexPath" ref="GNSpatialIndexPath"/> | |
| <property name="configDir" ref="GNConfigDir"/> | |
| <property name="luceneDir" ref="GNLuceneDir"/> | |
| <property name="thesauriDir" ref="GNThesauriDir"/> | |
| @@ -30,10 +29,6 @@ | |
| <constructor-arg index="0" value="${geonetwork.schema.dir}"/> | |
| <constructor-arg index="1"><array /></constructor-arg> | |
| </bean> | |
| - <bean id="GNSpatialIndexPath" class="java.nio.file.Paths" factory-method="get"> | |
| - <constructor-arg index="0" value="${geonetwork.spatial.dir}"/> | |
| - <constructor-arg index="1"><array /></constructor-arg> | |
| - </bean> | |
| <bean id="GNConfigDir" class="java.nio.file.Paths" factory-method="get"> | |
| <constructor-arg index="0" value="${geonetwork.config.dir}"/> | |
| <constructor-arg index="1"><array /></constructor-arg> | |
| diff --git a/geonetwork/config/config-db-georchestra.xml b/geonetwork/config/config-db-georchestra.xml | |
| index 0627ace..72fbe30 100644 | |
| --- a/geonetwork/config/config-db-georchestra.xml | |
| +++ b/geonetwork/config/config-db-georchestra.xml | |
| @@ -36,6 +36,7 @@ | |
| <property name="removeAbandonedTimeout" value="${jdbc.basic.removeAbandonedTimeout}" /> | |
| <property name="logAbandoned" value="${jdbc.basic.logAbandoned}" /> | |
| <property name="maxActive" value="${jdbc.basic.maxActive}" /> | |
| + <property name="minIdle" value="${jdbc.basic.minIdle}" /> | |
| <property name="maxIdle" value="${jdbc.basic.maxIdle}" /> | |
| <property name="maxWait" value="${jdbc.basic.maxWait}" /> | |
| <property name="testOnBorrow" value="${jdbc.basic.testOnBorrow}" /> | |
| @@ -94,4 +95,3 @@ | |
| </bean> | |
| </beans> | |
| - | |
| diff --git a/geonetwork/config/config-security-georchestra.xml b/geonetwork/config/config-security-georchestra.xml | |
| index 9daf092..b3162e9 100644 | |
| --- a/geonetwork/config/config-security-georchestra.xml | |
| +++ b/geonetwork/config/config-security-georchestra.xml | |
| @@ -32,17 +32,17 @@ | |
| </bean> | |
| <bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> | |
| - <constructor-arg index="0" value="${ldap.base.search.base}"/> | |
| - <constructor-arg index="1" value="${ldap.base.dn.pattern}"/> | |
| + <constructor-arg index="0" value="${ldap.users.search.base}"/> | |
| + <constructor-arg index="1" value="uid={0}"/> | |
| <constructor-arg index="2" ref="contextSource" /> | |
| </bean> | |
| <!-- config-security-ldap.xml customized for geOrchestra --> | |
| - | |
| <ctx:property-override location="WEB-INF/config-security/config-security-overrides.properties" order="2"/> | |
| <ctx:property-override location="file:${georchestra.datadir}/geonetwork/geonetwork-security-overrides.properties" order="1" ignore-resource-not-found="true" /> | |
| <!-- using the one from the geOrchestra datadir first (if available) --> | |
| <ctx:property-placeholder location="file:${georchestra.datadir}/geonetwork/geonetwork.properties" ignore-resource-not-found="true" ignore-unresolvable="true" order="1"/> | |
| + | |
| <!-- Add ldap authentication to authentication manager --> | |
| <bean id="ldapAuthenticationProviderPostProcessor" class="jeeves.config.springutil.AddAuthenticationProviderPostProcessor"> | |
| <constructor-arg ref="ldapAuthProvider"/> | |
| @@ -50,26 +50,28 @@ | |
| <bean id="ldapUtils" class="org.fao.geonet.kernel.security.ldap.LDAPUtils"/> | |
| - <!-- LDAP configuration--> | |
| + <!-- LDAP configuration --> | |
| <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> | |
| - <constructor-arg value="${ldap.base.provider.url}/${ldap.base.dn}"/> | |
| + <constructor-arg value="${ldap.url}/${ldap.base.dn}"/> | |
| <!-- For non anonymous binding --> | |
| <property name="userDn" value="${ldap.security.principal}"/> | |
| <property name="password" value="${ldap.security.credentials}"/> | |
| </bean> | |
| + | |
| <bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> | |
| <constructor-arg> | |
| <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> | |
| <constructor-arg ref="contextSource"/> | |
| <property name="userDnPatterns"> | |
| <list> | |
| - <value>${ldap.base.dn.pattern}</value> | |
| + <value>uid={0}</value> | |
| </list> | |
| </property> | |
| </bean> | |
| </constructor-arg> | |
| <property name="userDetailsContextMapper" ref="ldapUserContextMapper"/> | |
| </bean> | |
| + | |
| <!-- Get all user information from the LDAP user's attributes excluding profiles and groups | |
| which are searched in another LDAP location. For profiles and groups, define the search | |
| location and the extraction pattern. --> | |
| @@ -85,41 +87,48 @@ | |
| <entry key="USER" value="RegisteredUser" /> | |
| </map> | |
| </property> | |
| - <property name="importPrivilegesFromLdap" value="${ldap.privilege.import}"/> | |
| - <property name="createNonExistingLdapGroup" value="${ldap.privilege.create.nonexisting.roles}"/> | |
| - <property name="createNonExistingLdapUser" value="${ldap.privilege.create.nonexisting.users}"/> | |
| + <property name="importPrivilegesFromLdap" value="true"/> | |
| + <property name="createNonExistingLdapGroup" value="true"/> | |
| + <property name="createNonExistingLdapUser" value="true"/> | |
| <property name="ldapManager" ref="ldapUserDetailsService"/> | |
| - <property name="groupAttribute" value="${ldap.privilege.search.role.attribute}"/> | |
| - <property name="groupObject" value="${ldap.privilege.search.role.object}"/> | |
| - <property name="groupQuery" value="${ldap.privilege.search.role.query}"/> | |
| - <property name="groupQueryPattern" value="${ldap.privilege.search.privilege.pattern}"/> | |
| - <property name="privilegeAttribute" value="${ldap.privilege.search.privilege.attribute}"/> | |
| - <property name="privilegeObject" value="${ldap.privilege.search.privilege.object}"/> | |
| - <property name="privilegeQuery" value="${ldap.privilege.search.privilege.query}"/> | |
| - <property name="privilegeQueryPattern" value="${ldap.privilege.search.privilege.pattern}"/> | |
| + | |
| + <property name="groupAttribute" value="cn"/> | |
| + <property name="groupObject" value="${ldap.groups.search.base}"/> | |
| + <property name="groupQuery" value="(&(objectClass=groupOfMembers)(member=uid={0},${ldap.users.search.base},${ldap.base.dn}))"/> | |
| + <property name="groupQueryPattern" value="(.*)"/> | |
| + | |
| + <property name="privilegeAttribute" value="cn"/> | |
| + <property name="privilegeObject" value="${ldap.roles.search.base}"/> | |
| + <property name="privilegeQuery" value="(&(objectClass=groupOfMembers)(member=uid={0},${ldap.users.search.base},${ldap.base.dn}))"/> | |
| + <property name="privilegeQueryPattern" value="GN_(.*)"/> | |
| + | |
| <property name="contextSource" ref="contextSource"/> | |
| </bean> | |
| + | |
| <bean name="ldapSynchronizer" class="org.springframework.scheduling.quartz.JobDetailFactoryBean"> | |
| <property name="jobClass" value="org.fao.geonet.kernel.security.ldap.LDAPSynchronizerJob"/> | |
| <property name="jobDataAsMap"> | |
| <map> | |
| <entry key="contextSource" value-ref="contextSource"/> | |
| - <entry key="ldapUserSearchBase" value="${ldap.sync.user.search.base}"/> | |
| - <entry key="ldapUserSearchFilter" value="${ldap.sync.user.search.filter}"/> | |
| - <entry key="ldapUserSearchAttribute" value="${ldap.sync.user.search.attribute}"/> | |
| - <entry key="createNonExistingLdapGroup" value="${ldap.privilege.create.nonexisting.roles}"/> | |
| - <entry key="ldapGroupSearchBase" value="${ldap.sync.role.search.base}"/> | |
| - <entry key="ldapGroupSearchFilter" value="${ldap.sync.role.search.filter}"/> | |
| - <entry key="ldapGroupSearchAttribute" value="${ldap.sync.role.search.attribute}"/> | |
| - <entry key="ldapGroupSearchPattern" value="${ldap.sync.role.search.pattern}"/> | |
| + <entry key="ldapUserSearchBase" value="${ldap.users.search.base}"/> | |
| + <entry key="ldapUserSearchFilter" value="(&(objectClass=*)(mail=*@*)(givenName=*))"/> | |
| + <entry key="ldapUserSearchAttribute" value="uid"/> | |
| + <entry key="createNonExistingLdapGroup" value="true"/> | |
| + <entry key="ldapGroupSearchBase" value="${ldap.groups.search.base}"/> | |
| + <entry key="ldapGroupSearchFilter" value="(objectClass=groupOfMembers)"/> | |
| + <entry key="ldapGroupSearchAttribute" value="cn"/> | |
| + <entry key="ldapGroupSearchPattern" value="(.*)"/> | |
| + <entry key="ldapGroupLabelAttribute" value="o"/> | |
| </map> | |
| </property> | |
| </bean> | |
| + | |
| <bean id="cronTrigger" class="org.springframework.scheduling.quartz.CronTriggerFactoryBean"> | |
| <property name="jobDetail" ref="ldapSynchronizer"/> | |
| <property name="cronExpression" value="${ldap.sync.cron}"/> | |
| - <property name="startDelay" value="${ldap.sync.startDelay}"/> | |
| + <property name="startDelay" value="60000"/> | |
| </bean> | |
| + | |
| <bean class="org.springframework.scheduling.quartz.SchedulerFactoryBean"> | |
| <property name="jobFactory"> | |
| <bean class="org.fao.geonet.util.spring.AutowiringSpringBeanJobFactory"/> | |
| @@ -130,17 +139,19 @@ | |
| </list> | |
| </property> | |
| </bean> | |
| + | |
| <bean id="ldapUserDetailsService" class="org.fao.geonet.kernel.security.ldap.LdapUserDetailsManager"> | |
| <constructor-arg ref="contextSource"/> | |
| - <constructor-arg name="groupMemberAttributeName" value="${ldap.privilege.search.role.queryprop}"/> | |
| - <constructor-arg name="query" value="${ldap.privilege.search.role.query}"/> | |
| - <property name="groupSearchBase" value="${ldap.privilege.search.role.object}"/> | |
| + <constructor-arg name="groupMemberAttributeName" value="member"/> | |
| + <constructor-arg name="query" value="(&(objectClass=groupOfMembers)(member=uid={0},${ldap.users.search.base},${ldap.base.dn}))"/> | |
| + <property name="groupSearchBase" value="${ldap.groups.search.base}"/> | |
| <property name="usernameMapper" ref="usernameMapper"/> | |
| <property name="userDetailsMapper" ref="ldapUserContextMapper"/> | |
| </bean> | |
| + | |
| <bean id="usernameMapper" class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper"> | |
| - <constructor-arg index="0" type="java.lang.String" name="userDnBase" value="${ldap.base.search.base}"/> | |
| - <constructor-arg index="1" type="java.lang.String" name="usernameAttribute" value="${ldap.sync.user.search.attribute}"/> | |
| + <constructor-arg index="0" type="java.lang.String" name="userDnBase" value="${ldap.users.search.base}"/> | |
| + <constructor-arg index="1" type="java.lang.String" name="usernameAttribute" value="uid"/> | |
| </bean> | |
| <!-- redirect to cas when need to be logged in --> | |
| diff --git a/geonetwork/geonetwork-security-overrides.properties b/geonetwork/geonetwork-security-overrides.properties | |
| index f32e27a..f273677 100644 | |
| --- a/geonetwork/geonetwork-security-overrides.properties | |
| +++ b/geonetwork/geonetwork-security-overrides.properties | |
| @@ -2,6 +2,7 @@ | |
| ldapUserContextMapper.mapping[name]=givenName, | |
| ldapUserContextMapper.mapping[surname]=sn, | |
| ldapUserContextMapper.mapping[mail]=mail,data@myorganization.org | |
| +# FIXME: https://github.com/georchestra/georchestra/issues/2714 | |
| ldapUserContextMapper.mapping[organisation]=o,myorganization | |
| ldapUserContextMapper.mapping[kind]=title, | |
| ldapUserContextMapper.mapping[address]=, | |
| @@ -12,5 +13,3 @@ ldapUserContextMapper.mapping[country]=, | |
| ldapUserContextMapper.mapping[privilege]=, | |
| ldapUserContextMapper.mapping[phone]=telephoneNumber, | |
| ldapUserContextMapper.mapping[profile]=,RegisteredUser | |
| - | |
| - | |
| diff --git a/geonetwork/geonetwork.properties b/geonetwork/geonetwork.properties | |
| index c248d50..ce4ebce 100644 | |
| --- a/geonetwork/geonetwork.properties | |
| +++ b/geonetwork/geonetwork.properties | |
| @@ -1,5 +1,11 @@ | |
| -# geonetwork datadir subdirs | |
| +# GeoNetwork datadir location: | |
| geonetwork.dir=/tmp/gn_data | |
| +# Note that it can/should be overriden at runtime with -Dgeonetwork.dir=/path/to/... | |
| + | |
| +# GeoNetwork datadir subdirectories are embedded by default, | |
| +# but they can be eventually relocated elsewhere, eg to use geonetwork-provided | |
| +# schemas: | |
| +# geonetwork.schema.dir=/var/lib/jetty/webapps/geonetwork/WEB-INF/data/config/schema_plugins/ | |
| geonetwork.config.dir=${geonetwork.dir}/config/ | |
| geonetwork.schema.dir=${geonetwork.config.dir}/schema_plugins/ | |
| geonetwork.lucene.dir=${geonetwork.dir}/index/ | |
| @@ -20,37 +26,46 @@ jdbc.schema=geonetwork | |
| jdbc.username=geonetwork | |
| jdbc.password=georchestra | |
| -jdbc.basic.maxActive=33 | |
| +# The maximum number of active connections that can be allocated from this pool | |
| +# at the same time, or negative for no limit | |
| +jdbc.basic.maxActive=50 | |
| +# The minimum number of active connections that can remain idle in the pool, | |
| +# without extra ones being created, or 0 to create none | |
| +jdbc.basic.minIdle=1 | |
| +# The maximum number of connections that can remain idle in the pool, without | |
| +# extra ones being released, or negative for no limit | |
| +jdbc.basic.maxIdle=10 | |
| +# The maximum number of open statements that can be allocated from the statement | |
| +# pool at the same time, or non-positive for no limit | |
| +jdbc.basic.maxOpenPreparedStatements=100 | |
| +# The maximum number of milliseconds that the pool will wait (when there are no | |
| +# available connections) for a connection to be returned before throwing an | |
| +# exception, or <= 0 to wait indefinitely | |
| jdbc.basic.maxWait=200 | |
| -jdbc.basic.maxOpenPreparedStatements=1200 | |
| +# The indication of whether objects will be validated before being borrowed from | |
| +# the pool: | |
| +jdbc.basic.testOnBorrow=true | |
| +# The SQL query that will be used to validate connections from this pool before | |
| +# returning them to the caller | |
| +jdbc.basic.validationQuery=SELECT 1 | |
| -# ldap configuration (config-security/config-security-ldap.xml) | |
| -ldap.base.provider.url=ldap://localhost:389 | |
| +# LDAP configuration | |
| +ldap.url=ldap://localhost:389 | |
| ldap.base.dn=dc=georchestra,dc=org | |
| ldap.security.principal=cn=admin,dc=georchestra,dc=org | |
| ldap.security.credentials=secret | |
| -ldap.base.dn.pattern=uid={0} | |
| -ldap.sync.user.search.base=ou=users | |
| -ldap.sync.user.search.filter=(&(objectClass=*)(mail=*@*)(givenName=*)) | |
| -ldap.sync.user.search.attribute=uid | |
| -ldap.privilege.create.nonexisting.roles=true | |
| -ldap.privilege.create.nonexisting.users=true | |
| -ldap.sync.role.search.base=ou=roles | |
| -ldap.sync.role.search.filter=(&(objectClass=groupOfMembers)(cn=EL_*)) | |
| -ldap.sync.role.search.attribute=cn | |
| -ldap.sync.role.search.pattern=EL_(.*) | |
| +# Users are found in the following OU: | |
| +ldap.users.search.base=ou=users | |
| +# geOrchestra synchronises LDAP orgs as GN groups: | |
| +ldap.groups.search.base=ou=orgs | |
| +# geOrchestra roles are found in the following OU: | |
| +ldap.roles.search.base=ou=roles | |
| +# LDAP synchronization job runs every minute: | |
| ldap.sync.cron=0 * * * * ? | |
| -ldap.sync.startDelay=60000 | |
| -ldap.privilege.import=true | |
| -ldap.privilege.search.role.queryprop=member | |
| -ldap.privilege.search.role.query=(&(objectClass=groupOfMembers)(member=uid={0},${ldap.base.search.base},${ldap.base.dn})(cn=EL_*)) | |
| -ldap.privilege.search.role.object=ou=roles | |
| -ldap.base.search.base=ou=users | |
| -ldap.privilege.search.privilege.pattern=GN_(.*) | |
| -ldap.privilege.search.privilege.query=(&(objectClass=groupOfMembers)(member=uid={0},${ldap.base.search.base},${ldap.base.dn})) | |
| -ldap.privilege.search.privilege.object=ou=roles | |
| -ldap.privilege.search.privilege.attribute=cn | |
| -ldap.privilege.search.role.attribute=cn | |
| +# Schematron validation job, which scans non-harvested metadatas regularly, | |
| +# then updates the validation table in the database, runs every 2 hours: | |
| +schematron.job.activated=true | |
| +schematron.job.cronExpression=0 0 0/2 * * ? | |
| diff --git a/mapfishapp/js/GEOR_custom.js b/mapfishapp/js/GEOR_custom.js | |
| index df9e92e..b31b342 100644 | |
| --- a/mapfishapp/js/GEOR_custom.js | |
| +++ b/mapfishapp/js/GEOR_custom.js | |
| @@ -128,6 +128,13 @@ GEOR.custom = { | |
| */ | |
| //NO_THUMBNAIL_IMAGE_URL: 'app/img/nopreview.png', | |
| + /** | |
| + * Constant: ALLOW_LAYER_DOWNLOAD | |
| + * Boolean - If set to false, deactivate layer download via WFS. | |
| + * Defaults to true | |
| + */ | |
| + //ALLOW_LAYER_DOWNLOAD: true, | |
| + | |
| /** | |
| * Constant: THESAURUS_SEARCH | |
| * Whether to display the thesaurus tab or not in the layer finder. | |
| diff --git a/security-proxy/security-mappings.xml b/security-proxy/security-mappings.xml | |
| index 0410cec..0c1d56c 100644 | |
| --- a/security-proxy/security-mappings.xml | |
| +++ b/security-proxy/security-mappings.xml | |
| @@ -11,12 +11,20 @@ | |
| <intercept-url pattern="/console/public/.*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> | |
| <intercept-url pattern="/console/manager/public/.*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> | |
| <intercept-url pattern="/console/manager/.*" access="ROLE_SUPERUSER,ROLE_ORGADMIN" /> | |
| - <intercept-url pattern="/console/account/userdetails" access="IS_AUTHENTICATED_FULLY" /> | |
| - <intercept-url pattern="/console/account/changePassword" access="IS_AUTHENTICATED_FULLY" /> | |
| + <!-- /console/account ressources are private except account/new and account/passwordRecovery --> | |
| + <intercept-url pattern="/console/account/new" access="IS_AUTHENTICATED_ANONYMOUSLY" /> | |
| + <intercept-url pattern="/console/account/newPassword.*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> | |
| + <intercept-url pattern="/console/account/passwordRecovery" access="IS_AUTHENTICATED_ANONYMOUSLY" /> | |
| + <intercept-url pattern="/console/account/js/.*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> | |
| + <intercept-url pattern="/console/account/css/.*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> | |
| + <intercept-url pattern="/console/account/fonts/.*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> | |
| + <intercept-url pattern="/console/account/.*" access="IS_AUTHENTICATED_FULLY" /> | |
| + <!-- /console/sendEmail features are reserved to SUPERUSER & delegated admins --> | |
| <intercept-url pattern="/console/.*/emails" access="ROLE_SUPERUSER,ROLE_ORGADMIN" /> | |
| <intercept-url pattern="/console/.*/sendEmail" access="ROLE_SUPERUSER,ROLE_ORGADMIN" /> | |
| <intercept-url pattern="/console/attachments" access="ROLE_SUPERUSER,ROLE_ORGADMIN" /> | |
| <intercept-url pattern="/console/emailTemplates" access="ROLE_SUPERUSER,ROLE_ORGADMIN" /> | |
| + <!-- /console/emailProxy is activated for members having the EMAILPROXY role --> | |
| <intercept-url pattern="/console/emailProxy" access="ROLE_EMAILPROXY" /> | |
| <intercept-url pattern="/testPage" access="IS_AUTHENTICATED_FULLY" /> | |
| <intercept-url pattern=".*/ogcproxy/.*" access="ROLE_NO_ONE" /> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment