portals-jetspeed-dev mailing list archives

From "Sami Leino" <sami.le...@netorek.fi>
Subject Re: Implementing Jetspeed using LDAP
Date Thu, 25 Sep 2003 11:03:45 GMT
> 1.  Can I merge the jetspeed LDAP tree with the existing trees so the
> authentication and authorization can be under the same branch.   I
> notice  the default implementation is cn/ldapadmin%ou/jetspeed%o/apache.

It depends on the structure of your existing tree. Currently, the base dn
for LDAP entries (ou=jetspeed, o=apache) can be configured, but the
entry-type specific portion (ou=users, ou=groups, ou=roles,
ou=permissions) cannot. In other words, if your users are stored in the
branch "ou=users, xx=yyyy,xx=yyyy,xx=yyyy...." where xx=yyyy can be
anything, you should get it working.

I think Ender Kilicoglu has been working on a new version of the LDAP
implementation, which is more flexible than the current one.

> 2.  If I can not merge, then, can I use one tree to authenticate
>     and  another branch of tree to store authorization information?

Well, I'm not sure what you mean by "authorization information" here, but
the user's role is attached to the user entry. The role, on the other
hand, determines which portlets you can have access to. The profiles which
contain the portlet configuration for different users cannot currently be
stored in LDAP, but users, permissions, roles and groups can. See the
answer to question 4 for a description of how authentication is performed.

> What do I need  to do?  What will the related registries look like?

Take a look at the "jetspeed.ldif" file, which contains the default
Jetspeed users. You'll notice that there are many "standard" attributes like
"givenName" and "sn", so the entry should be quite compatible with other
kinds of user entries.

> 3.  If I can't merge, when is the best time to populate the
> authorization  portion of the LDAP?  Should I simulate add new user or
> should I do it  when user first logon?  What do I configure the registry
> for this?

As I understand it, there's no "authorization portion" in LDAP, since
there is only the "usergrouprole" attribute in the user entry that concerns
authorization, as well as the "ou=roles" organizational unit, which contains
the available roles.

> 4. Is the services.ldap.managerdn registry entry used to
> provide suffix to  authentication or authorization or both?

The JNDI bind is always performed using the manager dn account. When a user
is authenticated, Jetspeed binds to the LDAP tree using the manager account
and retrieves the user entry. After that, the user is authenticated
programmatically (take a look at the LDAPAuthentication class).

The account is not used as a suffix, but the entry "services.ldap.basedn"
is. All the entry types (groups, users, roles and permissions) currently
have to be under this base dn.

I think that a better authentication alternative would be to bind the
actual user to the tree, not the manager. It would make it possible, for
example, for users to have differently encrypted passwords in the
LDAP tree while authentication could still be performed correctly. Now, you
are limited to using one encryption algorithm, and this algorithm is
currently hard-wired to UNIX crypt.

I'm sure I couldn't explain everything clearly enough, but feel free to
drop me an email if you want to know more.

Sami Leino
Software Developer, Netorek Oy, Turku, Finland
Email: sami@netorek.fi
Phone: +358 44 0140499
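The bind-as-the-user alternative suggested in the reply to question 4, as an added example written for this page rather than code from Jetspeed's LDAPAuthentication class: the manager account is used only to locate the user's DN, and the password is then verified by a second simple bind as that DN, so the directory checks the stored hash and the portal no longer has to know the hashing scheme. The host, manager DN and password are placeholders, and the user entries are assumed to carry a `uid` attribute directly under the default ou=users branch.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class BindAsUserAuthenticator {
    // Placeholders, not values from the thread: host, manager DN and its password.
    static final String URL = "ldap://ldap.example.invalid:389";
    static final String USER_BASE = "ou=users,ou=jetspeed,o=apache"; // thread's default tree
    static final String MANAGER_DN = "cn=ldapadmin,ou=jetspeed,o=apache";
    static final String MANAGER_PW = "MANAGER_PASSWORD_PLACEHOLDER";
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env); // a wrong password raises AuthenticationException
    }
    // Escape RFC 4515 filter metacharacters so the login name cannot change the filter.
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }
    // Step 1: as the manager, find the DN of the single entry directly under USER_BASE whose uid matches.
    static String findUserDn(String uid) throws NamingException {
        DirContext ctx = bind(MANAGER_DN, MANAGER_PW);
        try {
            String filter = "(uid=" + escapeFilter(uid) + ")";
            NamingEnumeration<SearchResult> hits = ctx.search(USER_BASE, filter, new SearchControls());
            if (!hits.hasMore()) return null;
            String dn = hits.next().getNameInNamespace();
            return hits.hasMore() ? null : dn;   // more than one match: refuse
        } finally {
            ctx.close();
        }
    }
    // Step 2: bind as that DN; the directory checks the stored hash, whatever its scheme.
    public static boolean authenticate(String uid, String password) {
        // An empty password turns a simple bind into an anonymous one, so reject it up front.
        if (uid == null || password == null || password.isEmpty()) return false;
        try {
            String dn = findUserDn(uid);
            if (dn == null) return false;
            bind(dn, password).close();
            return true;
        } catch (NamingException e) {   // includes AuthenticationException
            return false;               // bad password or directory error: fail closed
        }
    }
}
```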
