portals-jetspeed-dev mailing list archives

From David Le Strat <dlest...@yahoo.com>
Subject Re: FW: Jetspeed LDAP connectivity
Date Thu, 05 Jan 2006 23:29:47 GMT

Thanks for your feedback; this is a pretty accurate
description of the state of the LDAP implementation.
Authentication was the primary focus of the last
release.  Though authorization is partially
implemented, it is not fully functional as you
rightfully point out.

From your comments, I see a few action points:

- We need to wrap up the RoleSecurityHandler
implementation as well as the user/role/group mapping
for LDAP.  Your suggestion to leverage uniqueMember,
or memberOf is definitely a possibility.
- We need to support Sun LDAP for authentication.

Regarding your general questions, around extended LDAP
support in J2, I think it is reasonable to say that we
would like to improve it based on the community needs
and feedback.  So your email helps out greatly there.

Also, we are always looking for good patches ;)


David Le Strat

> Hi,
> After having a look at the LDAP Configuration
> section on the apache
> website, I decided to connect my Sun Directory
> Server to my Jetspeed2
> installation.
> After fiddling around with the LDAP schema, Jetspeed
> source code &
> Spring configuration, I managed to get certain
> things up & running.
> My general question, besides the one below, is if
> there is some kind of
> roadmap or planning when it comes to extending the
> LDAP support in the
> Jetspeed security module?
> SecurityHandlers
> ----------------
> When I downloaded the jetspeed distribution, the
> authorization config
> (security-spi-atz.xml) didn't use any LDAP specific
> SecurityHandlers.
> (The codebase does contain handlers for credentials,
> groups and users,
> but apparently lacks support for roles).

> Is it correct that there is a dependency between the
> SecurityHandlers
> and the SecurityMapper ? I had the impression that
> during the creation
> of the groups, everything was stored correctly in
> LDAP, but when it came
> to assigning those groups to users, Jetspeed
> expected to find the groups
> in the database, and didn't bother to check the
> SecurityMappers
> ---------------
> So after replacing the default handlers with LDAP
> specific handlers, I
> tried using the LdapSecurityMapper instead of the
> DefaultSecurityMapper
> A few hiccups aside, everything seemed to be working
> pretty well. I was
> able to store users/groups in LDAP, and even managed
> to get the group
> assignment working through the LdapSecurityMapper.
> However, the fact that the role part was
> unimplemented rendered this
> solution unusable for now.
> Encrypted passwords in LDAP
> ---------------------------
> The Sun Directory Server stores encrypted passwords.
> Jetspeed doesn't
> have any means to decrypt them, so the only way to
> authenticate a user
> is to use the encrypted password string from LDAP,
> and use that to
> perform a login.
> What are the plans to handle this?
> Using uniqueMember or memberOf attributes
> -----------------------------------------
> Assigning users to groups/roles apparently depends
> on the
> j2-group/j2-role multi-value attributes that are
> stored on the user
> level. Are there any plans to support uniqueMember,
> or memberOf
> attributes? This would facilitate the integration of
> existing corporate
> LDAP trees with Jetspeed.
> To conclude this, I would just like to say that the
> first time I ever
> encountered Jetspeed was about 4 years ago when we
> evaluated it for a
> portal based solution. Unfortunately, the project at
> the time wasn't
> nearly as mature as it is now, and it also suffered
> tremendous
> performance issues. It's great to see how the
> project has evolved! Keep
> up the good work!
> Greetings,
> Davy

David Le Strat
Blogging @ http://dlsthoughts.blogspot.com
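The three membership models this thread compares (Jetspeed's j2-group/j2-role multi-valued attributes on the user entry, uniqueMember on groupOfUniqueNames group entries, and a server-maintained memberOf back-link on the user), worked through as an added Python example; this is not Jetspeed code and not from either message. The in-memory directory, DNs, names and the stale memberOf value are constructed for the example.

```python
# Constructed in-memory directory (DN -> multi-valued attributes), not Jetspeed code;
# j2-group / j2-role on the user follow the thread's convention, all names are made up.
DIRECTORY = {
    "uid=davy,ou=people,dc=example,dc=com": {
        "uid": ["davy"],
        "j2-group": ["portal-users", "developers"],  # Jetspeed model: on the user
        "j2-role": ["user"],
        # memberOf is a server-maintained back-link; here it lags behind the
        # group entries (lists only one of the two groups), a realistic failure mode.
        "memberOf": ["cn=portal-users,ou=groups,dc=example,dc=com"],
    },
    "cn=portal-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["portal-users"],
        # Mixed case and spacing: DN values must be normalized before comparing.
        "uniqueMember": ["UID=davy, OU=people, DC=example, DC=com"],
    },
    "cn=developers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["developers"],
        "uniqueMember": ["uid=davy,ou=people,dc=example,dc=com"],
    },
}

def normalize_dn(dn):
    """Crude DN normalization (case-fold, trim); real matching also handles escaping."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def rdn_value(dn, attr="cn"):
    """Value of the first RDN of the given type: cn=developers,... -> developers."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == attr:
            return value.strip()

def groups_from_user_attribute(user_dn, attr="j2-group"):
    """Jetspeed model: membership names stored as a multi-valued user attribute."""
    return set(DIRECTORY[user_dn].get(attr, []))

def groups_from_unique_member(user_dn):
    """groupOfUniqueNames model: search the group entries listing the user's DN."""
    target = normalize_dn(user_dn)
    return {entry["cn"][0] for entry in DIRECTORY.values()
            if "groupOfUniqueNames" in entry.get("objectClass", [])
            and target in map(normalize_dn, entry.get("uniqueMember", []))}

def groups_from_member_of(user_dn):
    """memberOf model: read the back-link attribute on the user entry itself."""
    return {rdn_value(dn) for dn in DIRECTORY[user_dn].get("memberOf", [])}

def membership_drift(user_dn):
    """Groups the group entries list but memberOf does not (stale back-link)."""
    return groups_from_unique_member(user_dn) - groups_from_member_of(user_dn)
```

A mapper that trusts memberOf alone would miss "developers" here, while the uniqueMember search (the authoritative group side) finds both groups; comparing the two is a cheap consistency check before granting access.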


To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
