>-----Original Message----- >From: Peter Crowther [mailto:[EMAIL PROTECTED] >Sent: Friday, November 11, 2005 4:20 AM >To: Tomcat Users List >Subject: RE: SSO question > >> From: Klotz Jr, Dennis [mailto:[EMAIL PROTECTED] >> Is it possible using LDAP, whether it is using custom JAAS code or a >> third party product such as Vintela's VSJ >> (http://www.vintela.com/products/vsj/), to do the following: >> >> "... prevent, control or limit the simultaneous active usage >> of the same >> user id. The number of simultaneous active sessions shall be settable >> per user id." >> >> The show stopper for me is whether I can inform the LDAP >> server when the >> user has logged out. The default JNDIRealm does not, to my knowledge, >> provide that ability. JNDIRealm is just for authenticating and role >> retrieval.
>You *could* do something like this by storing a custom attribute in LDAP >and incrementing/decrementing that when a user logs in/out. I'm not >sure where it'd get you, though, given users' distressing habits of >closing browsers without logging out of an app and hence leaving the >session open for a period. That sounds like it's come straight out of a >requirements doc. I'd ask who wrote the requirements doc, what's the >business reason behind that requirement, and can it be accomplished >another way? > > - Peter In our case the client is a single applet where we "will" know when the user leaves the page or logs out. Hopefully we will be able to send a message to the server when the applet is being unloaded. You are correct about this coming from a requirements spec and unfortunately the people that wrote it do not know or care whether my code is controlling / preventing the multiple logins or an LDAP server. I'm simply trying to figure out if LDAP servers have that functionality built in. For example, can I specify login limitations for a specific user within an LDAP server such as Active Directory? One co-worker mentioned that Active Directory has no way of limiting logins per "group". For example, if I make a "tomcat" group and assign that to the users LDAP "memberof" attribute, AD has no way of limiting or knowing that a login from a tomcat server is tied to that Group ID and thus limiting the logins. That does make sense to me. What I hope isn't happening is that our marketing people are confusing who is actually doing the work. The main requirement is LDAP integration so that IT doesn't have to manage two different user databases. In addition to that they've been asked to provide this other functionality such as limiting logins etc.. Does that mean we provide tighter integration with LDAP so that the LDAP server can do that job? Or is that something completely out of the scope of a LDAP server and I need to code it on our tomcat server side? If that is the case, that I need to code the per user limit for logging into our tomcat server, am I not defeating the whole purpose of LDAP? Won't I have to maintain another user database on our side to limit per user logins? A person could keep attributes per user that are updated by a JAAS realm but is this how this functionality is typically implemented? That is why I questioned whether LDAP servers have that functionality built in. Any help is greatly appreciated. -Dennis --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
