Hi,

Thanks for the reply.

On Wed, Mar 9, 2011 at 5:22 PM, Dimuthu Leelarathne <[email protected]> wrote:

> Hi,
>
> On Wed, Mar 9, 2011 at 4:10 PM, Hasini Gunasinghe <[email protected]> wrote:
>
>> Hi,
>>
>> This is implemented in user core now and I would like to mention some of
>> the implementation level decisions made while doing the $subject, which are
>> different from JDBCUserStoreManager.
>> If you see any flaws or better alternatives, please let me know.
>>
>> 1. 'Everyone role' and 'registry anonymous role' are carbon server
>> specific. Hence they are not written to LDAP user store.
>> They are handled by hybrid role manager as it has been done with read only
>> LDAP user store.
>>
>>
> +1
>
>
>> 2. In LDAP groups, there's a requirement that at least one user should be
>> a member.
>>     Therefore;
>>         When creating a role, we need to include at least one user to that
>> role. Otherwise an error is set to be shown through management console.
>>         Also, when deleting a user, if that user has been the only member
>> of any of the existing roles, the user is not allowed to be removed. (As an
>> alternative, maybe we can remove the role also when its last user entry is
>> removed).
>>
>> I am wondering whether above would be confusing to user since it is
>> different from previous behavior.
>>
>
> I think if we give a proper error message to minimize confusion.
>

Yes, currently a message is shown saying there should be at least one
user in the role in the above two scenarios.

>
>
>>
>> Then I would like to clarify following things too regarding this:
>>
>> i. There are some user-level functionalities which include several LDAP
>> operations. And currently these are not atomic. Do we need to make them
>> atomic?
>>
>
> Shall we list these specific functions? Then we can discuss and see whether
> atomicity is a must.
>

Sure. There are a couple of such functionalities, as below:
1. When deleting a user entry, his membership entries in the groups that he
belonged to are deleted first. If an error occurs while deleting from one of
those groups (due to a reason like above), the status in LDAP will be:
user's membership is removed from some groups, but not from all, and user
entry is also not deleted.

2. When updating the user-list of a role, and also the role-list of a user, if an error
occurs at one LDAP operation, only the set of operations executed previous
to the error are reflected in LDAP.

In both the above cases, a proper error message is printed.

Thanks,
Hasini.

>
> Thanks,
> Dimuthu
>
>
>>    (LDAP itself does not support the transaction concept. But I read about a
>> Spring API which allows making LDAP operations atomic [1].)
>>
>> Currently "WriteLDAPGroups" property is set to false by default in
>> user-mgt.xml.
>> Before configuring it to true by default, I would really appreciate any
>> comments, feedback on the above
>>
>> [1]
>> http://static.springsource.org/spring-ldap/docs/1.3.x/reference/html/transactions.html
>>
>> Thanks,
>> Hasini.
>>
>
>
_______________________________________________
Carbon-dev mailing list
[email protected]
http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
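The two consistency problems raised in this thread (a group that must keep at least one member, and a multi-step user deletion that is not atomic) are easy to reproduce without a directory server. The following is an added example, not code from the Carbon user core or from JDBCUserStoreManager: a small in-memory stand-in for an LDAP directory enforces the "at least one member" rule the thread describes, `delete_user_naive` mirrors the flow in point 1 above (membership removals first, entry deletion last, no cleanup on failure), and `delete_user_compensating` shows the compensating-action alternative that a transaction-less store leaves you with. All class and function names, and the sample users and groups, are constructed for this illustration.

```python
"""Simulating the non-atomic LDAP user-deletion flow discussed on the list.

Constructed example: the Directory class stands in for an LDAP server whose
group objects (think groupOfNames, whose schema makes 'member' mandatory)
must always keep at least one member. Nothing here talks to a real server.
"""


class Directory:
    """Minimal in-memory directory: a set of user entries and named groups."""

    def __init__(self, users, groups):
        self.users = set(users)
        # group name -> set of member user ids (constructed sample data)
        self.groups = {name: set(members) for name, members in groups.items()}

    def create_group(self, name, members):
        # Same rule the thread describes for creating a role: an empty group
        # is rejected by the store, so the caller must supply a first member.
        if not members:
            raise ValueError(f"group {name!r} needs at least one member")
        self.groups[name] = set(members)

    def add_member(self, group, user):
        self.groups[group].add(user)

    def remove_member(self, group, user):
        members = self.groups[group]
        if user not in members:
            raise LookupError(f"{user!r} is not a member of {group!r}")
        if len(members) == 1:
            # Removing the last member would leave a schema-invalid group.
            raise ValueError(f"group {group!r} must keep at least one member")
        members.discard(user)

    def delete_entry(self, user):
        if any(user in members for members in self.groups.values()):
            raise ValueError(f"{user!r} is still referenced by a group")
        self.users.discard(user)

    def groups_of(self, user):
        # Sorted so the order of the LDAP operations is deterministic.
        return sorted(g for g, members in self.groups.items() if user in members)


def delete_user_naive(directory, user):
    """Flow from point 1 of the mail: strip memberships, then delete the entry.

    Each step is a separate LDAP operation. If one fails, the steps already
    executed stay applied and nothing undoes them.
    """
    for group in directory.groups_of(user):
        directory.remove_member(group, user)  # may raise part-way through
    directory.delete_entry(user)


def delete_user_compensating(directory, user):
    """Same flow with compensating actions: undo completed steps on failure.

    This is what a store without transactions can offer; it narrows the
    window of inconsistency but does not eliminate it (the re-add itself can
    fail, and a concurrent writer can observe the intermediate state).
    """
    undone = []
    try:
        for group in directory.groups_of(user):
            directory.remove_member(group, user)
            undone.append(group)
        directory.delete_entry(user)
    except ValueError:
        for group in reversed(undone):
            directory.add_member(group, user)  # compensate in reverse order
        raise


def sample_directory():
    """Constructed state: alice is the only member of g2, so deleting her fails."""
    return Directory(
        users=["alice", "bob"],
        groups={"g1": ["alice", "bob"], "g2": ["alice"]},
    )


def run_and_snapshot(deleter):
    """Apply a deletion strategy to the sample data and report the end state."""
    directory = sample_directory()
    try:
        deleter(directory, "alice")
        failed = False
    except ValueError:
        failed = True
    return {
        "failed": failed,
        "alice_exists": "alice" in directory.users,
        "g1": sorted(directory.groups["g1"]),
        "g2": sorted(directory.groups["g2"]),
    }


if __name__ == "__main__":
    print("naive:       ", run_and_snapshot(delete_user_naive))
    print("compensating:", run_and_snapshot(delete_user_compensating))
```

The naive run ends in exactly the state the mail describes: alice's membership is gone from g1 but not from g2, and her entry still exists. The compensating run fails for the same reason but leaves g1 as it was. This is the same idea as the compensating-transaction support in the Spring LDAP reference cited as [1] above, and it carries the same limitation: it is cleanup after the fact, not isolation, so the error message shown to the administrator still matters.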
