I'm no LDAP expert, but I can tell you how we are going to do authentication and authorization:
We have 4 groups of users (Simple, Extended, Member, Employee) which are hierarchically organized this way:
+-Simple
+-User1
+-...
+-Extended
+-User2
+-...
+-Member
+-User3
+-...
+-Employee
+-User4
+-...They are organized this way, because the everyone can be treated as a simple user (has just username, password and email address), whereas extended users, members and employees can be treated as extended users (validated additional data is available) and so on ...
This can be achieved by a subtree search.
We use the InetOrgPerson class and store the role information in the attribute 'groupOfUniqueNames'.
We store default roles (which are application dependent) for every group but can attach additional roles to certain users.
I don't know if it will really work this way, but that's how we planned it to do ;-)
Perhaps it's will be of help for you.
BTW we use LDAP *only* for authorization and authentication. All additional user data (postal address, profiles, ...) is stored in a mysql database.
Bye,
AndreasCarsten Ziegeler wrote:
Hi,
if you have different users with different roles, then I would store the information with your users in the LDAP. However, I don't know LDAP, so perhaps someone else can help here?
Carsten
[EMAIL PROTECTED] wrote:
Hello,
Yes, I don't have roles since I'm using the LDAP authentication, all users are "Admin" at this moment.
Do you think to create a static list in a file or database and check which role has the user?
I have thought about creating a static list but my problem is that I have to enter ~1000 users in this list (I have about 20'000 users but only ~1000 have special roles). The solution is maybe to use the groups defined in the LDAP repository, you would have ~10 groups instead of ~1000 users in the static list. But in you have groups, you have to use a LDAP query to know if the authenticated user is in a group. It seems a bit complicated, no?
What do you think about the best practise?
Thanks Regards Sylvain
-----Message d'origine----- De: Carsten Ziegeler [mailto:[EMAIL PROTECTED] Date: lundi, 1. septembre 2003 16:28 �: [EMAIL PROTECTED] Objet: RE: Cocoon 2.1 Authentication Bug? *Please* Help
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] wrote:
OK, I understand the mechanism.
About the roles, since I used LDAP for the authentication I have a problem how to define the roles. By default the authentication uses the file sunrise-user.xml and the role is defined for each user inside this file. With LDAP authentication I retrieve the users from a LDAP repository and the role isn't defined in this repository. Have you an idea how I could define the role for each users?
I guess from the above that you don't have roles. So, I would give each user a default role and create a static list of roles with this one role.
HTH Carsten
