Aaron Mulder wrote, On 8/18/2005 4:13 PM:
So in the security settings, each login module has a login domain
name. This is so that a single realm could distinguish between principals
(with the same name) from two login modules of the same class. For
example, if you have two LDAP login modules pointing to different servers,
you could distinguish based on principal class and login domain name so
"administrator" from server A is different than "administrator" from
server B.
However, in our role mapping, we let you specify a realm,
principal class, and principal name, but not a login domain name. In
other words, all LDAP-group-administrator entries look the same,
regardless of which server they originate from.
I think the mapping should have a login-domain-name attribute on
the "principal" XML type. I'd say it should be optional so you only have
to use it if you care to distinguish (it would be obnoxious to need to
specify it every time). We could also do this with another surrounding
element like (but within) "realm" -- I guess I don't care all that much
either way.
What I don't have a handle on is the changes required to our
security processing infrastructure to make this work. I'm not sure
whether or how the login domain name propagates on the principals we
create, though I have a vague memory that the principal wrappers were
going to hold the login domain names.
Does this sound familiar to anyone? David J? Alan?
The realm is a holdover from when login domains used to be called login
realms. I imagine that there was some confusion during one of the
updates and it ended up actually being a realm. From our discussions on
IRC, I believe that we need to allow scoping of the principal to
optionally include both the realm and login domain. The reason for
"adding" the realm is that login domains may be shared by security
realms; it would be nice to be able to keep the name of the login
domains the same to keep things tractable.
Regards,
Alan
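The collision Aaron describes, and the optional scoping Alan proposes, can be modelled directly. The following is an added example and not Geronimo code; it assumes a simplified principal shape (realm, login domain, class, name) and a role mapping whose `login_domain` attribute is optional, mirroring the "login-domain-name on the principal XML type" idea. The two "administrator" principals and the login domain names `ldap-a`/`ldap-b` are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    """A principal as produced by one login module in one realm (assumed shape)."""
    realm: str
    login_domain: str  # name of the login module that produced it
    cls: str           # principal class, e.g. an LDAP group principal class
    name: str


@dataclass(frozen=True)
class RoleMapping:
    """One entry of the role mapping; login_domain is the optional scoping attribute."""
    role: str
    realm: str
    cls: str
    name: str
    login_domain: Optional[str] = None  # None means "any login domain in this realm"

    def matches(self, p: Principal) -> bool:
        if (self.realm, self.cls, self.name) != (p.realm, p.cls, p.name):
            return False
        # Only when the mapping names a login domain do we require it to agree.
        return self.login_domain is None or self.login_domain == p.login_domain


def roles_for(p: Principal, mappings: List[RoleMapping]) -> List[str]:
    """Return the sorted set of roles a principal is granted under the mappings."""
    return sorted({m.role for m in mappings if m.matches(p)})


# Constructed sample: two LDAP login modules of the same class, different servers,
# each yielding a group principal named "administrator".
GROUP_CLASS = "example.LdapGroupPrincipal"  # hypothetical class name
ADMIN_FROM_A = Principal("corp", "ldap-a", GROUP_CLASS, "administrator")
ADMIN_FROM_B = Principal("corp", "ldap-b", GROUP_CLASS, "administrator")

# Without the login-domain attribute the two entries "look the same":
UNSCOPED = [RoleMapping("admin", "corp", GROUP_CLASS, "administrator")]

# With it, the admin role is tied to server A's login module only:
SCOPED = [RoleMapping("admin", "corp", GROUP_CLASS, "administrator", login_domain="ldap-a")]


def demo() -> dict:
    """Show which principals receive 'admin' under each mapping style."""
    return {
        "unscoped": {"A": roles_for(ADMIN_FROM_A, UNSCOPED), "B": roles_for(ADMIN_FROM_B, UNSCOPED)},
        "scoped": {"A": roles_for(ADMIN_FROM_A, SCOPED), "B": roles_for(ADMIN_FROM_B, SCOPED)},
    }


if __name__ == "__main__":
    for style, result in demo().items():
        print(style, result)
```

The unscoped mapping grants `admin` to both principals, which is the over-grant the thread is worried about; the scoped mapping grants it only to the principal from `ldap-a`, while the attribute stays optional for deployments that never need the distinction.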