[ 
https://issues.apache.org/jira/browse/ISIS-1162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

sebastien diaz updated ISIS-1162:
---------------------------------
    Description: 
Add attribute for permission LDAP extraction

I propose new permissions creation from LDAP attributes.
Alternatively, permissions can be extracted from the base itself with the 
parameter searchUserBase,
the attribute list as userExtractedAttribute and the permission URL as 
permissionByUserAttribute.
The idea is to extract attributes from the user or the group of the user and map 
them directly to permission rules by replacing the string {attribute} with the 
extracted attribute (can be multiple).
See the sample for group and user attribute and mapping:
ldapRealm.searchUserBase = ou=users,o=mojo
ldapRealm.userObjectClass=inetOrgPerson
ldapRealm.userObjectClass=organizationnalPerson
ldapRealm.groupExtractedAttribute=street,country
ldapRealm.userExtractedAttribute=street,country
ldapRealm.permissionByGroupAttribute=attribute:Folder.{street}:Read,attribute:Portfolio.{country}
ldapRealm.permissionByUserAttribute=attribute:Folder.{street}:Read,attribute:Portfolio.{country}

> For Shiro Realm, Make LDAP attributes as permission generator
> -------------------------------------------------------------
>
>                 Key: ISIS-1162
>                 URL: https://issues.apache.org/jira/browse/ISIS-1162
>             Project: Isis
>          Issue Type: Improvement
>          Components: Core: Security: Shiro
>            Reporter: sebastien diaz
>            Assignee: Dan Haywood
>
> Add attribute for permission LDAP extraction 
> I propose new permissions creation from LDAP attributes.
> Alternatively, permissions can be extracted from the base itself with the 
> parameter searchUserBase,
> the attribute list as userExtractedAttribute and the permission URL as 
> permissionByUserAttribute.
> The idea is to extract attributes from the user or the group of the user and 
> map them directly to permission rules by replacing the string {attribute} with 
> the extracted attribute (can be multiple).
> See the sample for group and user attribute and mapping:
> ldapRealm.searchUserBase = ou=users,o=mojo
> ldapRealm.userObjectClass=inetOrgPerson
> ldapRealm.userObjectClass=organizationnalPerson
> ldapRealm.groupExtractedAttribute=street,country
> ldapRealm.userExtractedAttribute=street,country
> ldapRealm.permissionByGroupAttribute=attribute:Folder.{street}:Read,attribute:Portfolio.{country}
> ldapRealm.permissionByUserAttribute=attribute:Folder.{street}:Read,attribute:Portfolio.{country}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
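
The {attribute} substitution proposed in this issue, as an added example: this is not code from the Isis or Shiro projects and not the reporter's implementation. The class and method names are hypothetical, the attribute values are constructed, and skipping values that contain Shiro wildcard-permission delimiters (`:`, `*`, `,`) is an assumption of this example, made so that a directory value cannot change the structure of the resulting permission string (Java 9+).

```java
import java.util.*;
import java.util.regex.*;

public class AttributePermissionExpander {  // hypothetical name
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\w+)\\}");
    // Characters with structural meaning in a Shiro wildcard permission string.
    private static final Pattern UNSAFE = Pattern.compile("[:*,]");

    /** Expands comma-separated templates; a multi-valued attribute yields one permission per value. */
    static Set<String> expand(String templates, Map<String, List<String>> attrs) {
        Set<String> out = new LinkedHashSet<>();
        for (String template : templates.split(",")) {
            List<String> partial = List.of(template.trim());
            Matcher m = PLACEHOLDER.matcher(template);
            while (m.find()) {
                String name = m.group(1);
                List<String> next = new ArrayList<>();
                for (String value : attrs.getOrDefault(name, List.of())) {
                    String v = value.trim();
                    // Assumption: reject rather than escape values that carry permission syntax.
                    if (v.isEmpty() || UNSAFE.matcher(v).find()) continue;
                    for (String p : partial) next.add(p.replace("{" + name + "}", v));
                }
                partial = next; // empty when the attribute is absent: the template grants nothing
            }
            out.addAll(partial);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample attributes, as they might be read from a user or group entry.
        Map<String, List<String>> attrs = new HashMap<>();
        attrs.put("street", List.of("Main", "*")); // the "*" value is skipped, not substituted
        attrs.put("country", List.of("FR"));
        // Template string taken from the permissionByUserAttribute sample in the issue.
        String templates = "attribute:Folder.{street}:Read,attribute:Portfolio.{country}";
        for (String permission : expand(templates, attrs)) System.out.println(permission);
    }
}
```

A template whose attribute is missing or entirely rejected produces no permission at all, so the mapping fails closed.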