[https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15216182#comment-15216182]
Keith Wall edited comment on QPID-7116 at 3/29/16 4:18 PM:
-----------------------------------------------------------
There is also a second common way of representing group membership within a
Directory. The group names may also be held as values of a {{memberOf}}
attribute within the user's directory entry itself. For this, no separate
group query is required. It is not clear to me if we can hint to the bind to
bring back this extra attribute, or if a separate search is required including
{{memberOf}}.
was (Author: k-wall):
There is also a second common way of representing group membership within a
Directory. The group names may also be held as values of a {{memberOf}}
attribute within the user's directory entry itself. For this, no separate
group query is required. It is not clear to me if we can hint to the bind to
bring back this extra attribute, or if a separate search is required including
{{memberOf}}.
> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
>
> The Java Broker can already authenticate users against an LDAP compatible
> directory. It should also be able to use the same information source as a
> source of group information too.
> The authentication provider needs to accept optional attributes governing
> where the group information will be found:
> {{groupSearchContext}} - the base entry for the role search. If not
> specified, the search base is the top-level directory context.
> {{groupSearchFilter}} - the LDAP search filter for selecting group entries.
> A {0} token within the filter will be replaced by the distinguished name of the
> authenticated user.
> {{groupAttributeName}} - the name of the attribute that contains the name of
> the role.
> After the authentication provider has successfully bound (authenticated) the
> user, it should perform a second query for the groups. It should build a
> {{GroupPrincipal}} for each group to which the user belongs and return this
> as part of the AuthenticationResult. If the group search attributes are not
> found, the group search should be skipped.
> A future version of the LDAP Authentication Provider may offer the ability to
> cache the group results for a DN period of time. This would serve to avoid
> hitting the Directory several times per authentication (it already hits the
> Directory twice if {{bindWithoutSearch}} is false, this will add a third).
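The group lookup described in the issue, as an added example that is not Qpid Broker code: the {0} token is replaced by the user's DN only after RFC 4515 filter escaping (a DN such as `cn=Smith\, John,...` already contains a backslash, and an unescaped `)` or `*` would change the filter's structure), the search is skipped when the group attributes are absent, and both group representations from the thread (group entries matched by filter, and the user's own {{memberOf}} values) are handled. The `search` callable and the in-memory directory are assumptions made for this example.

```python
from typing import Callable, Dict, Iterable, List

# RFC 4515 assertion-value escaping. Without it, these characters in a DN
# would alter the meaning of the search filter (or simply break it).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

Entry = Dict[str, List[str]]
Search = Callable[[str, str, List[str]], List[Entry]]  # (base, filter, attrs)


def escape_filter_value(value: str) -> str:
    """Escape a string for safe inclusion as a value inside an LDAP filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_group_filter(group_search_filter: str, user_dn: str) -> str:
    """Replace the {0} token with the authenticated user's escaped DN."""
    return group_search_filter.replace("{0}", escape_filter_value(user_dn))


def group_names_from_entries(entries: Iterable[Entry], group_attribute_name: str) -> List[str]:
    """First representation: one group entry per group, name held in groupAttributeName."""
    names = [n for attrs in entries for n in attrs.get(group_attribute_name, [])]
    return sorted(set(names))


def group_names_from_member_of(user_entry: Entry) -> List[str]:
    """Second representation (from the comment): group DNs in the user's memberOf attribute."""
    return sorted(user_entry.get("memberOf", []))


def resolve_groups(config: Dict[str, str], user_dn: str, search: Search) -> List[str]:
    """Second query after a successful bind; skipped when the group attributes are not configured."""
    if not config.get("groupSearchFilter") or not config.get("groupAttributeName"):
        return []
    base = config.get("groupSearchContext", "")  # empty base = top-level context
    flt = build_group_filter(config["groupSearchFilter"], user_dn)
    entries = search(base, flt, [config["groupAttributeName"]])
    return group_names_from_entries(entries, config["groupAttributeName"])


# Constructed in-memory directory standing in for a real LDAP search (assumption).
_GROUPS = [
    {"dn": "cn=admins,ou=groups,dc=example,dc=com", "cn": ["admins"],
     "member": [r"cn=Smith\, John,ou=users,dc=example,dc=com"]},
    {"dn": "cn=readers,ou=groups,dc=example,dc=com", "cn": ["readers"],
     "member": [r"cn=Smith\, John,ou=users,dc=example,dc=com", "cn=alice,ou=users,dc=example,dc=com"]},
]


def fake_search(base: str, flt: str, attrs: List[str]) -> List[Entry]:
    """Evaluates only '(member=<value>)' filters, undoing RFC 4515 escaping as a server would."""
    assert flt.startswith("(member=") and flt.endswith(")")
    wanted = flt[len("(member="):-1].replace(r"\5c", "\\").replace(r"\2a", "*")
    return [{a: g[a] for a in attrs if a in g} for g in _GROUPS if wanted in g["member"]]
```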
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)