Hello Thomas,

LemonLdap is a reverse proxy and acts as a network service which intercepts all the HTTP requests going to an application like Jahia: it checks if a session id is already present for the user trying to connect, either in a database or in cached memory, and if not, displays a login form and asks for the identity of the user in an LDAP server. So Tomcat will never be accessed without passing through the LemonLdap module, and communication is in SSL mode.

After that, the aim is to transmit the profile to the portlets hosted by Jahia: application rights are defined as attributes in the LDAP server for these applications, so:
- the dn of the user transmitted by LemonLdap can be used by Jahia to find the user (in the LDAP server configured in Jahia), but this implies a second check of the identity
- the profile has to be transmitted to the portlets by whatever means: as a parameter sent to the portlet, or simpler: if the profile is mapped to a Jahia group, the portlet will use the role as usual.

Do you think another valve can fulfill this requirement?

Regards,
Dominique Pellat

On Wed, 2 Feb 2005 11:52:13 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
> hi,
> i do not clearly understand how the authentication is done - the first
> part is the dn of the user, but what should we do with the profile?
> why should it be a jahia group? jahia only needs a user identifier
> like the dn, and some trusted credentials. i believe the profile should
> be checked against the lemonldap server for authenticity, but i do not see
> how this can be done. or it can be ignored, if you are sure tomcat will
> never be accessed without passing through the lemonldap module, and
> that the header cannot be faked. obviously the http valve will not work
> with this, but another valve based on that one can be quickly
> developed for supporting lemonldap.
> thomas
>
> On 1 Feb 05, at 15:12, Dominique Pellat wrote:
>
> > Hello Thomas,
> >
> > LemonLdap does not send user/password in Basic Authentication but a
> > string which is an application profile for Jahia, like this - found on
> > http://lemonldap.sourceforge.net/ - :
> >
> > code before encoding:
> > uid=egerman-cp,ou=personnes,ou=dgcp,ou=mefi,o=gouv,c=fr:1S
> > code after encoding:
> > dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3Asb3U9bWVmaSx
> > vPWdvdXYsYz1mcjoxUw==
> >
> > where '1S' is the profile of the user to be transmitted to the Jahia
> > authentication module.
> >
> > So how do you think Jahia could manage this? If the profile was the
> > same name as a group of users in Jahia (ex: group name = '1S' in
> > Jahia), the authentication could be resolved by matching the profile
> > coming in the HTTP header and the group in Jahia: this way, mapping
> > between group and roles in the portlet will be OK. Do you think it will be
> > possible? If it is, I can test this evolution and give feedback to
> > you because I already have a LemonLdap running.
> >
> > Thanks in advance,
> >
> > Regards,
> > Dominique Pellat
> >
> >
> > On Tue, 1 Feb 2005 11:20:00 +0100, Thomas Draier
> > <[EMAIL PROTECTED]> wrote:
> >> hi dominique,
> >> you can activate the http authorization valve in jahia by adding an
> >> entry in the WEB-INF/etc/config/auth-pipeline.xml . just add this
> >> entry at the beginning:
> >> <valveDescriptor>
> >>   <className>org.jahia.params.valves.HttpBasicAuthValveImpl</className>
> >> </valveDescriptor>
> >> then you can log in to jahia by providing user/password with
> >> http-basic auth. that should work with lemonldap.
> >> thomas
> >>
> >> On 31 Jan 05, at 19:05, Dominique Pellat wrote:
> >>
> >>> Hi,
> >>>
> >>> I would like to know if this build includes the evolution to be able
> >>> to run in SSO mode the proxy LemonLdap bound with a Jahia server.
> >>> Is this version of Jahia decrypting the HTTP header AUTHORIZATION coming
> >>> from LemonLdap and mapping the found roles/profiles to a Jahia group? I
> >>> saw SSOIFrame and SSOWebContent portlet included in this build but I
> >>> am not sure it concerns this evolution.
> >>>
> >>> It is for a test purpose only: I have a proxy LemonLdap well
> >>> configured and I just want to plug it in on a Jahia version 4.1,
> >>> where this evolution was scheduled.
> >>>
> >>> Regards,
> >>>
> >>> Dominique PELLAT
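The check Thomas asks for above (that the AUTHORIZATION header really came through LemonLdap and cannot be faked by a client reaching Tomcat directly), as an added example that is not part of this thread nor of Jahia's or LemonLdap's own code, written in Python rather than as a Jahia valve: it decodes the base64 `dn:profile` value quoted earlier in the thread, accepts it only when the TCP peer is an assumed trusted proxy address, and maps the profile to an assumed Jahia group name.

```python
import base64
import binascii
import ipaddress

# Address of the LemonLdap reverse proxy that is allowed to set the header
# (assumed value for this example; Tomcat should not be reachable from anywhere else).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# LemonLdap profile string -> Jahia group name (assumed mapping, following the
# thread's idea that profile '1S' matches a Jahia group named '1S').
PROFILE_TO_GROUP = {"1S": "1S"}


def decode_lemonldap_header(value):
    """Decode base64('dn:profile') into (dn, profile); raise ValueError if malformed."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("header is not valid base64") from exc
    # The profile follows the last ':' so that a ':' inside a DN attribute
    # value cannot shift the split.
    dn, sep, profile = raw.rpartition(":")
    if not sep or not dn or not profile:
        raise ValueError("expected 'dn:profile'")
    if not dn.lower().startswith("uid="):
        raise ValueError("dn does not start with uid=")
    return dn, profile


def request_is_from_proxy(remote_addr):
    """True only when the TCP peer is the LemonLdap proxy, not a direct client."""
    return ipaddress.ip_address(remote_addr) in TRUSTED_PROXIES


def resolve_identity(remote_addr, header_value):
    """Return (dn, jahia_group) for a request that passed through the proxy.

    Returns None when the caller must fall back to the normal login form:
    the request did not arrive via the proxy (so the header could have been
    forged), the header is malformed, or the profile has no Jahia group.
    """
    if not request_is_from_proxy(remote_addr):
        return None
    try:
        dn, profile = decode_lemonldap_header(header_value)
    except ValueError:
        return None
    group = PROFILE_TO_GROUP.get(profile)
    if group is None:
        return None
    return dn, group
```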
