hi,
a specific valve can be written to log in the user with the dn, and set the profile into a request or session attribute. but if the profile can be simply mapped to a group, a better solution would be to create ldap dynamic group for each profile, and assign portlet roles to these groups - you could then use standard role check in your webapp.
thomas


On 2 Feb. 05, at 16:39, Dominique Pellat wrote:

Hello Thomas,

LemonLdap is a ReverseProxy and acts as a network service which
intercepts all the HTTP requests going to an application like Jahia: it
checks if a sessionid is already present for the user trying to
connect, either in a Database or in a cached memory, and if not,
displays a login form and asks for the identity of users in a LDAP server.
So tomcat will never be accessed without passing through the lemonldap
module and communication is in SSL mode.
After, the aim is to transmit the profile to the portlets hosted by
Jahia: applications rights are defined as attributes in the LDAP
server for these applications, so:
- the dn of the user transmitted by Lemonldap can be used by Jahia to
find the user (in LDAP server configured in Jahia) but this implies a
second check of the identity
- the profile has to be transmitted to the portlets by whatever means:
as a parameter sent to the portlet or simpler: if the profile is
mapped with a Jahia group, the portlet will use roles as usual. Do you
think another valve can fulfill this requirement?

Regards,
Dominique Pellat


On Wed, 2 Feb 2005 11:52:13 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
hi,
i do not clearly understand how the authentication is done - the first
part is the dn of the user, but what should we do with the profile ?
why should it be a jahia group ? jahia only needs a user identifier
like the dn, and some trusted credentials. i believe the profile should
be checked against lemonldap server for authenticity, but i do not see
how this can be done. or it can be ignored, if you are sure tomcat will
never be accessed without passing through the lemonldap module, and
that the header cannot be faked. obviously the http valve will not work
with this, but another valve based on that one can be quickly
developed for supporting lemonldap.
thomas


On 1 Feb. 05, at 15:12, Dominique Pellat wrote:

Hello Thomas,

LemonLdap does not send user/password in Basic Authentication but a
String which is an application profile for Jahia, like this (found on
http://lemonldap.sourceforge.net/):


code before encoding:
uid=egerman-cp,ou=personnes,ou=dgcp,ou=mefi,o=gouv,c=fr:1S
code after encoding:
dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3Asb3U9bWVmaSx
vPWdvdXYsYz1mcjoxUw==

where '1S' is the profile of the user to be transmitted to the Jahia
authentication module.

So how do you think Jahia could manage this? If the profile had the
same name as a group of users in Jahia (e.g. group name = '1S' in
Jahia), the authentication could be resolved by matching the profile
coming in the HTTP header and the group in Jahia: this way, mapping
between group and roles in the portlet will be OK. Do you think it will be
possible? If it is, I can test this evolution and give feedback to
you because I already have a LemonLdap running.


Thanks in advance,

Regards,
Dominique Pellat

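As an added example (not code from the thread, from Jahia or from LemonLdap), the header format quoted above decoded in Python: the base64 value is split into the user dn and the '1S'-style profile, the value is only accepted when the request arrived from the reverse proxy (Thomas's point that the header must not be fakeable), and the profile is then mapped to a Jahia-style group and its portlet roles. The trusted proxy network, the group and role names and the request dictionary are constructed placeholders, not anything the thread specifies.

```python
import base64
import binascii
import ipaddress
from typing import Dict, FrozenSet, NamedTuple, Optional


class LemonLdapIdentity(NamedTuple):
    dn: str
    profile: str


# Constructed sample: the base64 value quoted in the thread, placed in a
# Basic Authorization header as LemonLdap would send it.
SAMPLE_HEADER = (
    "Basic dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3Asb3U9bWVmaSx"
    "vPWdvdXYsYz1mcjoxUw=="
)

# Assumption: only requests from this network come through the LemonLdap
# reverse proxy. Placeholder range, not a value from the thread.
TRUSTED_PROXY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: group names equal profile names (the mapping Dominique
# proposes), and each group carries a set of portlet roles. Constructed.
GROUP_ROLES: Dict[str, FrozenSet[str]] = {
    "1S": frozenset({"viewer", "editor"}),
    "2S": frozenset({"viewer"}),
}


def parse_lemonldap_authorization(header_value: str) -> LemonLdapIdentity:
    """Decode '<dn>:<profile>' from a LemonLdap-style Basic Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        # validate=True rejects stray characters instead of silently skipping them
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("authorization token is not valid base64") from exc
    # Split from the right: the profile is the last ':'-separated field, so a
    # ':' that ever appeared inside the dn cannot shift the profile.
    dn, sep, profile = decoded.rpartition(":")
    if not sep or not dn or not profile:
        raise ValueError("expected '<dn>:<profile>'")
    return LemonLdapIdentity(dn=dn, profile=profile)


def identity_from_request(remote_addr: str,
                          headers: Dict[str, str]) -> Optional[LemonLdapIdentity]:
    """Trust the header only when the request came from the reverse proxy."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXY_NETWORKS):
        # Direct access to tomcat: the header could have been set by the client.
        return None
    value = headers.get("Authorization")
    if value is None:
        return None
    return parse_lemonldap_authorization(value)


def portlet_roles_for(identity: LemonLdapIdentity) -> FrozenSet[str]:
    """Map the profile to the group of the same name and return its roles."""
    return GROUP_ROLES.get(identity.profile, frozenset())


if __name__ == "__main__":
    ident = identity_from_request("10.1.2.3", {"Authorization": SAMPLE_HEADER})
    print(ident)                       # dn and profile '1S'
    print(sorted(portlet_roles_for(ident)))
    print(identity_from_request("192.0.2.10", {"Authorization": SAMPLE_HEADER}))  # None
```

The source-address check stands in for whatever actually guarantees that tomcat is reachable only through the proxy (a firewall rule or a connector bound to the proxy's interface); without such a guarantee the decoded profile is just client-supplied input.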

On Tue, 1 Feb 2005 11:20:00 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
hi dominique,
you can activate the http authorization valve in jahia by adding an
entry in the WEB-INF/etc/config/auth-pipeline.xml . just add this
entry at the beginning :
  <valveDescriptor>
    <className>org.jahia.params.valves.HttpBasicAuthValveImpl</className>
  </valveDescriptor>
then you can log in into jahia by providing user/password with
http-basic auth. that should work with lemonldap.
thomas


On 31 Jan. 05, at 19:05, Dominique Pellat wrote:

Hi,

I would like to know if this build includes the evolution to be able
to run the LemonLdap proxy in SSO mode bound to a Jahia server. Is
this version of Jahia decrypting the HTTP header AUTHORIZATION coming
from LemonLdap and mapping the found roles/profiles to a Jahia group? I
saw SSOIFrame and SSOWebContent portlets included in this build but I
am not sure they concern this evolution.


It is for a test purpose only: I have a LemonLdap proxy well
configured and I just want to plug it in on a Jahia version 4.1, where
this evolution was scheduled.

Regards,

Dominique PELLAT