hi,
Your second solution is exactly the one that is the best to work with
lemon : mapping this profile to an existing group ! Is it easy to
write a Valve which realizes this ? I saw for the beginning something
like your HTTP valve :

                int colonInd = cred.indexOf(':');
                String profile = cred.substring(colonInd+1);

but how do you map this profile with one of the ldap group ? There is
no property 'theGroup' in paramBean like for the theUser ? And is
there no drawback not to fill in the user param in Jahia (no more call
to setTheUser() method in paramBean ?

regards,
Dominique

On Thu, 3 Feb 2005 13:38:24 +0100, Thomas Draier
<[EMAIL PROTECTED]> wrote:
> hi,
> a specific valve can be written to log in the user with the dn, and set
> the profile into a request or session attribute. but if the profile can
> be simply mapped to a group, a better solution would be to create ldap
> dynamic group for each profile, and assign portlet roles to these
> groups - you could then use standard role check in your webapp.
> thomas
> 
> On 2 Feb 05, at 16:39, Dominique Pellat wrote:
> 
> > Hello Thomas,
> >
> > LemonLdap is a ReverseProxy and acts as a network service which
> > intercepts all the HTTP requests going to an application like Jahia: it
> > checks if a sessionid is already present for the user trying to
> > connect, either in a Database or in a cached memory, and if not,
> > displays a login form and asks for the identity of users in a LDAP server.
> > So tomcat will never be accessed without passing through the lemonldap
> > module and communications are in SSL mode.
> > After, the aim is to transmit the profile to the portlets hosted by
> > Jahia: applications rights are defined as attributes in the LDAP
> > server for these applications, so:
> > -  the dn of the user transmitted by Lemonldap can be used by Jahia to
> > find the user (in LDAP server configured in Jahia) but this implies a
> > second check of the identity
> > - the profile has to be transmitted to the portlets by whatever means:
> > as a parameter sent to the portlet or simpler: if the profile is
> > mapped with a Jahia group, the portlet will use roles as usual. Do you
> > think another valve can fulfill this requirement ?
> >
> > Regards,
> > Dominique Pellat
> >
> >
> > On Wed, 2 Feb 2005 11:52:13 +0100, Thomas Draier
> > <[EMAIL PROTECTED]> wrote:
> >> hi,
> >> i do not clearly understand how the authentication is done - the first
> >> part is the dn of the user, but what should we do with the profile ?
> >> why should it be a jahia group ? jahia only needs a user identifier
> >> like the dn, and some trusted credentials. i believe the profile should
> >> be checked against lemonldap server for authenticity, but i do not see
> >> how this can be done. or it can be ignored, if you are sure tomcat will
> >> never be accessed without passing through the lemonldap module, and
> >> that the header cannot be faked. obviously the http valve will not work
> >> with this, but another valve based on that one can be quickly
> >> developed for supporting lemonldap.
> >> thomas
> >>
> >> On 1 Feb 05, at 15:12, Dominique Pellat wrote:
> >>
> >>> Hello Thomas,
> >>>
> >>> LemonLdap does not send user/password in Basic Authentication but a
> >>> String which is an application profile for Jahia, like this - found on
> >>> http://lemonldap.sourceforge.net/ - :
> >>>
> >>> code before encoding:
> >>> uid=egerman-cp,ou=personnes,ou=dgcp,ou=mefi,o=gouv,c=fr:1S
> >>> code after encoding:
> >>> dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3Asb3U9bWVmaSx
> >>> vPWdvdXYsYz1mcjoxUw==
> >>>
> >>> where '1S' is the profile of the user to be transmitted to the Jahia
> >>> authentication module.
> >>>
> >>> So how do you think Jahia could manage this ? If the profile was the
> >>> same name as a group of users in Jahia (ex: group name = '1S' in
> >>> Jahia), the authentication could be resolved by matching the profile
> >>> coming in HTTP header and the group in Jahia: this way, mapping
> >>> between group and roles in portlet will be OK. Do you think it will be
> >>> possible ? If it is, I can test this evolution and give feedback to
> >>> you because I have already a LemonLdap running.
> >>>
> >>> Thanks in advance,
> >>>
> >>> Regards,
> >>> Dominique Pellat
> >>>
> >>>
> >>> On Tue, 1 Feb 2005 11:20:00 +0100, Thomas Draier
> >>> <[EMAIL PROTECTED]> wrote:
> >>>> hi dominique,
> >>>> you can activate the http authorization valve in jahia by adding an
> >>>> entry in the WEB-INF/etc/config/auth-pipeline.xml . just add this entry
> >>>> at the beginning :
> >>>>        <valveDescriptor>
> >>>>            <className>org.jahia.params.valves.HttpBasicAuthValveImpl</className>
> >>>>        </valveDescriptor>
> >>>> then you can log in into jahia by providing user/password with
> >>>> http-basic auth. that should work with lemonldap.
> >>>> thomas
> >>>>
> >>>> On 31 Jan 05, at 19:05, Dominique Pellat wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> I would like to know if this build includes the evolution to be able
> >>>>> to run in SSO mode the proxy LemonLdap bounded with a Jahia server. Is
> >>>>> this version of Jahia decrypting the HTTP header AUTHORIZATION coming
> >>>>> from LemonLdap and mapping the found roles/profiles to a Jahia group ? I
> >>>>> saw SSOIFrame and SSOWebContent portlet included in this build but I
> >>>>> am not sure it concerns this evolution.
> >>>>>
> >>>>> It is for a test purpose only: I have a proxy LemonLdap well
> >>>>> configured and I just want to plug it in on a Jahia version 4.1, where
> >>>>> this evolution was scheduled.
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Dominique PELLAT
-- 
Dominique PELLAT
EDS Answare
1, rue du Château de l'Eraudière
BP 20651
44306 NANTES Cedex 3
France
TEL   : +(33) 02.51.89.78.68
Email : [EMAIL PROTECTED]
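As an added, standalone illustration (not code from this thread, from Jahia or from LemonLDAP), the following Python sketch shows the decoding and mapping step the thread discusses: it parses the base64 "dn:profile" credential quoted above, trusts it only when the request arrived from the reverse proxy's address (Thomas's caveat that the header must not be fakeable), and resolves the profile to a group through a fixed table instead of taking a group name from the header. The "Basic" scheme prefix, the proxy address and the profile-to-group table are assumptions; the real valve would be written in Java against Jahia's paramBean API.

```python
import base64

# Constructed sample: the encoded "dn:profile" string quoted in the thread,
# assumed to arrive with the usual "Basic " prefix of the Authorization header.
SAMPLE_HEADER = ("Basic dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3As"
                 "b3U9bWVmaSxvPWdvdXYsYz1mcjoxUw==")

# Assumption: only the LemonLDAP reverse proxy may reach Tomcat directly.
TRUSTED_PROXIES = {"10.0.0.5"}

# Assumption: configured profile -> group table; the group name never comes
# from the header itself, so an unknown profile cannot select an arbitrary group.
PROFILE_TO_GROUP = {"1S": "1S", "2A": "readers"}


def parse_lemonldap_credential(header):
    """Return (dn, profile) from an Authorization header carrying base64('dn:profile')."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("unexpected Authorization scheme")
    try:
        cred = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("undecodable credential") from exc
    # Same convention as the valve fragment in the thread: split on the first ':'.
    colon = cred.find(":")
    if colon <= 0 or colon == len(cred) - 1:
        raise ValueError("credential is not of the form dn:profile")
    return cred[:colon], cred[colon + 1:]


def resolve_group(remote_addr, header):
    """Accept the header only from the proxy, then map the profile to a known group."""
    if remote_addr not in TRUSTED_PROXIES:
        raise PermissionError("request did not come through the LemonLDAP proxy")
    dn, profile = parse_lemonldap_credential(header)
    group = PROFILE_TO_GROUP.get(profile)
    if group is None:
        raise LookupError(f"no group mapped for profile {profile!r}")
    return dn, group
```

The proxy-address check is the minimum; in a real deployment the same effect is usually obtained by binding Tomcat to an interface only the proxy can reach, and the check here documents that assumption in code.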
