In fact, in Lemon, a user identifies against an ldap directory which cannot be changed, except for adding a multivalued attribute which is the profile. I thought your idea was to create a Jahia group of users, and put ldap users in it, but if I understand well, one cannot map a Jahia group with a profile in a valve? Is there another means to do this? Perhaps it is not the good solution: if we transmit the profile as a parameter to a portlet perhaps?

Dominique
On Thu, 3 Feb 2005 15:51:41 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
> a valve cannot do this, it cannot assign a user to a group each time he will make a request. but a group can be created in ldap. for each "profile", create a group like:
>
> dn: cn=groupForProfileXX,o=yourorg
> objectclass: groupOfURLs
> memberURL: ldap:///o=yourorg??sub?(&(objectclass=person)(profile=valueXX))
>
> and your user will be in. the profile value passed by lemonldap will not be used, but the roles will be checked against the ldap directory.
> thomas
>
> On 3 Feb 05, at 15:26, Dominique Pellat wrote:
>
> > hi,
> > Your second solution is exactly the one that is the best to work with lemon: mapping this profile to an existing group! Is it easy to write a Valve which realizes this? I saw for the beginning something like your HTTP valve:
> >
> > int colonInd = cred.indexOf(':');
> > String profile = cred.substring(colonInd+1);
> >
> > but how do you map this profile with one of the ldap groups? There is no property 'theGroup' in paramBean like for theUser? And is there no drawback in not filling in the user param in Jahia (no more call to the setTheUser() method in paramBean)?
> >
> > regards,
> > Dominique
> >
> > On Thu, 3 Feb 2005 13:38:24 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
> >> hi,
> >> a specific valve can be written to log in the user with the dn, and set the profile into a request or session attribute. but if the profile can be simply mapped to a group, a better solution would be to create an ldap dynamic group for each profile, and assign portlet roles to these groups - you could then use the standard role check in your webapp.
> >> thomas
> >>
> >> On 2 Feb 05, at 16:39, Dominique Pellat wrote:
> >>
> >>> Hello Thomas,
> >>>
> >>> LemonLdap is a ReverseProxy and acts as a network service which intercepts all the HTTP requests going to an application like Jahia: it checks if a sessionid is already present for the user trying to connect, either in a Database or in a cached memory, and if not, displays a login form and asks for the identity of users in an LDAP server. So tomcat will never be accessed without passing through the lemonldap module, and communications are in SSL mode.
> >>> After, the aim is to transmit the profile to the portlets hosted by Jahia: application rights are defined as attributes in the LDAP server for these applications, so:
> >>> - the dn of the user transmitted by Lemonldap can be used by Jahia to find the user (in the LDAP server configured in Jahia) but this implies a second check of the identity
> >>> - the profile has to be transmitted to the portlets by whatever means: as a parameter sent to the portlet or, simpler, if the profile is mapped with a Jahia group, the portlet will use roles as usual. Do you think another valve can fulfill this requirement?
> >>>
> >>> Regards,
> >>> Dominique Pellat
> >>>
> >>> On Wed, 2 Feb 2005 11:52:13 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
> >>>> hi,
> >>>> i do not clearly understand how the authentication is done - the first part is the dn of the user, but what should we do with the profile? why should it be a jahia group? jahia only needs a user identifier like the dn, and some trusted credentials. i believe the profile should be checked against the lemonldap server for authenticity, but i do not see how this can be done. or it can be ignored, if you are sure tomcat will never be accessed without passing through the lemonldap module, and that the header cannot be faked. obviously the http valve will not work with this, but another valve based on that one can be quickly developed for supporting lemonldap.
> >>>> thomas
> >>>>
> >>>> On 1 Feb 05, at 15:12, Dominique Pellat wrote:
> >>>>
> >>>>> Hello Thomas,
> >>>>>
> >>>>> LemonLdap does not send user/password in Basic Authentication but a String which is an application profile for Jahia, like this (found on http://lemonldap.sourceforge.net/):
> >>>>>
> >>>>> code before encoding:
> >>>>> uid=egerman-cp,ou=personnes,ou=dgcp,ou=mefi,o=gouv,c=fr:1S
> >>>>> code after encoding:
> >>>>> dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3Asb3U9bWVmaSxvPWdvdXYsYz1mcjoxUw==
> >>>>>
> >>>>> where '1S' is the profile of the user to be transmitted to the Jahia authentication module.
> >>>>>
> >>>>> So how do you think Jahia could manage this? If the profile was the same name as a group of users in Jahia (ex: group name = '1S' in Jahia), the authentication could be resolved by matching the profile coming in the HTTP header and the group in Jahia: this way, mapping between group and roles in the portlet will be OK. Do you think it will be possible? If it is, I can test this evolution and give feedback to you because I already have a LemonLdap running.
> >>>>>
> >>>>> Thanks in advance,
> >>>>>
> >>>>> Regards,
> >>>>> Dominique Pellat
> >>>>>
> >>>>> On Tue, 1 Feb 2005 11:20:00 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
> >>>>>> hi dominique,
> >>>>>> you can activate the http authorization valve in jahia by adding an entry in WEB-INF/etc/config/auth-pipeline.xml. just add this entry at the beginning:
> >>>>>>
> >>>>>> <valveDescriptor>
> >>>>>>   <className>org.jahia.params.valves.HttpBasicAuthValveImpl</className>
> >>>>>> </valveDescriptor>
> >>>>>>
> >>>>>> then you can log in to jahia by providing user/password with http-basic auth. that should work with lemonldap.
> >>>>>> thomas
> >>>>>>
> >>>>>> On 31 Jan 05, at 19:05, Dominique Pellat wrote:
> >>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I would like to know if this build includes the evolution to be able to run in SSO mode the proxy LemonLdap bound to a Jahia server. Is this version of Jahia decrypting the HTTP header AUTHORIZATION coming from LemonLdap and mapping the found roles/profiles to a Jahia group? I saw the SSOIFrame and SSOWebContent portlets included in this build but I am not sure they concern this evolution.
> >>>>>>>
> >>>>>>> It is for a test purpose only: I have a proxy LemonLdap well configured and I just want to plug it in on a Jahia version 4.1, where this evolution was scheduled.
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>>
> >>>>>>> Dominique PELLAT

--
Dominique PELLAT
EDS Answare
1, rue du Château de l'Eraudière
BP 20651
44306 NANTES Cedex 3
France
TEL : +(33) 02.51.89.78.68
Email : [EMAIL PROTECTED]
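Added example, not Jahia's or LemonLDAP's own code: the decoding step the valve discussion above turns on, together with the check Thomas asks for, that the Authorization header is only honoured when the request actually arrived through the reverse proxy. The proxy address allowlist is an assumption; the header value is the one quoted from the LemonLDAP site in the thread, and the group naming follows Thomas's `cn=groupForProfileXX,o=yourorg` suggestion.

```python
import base64
import binascii
import ipaddress
from typing import Optional, Tuple

# Assumed for this example: networks from which LemonLDAP is allowed to reach
# Tomcat. A Basic header from anywhere else is treated as forged and rejected,
# because any client can build such a header itself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_lemonldap_header(authorization: Optional[str],
                           remote_addr: str) -> Optional[Tuple[str, str]]:
    """Return (dn, profile) from a LemonLDAP 'Basic <base64(dn:profile)>'
    header, or None when the header is absent, malformed or untrusted."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None                      # did not come through the proxy
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Same split as the valve snippet quoted in the thread: the first colon
    # separates the dn from the profile (a Basic user-id carries no colon).
    dn, sep, profile = decoded.partition(":")
    if not sep or "=" not in dn or not profile:
        return None
    return dn, profile


def group_for_profile(profile: str, base_dn: str = "o=yourorg") -> str:
    """DN of the dynamic group proposed in the thread for one profile value."""
    return f"cn=groupForProfile{profile},{base_dn}"
```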
