btw, in fact, it IS possible to assign a jahia group to a user inside a valve, but it just looks completely insane to me. a group assignment is a permanent modification, not just some session information.
thomas
On 3 Feb 05, at 16:20, Dominique Pellat wrote:
In fact, in Lemon, a user identifies against an ldap directory which cannot be changed, except for adding a multivalued attribute which is the profile. I thought your idea was to create a Jahia group of users and put ldap users in it, but if I understand well, one cannot map a Jahia group to a profile in a valve? Is there another means to do this? Perhaps it is not the right solution: what about transmitting the profile as a parameter to a portlet? Dominique
On Thu, 3 Feb 2005 15:51:41 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
a valve cannot do this, it cannot assign a user to a group each time he makes a request. but a group can be created in ldap. for each "profile", create a group like:
dn: cn=groupForProfileXX,o=yourorg
objectclass: groupOfURLs
memberURL: ldap:///o=yourorg??sub?(&(objectclass=person)(profile=valueXX))
and your user will be in it. the profile value passed by lemonldap will not be used, but the roles will be checked against the ldap directory.
thomas
On 3 Feb 05, at 15:26, Dominique Pellat wrote:
hi, Your second solution is exactly the one that is the best to work with lemon: mapping this profile to an existing group! Is it easy to write a Valve which realizes this? To begin with, I saw something like your HTTP valve:
int colonInd = cred.indexOf(':');
String profile = cred.substring(colonInd+1);
but how do you map this profile to one of the ldap groups? There is no property 'theGroup' in paramBean like for theUser? And is there no drawback in not filling in the user param in Jahia (no more call to the setTheUser() method in paramBean)?
regards, Dominique
On Thu, 3 Feb 2005 13:38:24 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
hi,
a specific valve can be written to log in the user with the dn, and set the profile into a request or session attribute. but if the profile can be simply mapped to a group, a better solution would be to create an ldap dynamic group for each profile, and assign portlet roles to these groups - you could then use the standard role check in your webapp.
thomas
On 2 Feb 05, at 16:39, Dominique Pellat wrote:
Hello Thomas,
LemonLdap is a ReverseProxy and acts as a network service which intercepts all the HTTP requests going to an application like Jahia: it checks if a sessionid is already present for the user trying to connect, either in a database or in a memory cache, and if not, displays a login form and asks for the identity of the user in an LDAP server. So tomcat will never be accessed without passing through the lemonldap module, and communications are in SSL mode.
After that, the aim is to transmit the profile to the portlets hosted by Jahia: application rights are defined as attributes in the LDAP server for these applications, so:
- the dn of the user transmitted by Lemonldap can be used by Jahia to find the user (in the LDAP server configured in Jahia), but this implies a second check of the identity
- the profile has to be transmitted to the portlets by whatever means: as a parameter sent to the portlet or, simpler, if the profile is mapped to a Jahia group, the portlet will use roles as usual. Do you think another valve can fulfill this requirement?
Regards, Dominique Pellat
On Wed, 2 Feb 2005 11:52:13 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
hi,
i do not clearly understand how the authentication is done - the first part is the dn of the user, but what should we do with the profile? why should it be a jahia group? jahia only needs a user identifier like the dn, and some trusted credentials. i believe the profile should be checked against the lemonldap server for authenticity, but i do not see how this can be done. or it can be ignored, if you are sure tomcat will never be accessed without passing through the lemonldap module, and that the header cannot be faked. obviously the http valve will not work with this, but another valve based on that one can be quickly developed for supporting lemonldap.
thomas
On 1 Feb 05, at 15:12, Dominique Pellat wrote:
Hello Thomas,
LemonLdap does not send user/password in Basic Authentication but a String which is an application profile for Jahia, like this - found on http://lemonldap.sourceforge.net/ -:
code before encoding: uid=egerman-cp,ou=personnes,ou=dgcp,ou=mefi,o=gouv,c=fr:1S
code after encoding: dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3Asb3U9bWVmaSxvPWdvdXYsYz1mcjoxUw==
where '1S' is the profile of the user to be transmitted to the Jahia authentication module.
So how do you think Jahia could manage this? If the profile had the same name as a group of users in Jahia (ex: group name = '1S' in Jahia), the authentication could be resolved by matching the profile coming in the HTTP header and the group in Jahia: this way, the mapping between group and roles in the portlet will be OK. Do you think it will be possible? If it is, I can test this evolution and give feedback to you because I already have a LemonLdap running.
Thanks in advance,
Regards, Dominique Pellat
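As an added illustration (not code from this thread, nor from Jahia or LemonLDAP), here is how a valve-side check could decode the header format quoted above in Python. It splits the decoded value at the last colon rather than the first, since an LDAP DN may itself contain a colon, and, following Thomas's point that the header is only trustworthy when Tomcat is reached through the LemonLDAP proxy, it accepts the asserted dn and profile only from a configured proxy address. The sample header is constructed from the dn:profile string above; the proxy address is a placeholder.

```python
import base64
import binascii

# Constructed sample header, built from the dn:profile string quoted on the list
# (not captured from a real LemonLDAP deployment).
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(
    b"uid=egerman-cp,ou=personnes,ou=dgcp,ou=mefi,o=gouv,c=fr:1S"
).decode("ascii")

# Assumption (placeholder): addresses of the LemonLDAP reverse proxy as seen
# by Tomcat. Only requests from these addresses may carry a trusted header.
TRUSTED_PROXIES = {"10.0.0.5"}


def parse_lemonldap_credential(authorization):
    """Return (dn, profile) from a LemonLDAP 'Authorization: Basic <b64>' header.

    The decoded value is '<dn>:<profile>'. It is split at the LAST colon because
    an LDAP DN may legitimately contain ':' inside an attribute value, whereas
    the short profile code (e.g. '1S') does not.
    """
    if not authorization or not authorization.startswith("Basic "):
        raise ValueError("not an HTTP Basic authorization header")
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("credential is not valid base64") from exc
    dn, sep, profile = raw.decode("utf-8").rpartition(":")
    if not sep or not dn or not profile:
        raise ValueError("credential is not of the form dn:profile")
    if "=" not in dn:
        raise ValueError("left part does not look like a DN")
    return dn, profile


def accept_sso_request(remote_addr, authorization):
    """Return (dn, profile) if the request may be trusted, else None.

    The header is only evidence of identity when Tomcat cannot be reached
    except through LemonLDAP, so the peer address is checked before the
    asserted dn and profile are believed.
    """
    if remote_addr not in TRUSTED_PROXIES:
        return None
    try:
        return parse_lemonldap_credential(authorization)
    except ValueError:
        return None
```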
On Tue, 1 Feb 2005 11:20:00 +0100, Thomas Draier <[EMAIL PROTECTED]> wrote:
hi dominique,
you can activate the http authorization valve in jahia by adding an entry in the WEB-INF/etc/config/auth-pipeline.xml . just add this entry at the beginning:
<valveDescriptor>
<className>org.jahia.params.valves.HttpBasicAuthValveImpl</className>
</valveDescriptor>
then you can log in to jahia by providing user/password with http-basic auth. that should work with lemonldap.
thomas
On 31 Jan 05, at 19:05, Dominique Pellat wrote:
Hi,
I would like to know if this build includes the evolution to be able to run in SSO mode the proxy LemonLdap bound to a Jahia server. Is this version of Jahia decrypting the HTTP header AUTHORIZATION coming from LemonLdap and mapping the found roles/profiles to a Jahia group? I saw the SSOIFrame and SSOWebContent portlets included in this build but I am not sure they concern this evolution.
It is for test purposes only: I have a LemonLdap proxy well configured and I just want to plug it in on a Jahia version 4.1, where this evolution was scheduled.
Regards,
Dominique PELLAT
-- Dominique PELLAT EDS Answare 1, rue du Château de l'Eraudière BP 20651 44306 NANTES Cedex 3 France TEL : +(33) 02.51.89.78.68 Email : [EMAIL PROTECTED]
