yes lemonldap only *reads* attributes from ldap for the profile. Only
administrators can change this profile for users in the ldap directory.
But groups can be created in Jahia, so the solutions are:
- passing the profile as a request attribute or keeping it in the header
- the administrator creates groups IN JAHIA and not in the ldap directory
and puts ldap users in them so we have a group assignation for a given
profile, for instance:
S1 profile is associated with S1 group in Jahia with user members
(ldapuser1, ldapuser3)
S2 profile is associated with S2 group in Jahia with user members
(ldapuser2, ldapuser4)
S3 profile is associated with S3 group in Jahia with user members
(ldapuser1, ldapuser5)
where groups S1, S2 and S3 have been created BEFORE any assignation.
Do you think it could work? So Jahia does not modify anything in the
group assignation.
Dominique
On Thu, 3 Feb 2005 19:23:45 +0100, Thomas Draier
<[EMAIL PROTECTED]> wrote:
> from what i understood of lemonldap, it *reads* attributes from ldap
> for the profile, but it has no write access to it ..? otherwise, where
> does it get the profile information from ..? anyway, if you do not have
> any control on the ldap directory, and cannot create groups, the only
> solution i see is by passing the profile as a request attribute or
> anywhere else. but if you manage to get some write access, creating a
> few groups would be a better solution.
> btw, in fact, it IS possible to assign a jahia group to user inside a
> valve, but it just looks completely insane to me. a group assignation
> is a permanent modification, not just some session information.
> thomas
>
> On 3 Feb 05, at 16:20, Dominique Pellat wrote:
>
> > In fact, in Lemon, a user identifies against a ldap directory which
> > cannot be changed, except for adding a multivalued attribute which is
> > the profile. I thought your idea was to create a Jahia group of users,
> > and put ldap users in it, but if I understand well, one cannot map a
> > Jahia group with a profile in a valve? Is there another means to do
> > this? Perhaps it is not the right solution: if we transmit the profile
> > as a parameter to a portlet perhaps?
> > Dominique
> >
> >
> > On Thu, 3 Feb 2005 15:51:41 +0100, Thomas Draier
> > <[EMAIL PROTECTED]> wrote:
> >> a valve cannot do this, it cannot assign a user to a group each time
> >> he will make a request. but a group can be created in ldap. for each
> >> "profile", create a group like :
> >> dn: cn=groupForProfileXX,o=yourorg
> >> objectclass: groupOfURLs
> >> memberURL: ldap:///o=yourorg??sub?(&(objectclass=person)(profile=valueXX))
> >> and your user will be in. the profile value passed by lemonldap will
> >> not be used, but the roles will be checked against the ldap directory.
> >> thomas
> >>
> >> On 3 Feb 05, at 15:26, Dominique Pellat wrote:
> >>
> >>> hi,
> >>> Your second solution is exactly the one that is the best to work with
> >>> lemon: mapping this profile to an existing group! Is it easy to
> >>> write a Valve which realizes this? I saw for the beginning something
> >>> like your HTTP valve:
> >>>
> >>> int colonInd = cred.indexOf(':');
> >>> String profile = cred.substring(colonInd+1);
> >>>
> >>> but how do you map this profile with one of the ldap groups? There is
> >>> no property 'theGroup' in paramBean like for theUser? And is
> >>> there no drawback in not filling in the user param in Jahia (no more
> >>> call to the setTheUser() method in paramBean)?
> >>>
> >>> regards,
> >>> Dominique
> >>>
> >>> On Thu, 3 Feb 2005 13:38:24 +0100, Thomas Draier
> >>> <[EMAIL PROTECTED]> wrote:
> >>>> hi,
> >>>> a specific valve can be written to log in the user with the dn, and
> >>>> set the profile into a request or session attribute. but if the profile
> >>>> can be simply mapped to a group, a better solution would be to create
> >>>> ldap dynamic groups for each profile, and assign portlet roles to these
> >>>> groups - you could then use standard role check in your webapp.
> >>>> thomas
> >>>>
> >>>> On 2 Feb 05, at 16:39, Dominique Pellat wrote:
> >>>>
> >>>>> Hello Thomas,
> >>>>>
> >>>>> LemonLdap is a ReverseProxy and acts as a network service which
> >>>>> intercepts all the HTTP requests going to an application like Jahia:
> >>>>> it checks if a sessionid is already present for the user trying to
> >>>>> connect, either in a Database or in a cached memory, and if not,
> >>>>> displays a login form and asks for the identity of users in a LDAP
> >>>>> server.
> >>>>> So tomcat will never be accessed without passing through the
> >>>>> lemonldap module and communications are in SSL mode.
> >>>>> After, the aim is to transmit the profile to the portlets hosted by
> >>>>> Jahia: application rights are defined as attributes in the LDAP
> >>>>> server for these applications, so:
> >>>>> - the dn of the user transmitted by Lemonldap can be used by Jahia to
> >>>>> find the user (in the LDAP server configured in Jahia) but this
> >>>>> implies a second check of the identity
> >>>>> - the profile has to be transmitted to the portlets by whatever
> >>>>> means: as a parameter sent to the portlet or simpler: if the profile is
> >>>>> mapped with a Jahia group, the portlet will use roles as usual. Do
> >>>>> you think another valve can fulfill this requirement?
> >>>>>
> >>>>> Regards,
> >>>>> Dominique Pellat
> >>>>>
> >>>>>
> >>>>> On Wed, 2 Feb 2005 11:52:13 +0100, Thomas Draier
> >>>>> <[EMAIL PROTECTED]> wrote:
> >>>>>> hi,
> >>>>>> i do not clearly understand how the authentication is done - the
> >>>>>> first part is the dn of the user, but what should we do with the
> >>>>>> profile ? why should it be a jahia group ? jahia only needs a user
> >>>>>> identifier like the dn, and some trusted credentials. i believe the
> >>>>>> profile should be checked against lemonldap server for authenticity,
> >>>>>> but i do not see how this can be done. or it can be ignored, if you
> >>>>>> are sure tomcat will never be accessed without passing through the
> >>>>>> lemonldap module, and that the header cannot be faked. obviously the
> >>>>>> http valve will not work with this, but another valve based on that
> >>>>>> one can be quickly developed for supporting lemonldap.
> >>>>>> thomas
> >>>>>>
> >>>>>> On 1 Feb 05, at 15:12, Dominique Pellat wrote:
> >>>>>>
> >>>>>>> Hello Thomas,
> >>>>>>>
> >>>>>>> LemonLdap does not send user/password in Basic Authentication
> >>>>>>> but a String which is an application profile for Jahia, like this
> >>>>>>> - found on http://lemonldap.sourceforge.net/ - :
> >>>>>>>
> >>>>>>> code before encoding:
> >>>>>>> uid=egerman-cp,ou=personnes,ou=dgcp,ou=mefi,o=gouv,c=fr:1S
> >>>>>>> code after encoding:
> >>>>>>> dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3Asb3U9bWVmaSxvPWdvdXYsYz1mcjoxUw==
> >>>>>>>
> >>>>>>> where '1S' is the profile of the user to be transmitted to the
> >>>>>>> Jahia authentication module.
> >>>>>>>
> >>>>>>> So how do you think Jahia could manage this? If the profile was
> >>>>>>> the same name as a group of users in Jahia (ex: group name = '1S' in
> >>>>>>> Jahia), the authentication could be resolved by matching the
> >>>>>>> profile coming in the HTTP header and the group in Jahia: this way,
> >>>>>>> mapping between group and roles in the portlet will be OK. Do you
> >>>>>>> think it will be possible? If it is, I can test this evolution and
> >>>>>>> give feedback to you because I already have a LemonLdap running.
> >>>>>>>
> >>>>>>> Thanks in advance,
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> Dominique Pellat
> >>>>>>>
> >>>>>>>
> >>>>>>> On Tue, 1 Feb 2005 11:20:00 +0100, Thomas Draier
> >>>>>>> <[EMAIL PROTECTED]> wrote:
> >>>>>>>> hi dominique,
> >>>>>>>> you can activate the http authorization valve in jahia by adding
> >>>>>>>> an entry in the WEB-INF/etc/config/auth-pipeline.xml . just add
> >>>>>>>> this entry at the beginning :
> >>>>>>>> <valveDescriptor>
> >>>>>>>>   <className>org.jahia.params.valves.HttpBasicAuthValveImpl</className>
> >>>>>>>> </valveDescriptor>
> >>>>>>>> then you can log in into jahia by providing user/password with
> >>>>>>>> http-basic auth. that should work with lemonldap.
> >>>>>>>> thomas
> >>>>>>>>
> >>>>>>>> On 31 Jan 05, at 19:05, Dominique Pellat wrote:
> >>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> I would like to know if this build includes the evolution to be
> >>>>>>>>> able to run in SSO mode the proxy LemonLdap bound to a Jahia
> >>>>>>>>> server. Is this version of Jahia decrypting the HTTP header
> >>>>>>>>> AUTHORIZATION coming from LemonLdap and mapping the found
> >>>>>>>>> roles/profiles to a Jahia group? I saw SSOIFrame and
> >>>>>>>>> SSOWebContent portlet included in this build but I am not sure
> >>>>>>>>> it concerns this evolution.
> >>>>>>>>>
> >>>>>>>>> It is for a test purpose only: I have a proxy LemonLdap well
> >>>>>>>>> configured and I just want to plug it in on a Jahia version
> >>>>>>>>> 4.1, where this evolution was scheduled.
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>>
> >>>>>>>>> Dominique PELLAT
> >>>>>>>>
> >>> --
> >>> Dominique PELLAT
> >>> EDS Answare
> >>> 1, rue du Château de l'Eraudière
> >>> BP 20651
> >>> 44306 NANTES Cedex 3
> >>> France
> >>> TEL : +(33) 02.51.89.78.68
> >>> Email : [EMAIL PROTECTED]
> >>
>
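As an added example, not code from this thread, from Jahia or from LemonLDAP, here is Python that does what a LemonLDAP-aware valve would have to do with the header format quoted in the thread: base64-decode the token, separate the dn from the profile, map the profile to a Jahia group in the S1/S2/S3 style Dominique describes, and honour the header only when the request came from a trusted proxy address, which is the condition Thomas gives for being allowed to skip an authenticity check on the profile. The proxy addresses, the profile-to-group table and the function names are assumptions constructed for this example; the sample token is the one quoted from lemonldap.sourceforge.net in the thread.

```python
import base64
import binascii
import ipaddress
import re
from typing import Optional, Tuple

# Addresses of the LemonLDAP reverse proxies that front Tomcat.
# Constructed for this example (TEST-NET-1); in a real deployment these
# are the proxy hosts, and Tomcat is not reachable from anywhere else.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

# Profile -> Jahia group name, following the S1/S2/S3 layout in the thread
# plus the '1S' profile from the quoted sample token. Constructed table.
PROFILE_TO_GROUP = {"S1": "S1", "S2": "S2", "S3": "S3", "1S": "1S"}

# Loose sanity check that the decoded left part looks like a DN
# (attr=value components separated by commas).
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")

# The base64 token as quoted in the thread (wrapped there across two lines).
SAMPLE_TOKEN = (
    "dWlkPWVnZXJtYW4tY3Asb3U9cGVyc29ubmVzLG91PWRnY3Asb3U9bWVmaSx"
    "vPWdvdXYsYz1mcjoxUw=="
)


def parse_lemonldap_authorization(header_value: str) -> Tuple[str, str]:
    """Decode '<dn>:<profile>' from the LemonLDAP Authorization header.

    Accepts the bare base64 token or a 'Basic <token>' scheme prefix.
    Raises ValueError on malformed input instead of guessing.
    """
    token = header_value.strip()
    if token.lower().startswith("basic "):
        token = token[6:].strip()
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("Authorization header is not valid base64 text") from exc
    # Split on the LAST colon: a DN value may contain ':' but the profile
    # LemonLDAP appends after the DN does not. (The thread's Java snippet
    # used indexOf, i.e. the first colon; rpartition is the safer choice.)
    dn, sep, profile = raw.rpartition(":")
    if not sep or not dn or not profile:
        raise ValueError("expected '<dn>:<profile>'")
    if not _DN_RE.match(dn):
        raise ValueError("left part does not look like a DN: %r" % dn)
    return dn, profile


def is_well_formed(header_value: str) -> bool:
    """True if the header decodes to a DN and a profile."""
    try:
        parse_lemonldap_authorization(header_value)
        return True
    except ValueError:
        return False


def is_from_trusted_proxy(remote_addr: str) -> bool:
    """The header is only meaningful if the TCP peer is a LemonLDAP proxy;
    a client reaching Tomcat directly could set any Authorization value."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_jahia_group(header_value: str, remote_addr: str) -> Optional[dict]:
    """Return {'dn', 'profile', 'group'} for an accepted request, or None
    when the peer is untrusted, the header is malformed, or the profile
    maps to no known Jahia group."""
    if not is_from_trusted_proxy(remote_addr):
        return None
    try:
        dn, profile = parse_lemonldap_authorization(header_value)
    except ValueError:
        return None
    group = PROFILE_TO_GROUP.get(profile)
    if group is None:
        return None
    return {"dn": dn, "profile": profile, "group": group}


if __name__ == "__main__":
    # Request relayed by the proxy: accepted and mapped to group '1S'.
    print(resolve_jahia_group(SAMPLE_TOKEN, "192.0.2.10"))
    # Same header arriving directly from an untrusted address: rejected.
    print(resolve_jahia_group(SAMPLE_TOKEN, "198.51.100.7"))
```

The group lookup is deliberately a table rather than a call that creates groups, which matches Thomas's point that group assignation is a permanent modification and should not happen per request inside a valve; the valve only resolves a pre-existing group.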