[ http://issues.apache.org/jira/browse/JS2-188?page=comments#action_59581 ]
     
mike long commented on JS2-188:
-------------------------------

This morning I need to wrap up the LDAP authentication and authorization. So I 
will attach my latest work and take a couple paragraphs to document where my 
implementation is incomplete.

First of all I want to thank Dolf for his comments. The original version of the 
LDAP authentication code I checked in did a bind. In my zeal to refactor my 
code I unwisely decided to use the same technique to get the password that I 
used to get other fields from the LDAP objects. 


I spent a couple days last week working on the LDAP authorization piece. 
Following is a schema I devised for authorization. 

attributetype ( 1.3.6.1.4.1.8100.1.2.3.1 NAME 'j2-classname'
        DESC 'The java class name of the object.'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.8100.1.2.3.2 NAME 'j2-action'
        DESC 'An action associated with a permission. This is a multi-valued attribute.'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.8100.1.2.3.3 NAME 'j2-role'
        DESC 'The UID of an associated Role. This is a multi-valued attribute.'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.8100.1.2.3.4 NAME 'j2-group'
        DESC 'The UID of an associated Group. This is a multi-valued attribute.'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.8100.1.2.3.5 NAME 'j2-permission'
        DESC 'The UID of an associated Permission'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.8100.1.2.3.6 NAME 'creation-date'
        DESC 'create date'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.8100.1.2.3.7 NAME 'modified-date'
        DESC 'modified date'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.8100.1.2.4.1 NAME 'jetspeed-2-group' 
        DESC 'Jetspeed-2 group' 
        MUST ( j2-classname $ 
                uid)
        MAY ( j2-role $
              creation-date $ 
               modified-date) ) 
objectclass ( 1.3.6.1.4.1.8100.1.2.4.2 NAME 'jetspeed-2-permission' 
        DESC 'Jetspeed-2 permission' 
        MUST ( j2-classname $ 
                uid)
        MAY ( j2-action $
               creation-date $ 
               modified-date) ) 
objectclass ( 1.3.6.1.4.1.8100.1.2.4.3 NAME 'jetspeed-2-role' 
        DESC 'Jetspeed-2 role' 
        MUST ( j2-classname $ 
                uid) 
        MAY ( creation-date $ 
               modified-date) ) 
objectclass ( 1.3.6.1.4.1.8100.1.2.4.4 NAME 'jetspeed-2-user' 
        DESC 'Jetspeed-2 user' 
        SUP inetOrgPerson 
        MUST ( cn $ 
                uid) 
        MAY ( j2-role $
                j2-group $
                j2-permission $
                creation-date $ 
                modified-date))


Please note the following inadequacies in this schema and in my code:
1) I have arbitrarily used the 1.3.6.1.4.1.8100 name for the attributes and 
object classes. If you are going to use this schema please get "official" LDAP 
names by going through the proper LDAP channels.
2) I probably could have found existing object classes that mapped users to 
roles and groups but did not have time. 
3) As Dolf noted, I am not doing a "bind" for authentication.
4) I have hard-wired everything about the connection to LDAP.
5) I have not completely implemented authorization. I have only gotten as far 
as implementing the group-based methods.


> Implement the LDAP
> ------------------
>
>          Key: JS2-188
>          URL: http://issues.apache.org/jira/browse/JS2-188
>      Project: Jetspeed 2
>         Type: Improvement
>   Components: Security
>     Reporter: J, Edgar Zavala
>  Attachments: jetspeed-2-ldap-authentication.tar.gz
>
> Implement the LDAP integration using the SPI, provide the LDAP authentication 
> option.
> TODO:
> 1.- Complete the current implementation and complete David's work in:
>    a) org.apache.jetspeed.security.spi.impl.LdapCredentialHandler
>    b) org.apache.jetspeed.security.spi.impl.LdapUserSecurityHandler

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira
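The bind-based check that Dolf asked for, together with the group-to-role lookup over the jetspeed-2-* schema posted in the comment above, written out as an added example. This is not the code attached to this issue and not Jetspeed's LdapCredentialHandler or LdapUserSecurityHandler; it is a stand-alone JNDI program. The server URL, the people and groups base DNs, the service account, the LDAP_SERVICE_PASSWORD environment variable and the convention that group entries have the RDN uid=<group uid> under the groups base are assumptions made for the example.

```java
import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Rdn;

/** Added example: search for the user with a service account, then bind as the user. */
public class LdapBindAuthExample {

    // Assumed deployment values; a real handler would read these from configuration.
    static final String URL        = "ldaps://ldap.example.org:636/";
    static final String PEOPLE_DN  = "ou=people,dc=example,dc=org";
    static final String GROUPS_DN  = "ou=groups,dc=example,dc=org";
    static final String SERVICE_DN = "cn=jetspeed,ou=services,dc=example,dc=org";
    static final String SERVICE_PW = System.getenv("LDAP_SERVICE_PASSWORD");

    /** Opens a simple-bind connection as dn; the server, not this code, verifies the password. */
    static DirContext bind(String dn, String password) throws NamingException {
        // RFC 4513: a simple bind with an empty password is an anonymous bind and
        // usually succeeds, so it must never be allowed to pass as authentication.
        if (password == null || password.isEmpty()) {
            throw new IllegalArgumentException("empty password would be an anonymous bind");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Returns the user's DN when uid/password are valid, otherwise null. */
    static String authenticate(String uid, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            return null;                          // see the note in bind()
        }
        String userDn;
        DirContext svc = bind(SERVICE_DN, SERVICE_PW);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);   // only the DN is needed
            // {0} is filled in by JNDI with RFC 4515 escaping, so a uid such as
            // "*)(uid=*" cannot widen the filter.
            NamingEnumeration<SearchResult> hits = svc.search(PEOPLE_DN,
                    "(&(objectClass=jetspeed-2-user)(uid={0}))", new Object[] { uid }, sc);
            if (!hits.hasMore()) {
                return null;                      // no such user
            }
            userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) {
                return null;                      // ambiguous uid: refuse rather than guess
            }
        } finally {
            svc.close();
        }
        try {
            bind(userDn, password).close();       // LDAP result 49 surfaces as AuthenticationException
            return userDn;
        } catch (AuthenticationException wrongPassword) {
            return null;
        }
    }

    /** Direct j2-role values plus the j2-role values of every j2-group the user belongs to. */
    static Set<String> effectiveRoles(DirContext ctx, String userDn) throws NamingException {
        Set<String> roles = new LinkedHashSet<>();
        Attributes user = ctx.getAttributes(userDn, new String[] { "j2-role", "j2-group" });
        addAll(roles, user.get("j2-role"));
        Attribute groups = user.get("j2-group");
        if (groups != null) {
            for (NamingEnumeration<?> g = groups.getAll(); g.hasMore();) {
                // j2-group holds the group's uid; assumed group RDN is uid=<uid> under GROUPS_DN.
                String groupDn = "uid=" + Rdn.escapeValue(g.next()) + "," + GROUPS_DN;
                addAll(roles, ctx.getAttributes(groupDn, new String[] { "j2-role" }).get("j2-role"));
            }
        }
        return roles;
    }

    private static void addAll(Set<String> into, Attribute attr) throws NamingException {
        if (attr == null) return;
        for (NamingEnumeration<?> v = attr.getAll(); v.hasMore();) {
            into.add(String.valueOf(v.next()));
        }
    }

    public static void main(String[] args) throws NamingException {
        String userDn = authenticate(args[0], args[1]);
        if (userDn == null) {
            System.out.println("authentication failed");
            return;
        }
        DirContext svc = bind(SERVICE_DN, SERVICE_PW);
        try {
            System.out.println(userDn + " roles: " + effectiveRoles(svc, userDn));
        } finally {
            svc.close();
        }
    }
}
```

Run as java LdapBindAuthExample <uid> <password> with LDAP_SERVICE_PASSWORD set. Binding as the user, rather than reading the password attribute and comparing it in the portal, means the directory applies its own hashing, lockout and password policy, and the service account never needs read access to userPassword. The two checks a practitioner should not drop are the empty-password refusal (an unauthenticated simple bind is anonymous, not a failure) and the parameterised search filter; the ambiguity check matters because the schema only declares uid as MUST, not as unique.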

