[ http://issues.apache.org/jira/browse/JS2-188?page=comments#action_59586 ]

mike long commented on JS2-188:
-------------------------------
Sorry if this is a duplicate. I hit the tab and enter key by mistake before I had completed this paper.

This morning I need to wrap up the LDAP authentication and authorization. So I will attach my latest work and take a couple paragraphs to document where my implementation is incomplete. I will send a tar file of my latest version to David if I cannot attach it to this JIRA.

First of all I want to thank Dolf for his comments. The original version of the LDAP authentication code I checked in did a bind. In my zeal to refactor my code I unwisely decided to use the same technique to get the password that I used to get other fields from the LDAP objects.

I spent a couple days last week working on the LDAP authorization piece. Following is a schema I devised for authorization. Note the way I mapped the many-to-many relationships as multi-valued fields. Also note the field called "uid". This field is meant to serve as a unique identifier. Note how I have used separate LDAP classes to represent the User, Group, and Role principals instead of mapping them to a single LDAP abstraction like in the current J2 data model.

attributetype ( 1.3.6.1.4.1.8100.1.2.3.1 NAME 'j2-classname'
    DESC 'The java class name of the object.'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.8100.1.2.3.2 NAME 'j2-action'
    DESC 'An action associated with a permission. This is a multi-valued attribute.'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.8100.1.2.3.3 NAME 'j2-role'
    DESC 'The UID of an associated Role. This is a multi-valued attribute.'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.8100.1.2.3.4 NAME 'j2-group'
    DESC 'The UID of an associated Group. This is a multi-valued attribute.'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.8100.1.2.3.5 NAME 'j2-permission'
    DESC 'The UID of an associated Permission'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.8100.1.2.3.6 NAME 'creation-date'
    DESC 'create date'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.8100.1.2.3.7 NAME 'modified-date'
    DESC 'modified date'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.8100.1.2.4.1 NAME 'jetspeed-2-group'
    DESC 'Jetspeed-2 group'
    MUST ( j2-classname $ uid )
    MAY ( j2-role $ creation-date $ modified-date ) )

objectclass ( 1.3.6.1.4.1.8100.1.2.4.2 NAME 'jetspeed-2-permission'
    DESC 'Jetspeed-2 permission'
    MUST ( j2-classname $ uid )
    MAY ( j2-action $ creation-date $ modified-date ) )

objectclass ( 1.3.6.1.4.1.8100.1.2.4.3 NAME 'jetspeed-2-role'
    DESC 'Jetspeed-2 role'
    MUST ( j2-classname $ uid )
    MAY ( creation-date $ modified-date ) )

objectclass ( 1.3.6.1.4.1.8100.1.2.4.4 NAME 'jetspeed-2-user'
    DESC 'Jetspeed-2 user'
    SUP inetOrgPerson
    MUST ( cn $ uid )
    MAY ( j2-role $ j2-group $ j2-permission $ creation-date $ modified-date ) )

Please note the following inadequacies in this schema and in my code:

1) I have arbitrarily used the 1.3.6.1.4.1.8100 name for the attributes and object classes. If you are going to use this schema please get "official" LDAP names by going through the proper LDAP channels.
2) I probably could have found existing object classes that mapped users to roles and groups but did not have time.
3) As Dolf noted, I am not doing a "bind" for authentication.
4) I have hard-wired everything about the connection to LDAP, including the URL, fields, and object class names. This is inadequate. Any LDAP schema that supports the kind of relationships we need should be mappable to the code.
5) I have not completely implemented authorization.
I will document what I have and have not done.

a) I have implemented the UserSecurityHandler, CredentialHandler, GroupSecurityHandler, and SecurityMappingHandler interfaces. I have not implemented the permissions table/interfaces in LDAP.
b) I have not implemented the RoleSecurityHandler and the methods that deal with the relationships between users and roles on the SecurityMappingHandler implementation. However, the relationships and code are analogs to the user-group relationship.
c) All my unit tests run. However, not all the Jetspeed-2 unit tests run. I got hung up Friday on the meaning of full-path name for groups and roles. David will have to resolve what I should do there. I hope my intent is clear enough.
d) The authentication tests that have to do with password expiration and the reuse of passwords fail because I never implemented this feature in my LDAP authentication code.
e) I implemented a goofy workaround to a problem I had where I could not store names containing slashes in an LDAP object class. I substituted an ampersand. This is wrong and needs to be changed to use an LDAP composite name or some other "official" technique. I simply ran out of time.
f) My code that gets the password field needs to do proper unicode conversion. Perhaps that won't matter once authentication does an LDAP bind instead of a simple lookup.
g) My implementation uses OpenLDAP.
h) My code that does LDAP queries is pretty mature.
i) I have not had time to fully understand the relationship of the authorization data model and interfaces to the preferences data model. I have made no attempt to implement that functionality in this work. My hope was that the current RDBMS Preferences implementation will work with LDAP authorization/authentication.
j) I have not had time to fully understand the relationship of the authorization data model and interfaces for single sign on. I have made no attempt to implement that functionality in this work. My hope was that the current RDBMS SSO implementation will work with LDAP authorization/authentication.

In general this experience has been really fun for me. I hope you will forgive my mistakes. I was new to LDAP, Jetspeed-2, JAAS, and Spring until 6 weeks ago. I will be happy to participate in this work as it matures.

Gratefully,
Mike

> Implement the LDAP
> ------------------
>
> Key: JS2-188
> URL: http://issues.apache.org/jira/browse/JS2-188
> Project: Jetspeed 2
> Type: Improvement
> Components: Security
> Reporter: J, Edgar Zavala
> Attachments: jetspeed-2-ldap-authentication.tar.gz
>
> Implement the LDAP integration using the SPI, provide the LDAP authentication
> option.
> TODO:
> 1.- Complete the current implementation and complete the David work in:
> a) org.apache.jetspeed.security.spi.impl.LdapCredentialHandler
> b) org.apache.jetspeed.security.spi.impl.LdapUserSecurityHandler
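Item 3 in the comment above (and Dolf's objection) concerns verifying a password by binding to the directory as the user rather than reading the password attribute back and comparing it. The following is an added illustration of that approach with JNDI; it is not code from the attached tarball or from Jetspeed-2. The class name LdapBindAuthenticator, the URL, the service account DN and password, and the user base DN are assumed placeholders; the jetspeed-2-user object class and the uid attribute are taken from the schema in the comment.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapBindAuthenticator {
    // Assumed connection details; in real code these belong in configuration.
    private static final String URL = "ldap://localhost:389";
    private static final String SERVICE_DN = "cn=jetspeed,dc=example,dc=com";
    private static final String SERVICE_PASSWORD = "change-me";
    private static final String USER_BASE = "ou=users,dc=example,dc=com";

    // Opens a connection with a simple bind; the bind is what verifies the credentials.
    private static DirContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    // Finds the user's entry with the service account and returns its DN, or null if absent.
    private static String findUserDn(String uid) throws NamingException {
        DirContext ctx = connect(SERVICE_DN, SERVICE_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // {0} is substituted by JNDI with filter escaping, so filter
            // metacharacters in the uid cannot change the query's meaning.
            NamingEnumeration<SearchResult> r = ctx.search(USER_BASE,
                    "(&(objectClass=jetspeed-2-user)(uid={0}))", new Object[] { uid }, sc);
            return r.hasMore() ? r.next().getNameInNamespace() : null;
        } finally {
            ctx.close();
        }
    }

    // True only if the directory itself accepts the password for this user.
    public static boolean authenticate(String uid, String password) throws NamingException {
        // An empty password makes a simple bind an unauthenticated bind (RFC 4513,
        // section 5.1.2), which servers may accept, so refuse it before contacting the server.
        if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) return false;
        String userDn = findUserDn(uid);
        if (userDn == null) return false; // unknown user gets the same answer as a wrong password
        try {
            connect(userDn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```

Because the directory performs the comparison, the user's password is never read out of the entry, which also removes the unicode conversion problem noted in item f.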