On 09/26/2011 05:29 PM, jerome.dup...@bnf.fr wrote:
I'm still working on ldap, not far from the end :-)
I am currently mapping our ldap definition with jetspeed. Indeed, we have
our proper ldap schema that I have to use.
It works fine, but I have a question about ldap beans mechanisms.
For instance, we don't use uid.
Our id is BnfIdentifiant, we use also cn attribute (not mandatory)
First I've changed override.properties file to construct the appropriate
filter to retrieve ldap user (search on attribute BnFIdentifier).
That's a classic stuff.
After that, I couldn't login so I've changed security-ldap.xml file. In
particular, I've changed
_ relationships between role and users, groups and users... (We don't use
member, but bnfmember, don't ask me why :-)
_ UserDaoConfiguration: It contains a list of attributes mapping on ldap
(cn, sn uid...)
I've changed to BnFIdentifiant, and login works !!! (Yes !!!!)
But is that not dangerous, will jetspeed still work? Is there an
unexpected side effect?
I think your changes are fine, at least I see no issues from the information you
gave. Just note: I think you copy/pasted the attribute definition for
"BnFIdentifiant" twice in your modified configuration.
Specifying a different ldapIdAttribute is fine (it's why it's configurable in the
first place). It means that attribute (BnFIdentifier) will be used to uniquely
"identify" your "entity" and thus used for user lookup (login) and searching etc.
It also means that if you allow creation of new LDAP users through Jetspeed, it
will be this attribute name which will be added to the ldap.user.searchBase to
create the new dn for a new LDAP user (see: SpringLDAPEntityDAO#internalAdd).
As value for the ldapIdAttribute, the new user's (Jetspeed) user name
will be used. Furthermore, every other attribute marked as idAttribute (true)
will also be filled with the same value.
And if you allow updating LDAP users through Jetspeed, all attributes marked as
idAttribute (true) are considered unmodifiable so will not be taken into account
for any update (see: SpringLDAPEntityDAO#update).
HTH, Ate
Original one definition of UserDaoConfiguration
<property name="ldapIdAttribute" value="uid" />
<property name="objectClasses"
value="inetOrgPerson,organizationalPerson,person,top"/>
<property name="attributeDefinitions">
<set>
<bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
<constructor-arg index="0" value="uid" />
<constructor-arg index="1" value="false" />
<constructor-arg index="2" value="false" />
<property name="required" value="true"/>
<property name="idAttribute" value="true"/>
</bean>
<bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
<constructor-arg index="0" value="cn" />
<constructor-arg index="1" value="false" />
<constructor-arg index="2" value="false" />
<property name="required" value="true"/>
<property name="idAttribute" value="true"/>
</bean>
...
Modified one:
<property name="ldapIdAttribute" value="BnFIdentifiant" />
<property name="objectClasses"
value="inetOrgPerson,organizationalPerson,person,top"/>
<property name="attributeDefinitions">
<set>
<bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
<constructor-arg index="0" value="BnFIdentifiant" />
<constructor-arg index="1" value="false" />
<constructor-arg index="2" value="false" />
<property name="required" value="true"/>
<property name="idAttribute" value="true"/>
</bean>
<bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
<constructor-arg index="0" value="cn" />
<constructor-arg index="1" value="false" />
<constructor-arg index="2" value="false" />
<property name="required" value="true"/>
<property name="idAttribute" value="true"/>
</bean>
<bean
class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
<constructor-arg index="0" value="BnFIdentifiant" />
<constructor-arg index="1" value="false" />
<constructor-arg index="2" value="false" />
<property name="required" value="true"/>
<property name="idAttribute" value="true"/>
</bean>
...
Best regards,
-----------------------------------------------
Jérôme Dupont
Bibliothèque Nationale de France
Département des Systèmes d'Information
Tour T3 - Quai François Mauriac
75706 Paris Cedex 13
telephone: 33 (0)1 53 79 45 40
e-mail: jerome.dup...@bnf.fr
-----------------------------------------------
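The following is an added example, not code from Jetspeed or from either poster. It parses the "Modified one" UserDaoConfiguration fragment above with the standard library, flags the duplicated "BnFIdentifiant" definition Ate points out, and models the two rules he describes for SpringLDAPEntityDAO: on add, the new DN is ldapIdAttribute=<user name> under the search base and every idAttribute(true) attribute receives the user name; on update, idAttribute(true) attributes are dropped from the change set. The extra "sn" definition, the search base "ou=people,dc=example,dc=org" and the RDN escaping are constructed assumptions for the example; the real DAO's escaping is not shown in the thread.

```python
"""Constructed example (not Jetspeed's code): lint a UserDaoConfiguration
fragment and model the idAttribute add/update rules described in the thread."""
import xml.etree.ElementTree as ET
from collections import Counter

# One AttributeDefImpl bean, in the shape used in security-ldap.xml.
BEAN = """<bean class="org.apache.jetspeed.security.mapping.model.impl.AttributeDefImpl">
<constructor-arg index="0" value="{name}"/><constructor-arg index="1" value="false"/>
<constructor-arg index="2" value="false"/>
<property name="required" value="true"/><property name="idAttribute" value="{id}"/>
</bean>"""

# Constructed sample: the poster's modified list (BnFIdentifiant twice, cn) plus an
# assumed non-id "sn" attribute, wrapped in a root element so it parses on its own.
SAMPLE_XML = (
    '<config><property name="ldapIdAttribute" value="BnFIdentifiant"/>'
    '<property name="attributeDefinitions"><set>'
    + "".join(BEAN.format(name=n, id=i) for n, i in
              [("BnFIdentifiant", "true"), ("cn", "true"),
               ("BnFIdentifiant", "true"), ("sn", "false")])
    + "</set></property></config>"
)


def parse_config(xml_text):
    """Return (ldapIdAttribute, [(attribute name, is idAttribute), ...])."""
    root = ET.fromstring(xml_text)
    id_attr = root.find("./property[@name='ldapIdAttribute']").get("value")
    defs = []
    for bean in root.findall("./property[@name='attributeDefinitions']/set/bean"):
        name = bean.find("./constructor-arg[@index='0']").get("value")
        flag = bean.find("./property[@name='idAttribute']")
        defs.append((name, flag is not None and flag.get("value") == "true"))
    return id_attr, defs


def duplicate_attribute_names(defs):
    """Attribute names defined more than once (the copy/paste slip Ate noticed)."""
    counts = Counter(name for name, _ in defs)
    return sorted(name for name, n in counts.items() if n > 1)


def escape_rdn_value(value):
    """RFC 4514 escaping for a value placed in an RDN (assumption: the example's
    own defensive step, since the user name comes from Jetspeed, not from LDAP)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def new_user_dn(id_attr, username, search_base):
    """Model of internalAdd: ldapIdAttribute=<user name> prepended to ldap.user.searchBase."""
    return f"{id_attr}={escape_rdn_value(username)},{search_base}"


def attributes_for_add(defs, username, other_values):
    """Values written on create: every idAttribute(true) gets the Jetspeed user
    name; other defined attributes are taken from other_values when present."""
    entry = {}
    for name, is_id in defs:
        if is_id:
            entry[name] = username
        elif name in other_values:
            entry[name] = other_values[name]
    return entry


def attributes_for_update(defs, changes):
    """Model of update: idAttribute(true) attributes are unmodifiable and are dropped."""
    id_names = {name for name, is_id in defs if is_id}
    return {k: v for k, v in changes.items() if k not in id_names}


if __name__ == "__main__":
    id_attr, defs = parse_config(SAMPLE_XML)
    print("duplicates:", duplicate_attribute_names(defs))
    print("new dn:", new_user_dn(id_attr, "jdupont", "ou=people,dc=example,dc=org"))
    print("add:", attributes_for_add(defs, "jdupont", {"sn": "Dupont"}))
    print("update:", attributes_for_update(defs, {"cn": "renamed", "sn": "Dupont"}))
```

Running it on the sample reports the duplicated "BnFIdentifiant" definition, shows that both BnFIdentifiant and cn are set to the Jetspeed user name on create, and that an attempted change to cn is silently dropped on update, which is the side effect to keep in mind when marking cn as an idAttribute.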
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-user-h...@portals.apache.org