Sorry-- I fat-fingered the send button!
Anyhow, with the LdapUserDatabase you won't need to provision or
deprovision because everything will be in LDAP. We will keep some data
locally (user prefs) but that's it.
At this point, if you still have concerns I'd recommend yo
On Oct 25, 2009, at 7:04, Andrew Jaquith <[email protected]> wrote:
I should not have used the magic word "provision" in my last post.
The important concept is that when the LdapUserDatabase is used,
LDAP *is* the user database
On Oct 25, 2009, at 6:38, Jim Willeke <[email protected]> wrote:
But what about de-provisioning users?
The issue with putting users in yet another database in the enterprise world
central provisioning, de-provisioning and RBAC are the strategic directions
with no desire to manage users in remote stores.
And why would someone want to put information into the WIKI when it has
already been added to the user in LDAP via the enterprise portal?
I will agree the local "groups" concept is necessary, but it should be an
augmentation to container managed security that most enterprises would
utilize.
So users in the role (perhaps by department) "Sales" would always be able to
view any pages with "Sales":
Then the local "groups" would be done to perform "teaming" arrangements as
would be done in a project that would cross departmental lines.
-jim
Jim Willeke
On Sat, Oct 24, 2009 at 11:12 AM, Andrew Jaquith <[email protected]> wrote:
JSPWiki 3.0 trunk already has an LdapUserDatabase and LdapAuthorizer,
which means that it can obtain user profiles on a read-only basis from
LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
users will be "provisioned" in JSPWiki automatically. This should
solve the user-experience problem you described.
The upcoming 3.0 LDAP features have been developed and tested with
Active Directory and OpenLDAP. It is configured via the GUI at
install-time.
With respect to permissions and group memberships: these are good
suggestions. We still have some work to do for the GUI for ACLs for
3.0. I agree that we should be validating user names when users create
the ACLs. Same for adding users to groups. These suggestions will be
incorporated into how the ACL GUIs work -- likely via AJAX in
real-time.
Andrew
On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt <[email protected]> wrote:
The group and permission system in the jspwiki is rather dynamic, and ldaps
tends to be readonly except for a group of administrators. Therefore there
is still need for the user.xml and group.xml. But in my opinion the user.xml
needs to be automatically updated when a new ldap user is logged in.
Otherwise granting and managing jspwiki permissions is a nightmare, this is also
enhanced since there is no check on if a user exists - when adding users to
wiki group or setting a page permission.
I think the following should be changed.
- First time a new user is logged in - the user should be added to the
user.xml and redirected to the profile page for setting additional information
(email, full name and section edition etc)
- Adding page permission should look up if the group or the user exists.
- Adding users to a wiki group should only be possible for existing users.
/Thomas
On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
Why allow people to eliminate the user.xml?
Why not allow the use of LDAP for the user profile?
Allow mapping the LDAP attributes to the profile values?
Enterprises have no desire to maintain another separate user store of
information. Many already have a central LDAP store.
-jim
Jim Willeke
On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <[email protected]> wrote:
I would suggest a change, if an ldap user is logging in the first time, the
Wiki should create the user in the user.xml - it gives a lot of problems when
adding an ldap user to a wiki group, since it is possible that the user isn't
created.
On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
If a user creates a user profile after logging into the container, he or
she will have an opportunity to specify a "full name." If a full name is
supplied, it will be used in page histories etc from that point forward.
Andrew
On Oct 22, 2009, at 16:34, Harald Krammer <[email protected]> wrote:
Hello,
I run JSPWiki with Web Container Authentication via LDAP and it runs
fine (JSPWiki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
Only the visualization of real user name is still missing. I get only
the login name (short name) instead of the full name in the change
history and so on. Is it a default behaviour or misconfiguration?
Nice greetings,
Harald
--
Harald Krammer
Brucknerstrasse 33
A - 4020 Linz
AUSTRIA
Mobil +43.(0) 664. 130 59 58
Mail: Harald.Krammer (at) hkr.at