Hi Martin,
Some additional notes.
> OK, understood. So when I use my external authentication I have to enforce authorization myself, e.g. configure my external authentication program to check if the successfully logged in user is allowed to perform the required action. Then I could deactivate the OpenCA ACL mechanism, right?
Correct.
> Originally I was thinking the external program could return one (or more) role the logged in user belongs to. This information could then be used to determine the rights the user is granted during his session. But this is obviously not how it was intended.
This is wrong :) If you set {ident}->{name} and {ident}->{role} (or only name if map_role is off) then you can use OpenCA's ACL. No problem at all.
> I thought it would be possible to have the external authentication program print out the user role on STDOUT after successful authentication and use this as the user role, but this is too late.
Why is this too late? This is exactly the right moment. First the function login is called. The external program is invoked, which returns the role if the login is OK. This role is set for $self->{ident}->{role}. After the authentication the ACL will be evaluated and there a function getRole will be called. This function reads its information from $self->{ident}->{role}.
> Because I noticed that getRole was performed in the constructor, when this data was not yet known to the module. In my use case the role would only be known after the actual authentication.
getRole is called in checkACL but checkACL is called in checkAccess after checkIdent and checkIdent performs the login. So if there is a role set during authentication then it is definitely available if checkACL is called. BTW role and name are cached in the session. So if you set the role then it is always available.
Michael

--
-------------------------------------------------------------------
Michael Bell                    Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice  Tel.: +49 (0)30-2093 2482
(Computing Centre)              Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                    Email (private): [EMAIL PROTECTED]
Germany                         http://www.openca.org
_______________________________________________
OpenCA-Devel mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
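The call order Michael describes (checkAccess runs checkIdent, whose login invokes the external program and stores the returned role in $self->{ident}->{role}; only afterwards does checkACL call getRole) is easier to see as a small runnable model. The following Perl sketch is an added illustration written for this page; it is not OpenCA's own code, and the Session package, the run_external_auth helper, the user table, the role whitelist and the ACL table are all constructed here. The method names mirror the ones in the mail, but the bodies are mock-ups. The "external program" is simulated by forking a child that exits non-zero on bad credentials and prints the role on STDOUT on success, which is the behaviour Martin asked about. One practitioner's caveat is built in: the parent only accepts a role that is on a known list, so a buggy or compromised helper cannot mint arbitrary roles.

```perl
#!/usr/bin/perl
# Hypothetical model of the flow discussed in the thread:
#   checkAccess -> checkIdent (login, runs external program) -> checkACL -> getRole
# Added illustration, NOT OpenCA's own code; all names and data are made up.
use strict;
use warnings;

# Constructed sample user database and role whitelist (not real data).
my %USERS = (
    alice => { password => 's3cret',  role => 'CA Operator' },
    bob   => { password => 'hunter2', role => 'RA Operator' },
);
my %VALID_ROLES = map { $_ => 1 } ('CA Operator', 'RA Operator');

# Stand-in for the external authentication program.  OpenCA would exec a
# configured binary; here a forked child behaves like one: it exits non-zero
# on bad credentials and prints the role on STDOUT on success.
sub run_external_auth {
    my ($user, $pass) = @_;
    my $pid = open(my $out, '-|');            # fork; child's STDOUT -> $out
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                          # child: "the external program"
        my $u = defined $user ? $USERS{$user} : undef;
        exit 1 unless $u && defined $pass && $u->{password} eq $pass;
        print $u->{role}, "\n";
        exit 0;
    }
    my $line = <$out>;                        # parent: read the role line
    close $out;                               # waits for the child, sets $?
    my $status = $? >> 8;
    return (0, undef) if $status != 0;        # authentication failed
    return (0, undef) unless defined $line;
    chomp $line;
    # Fail closed on anything that is not a known role.
    return (0, undef) unless $VALID_ROLES{$line};
    return (1, $line);
}

package Session;

sub new {
    my ($class, %args) = @_;
    return bless { ident => {}, acl => $args{acl} }, $class;
}

# login: invoke the external program; on success store name and role in
# $self->{ident}, which is where getRole reads from later.
sub login {
    my ($self, $user, $pass) = @_;
    my ($ok, $role) = main::run_external_auth($user, $pass);
    return 0 unless $ok;
    $self->{ident}->{name} = $user;
    $self->{ident}->{role} = $role;
    return 1;
}

# checkIdent: name and role are cached in the session, so log in only once.
sub checkIdent {
    my ($self, $user, $pass) = @_;
    return 1 if defined $self->{ident}->{name};
    return $self->login($user, $pass);
}

sub getRole { my ($self) = @_; return $self->{ident}->{role}; }

# checkACL: evaluated only after checkIdent, so the role set by login exists.
sub checkACL {
    my ($self, $operation) = @_;
    my $role    = $self->getRole();
    my $allowed = $self->{acl}->{$operation};
    return 0 unless defined $role && $allowed;
    my $hit = grep { $_ eq $role } @$allowed;
    return $hit ? 1 : 0;
}

sub checkAccess {
    my ($self, $operation, $user, $pass) = @_;
    return 0 unless $self->checkIdent($user, $pass);   # authentication first
    return $self->checkACL($operation);                # then authorization
}

package main;

# Constructed ACL: operation => roles allowed to perform it.
my %ACL = (
    issue_certificate => ['CA Operator'],
    approve_request   => ['RA Operator', 'CA Operator'],
);

for my $try (['alice', 's3cret',  'issue_certificate'],   # allowed
             ['bob',   'hunter2', 'issue_certificate'],   # denied: wrong role
             ['bob',   'wrong',   'approve_request']) {   # denied: login fails
    my ($user, $pass, $op) = @$try;
    my $session = Session->new(acl => \%ACL);
    printf "%-5s %-17s -> %s\n", $user, $op,
        $session->checkAccess($op, $user, $pass) ? 'allowed' : 'denied';
}
```

Run it with `perl` on any Unix-like system (the `open(..., '-|')` fork form needs a real fork). Because checkIdent returns early once ident->{name} is set, a second checkAccess on the same Session object reuses the cached name and role without re-running the external program, which is the caching Michael mentions; if the external program were to print a role that is not in the whitelist, the login fails rather than granting an unknown role.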