Hi folks, I'm revisiting the need for LDAP support in Roller and after some investigation on Acegi Security it seems like I could work something in Roller that would benefit not just IBM but other Roller installations such as Yale and N.C. State. Dave pointed me to RollerAndSSO [1] in the wiki and it seems like it covers the most common cases of authentication in Roller. I've started reading Acegi Security documentation and was able to successfully configure Roller 3.0 against our Enterprise Directory; however, there are some remaining issues that I want to share with you for suggestions on how I should proceed.
I've configured security.xml to use LDAPAuthProvider. This provider fetches user information and authorities (roles) information. The issue is that our roles "editor" and "admin" are not stored in our secondary LDAP directory (for Groups only). The LDAPProvider does (thankfully) split the provider functions of checking user credentials and fetching role information. Therefore I can write my own AuthoritiesPopulator that accesses the rest of the information from the RollerDB. Now, writing the AuthoritiesPopulator is not exactly trivial, mostly because of the simple design of the provider code in Acegi Security. I would have to copy most of the code from the DAO provider to make use of the same declarative features in the security.xml file, but it's not a big deal.

My suggestion then is for me to write some sort of [Roller]CompositeProvider that allows basically a pick-your-own combo of features for providing user information. Something like pick either or both LDAP and DAO for either or both credentials and roles. It would duplicate some code from two Acegi Security classes because the code is not properly abstracted, but it will not require changes to Acegi Security and it would always be an optional provider for Roller installations; the default could be what we have in security.xml today.

Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In our IBM internal environment, we have enabled registration, but we don't store password information in Roller. In essence what I suggested to Dave is to password-protect the registration page and when loaded auto-populate the username, name and email address fields (actually make them read-only) and let any authenticated user register in Roller. However, there's a NullPointerException in RollerSession.getRollerSession() because there's an authenticated user but there's no user in the RollerDB.
I was hoping I can inject some code there that would use the generic UserDetailsService in Acegi Security (based on a configurable option) to either auto-insert a record and tweak the registration update to deal with an existing user and just update, or to populate the session with a transient user object that could be used in the registration page. I hope you can make sense of the long-winded message and let me know if I can proceed to add this code (together with whatever tweaks/suggestions you may have) to the 3.0 branch.

-Elias

[1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
[2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
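One way to get the "LDAP for credentials, Roller DB for roles" split described above without copying the DAO provider: an Acegi `LdapAuthoritiesPopulator` that delegates role lookup to the `UserDetailsService` (the `JdbcDaoImpl` bean Roller's security.xml already defines) and lets an LDAP-authenticated but unregistered user through with no roles so the registration page can handle them instead of the session code hitting a null user. This is an added example, not code from the message, from Roller or from Acegi; the class, package and property names are assumptions, and the interface signature is the Acegi 1.0 one.

```java
// Hypothetical package and class name; not part of Roller.
package org.apache.roller.ui.core.security;

import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;

/**
 * LDAP checks the password (LdapAuthenticator); this populator supplies the
 * "editor"/"admin" authorities from the Roller DB via a UserDetailsService.
 * Wire it in security.xml as the second constructor argument of
 * LdapAuthenticationProvider, with rollerUserDetailsService pointing at the
 * existing JdbcDaoImpl bean (bean ids assumed, adjust to your file).
 */
public class RollerDbAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private UserDetailsService rollerUserDetailsService;
    // When true, a user who exists in LDAP but not yet in the Roller DB is
    // authenticated with an empty authority list instead of being rejected;
    // the registration page can then detect "authenticated, no roles" and
    // create the DB record. When false, unregistered users are refused.
    private boolean allowUnregisteredUsers = false;

    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails ldapUser) {
        String username = ldapUser.getUsername();
        try {
            UserDetails dbUser = rollerUserDetailsService.loadUserByUsername(username);
            // Roles come from the Roller DB only; LDAP group membership is ignored.
            return dbUser.getAuthorities();
        } catch (UsernameNotFoundException notRegistered) {
            if (allowUnregisteredUsers) {
                return new GrantedAuthority[0];
            }
            throw notRegistered; // surfaces as a failed login, not an NPE later
        }
    }

    public void setRollerUserDetailsService(UserDetailsService service) {
        this.rollerUserDetailsService = service;
    }

    public void setAllowUnregisteredUsers(boolean allow) {
        this.allowUnregisteredUsers = allow;
    }
}
```

Because the empty-authority case still produces an authenticated principal, any code that calls `getRollerSession()` must check for a missing DB user before dereferencing it, which is the same place the NullPointerException above is raised.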
