+1 for getting this into 3.0

Elias sent me a patch containing the small amount of code necessary to
optionally add support for SSO via LDAP -- a much requested feature. I
think it's safe to add this to the Roller 3.0 code base because:

- It's optional and affects the new user creation process
- It's a small change to UserFormEx and two new classes

There is a small change in UserFormEx that is only invoked if SSO is
enabled. If SSO is enabled and SSO data is present, then UserFormEx
self-populates based on that SSO data. There are also two new classes
that depend on Acegi.

1. CustomUserRegistry - Extends Acegi JdbcDaoImpl and implements
   LdapAuthoritiesPopulator - Populates UserData object with data from LDAP

2. RollerAuthoritiesPopulator

The only piece that's missing is docs. With this new code, what needs to
change in the existing LDAP FAQ?

- Dave

On 8/27/06, Matt Raible <[EMAIL PROTECTED]> wrote:
> +1 for anything that makes integrating with LDAP easier for companies.
>
> Matt
>
> On 8/27/06, Elias Torres <[EMAIL PROTECTED]> wrote:
> > Hi folks,
> >
> > I'm revisiting the need for LDAP support in Roller and after some
> > investigation on Acegi Security it seems like I could work something in
> > Roller that would benefit not just IBM but other Roller installations
> > such as Yale and N.C. State. Dave pointed me to RollerAndSSO [1] in the
> > wiki and it seems like it covers the most common cases of authentication
> > in Roller. I've started reading Acegi Security documentation and was able
> > to successfully configure Roller 3.0 against our Enterprise Directory;
> > however, there are some remaining issues that I want to share with you
> > for suggestions on how I should proceed.
> >
> > I've configured security.xml to use LDAPAuthProvider. This provider
> > fetches user information and authorities (roles) information. The issue
> > is that our roles "editor" and "admin" are not stored in our secondary
> > LDAP directory (for Groups only). The LDAPProvider does (thankfully)
> > split the provider functions of checking user credentials and fetching
> > role information. Therefore I can write my own AuthoritiesPopulator that
> > accesses the rest of the information from the RollerDB. Now, writing the
> > AuthoritiesPopulator is not exactly trivial, mostly because of the simple
> > design of the provider code in Acegi Security. I would have to copy most
> > of the code from the DAO provider to make use of the same declarative
> > features in the security.xml file, but it's not a big deal.
> >
> > My suggestion then is for me to write some sort of
> > [Roller]CompositeProvider that allows basically a pick-your-own combo of
> > features for providing user information. Something like pick either or
> > both LDAP and DAO for either or both credentials and roles. It would
> > duplicate some code from two Acegi Security classes because the code is
> > not properly abstracted, but it will not require changes to Acegi
> > Security and it would always be an optional provider for Roller
> > installations; the default could be what we have in security.xml today.
> >
> > Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In our
> > IBM internal environment, we have enabled registration, but we don't
> > store password information in Roller. In essence what I suggested to
> > Dave is to password-protect the registration page and when loaded
> > auto-populate the username, name and email address fields (actually make
> > them read-only) and let any authenticated user register in Roller.
> > However, there's a NullPointerException in
> > RollerSession.getRollerSession() because there's an authenticated user
> > but there's no user in the RollerDB. I was hoping I could inject some
> > code there that would use the generic UserDetailsService in Acegi
> > Security (based on a configurable option) to either auto-insert a record
> > and tweak the registration update to deal with an existing user and just
> > update, or to populate the session with a transient user object that
> > could be used in the registration page.
> >
> > I hope you can make sense of the long-winded message and let me know if
> > I can proceed to add this code (together with whatever
> > tweaks/suggestions you may have) to the 3.0 branch.
> >
> > -Elias
> >
> > [1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
> > [2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
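As an added illustration of the split Elias describes (LDAP checks the credentials, the Roller DB supplies the "editor"/"admin" roles), here is an authorities populator written for this page; it is not Elias's patch or Roller's own code. It assumes the Acegi 1.0 LdapAuthoritiesPopulator interface (GrantedAuthority[] getGrantedAuthorities(LdapUserDetails)) and a hypothetical userrole(username, rolename) table, and it deliberately returns an empty authority list, rather than failing with a NullPointerException, for an LDAP-authenticated user who has no Roller record yet.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;

/**
 * Supplies Roller roles from the Roller DB for a user whose password has
 * already been verified against LDAP. Example only: the Acegi 1.0 interface
 * and the userrole(username, rolename) table are assumptions.
 */
public class DbRoleAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Hypothetical table and column names; adjust to the real Roller schema.
    private static final String ROLE_QUERY =
        "SELECT rolename FROM userrole WHERE username = ?";

    private final DataSource dataSource;

    public DbRoleAuthoritiesPopulator(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails user) {
        List roles = new ArrayList();
        Connection con = null;
        try {
            con = dataSource.getConnection();
            // Bound parameter: the directory-supplied username is never
            // concatenated into the SQL text.
            PreparedStatement ps = con.prepareStatement(ROLE_QUERY);
            ps.setString(1, user.getUsername());
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                roles.add(new GrantedAuthorityImpl(rs.getString(1)));
            }
            rs.close();
            ps.close();
        } catch (SQLException e) {
            // Fail closed and visibly: a broken role lookup must not log
            // the user in with a silently guessed role set.
            throw new IllegalStateException("Role lookup failed: " + e.getMessage());
        } finally {
            if (con != null) { try { con.close(); } catch (SQLException ignore) {} }
        }
        // No Roller record yet: authenticated, but authorised for nothing.
        return (GrantedAuthority[]) roles.toArray(new GrantedAuthority[roles.size()]);
    }
}
```

Wired in as the populator of the LDAP provider in security.xml, this gives exactly the credentials-from-LDAP, roles-from-DB combination the message asks for, and the empty-array case is the hook where an auto-insert or transient-user step for registration would go.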
