Matt +1
Dave +1

I was wondering if anybody else had any objections to this feature before I start working on the branch.

-Elias

Dave Johnson wrote:
> +1 for getting this into 3.0
>
> Elias sent me a patch containing the small amount of code necessary to optionally add support for SSO via LDAP -- a much requested feature. I think it's safe to add this to the Roller 3.0 code base because
>
> - It's optional and affects the new user creation process
> - It's a small change to UserFormEx and two new classes
>
> There is a small change in UserFormEx that is only invoked if SSO is enabled. If SSO is enabled and SSO data is present, then UserFormEx self-populates based on that SSO data.
>
> There are also two new classes that depend on Acegi.
>
> 1. CustomUserRegistry
>    - Extends Acegi JdbcDaoImpl and implements LdapAuthoritiesPopulator
>    - Populates UserData object with data from LDAP
>
> 2. RollerAuthoritiesPopulator
>
> The only piece that's missing is docs. With this new code, what needs to change in the existing LDAP FAQ?
>
> - Dave
>
> On 8/27/06, Matt Raible <[EMAIL PROTECTED]> wrote:
>> +1 for anything that makes integrating with LDAP easier for companies.
>>
>> Matt
>>
>> On 8/27/06, Elias Torres <[EMAIL PROTECTED]> wrote:
>> > Hi folks,
>> >
>> > I'm revisiting the need for LDAP support in Roller and after some investigation on Acegi Security it seems like I could work something in Roller that would benefit not just IBM but other Roller installations such as Yale and N.C. State. Dave pointed me to RollerAndSSO [1] in the wiki and it seems like it covers the most common cases of authentication in Roller. I've started reading Acegi Security documentation and was able to successfully configure Roller 3.0 against our Enterprise Directory; however, there are some remaining issues that I want to share with you for suggestions on how I should proceed.
>> >
>> > I've configured security.xml to use LDAPAuthProvider. This provider fetches user information and authorities (roles) information. The issue is that our roles "editor" and "admin" are not stored in our secondary LDAP directory (for Groups only). The LDAPProvider does (thankfully) split the provider functions of checking user credentials and fetching role information. Therefore I can write my own AuthoritiesPopulator that accesses the rest of the information from the RollerDB. Now, writing the AuthoritiesPopulator is not exactly trivial, mostly because of the simple design of the provider code in Acegi Security. I would have to copy most of the code from the DAO provider to make use of the same declarative features in the security.xml file, but it's not a big deal.
>> >
>> > My suggestion then is for me to write some sort of [Roller]CompositeProvider that allows basically a pick-your-own combo of features for providing user information. Something like pick either or both LDAP and DAO for either or both credentials and roles. It would duplicate some code from two Acegi Security classes because the code is not properly abstracted, but it will not require changes to Acegi Security and it would always be an optional provider for Roller installations; the default could be what we have in security.xml today.
>> >
>> > Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In our IBM internal environment, we have enabled registration, but we don't store password information in Roller. In essence what I suggested to Dave is to password-protect the registration page and when loaded auto-populate the username, name and email address fields (actually make them read-only) and let any authenticated user register in Roller. However, there's a NullPointerException in RollerSession.getRollerSession() because there's an authenticated user but there's no user in the RollerDB. I was hoping I can inject some code there that would use the generic UserDetailsService in Acegi Security (based on a configurable option) to either auto-insert a record and tweak the registration update to deal with an existing user and just update, or to populate the session with a transient user-object that could be used in the registration page.
>> >
>> > I hope you can make sense of the long-winded message and let me know if I can proceed to add this code (together with whatever tweaks/suggestions you may have) to the 3.0 branch.
>> >
>> > -Elias
>> >
>> > [1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
>> > [2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
>> >
>> >
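As an added illustration of the split Elias describes (the LDAP provider verifies the password, the Roller DB supplies the "editor"/"admin" roles), here is a hypothetical AuthoritiesPopulator written for this thread; it is not code from the patch, from Roller, or from Acegi. It assumes the Acegi 1.0.x LdapAuthoritiesPopulator interface and a Roller table named userrole with username and rolename columns.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.LdapDataAccessException;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;

/* Hypothetical populator: the LDAP provider has already checked the password;
 * this class only answers "which Roller roles does this user have?".
 * Table and column names (userrole, username, rolename) are assumptions. */
public class RollerDbAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    private static final String ROLE_SQL =
        "SELECT rolename FROM userrole WHERE username = ?";
    private final DataSource dataSource;
    public RollerDbAuthoritiesPopulator(DataSource dataSource) {
        this.dataSource = dataSource;
    }
    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails user)
            throws LdapDataAccessException {
        List authorities = new ArrayList();
        Connection conn = null;
        try {
            conn = dataSource.getConnection();
            // Parameterised query: the LDAP-supplied username is never concatenated into SQL.
            PreparedStatement ps = conn.prepareStatement(ROLE_SQL);
            ps.setString(1, user.getUsername());
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                authorities.add(new GrantedAuthorityImpl(rs.getString("rolename")));
            }
            rs.close();
            ps.close();
        } catch (SQLException e) {
            throw new LdapDataAccessException("Cannot load Roller roles", e);
        } finally {
            if (conn != null) { try { conn.close(); } catch (SQLException ignored) {} }
        }
        // Valid LDAP login but no RollerDB record (the registration case in the thread):
        // grant no roles rather than fail, so the user has no editor/admin rights until registered.
        return (GrantedAuthority[]) authorities.toArray(new GrantedAuthority[0]);
    }
}
```

Wiring it in means pointing the LDAP provider's authoritiesPopulator property at this bean in security.xml instead of at the LDAP group lookup; the credential check itself is untouched.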
