Hi,
I'm Trying to apply JNDIRealm to the LDAP structure, where each user
belong to some group (organizationalUnit):
dn: ou=Group1, o=myorg
objectclass: organizationalUnit
ou: Group1
dn: uid=user1, ou=Group1, o=myorg
objectclass: person
uid: user1
dn: ou=Group2, o=myorg
objectclass: organizationalUnit
ou: Group2
dn: uid=user2, ou=Group2, o=myorg
objectclass: person
uid: user2
Also there are roles, and each of them can be assigned to some groups:
dn: cn=readIt, o=myorg
objectclass: organizationalRole
cn: readIt
roleOccupant: ou=Group1, o=myorg
roleOccupant: ou=Group2, o=myorg
dn: cn=changeIt, o=myorg
objectclass: organizationalRole
cn: changeIt
roleOccupant: ou=Group2, o=myorg
So technically, to find roles for a user, we need three steps:
- Search for (uid=username);
- Get the group DN by stripping the last component
groupDN = userDN.getPrefix(userDN.size() - 1);
- search for roles (roleOccupant={groupDN});
Current implementation of JNDI assumes that roles should be assigned
to users, not to groups. So I can't use it directly.
Of course I could (and probably will) find a way to hack it (extend,
put some adapter, etc.), but I suspect that it's pretty common case,
and it could be resolved in more general and graceful way.
For instance, the inner User class could have additional attribute,
e.g. getGroup() and that value could be used as the third parameter in
roleSearch attribute.
What do you think? Is it worth trying to generalize usage of groups in
JNDIRealm?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
