[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lorenz Quack updated QPID-7116:
-------------------------------
    Assignee: Keith Wall (was: Lorenz Quack)

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Keith Wall
> Fix For: qpid-java-6.1
>
> Attachments: 0001-WIP-unification.patch, 0002-WIP-LDAP-groups.patch
>
>
> The Java Broker can already authenticate users against an LDAP compatible
> directory. It should also be able to use the same information source as a
> source of group information too.
> The authentication provider needs to accept optional attributes governing
> where the group information will be found:
> {{groupSearchContext}} - the base entry for the role search. If not
> specified, the search base is the top-level directory context.
> {{groupSearchFilter}} - the LDAP search filter for selecting group entries.
> A {0} token within the filter will be replaced by the distinguished name of the
> authenticated user.
> {{groupAttributeName}} - the name of the attribute that contains the name of
> the role.
> After the authentication provider has successfully bound (authenticated) the
> user, it should perform a second query for the groups. It should build a
> {{GroupPrincipal}} for each group to which the user belongs and return this
> as part of the AuthenticationResult. If the group search attributes are not
> found, the group search should be skipped.
> A future version of the LDAP Authentication Provider may offer the ability to
> cache the group results for a DN period of time. This would serve to avoid
> hitting the Directory several times authentication (it already hits the
> Directory twice if {{bindWithoutSearch}} is false, this will add a third).
-- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
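The `{0}` substitution and group query described in the issue above, as an added example that is not code from the Qpid project or from the attached patches. The class and method names, the sample filter and the sample DNs are constructed for illustration; the subtree search scope and the exact skip condition are assumptions, since the issue text does not fix them.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Hypothetical class; not Qpid's LDAP authentication provider.
public class GroupFilterExample {

    /** Escapes a value for use as an assertion value in an LDAP filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Expands the {0} token by hand, e.g. to log the effective filter. */
    static String expandGroupFilter(String groupSearchFilter, String userDn) {
        return groupSearchFilter.replace("{0}", escapeFilterValue(userDn));
    }

    /**
     * Runs the group query on an already-bound context and returns the values
     * of groupAttributeName from every matching entry.
     */
    static List<String> findGroups(DirContext ctx, String groupSearchContext,
                                   String groupSearchFilter, String groupAttributeName,
                                   String userDn) throws NamingException {
        List<String> groups = new ArrayList<>();
        // Assumption: the search is skipped when filter or attribute name is unset.
        if (groupSearchFilter == null || groupAttributeName == null) {
            return groups;
        }
        // An unset search context means the top-level directory context.
        String base = groupSearchContext == null ? "" : groupSearchContext;

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE); // assumption
        controls.setReturningAttributes(new String[] { groupAttributeName });

        // JNDI substitutes {0} with the argument itself; String arguments are
        // treated literally, so the DN is passed unescaped here.
        NamingEnumeration<SearchResult> results =
                ctx.search(base, groupSearchFilter, new Object[] { userDn }, controls);
        try {
            while (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get(groupAttributeName);
                if (attr == null) {
                    continue; // matching entry without the naming attribute
                }
                for (int i = 0; i < attr.size(); i++) {
                    groups.add(String.valueOf(attr.get(i)));
                }
            }
        } finally {
            results.close();
        }
        return groups;
    }

    public static void main(String[] args) {
        // Constructed filter and DNs; the last three contain filter metacharacters.
        String filter = "(&(objectClass=groupOfNames)(member={0}))";
        String[] userDns = {
            "cn=alice,ou=people,dc=example,dc=org",
            "cn=Bob (Contractor),ou=people,dc=example,dc=org",
            "cn=star*user,ou=people,dc=example,dc=org",
            "cn=Smith\\, John,ou=people,dc=example,dc=org"
        };
        for (String dn : userDns) {
            System.out.println(expandGroupFilter(filter, dn));
        }
    }
}
```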
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lorenz Quack updated QPID-7116:
-------------------------------
    Status: Reviewable (was: In Progress)

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Lorenz Quack
> Fix For: qpid-java-6.1
>
> Attachments: 0001-WIP-unification.patch, 0002-WIP-LDAP-groups.patch
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: 0001-WIP-unification.patch

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Alex Rudyy
> Fix For: qpid-java-6.1
>
> Attachments: 0001-WIP-unification.patch, 0002-WIP-LDAP-groups.patch
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: (was: ldap-auth-provider-changes.tar.gz)

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Alex Rudyy
> Fix For: qpid-java-6.1
>
> Attachments: 0001-WIP-unification.patch, 0002-WIP-LDAP-groups.patch
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: (was: 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch)

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Alex Rudyy
> Fix For: qpid-java-6.1
>
> Attachments: 0001-WIP-unification.patch, 0002-WIP-LDAP-groups.patch
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: 0002-WIP-LDAP-groups.patch

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Alex Rudyy
> Fix For: qpid-java-6.1
>
> Attachments:
> 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch,
> 0002-WIP-LDAP-groups.patch, ldap-auth-provider-changes.tar.gz
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Alex Rudyy
> Fix For: qpid-java-6.1
>
> Attachments:
> 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch,
> ldap-auth-provider-changes.tar.gz
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: (was: 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch)

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Alex Rudyy
> Fix For: qpid-java-6.1
>
> Attachments:
> 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch,
> ldap-auth-provider-changes.tar.gz
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: ldap-auth-provider-changes.tar.gz

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
> Attachments:
> 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch,
> ldap-auth-provider-changes.tar.gz
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
> Attachments:
> 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch,
> ldap-auth-provider-changes.tar.gz
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: (was: WIP-get-ldap-groups.diff)

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
> Attachments:
> 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch,
> ldap-auth-provider-changes.tar.gz
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: (was: ldap-auth-provider-changes.tar.gz)

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
> Attachments:
> 0001-QPID-7116-Add-ability-to-utilise-group-information-f.patch,
> ldap-auth-provider-changes.tar.gz
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: ldap-auth-provider-changes.tar.gz

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
> Attachments: WIP-get-ldap-groups.diff,
> ldap-auth-provider-changes.tar.gz
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-7116:
-----------------------------
    Attachment: WIP-get-ldap-groups.diff

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
> Attachments: WIP-get-ldap-groups.diff
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall updated QPID-7116:
-----------------------------
Description:
The Java Broker can already authenticate users against an LDAP compatible directory. It should also be able to use the same information source as a source of group information too.
The authentication provider needs to accept optional attributes governing where the group information will be found:
{{groupSearchContext}} - the base entry for the role search. If not specified, the search base is the top-level directory context.
{{groupSearchFilter}} - the LDAP search filter for selecting group entries. A {0} token within the filter will be replaced by the distinguished name of the authenticated user.
{{groupAttributeName}} - the name of the attribute that contains the name of the role.
After the authentication provider has successfully bound (authenticated) the user, it should perform a second query for the groups. It should build a {{GroupPrincipal}} for each group to which the user belongs and return this as part of the AuthenticationResult. If the group search attributes are not found, the group search should be skipped.
A future version of the LDAP Authentication Provider may offer the ability to cache the group results for a DN period of time. This would serve to avoid hitting the Directory several times authentication (it already hits the Directory twice if {{bindWithoutSearch}} is false, this will add a third).

was:
The Java Broker can already authenticate users against an LDAP compatible directory. It should also be able to use the same information source as a source of group information too.
The authentication provider needs to accept optional attributes governing where the group information will be found:
{{groupSearchContext}} - the base entry for the role search. If not specified, the search base is the top-level directory context.
{{groupSearchFilter}} - the LDAP search filter for selecting group entries. A {0} token within the filter will be replaced by the distinguished name of the authenticated user.
{{groupAttributeName}} - the name of the attribute that contains the name of the role.
After the authentication provider has successfully bound (authenticated) the user, it should perform a second query for the groups. It should build a {{GroupPrincipal}} for each group to which the user belongs and return this as part of the AuthenticationResult. If the group search attributes are not found, the group search should be skipped.
A future version of the LDAP Authentication Provider may offer the ability to cache the group results for a DN period of time. This would serve to avoid hitting the Directory several times authentication (it already hits the Directory twice if {{bindWithoutSearch}} is false, this will add a third).

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
>
> The Java Broker can already authenticate users against an LDAP compatible
> directory. It should also be able to use the same information source as a
> source of group information too.
> The authentication provider needs to accept optional attributes governing
> where the group information will be found:
> {{groupSearchContext}} - the base entry for the role search. If not
> specified, the search base is the top-level directory context.
> {{groupSearchFilter}} - the LDAP search filter for selecting group entries.
> A {0} token within the filter will be replaced by the distinguished name of the
> authenticated user.
> {{groupAttributeName}} - the name of the attribute that contains the name of
> the role.
> After the authentication provider has successfully bound (authenticated) the
> user, it should perform a second query for the groups. It should build a
> {{GroupPrincipal}} for each group to which the user belongs and return this
> as part of the AuthenticationResult. If the group search attributes are not
> found, the group search should be skipped.
> A future version of the LDAP Authentication Provider may offer the ability to
> cache the group results for a DN period of time. This would serve to avoid
> hitting the Directory several times authentication (it already hits the
> Directory twice if {{bindWithoutSearch}} is false, this will add a third).
[jira] [Updated] (QPID-7116) Ability to utilise group information from a LDAP compatible directory
[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall updated QPID-7116:
-----------------------------
Description:
The Java Broker can already authenticate users against an LDAP compatible directory. It should also be able to use the same information source as a source of group information too.
The authentication provider needs to accept optional attributes governing where the group information will be found:
{{groupSearchContext}} - the base entry for the role search. If not specified, the search base is the top-level directory context.
{{groupSearchFilter}} - the LDAP search filter for selecting group entries. A {0} token within the filter will be replaced by the distinguished name of the authenticated user.
{{groupAttributeName}} - the name of the attribute that contains the name of the role.
After the authentication provider has successfully bound (authenticated) the user, it should perform a second query for the groups. It should build a {{GroupPrincipal}} for each group to which the user belongs and return this as part of the AuthenticationResult. If the group search attributes are not found, the group search should be skipped.
A future version of the LDAP Authentication Provider may offer the ability to cache the group results for a DN period of time. This would serve to avoid hitting the Directory several times authentication (it already hits the Directory twice if {{bindWithoutSearch}} is false, this will add a third).

was:
The Java Broker can already authenticate against an LDAP compatible directory. It should also be able to use the same information source as a source of group information too.

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
>
> The Java Broker can already authenticate users against an LDAP compatible
> directory. It should also be able to use the same information source as a
> source of group information too.
> The authentication provider needs to accept optional attributes governing
> where the group information will be found:
> {{groupSearchContext}} - the base entry for the role search. If not
> specified, the search base is the top-level directory context.
> {{groupSearchFilter}} - the LDAP search filter for selecting group entries.
> A {0} token within the filter will be replaced by the distinguished name of the
> authenticated user.
> {{groupAttributeName}} - the name of the attribute that contains the name of
> the role.
> After the authentication provider has successfully bound (authenticated) the
> user, it should perform a second query for the groups. It should build a
> {{GroupPrincipal}} for each group to which the user belongs and return this
> as part of the AuthenticationResult. If the group search attributes are not
> found, the group search should be skipped.
> A future version of the LDAP Authentication Provider may offer the ability to
> cache the group results for a DN period of time. This would serve to avoid
> hitting the Directory several times authentication (it already hits the
> Directory twice if {{bindWithoutSearch}} is false, this will add a third).
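
An added example, not part of the JIRA issue or the Qpid code base: the {0} substitution described above, with the user's DN escaped per RFC 4515 before it enters the filter, since a DN may legally contain `(`, `)`, `*` and `\`. The class and method names, the sample filter `(member={0})` and the DNs are constructed, and skipping the search when the filter or attribute name is unset is an assumed reading of the description.

```java
import java.util.Optional;

public class GroupFilterExample {

    /** Escape a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Build the group search filter for an authenticated user. Returns empty
     * when the group attributes are not configured (assumption: filter or
     * attribute name unset), meaning the group search is skipped.
     */
    static Optional<String> buildGroupFilter(String groupSearchFilter,
                                             String groupAttributeName,
                                             String userDn) {
        if (groupSearchFilter == null || groupSearchFilter.isEmpty()
                || groupAttributeName == null || groupAttributeName.isEmpty()) {
            return Optional.empty();
        }
        // String.replace is literal, so backslashes in the escaped DN are safe.
        return Optional.of(groupSearchFilter.replace("{0}", escapeFilterValue(userDn)));
    }

    public static void main(String[] args) {
        String filter = "(member={0})"; // constructed sample configuration
        String attr = "cn";             // constructed sample configuration
        String[] dns = {                // constructed DNs; the second has filter metacharacters
            "uid=alice,ou=people,dc=example,dc=com",
            "cn=Smith\\, John (ops)*,ou=people,dc=example,dc=com"
        };
        for (String dn : dns) {
            System.out.println(buildGroupFilter(filter, attr, dn).orElse("<skipped>"));
        }
        System.out.println(buildGroupFilter(null, attr, dns[0]).orElse("<skipped>"));
    }
}
```

When the search goes through JNDI, `DirContext.search(name, filterExpr, filterArgs, cons)` performs this substitution and escaping itself if the DN is passed in `filterArgs` rather than concatenated into the filter string.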