On Fri, Apr 18, 2008 at 7:09 AM, Steve McCain <[EMAIL PROTECTED]> wrote:
> By using the sample LDAP/RollerDB hybrid config in the security.xml file supplied with Roller 4.0, I have users being authenticated by LDAP while their authorisation remains under the control of the database (users and roles). So far so good.
>
> I work in a university and would like to restrict access to Roller to staff only. We have a 'staff' group in our LDAP, so I'm looking at how I could use group membership to do this. To test this out I've created a 'register' group with myself as a uniqueMember. I've changed the LdapAuthenticationProvider bean to use a DefaultLdapAuthoritiesPopulator instead of the AuthoritiesPopulator (id=jdbcAuthoritiesPopulator) as in the supplied security.xml. I now get 403 errors when I try to log in. How do I trace what Roller is sending to LDAP?
>
> Am I barking up the wrong tree entirely with this approach? Have I crippled Roller's ability to get user/role info from the database by not using the AuthoritiesPopulator bean? Can anyone suggest a way of configuring Roller to use LDAP group membership for a broad-brush access control while control of which users can contribute to which blog is controlled by the database?

I believe what you want to do is theoretically possible, that is,
getting role information from LDAP.

Roles are used to control "global" access to Roller, i.e. in relation
to the system as a whole and not one individual blog. I think you'd
have to write your own authorities populator object and then plug it
in via security.xml to do this.

- Dave
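One shape the custom populator Dave mentions could take, as an added example that is not code from Roller or from anyone in this thread: it gates login on membership of one LDAP group and then delegates role lookup to the existing database populator, so per-blog permissions keep coming from the database. It assumes the Acegi 1.0.x `LdapAuthoritiesPopulator` interface that Roller 4.0's security.xml wires up (the exact signature is an assumption), and the class name, bean ids and `ROLE_STAFF` value are chosen here.

```java
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;

/**
 * Broad-brush gate: the user must hold the authority derived from the
 * gating LDAP group; roles are then taken from Roller's database populator.
 *
 * Assumed security.xml wiring (bean ids are assumptions, not Roller's own):
 * <bean id="staffGatePopulator" class="StaffGateAuthoritiesPopulator">
 *   <constructor-arg ref="ldapGroupsPopulator"/>   <!-- DefaultLdapAuthoritiesPopulator -->
 *   <constructor-arg ref="jdbcAuthoritiesPopulator"/>
 *   <constructor-arg value="ROLE_STAFF"/>          <!-- group cn "staff" -> ROLE_STAFF -->
 * </bean>
 */
public class StaffGateAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private final LdapAuthoritiesPopulator ldapGroups; // group membership from LDAP
    private final LdapAuthoritiesPopulator dbRoles;    // Roller's database roles
    private final String requiredAuthority;            // e.g. "ROLE_STAFF"

    public StaffGateAuthoritiesPopulator(LdapAuthoritiesPopulator ldapGroups,
                                         LdapAuthoritiesPopulator dbRoles,
                                         String requiredAuthority) {
        this.ldapGroups = ldapGroups;
        this.dbRoles = dbRoles;
        this.requiredAuthority = requiredAuthority;
    }

    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails user) {
        // Step 1: check the gating LDAP group. DefaultLdapAuthoritiesPopulator
        // maps a group's cn to "ROLE_" + upper-cased name by default.
        GrantedAuthority[] fromLdap = ldapGroups.getGrantedAuthorities(user);
        boolean inGate = false;
        for (int i = 0; i < fromLdap.length; i++) {
            if (requiredAuthority.equals(fromLdap[i].getAuthority())) {
                inGate = true;
                break;
            }
        }
        if (!inGate) {
            // Fail authentication explicitly rather than returning an empty
            // role set, which would surface only as a 403 later on.
            throw new NotInGateGroupException(user.getUsername()
                    + " is not a member of the required LDAP group");
        }
        // Step 2: roles (and thus per-blog authorisation) come from the database.
        return dbRoles.getGrantedAuthorities(user);
    }

    /** Rejected by the gate; an AuthenticationException ends the login attempt. */
    public static class NotInGateGroupException extends AuthenticationException {
        public NotInGateGroupException(String msg) { super(msg); }
    }
}
```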
