2010/8/23 Agustín Gañán <[email protected]>:
> Hi all,
> I need to implement a custom authenticator against LDAP for one Sling
> application.
> In order to avoid maintaining the same users in LDAP and in JCR I would
> like to implement some "impersonation" mechanism.
>
> In a first approach, I found the OpenID example [1] and tried to adapt it
> to an LDAP scenario. That is, create an AuthenticationHandler to
> authenticate the user and use the "trusted_credentials_attribute"
> mechanism to avoid JCR authentication.
>
> But I recently found that there is some progress in the user
> impersonation in Sling [2] and I'm wondering what is the best way to do
> this?
>
> Any hint or experience is welcome,

You probably could implement this using impersonation as you say, but I would rather go for implementing a LoginModulePlugin [1].

Either way you will have to map LDAP accounts to Jackrabbit users, or have some other list of valid LDAP credentials.

What I would suggest is to create groups in Jackrabbit, and have your LoginModulePlugin issue Principals for your LDAP users that maps them to the Jackrabbit groups.

[1] http://sling.apache.org/apidocs/sling5/org/apache/sling/jcr/jackrabbit/server/security/LoginModulePlugin.html

-- 
Vidar S. Ramdal <[email protected]> - http://www.idium.no
Sommerrogata 13-15, N-0255 Oslo, Norway
+ 47 22 00 84 00 / +47 22 00 84 76
Quando omni flunkus moritatus!
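
The LDAP check and group mapping that a LoginModulePlugin like the one suggested above could delegate to, as an added example that is not part of the original thread and not Sling or Jackrabbit code. The class and method names, server URL, base DN, use of the `memberOf` attribute and the group names are all assumptions.

```java
import java.security.Principal;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

// Added example, not Sling code. URL, base DN and group mapping are hypothetical.
public class LdapGroupMapper {
    static final String LDAP_URL = "ldaps://ldap.example.org:636";
    static final String USER_BASE = "ou=people,dc=example,dc=org";
    // Keys are lower-cased LDAP group DNs, values are Jackrabbit group names.
    static final Map<String, String> LDAP_TO_JCR_GROUP = Map.of(
        "cn=editors,ou=groups,dc=example,dc=org", "content-editors",
        "cn=admins,ou=groups,dc=example,dc=org", "site-admins");

    record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Binds as the user; returns mapped group principals or throws on failure.
    static Set<Principal> authenticate(String uid, char[] password) throws NamingException {
        // An empty password makes a simple bind unauthenticated, which servers may accept.
        if (uid == null || uid.isEmpty() || password == null || password.length == 0)
            throw new AuthenticationException("empty credentials rejected");
        // Build the DN through Rdn so special characters in uid are escaped.
        LdapName userDn = new LdapName(USER_BASE);
        userDn.add(new Rdn("uid", uid));
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn.toString());
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env); // AuthenticationException on bad password
        try {
            Attribute memberOf = ctx.getAttributes(userDn, new String[] {"memberOf"}).get("memberOf");
            List<Object> dns = new ArrayList<>();
            for (int i = 0; memberOf != null && i < memberOf.size(); i++) dns.add(memberOf.get(i));
            return mapGroups(dns);
        } finally {
            ctx.close();
        }
    }

    // Only explicitly mapped LDAP groups yield principals; the rest are ignored.
    static Set<Principal> mapGroups(Collection<?> ldapGroupDns) {
        Set<Principal> out = new HashSet<>();
        for (Object dn : ldapGroupDns) {
            String g = LDAP_TO_JCR_GROUP.get(dn.toString().toLowerCase(Locale.ROOT));
            if (g != null) out.add(new GroupPrincipal(g));
        }
        return out;
    }
}
```

A plugin built on this would treat an empty result as no access rather than falling back to a default group.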
