First of all, thanks for the answer.

> You probably could implement this using impersonation as you say, but
> I would rather go for implementing a LoginModulePlugin [1].

In fact, we have considered this model too but we prefer not to have the same users in LDAP and in JCR. We like to have a model in which the users authenticate against LDAP with their own credentials and authenticate all of them with one common user against JCR, that is, impersonation.

Thanks anyway.

2010/8/23 Vidar Ramdal <[email protected]>:
> 2010/8/23 Agustín Gañán <[email protected]>:
>> Hi all,
>> I need to implement a custom authenticator against LDAP for one sling
>> application.
>> In order to avoid maintaining the same users in LDAP and in JCR I would
>> like to implement some "impersonation" mechanism.
>>
>> In a first approach, I found the OpenID example [1] and tried to adapt it
>> to an LDAP scenario. That is, create an AuthenticationHandler to
>> authenticate the user and use the "trusted_credentials_attribute"
>> mechanism to avoid JCR authentication.
>>
>> But I recently found that there is some progress in the user
>> impersonation in Sling [2] and I'm wondering what is the best way to do
>> this?
>>
>> Any hint or experience is welcome,
>
> You probably could implement this using impersonation as you say, but
> I would rather go for implementing a LoginModulePlugin [1].
>
> Either way you will have to map LDAP accounts to Jackrabbit users, or
> have some other list of valid LDAP credentials.
>
> What I would suggest is to create groups in Jackrabbit, and have your
> LoginModulePlugin issue Principals for your LDAP users that maps them
> to the Jackrabbit groups.
>
> [1] http://sling.apache.org/apidocs/sling5/org/apache/sling/jcr/jackrabbit/server/security/LoginModulePlugin.html
>
> --
> Vidar S. Ramdal <[email protected]> - http://www.idium.no
> Sommerrogata 13-15, N-0255 Oslo, Norway
> + 47 22 00 84 00 / +47 22 00 84 76
> Quando omni flunkus moritatus!
