> 2010/8/23 Vidar Ramdal <[email protected]>:
>> 2010/8/23 Agustín Gañán <[email protected]>:
>>> Hi all,
>>> I need to implement a custom authenticator against LDAP for one Sling
>>> application.
>>> In order to avoid maintaining the same users in LDAP and in JCR I would
>>> like to implement some "impersonation" mechanism.
>>>
>>> In a first approach, I found the OpenID example [1] and tried to adapt it
>>> to an LDAP scenario. That is, create an AuthenticationHandler to
>>> authenticate the user and use the "trusted_credentials_attribute"
>>> mechanism to avoid JCR authentication.
>>>
>>> But I recently found that there is some progress on user
>>> impersonation in Sling [2] and I'm wondering what the best way to do
>>> this is?
>>>
>>> Any hint or experience is welcome,
>>
>> You probably could implement this using impersonation as you say, but
>> I would rather go for implementing a LoginModulePlugin [1].
>>
>> Either way you will have to map LDAP accounts to Jackrabbit users, or
>> have some other list of valid LDAP credentials.
>>
>> What I would suggest is to create groups in Jackrabbit, and have your
>> LoginModulePlugin issue Principals for your LDAP users that map them
>> to the Jackrabbit groups.

http://jira.idium.net/browse/DRI-696

2010/8/23 Agustín Gañán <[email protected]>:
> First of all, thanks for the answer.
>
>> You probably could implement this using impersonation as you say, but
>> I would rather go for implementing a LoginModulePlugin [1].
>
> In fact, we have considered this model too but we prefer not to have
> the same users in LDAP and in JCR.
> We would like to have a model in which the users authenticate against LDAP
> with their own credentials and all of them authenticate with one common
> user against JCR, that is, impersonation.

I can see that, but in any case you would still need a way to map an
LDAP user to a Jackrabbit user (e.g. an attribute on the Jackrabbit user
node which holds the LDAP IDs).

In my mind, at least, I don't use the JCR 'impersonation' feature for such
things, but rather when a real user wants to act like another user (a
manager wants to do things on behalf of one of her employees, for
instance).

With a custom login module one should be able to issue a Principal for the
Jackrabbit user account when a user logs in using LDAP (I think).

--
Vidar S. Ramdal <[email protected]> - http://www.idium.no
Sommerrogata 13-15, N-0255 Oslo, Norway
+ 47 22 00 84 00 / +47 22 00 84 76
Quando omni flunkus moritatus!
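One way to implement what the thread discusses (an LDAP bind with the user's own credentials, then a Principal for a single shared Jackrabbit account), as an added example that is not code from this thread or from Sling itself. It assumes the org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin and AuthenticationPlugin interfaces of Sling 2.x; the LDAP URL, the DN template and the JCR account name "ldap-users" are placeholders.

```java
import java.security.Principal;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.CallbackHandler;
import org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin;
import org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin;

/** Assumed setup: one JCR account "ldap-users" exists and every LDAP user logs in as it. */
public class LdapLoginModulePlugin implements LoginModulePlugin {
    private static final String LDAP_URL = "ldap://ldap.example.org:389";        // placeholder
    private static final String USER_DN = "uid=%s,ou=people,dc=example,dc=org";  // placeholder
    private static final String JCR_USER = "ldap-users";                          // placeholder

    public void doInit(CallbackHandler cb, Session session, Map options) { }
    // Only user/password logins; tokens etc. are left to the other login modules.
    public boolean canHandle(Credentials c) { return c instanceof SimpleCredentials; }
    // Every user that binds to LDAP successfully becomes the same Jackrabbit principal.
    public Principal getPrincipal(Credentials c) {
        return new Principal() { public String getName() { return JCR_USER; } };
    }
    // Group principals (the group mapping suggested in the thread) would be added here.
    public void addPrincipals(Set principals) { }
    public AuthenticationPlugin getAuthentication(Principal p, Credentials c) {
        return new AuthenticationPlugin() {
            public boolean authenticate(Credentials creds) {
                SimpleCredentials sc = (SimpleCredentials) creds;
                return ldapBind(sc.getUserID(), sc.getPassword());
            }
        };
    }
    public int impersonate(Principal p, Credentials c) { return IMPERSONATION_DEFAULT; }

    /** Simple bind as the user's own DN; the server accepts it only with the right password.
     *  Empty passwords are rejected (many servers treat them as an anonymous, "successful" bind),
     *  as are user IDs with DN metacharacters, which would change the DN being bound. */
    static boolean ldapBind(String uid, char[] password) {
        if (uid == null || !uid.matches("[A-Za-z0-9._-]+") || password == null || password.length == 0) return false;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(USER_DN, uid));
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try { new InitialDirContext(env).close(); return true; } catch (NamingException e) { return false; }
    }
}
```

Because every LDAP user ends up as the same JCR principal, the repository's access control can no longer tell them apart; the per-user mapping or group principals Vidar describes belong in getPrincipal() and addPrincipals().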
