Hi again,

Finally I will take another approach to this issue: implementing a LoginModulePlugin (as Vidar suggested) to manage authentication and an AccessManagerPlugin to manage authorization. Related to this last point, does anyone know of any doc or sample on how to do this?

I only found this doc [1] (TODO, :-( ) and a few posts but no samples or any hint.

Thanks in advance,
Agus

[1] http://wiki.apache.org/jackrabbit/JackrabbitOsgi

2010/8/23 Vidar Ramdal <[email protected]>:
>> 2010/8/23 Vidar Ramdal <[email protected]>:
>>> 2010/8/23 Agustín Gañán <[email protected]>:
>>>> Hi all,
>>>> I need to implement a custom authenticator against LDAP for one Sling
>>>> application.
>>>> In order to avoid maintaining the same users in LDAP and in JCR I would
>>>> like to implement some "impersonation" mechanism.
>>>>
>>>> In a first approach, I found the OpenID example [1] and tried to adapt it
>>>> to an LDAP scenario. That is, create an AuthenticationHandler to
>>>> authenticate the user and use the "trusted_credentials_attribute"
>>>> mechanism to avoid JCR authentication.
>>>>
>>>> But I recently found that there is some progress on user
>>>> impersonation in Sling [2] and I'm wondering what is the best way to do
>>>> this?
>>>>
>>>> Any hint or experience is welcome,
>>>
>>> You probably could implement this using impersonation as you say, but
>>> I would rather go for implementing a LoginModulePlugin [1].
>>>
>>> Either way you will have to map LDAP accounts to Jackrabbit users, or
>>> have some other list of valid LDAP credentials.
>>>
>>> What I would suggest is to create groups in Jackrabbit, and have your
>>> LoginModulePlugin issue Principals for your LDAP users that map them
>>> to the Jackrabbit groups.
>
> http://jira.idium.net/browse/DRI-696
>
> 2010/8/23 Agustín Gañán <[email protected]>:
>> First of all, thanks for the answer.
>>
>>> You probably could implement this using impersonation as you say, but
>>> I would rather go for implementing a LoginModulePlugin [1].
>>
>> In fact, we have considered this model too but we prefer not to have
>> the same users in LDAP and in JCR.
>> We would like to have a model in which the users authenticate against LDAP
>> with their own credentials and all of them authenticate with one common
>> user against JCR, that is, impersonation.
>
> I can see that, but in any case you would still need a way to map an
> LDAP user to a Jackrabbit user (e.g. an attribute on the Jackrabbit
> user node which holds the LDAP IDs).
>
> In my mind, at least, I don't use the JCR 'impersonation' feature for
> such things, but rather for when a real user wants to act like another
> user (a manager wants to do things on behalf of one of her employees,
> for instance).
>
> With a custom login module one should be able to issue a Principal for
> the Jackrabbit user account when an LDAP user logs in using LDAP
> (I think).
>
> --
> Vidar S. Ramdal <[email protected]> - http://www.idium.no
> Sommerrogata 13-15, N-0255 Oslo, Norway
> + 47 22 00 84 00 / +47 22 00 84 76
> Quando omni flunkus moritatus!
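The following is an added sketch of the approach Vidar describes above (authenticate against LDAP, then issue principals that map the LDAP user onto Jackrabbit groups). It is not code from this thread, from Sling or from Jackrabbit. It assumes the LoginModulePlugin and AuthenticationPlugin interfaces of the Sling jcr.jackrabbit.server bundle of that time (method names as recalled here; check them against the bundle version actually deployed), a hypothetical LdapBinder interface standing in for a JNDI bind over LDAPS, a hypothetical user base DN, and a constructed LDAP-to-Jackrabbit group table. GroupPrincipal is the simplest form of a group principal; depending on the Jackrabbit version, access control may require its own group-principal type instead. Two points a reviewer would insist on are built in: an empty password is rejected before the bind (many directories treat an empty password as an unauthenticated bind that succeeds), and the user id is RFC 4514-escaped before it is placed in the bind DN.

```java
// Added example, not from the thread, Sling or Jackrabbit. Interface method
// names follow the Sling jcr.jackrabbit.server bundle as recalled for this era;
// verify them against the bundle you deploy. Package name is hypothetical.
package example.ldap;

import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

import org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin;
import org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin;

public class LdapLoginModulePlugin implements LoginModulePlugin {

    /** Hypothetical LDAP client: simple bind as dn with password. Returns the
     *  user's LDAP group DNs on success, null on failure. A real one would use
     *  JNDI (InitialDirContext) over LDAPS. */
    public interface LdapBinder {
        Collection<String> bind(String dn, char[] password);
    }

    /** Server-side allow-list (constructed): LDAP group DN -> Jackrabbit group.
     *  Unlisted LDAP groups yield no principal, so directory data can never
     *  name an arbitrary JCR principal. */
    private static final Map<String, String> GROUP_MAP;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("cn=editors,ou=groups,dc=example,dc=org", "content-editors");
        m.put("cn=staff,ou=groups,dc=example,dc=org", "staff");
        GROUP_MAP = Collections.unmodifiableMap(m);
    }

    private final LdapBinder ldap;
    private final String userBaseDn; // e.g. "ou=people,dc=example,dc=org" (assumed)
    /** LDAP groups verified by authenticate(), keyed by user id, consumed by
     *  addPrincipals(). The plugin is a shared service, hence the concurrent map. */
    private final Map<String, Collection<String>> verified = new ConcurrentHashMap<String, Collection<String>>();

    public LdapLoginModulePlugin(LdapBinder ldap, String userBaseDn) {
        this.ldap = ldap;
        this.userBaseDn = userBaseDn;
    }

    /** Principal for the LDAP account itself; name is the LDAP uid. */
    public static final class LdapUserPrincipal implements Principal {
        private final String name;
        public LdapUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Principal whose name equals a Jackrabbit group, so ACEs granted to that
     *  group apply to the session. */
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** RFC 4514 escaping of an attribute value inside a DN, so a user id such as
     *  "bob,ou=admins" cannot alter the DN we bind as. */
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            boolean special = ",+\"\\<>;=".indexOf(c) >= 0
                || (c == '#' && i == 0)
                || (c == ' ' && (i == 0 || i == v.length() - 1));
            if (special) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    public void doInit(CallbackHandler callbackHandler, Session session, Map options) throws LoginException {
        // nothing per-login to set up
    }

    public boolean canHandle(Credentials credentials) {
        return credentials instanceof SimpleCredentials;
    }

    public Principal getPrincipal(Credentials credentials) {
        if (!(credentials instanceof SimpleCredentials)) return null;
        return new LdapUserPrincipal(((SimpleCredentials) credentials).getUserID());
    }

    public AuthenticationPlugin getAuthentication(final Principal principal, Credentials creds) throws RepositoryException {
        return new AuthenticationPlugin() {
            public boolean authenticate(Credentials credentials) throws RepositoryException {
                if (!(credentials instanceof SimpleCredentials)) return false;
                SimpleCredentials sc = (SimpleCredentials) credentials;
                char[] pw = sc.getPassword();
                // Empty password => unauthenticated bind on many servers (RFC 4513 5.1.2); refuse it.
                if (pw == null || pw.length == 0) return false;
                String dn = "uid=" + escapeDnValue(sc.getUserID()) + "," + userBaseDn;
                Collection<String> groups = ldap.bind(dn, pw);   // only the bind proves identity
                if (groups == null) return false;
                verified.put(sc.getUserID(), groups);
                return true;
            }
        };
    }

    /** Add a GroupPrincipal for each Jackrabbit group the verified LDAP groups map to. */
    @SuppressWarnings("unchecked")
    public void addPrincipals(Set principals) {
        for (Object p : principals.toArray()) {
            if (!(p instanceof LdapUserPrincipal)) continue;
            Collection<String> ldapGroups = verified.remove(((Principal) p).getName());
            if (ldapGroups == null) continue;     // not authenticated through this plugin
            for (String g : ldapGroups) {
                String jcrGroup = GROUP_MAP.get(g.toLowerCase());
                if (jcrGroup != null) principals.add(new GroupPrincipal(jcrGroup));
            }
        }
    }

    public int impersonate(Principal principal, Credentials credentials) {
        return IMPERSONATION_DEFAULT;  // leave JCR's own impersonation rules untouched
    }
}
```

The plugin never reads anything from the request to decide who the user is or which groups apply: identity comes from the LDAP bind, and group membership from the directory filtered through GROUP_MAP. Authorization stays with Jackrabbit's ACLs on the mapped groups, which is what lets the LDAP users share one repository user without putting them all in the JCR user store.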
