[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keith Wall reopened QPID-7116:
------------------------------

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
> Key: QPID-7116
> URL: https://issues.apache.org/jira/browse/QPID-7116
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Alex Rudyy
> Fix For: qpid-java-6.1
>
> Attachments: 0001-WIP-unification.patch, 0002-WIP-LDAP-groups.patch
>
>
> The Java Broker can already authenticate users against an LDAP compatible
> directory. It should also be able to use the same information source as a
> source of group information too.
>
> The authentication provider needs to accept optional attributes governing
> where the group information will be found:
>
> {{groupSearchContext}} - the base entry for the role search. If not
> specified, the search base is the top-level directory context.
>
> {{groupSearchFilter}} - the LDAP search filter for selecting group entries.
> A {0} token within the filter will be replaced by the distinguished name of the
> authenticated user.
>
> {{groupAttributeName}} - the name of the attribute that contains the name of
> the role.
>
> After the authentication provider has successfully bound (authenticated) the
> user, it should perform a second query for the groups. It should build a
> {{GroupPrincipal}} for each group to which the user belongs and return this
> as part of the AuthenticationResult. If the group search attributes are not
> found, the group search should be skipped.
>
> A future version of the LDAP Authentication Provider may offer the ability to
> cache the group results for a DN period of time. This would serve to avoid
> hitting the Directory several times per authentication (it already hits the
> Directory twice if {{bindWithoutSearch}} is false, this will add a third).
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
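
The `{0}` substitution described for `groupSearchFilter` places a distinguished name inside an LDAP filter, so the DN has to be escaped as a filter value (RFC 4515) or DNs containing `\`, `*`, `(` or `)` will produce a different or malformed filter. The following is an added example, not code from the issue, its attached patches or the Qpid Broker; the class and method names, the `(member={0})` filter and the DNs are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

// Added example: hypothetical helper, not Qpid Broker code.
public class GroupFilterExample {

    // Escape a string for use as an assertion value in an LDAP search
    // filter (RFC 4515): the filter metacharacters, NUL and, for
    // simplicity, every non-ASCII byte become \xx hex escapes.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Replace the {0} token of a groupSearchFilter with the escaped user DN.
    static String buildGroupFilter(String groupSearchFilter, String userDn) {
        return groupSearchFilter.replace("{0}", escapeFilterValue(userDn));
    }

    public static void main(String[] args) {
        String groupSearchFilter = "(member={0})"; // constructed sample filter
        String[] userDns = {                        // constructed sample DNs
            "uid=alice,ou=people,dc=example,dc=com",
            // RFC 4514 escapes the comma inside the RDN value with a backslash;
            // that backslash must itself become \5c inside the filter.
            "cn=Smith\\, John,ou=people,dc=example,dc=com",
            // '(' ')' and '*' are legal unescaped in a DN but are filter syntax.
            "cn=Ops (EU)*,ou=people,dc=example,dc=com",
        };
        for (String dn : userDns) {
            System.out.println("unescaped: " + groupSearchFilter.replace("{0}", dn));
            System.out.println("escaped  : " + buildGroupFilter(groupSearchFilter, dn));
        }
    }
}
```

When the query is issued through JNDI, the `DirContext.search(String, String, Object[], SearchControls)` overload accepts the same `{0}` placeholder syntax and escapes string filter arguments itself, so the DN can be passed as an argument rather than concatenated.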