Hi Ben,

Sorry this has turned out to be such a pain. Note that people have historically had problems with the pre-3.4 LDAP integration for Fedora. The JAAS-based implementation in 3.4rc1 is actually a big improvement, which is why we're trying to make that the default option from now on.

It sounds like you were able to successfully get the subject attributes populated. I didn't realize how to do that when I first looked at it, but I assume you put them in the attrs.fetch value in jaas.conf (Nishen pointed this out to me in this thread: http://www.mail-archive.com/[email protected]/msg00779.html).

I assume your LDAP has groups modeled in the more common way, where the list of members is maintained within the group entry. In order to discover the groups someone is a member of, a separate query on the directory (find groups with a member: this-person) would need to be done, which I don't believe the implementation in org.fcrepo.server.security supports.

Outside of writing your own code, or tweaking the existing code to support this, one option might be to update your LDAP directory to make the group membership information available as user attributes as well. For example, OpenLDAP has the "memberof" overlay which, when configured, allows you to define group membership in the traditional way, but makes an additional "memberOf" attribute available for each user, which expresses the relationship in the opposite direction:

http://www.linuxtopia.org/online_books//network_administration_guides/ldap_administration/overlays_Reverse_Group_Membership_Maintenance.html

I haven't used it myself, but I think it'd be worth a shot if your LDAP server supports it and you have administrative control over it. Here's a report I found from someone who has used it successfully to solve the same sort of problem:

http://jordaneunson.com/?p=74

- Chris

On Wed, Aug 4, 2010 at 8:38 AM, Benjamin Ryan <[email protected]> wrote:
> Hi,
> I have given up on getting LDAP to retrieve roles and groups using filters
> and have had a look at using JAAS in 3.4rc1.
> I have successfully retrieved subject attributes from LDAP, including
> fedoraRole, and these have been correctly populated (I used the user servlet
> to check this).
> My next task is to get group information back from the LDAP server.
> I tried adding a login module to the JAAS conf to retrieve the groups but
> this does not seem to work (I cannot see from the logs that there is an error
> but no attributes are fetched)
> Does anybody have any ideas how to achieve this?
>
> Regards,
> Ben
> ---------------------------------------------------------------------
> Dr Ben Ryan
> Timescapes Archive Technical Officer
> School of Sociology and Social Policy
> Faculty of Education, Social Sciences and Law
> Social Science Building
> The University of Leeds
> Leeds LS2 9JT
> Email: [email protected]
> Tel: 0113 343 7319
> Website: http://www.timescapes.leeds.ac.uk
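
An added example, not part of the original message and not Fedora's or the linked pages' own configuration: a slapd.conf fragment that enables the "memberof" overlay mentioned in the reply above. It assumes OpenLDAP configured through slapd.conf, with the overlay built as a loadable module and groups stored as groupOfNames entries.

```conf
# slapd.conf fragment (constructed example; adjust to your installation)

# Load the overlay if it was built as a module. The module file name and
# whether a modulepath line is needed depend on the build.
moduleload memberof.la

# ... your existing "database" section (suffix, rootdn, ACLs) goes here ...

# An overlay applies to the database definition it follows.
overlay memberof

# The three values below are the overlay's defaults, written out explicitly
# so they can be matched against how the groups are actually modeled.
memberof-group-oc     groupOfNames
memberof-member-ad    member
memberof-memberof-ad  memberOf

# Have the overlay preserve referential integrity between the groups'
# member values and the users' memberOf values.
memberof-refint       TRUE
```

memberOf is an operational attribute in OpenLDAP, so a client only receives it when it asks for it by name. The overlay records memberships written after it is enabled, so members of existing groups have to be re-added before their memberOf values appear.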
