Just a follow-up... I saw in your previous message that you mentioned
using ApacheDS. Is this your production directory service, or do you
have other options?
I poked around a bit and found that several directory servers support
a computed "memberOf" attribute[1], but it looks like it hasn't been
implemented for ApacheDS yet[2].
- Chris
[1] As a non-standard, usually computed attribute, it's available either as
"memberOf" or "isMemberOf" in the following directory servers I've seen
reference to: 389 (was "Fedora DS"), ActiveDirectory, DSEE (Sun/Oracle,
java-based), IBM DS, OpenLDAP, OpenDS (also java-based), Novell eDirectory
[2] Recent discussion on ApacheDS list Re: memberOf attribute
http://osdir.com/ml/users-directory-apache/2010-03/msg00022.html
On Wed, Aug 4, 2010 at 12:33 PM, Chris Wilper <[email protected]> wrote:
> Hi Ben,
>
> Sorry this has turned out to be such a pain. Note that people have
> historically had problems with the pre-3.4 LDAP integration for
> Fedora. The JAAS-based implementation in 3.4rc1 is actually a big
> improvement, which is why we're trying to make that the default option
> from now on.
>
> It sounds like you were able to successfully get the subject
> attributes populated. I didn't realize how to do that when I first
> looked at it, but I assume you put them in attrs.fetch value in
> jaas.conf (Nishen pointed this out to me in this thread:
> http://www.mail-archive.com/[email protected]/msg00779.html
> )
>
> I assume your LDAP has groups modeled in the more common way, where
> the list of members is maintained within the group entry. In order to
> discover the groups someone is a member of, a separate query on the
> directory (find groups with a member: this-person) would need to be
> done, which I don't believe the implementation in
> org.fcrepo.server.security supports.
>
> Outside of writing your own code, or tweaking the existing code to
> support this, one option might be to update your LDAP directory to
> make the group membership information available as user attributes as
> well. For example, OpenLDAP has the "memberof" overlay which, when
> configured, allows you to define group membership in the traditional
> way, but makes an additional "memberOf" attribute available for each
> user, which expresses the relationship in the opposite direction:
>
> http://www.linuxtopia.org/online_books//network_administration_guides/ldap_administration/overlays_Reverse_Group_Membership_Maintenance.html
>
> I haven't used it myself, but I think it'd be worth a shot if your
> ldap server supports it and you have administrative control over it.
> Here's a report I found from someone who has used it successfully to
> solve the same sort of problem:
> http://jordaneunson.com/?p=74
>
> - Chris
>
> On Wed, Aug 4, 2010 at 8:38 AM, Benjamin Ryan <[email protected]> wrote:
>> Hi,
>> I have given up on getting LDAP to retrieve roles and groups using filters
>> and have had a look at using JAAS in 3.4rc1.
>> I have successfully retrieved subject attributes from LDAP, including
>> fedoraRole, and these have been correctly populated (I used the user servlet
>> to check this).
>> My next task is to get group information back from the LDAP server.
>> I tried adding a login module to the JAAS conf to retrieve the groups but
>> this does not seem to work (I cannot see from the logs that there is an
>> error but no attributes are fetched)
>> Does anybody have any ideas how to achieve this?
>>
>> Regards,
>> Ben
>> ---------------------------------------------------------------------
>> Dr Ben Ryan
>> Timescapes Archive Technical Officer
>> School of Sociology and Social Policy
>> Faculty of Education, Social Sciences and Law
>> Social Science Building
>> The University of Leeds
>> Leeds LS2 9JT
>> Email: [email protected]
>> Tel: 0113 343 7319
>> Website: http://www.timescapes.leeds.ac.uk
>
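As an added illustration of the two approaches discussed in this thread (example code written for this note, not code from the thread, from Fedora, or from any directory server), the block below runs the reverse "find groups with member: this-person" search and the equivalent overlay-style computed memberOf over a small in-memory directory. The directory entries, DNs, group names and the tiny filter parser are all constructed for the example and assume the groupOfNames/member model the thread describes; the one practitioner caveat it encodes is that a user DN placed into a search filter must be escaped per RFC 4515 before the reverse query is built, since DNs can legally contain filter metacharacters.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample directory (not taken from any real server). Groups use
# the traditional model from the thread: a multi-valued "member" attribute
# on the group entry holds the DNs of its members.
BRYAN = "uid=bryan,ou=people,dc=example,dc=org"
TEST = "cn=Test (Account),ou=people,dc=example,dc=org"   # DN with filter metacharacters
ARCHIVISTS = "cn=archivists,ou=groups,dc=example,dc=org"
ADMINS = "cn=admins,ou=groups,dc=example,dc=org"
EVERYONE = "cn=everyone,ou=groups,dc=example,dc=org"

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    BRYAN: {"objectClass": ["inetOrgPerson"], "uid": ["bryan"], "fedoraRole": ["archivist"]},
    TEST: {"objectClass": ["inetOrgPerson"], "cn": ["Test (Account)"]},
    ARCHIVISTS: {"objectClass": ["groupOfNames"], "member": [BRYAN, TEST]},
    ADMINS: {"objectClass": ["groupOfNames"], "member": [TEST]},
    EVERYONE: {"objectClass": ["groupOfNames"], "member": [BRYAN, TEST]},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 \\xx form)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    """Reverse escape_filter_value: turn \\xx sequences back into characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def reverse_group_filter(user_dn: str) -> str:
    """The 'find groups with member: this-person' query, with the DN escaped."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def _parse(s: str, i: int) -> Tuple[Any, int]:
    """Parse one filter item starting at s[i] == '('; returns (node, index after it).
    Supports &, |, ! and equality matches, which is all this example needs."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    op = s[i + 1]
    if op in "&|!":
        children, i = [], i + 2
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unterminated %s at %d" % (op, i))
        return (op, children), i + 1
    end = s.index(")", i)             # safe: a ')' inside a value arrives escaped as \29
    attr, _, val = s[i + 1:end].partition("=")
    return ("=", attr, _unescape(val)), end + 1


def _matches(node: Any, entry: Dict[str, List[str]]) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, val = node
    # Case-insensitive equality, the usual matching rule for DN-valued attributes
    return any(v.lower() == val.lower() for v in entry.get(attr, []))


def search(directory: Dict[str, Dict[str, List[str]]], ldap_filter: str) -> List[str]:
    """Return the DNs of entries matching the filter, like a subtree search would."""
    node, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing data in filter")
    return sorted(dn for dn, entry in directory.items() if _matches(node, entry))


def groups_of(directory: Dict[str, Dict[str, List[str]]], user_dn: str) -> List[str]:
    """Reverse lookup: the separate query the thread says the Fedora code does not do."""
    return search(directory, reverse_group_filter(user_dn))


def computed_member_of(directory: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """What a memberOf overlay maintains: each member DN -> the groups that name it."""
    member_of: Dict[str, List[str]] = {}
    for group_dn, entry in directory.items():
        for member_dn in entry.get("member", []):
            member_of.setdefault(member_dn, []).append(group_dn)
    return {dn: sorted(groups) for dn, groups in member_of.items()}


if __name__ == "__main__":
    for user in (BRYAN, TEST):
        print(reverse_group_filter(user))
        print("  reverse search :", groups_of(DIRECTORY, user))
        print("  memberOf value :", computed_member_of(DIRECTORY)[user])
```

Both functions return the same group list for every user, which is the point of the overlay approach: once the server maintains memberOf, the client reads it off the user entry instead of issuing the second search, and the filter-escaping concern moves out of the application entirely.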
_______________________________________________
Fedora-commons-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers