Davy,

Thanks for your feedback, this is a pretty accurate description of the state of the LDAP implementation. Authentication was the primary focus of the last release. Though authorization is partially implemented, it is not fully functional as you rightfully point out.
From your comments, I see a few action points:

- We need to wrap up the RoleSecurityHandler implementation as well as the user/role/group mapping for LDAP. Your suggestion to leverage uniqueMember or memberOf is definitely a possibility.
- We need to support Sun LDAP for authentication.

Regarding your general questions around extended LDAP support in J2, I think it is reasonable to say that we would like to improve it based on the community needs and feedback. So your email helps out greatly there. Also, we are always looking for good patches ;)

Regards,

David Le Strat

> Hi,
>
> After having a look at the LDAP Configuration section on the Apache website, I decided to connect my Sun Directory Server to my Jetspeed2 installation.
>
> After fiddling around with the LDAP schema, Jetspeed source code & Spring configuration, I managed to get certain things up & running.
>
> My general question, besides the one below, is if there is some kind of roadmap or planning when it comes to extending the LDAP support in the Jetspeed security module?
>
>
> SecurityHandlers
> ----------------
> When I downloaded the Jetspeed distribution, the authorization config (security-spi-atz.xml) didn't use any LDAP specific SecurityHandlers. (The codebase does contain handlers for credentials, groups and users, but apparently lacks support for roles).
>
> Is it correct that there is a dependency between the SecurityHandlers and the SecurityMapper? I had the impression that during the creation of the groups, everything was stored correctly in LDAP, but when it came to assigning those groups to users, Jetspeed expected to find the groups in the database, and didn't bother to check the LDAP.
>
>
> SecurityMappers
> ---------------
> So after replacing the default handlers with LDAP specific handlers, I tried using the LdapSecurityMapper instead of the DefaultSecurityMapper.
>
> A few hiccups aside, everything seemed to be working pretty well. I was able to store users/groups in LDAP, and even managed to get the group assignment working through the LdapSecurityMapper. However, the fact that the role part was unimplemented rendered this solution unusable for now.
>
>
> Encrypted passwords in LDAP
> ---------------------------
> The Sun Directory Server stores encrypted passwords. Jetspeed doesn't have any means to decrypt them, so the only way to authenticate a user is to use the encrypted password string from LDAP, and use that to perform a login.
> What are the plans to handle this?
>
>
> Using uniqueMember or memberOf attributes
> -----------------------------------------
> Assigning users to groups/roles apparently depends on the j2-group/j2-role multi-value attributes that are stored on the user level. Are there any plans to support uniqueMember or memberOf attributes? This would facilitate the integration of existing corporate LDAP trees with Jetspeed.
>
>
> To conclude this, I would just like to say that the first time I ever encountered Jetspeed was about 4 years ago when we evaluated it for a portal based solution. Unfortunately, the project at the time wasn't nearly as mature as it is now, and it also suffered tremendous performance issues. It's great to see how the project has evolved! Keep up the good work!
>
> Greetings,
>
> Davy

________________________
David Le Strat
Blogging @ http://dlsthoughts.blogspot.com
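The two membership models discussed in the thread side by side, as an added Python example that is not Jetspeed code: Jetspeed's j2-group/j2-role multi-valued attributes stored on the user entry, and the corporate-style uniqueMember attribute stored on the group or role entry. The directory entries, DNs and the membership_diff helper are constructed for illustration; a user present in the corporate tree but without j2-* attributes shows how the two sources of truth can disagree.

```python
from typing import Dict, List, Set

def norm_dn(dn: str) -> str:
    """Cheap DN normalisation for matching: lower-case, no space after commas.
    Real DN matching rules are richer; this suffices for the constructed data."""
    return ",".join(part.strip() for part in dn.lower().split(","))

# Constructed sample entries (not a real directory): DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    # Jetspeed model: membership is a multi-valued attribute on the user.
    "uid=alice,ou=people,dc=example,dc=com": {
        "j2-group": ["cn=engineering,ou=groups,dc=example,dc=com"],
        "j2-role": ["cn=admin,ou=roles,dc=example,dc=com"],
    },
    # bob exists in the corporate tree but carries no j2-* attributes.
    "uid=bob,ou=people,dc=example,dc=com": {},
    # Corporate model: membership is uniqueMember on the group/role entry.
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com",
                         "uid=bob, ou=people, dc=example, dc=com"],
    },
    "cn=admin,ou=roles,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}

def from_user_attr(user_dn: str, attr: str) -> Set[str]:
    """j2-group / j2-role model: read the list stored on the user entry."""
    return {norm_dn(v) for v in DIRECTORY.get(user_dn, {}).get(attr, [])}

def from_unique_member(user_dn: str, container: str) -> Set[str]:
    """uniqueMember model: group entries under `container` that list the user.
    Equivalent live filter: (&(objectClass=groupOfUniqueNames)(uniqueMember=<dn>))"""
    target = norm_dn(user_dn)
    return {norm_dn(dn) for dn, e in DIRECTORY.items()
            if norm_dn(dn).endswith(norm_dn(container))
            and "groupOfUniqueNames" in e.get("objectClass", [])
            and target in {norm_dn(m) for m in e.get("uniqueMember", [])}}

def membership_diff(user_dn: str) -> Dict[str, Set[str]]:
    """Groups one model grants and the other does not; a non-empty set means the
    authorization answer depends on which source the SecurityMapper reads."""
    by_attr = from_user_attr(user_dn, "j2-group")
    by_member = from_unique_member(user_dn, "ou=groups,dc=example,dc=com")
    return {"only_in_user_attr": by_attr - by_member,
            "only_in_uniqueMember": by_member - by_attr}
```

Running membership_diff over every user before switching mappers gives a concrete list of grants that would appear or vanish with the change.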
