On Tue, Dec 09, 2008 at 03:53:52PM -0500, Hobbs, Joseph wrote:
> Andrew,
>
> I think adding LDAP Integration into JSPWiki is an excellent idea,
> though I'd question the need to offer embedded LDAP with JSPWiki. If
> your goal is to provide this integration specifically for Enterprise
> users, 99% of the time they will already have an existing LDAP
> infrastructure they are tying into. In that scenario, you don't need to
> provide the LDAP database. This makes your life much easier. To be
> honest, I think simply providing an LdapUserDatabase and
> LdapGroupDatabase would satisfy most cases you are looking for.
>
> I had thought about doing this for my installation, but was successful
> in getting my container (WebSphere) to do most of the work for me. I
> did have to make some modifications to the web.xml to get things to work
> as expected, but it works like a charm. I still use the File-based
> user/group databases, but WebSphere assigns the important roles (in my
> case they are Authenticated, Author, and Admin) based on LDAP Group
> memberships.
>
> The one hiccup for me that prevents me from using LDAP for group
> memberships relates to rights. In a large organization, permissions
> tend to be controlled by an external party (Information Security group,
> etc). Due to this my JSPWiki application can READ LDAP, but has no
> authority to modify. Modifications in LDAP require a form submission,
> approvals, and all that jazz. So using File-based group databases
> actually allows me to use JSPWiki Groups and ACLs in my Wiki without
> having to have every little change provisioned separately. To me the
> separation is a good thing. With that said, I doubt that will be the
> case for everyone.

I think it would be nice to see the ability to merge the 2 sources, LDAP first and then local db files. Then you could have an option of priority of the security rights, i.e. LDAP has preference over local db, or a merge positive (take the least constrictive rule), or a merge negative (take the most restrictive rule).

>
> I'd be willing to take a crack at putting together user/group databases
> that interface with LDAP... I was already planning on putting together
> an ldap-based user database for my installation to eliminate the
> file-based user database I'm using today.
>
> Joseph Hobbs
> Lead Technology Architect
> Enabling Technologies : Technical Services
> Fifth Third Bank
> Phone : (513) 534-5908
> Fax : (513) 534-3408
[snip]
> Email : [EMAIL PROTECTED]
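
The merge options proposed in the reply above, sketched as an added Java example; it is not code from the thread or from JSPWiki. The class, enum and method names are hypothetical, the role names are the ones mentioned in the quoted message, and treating a user who is missing from one source as having no roles under the merge-negative option is an assumption.

```java
import java.util.Set;
import java.util.TreeSet;

public class MergedRoles {
    // Hypothetical names for the three options described in the reply.
    enum Policy { LDAP_PREFERRED, MERGE_POSITIVE, MERGE_NEGATIVE }

    /**
     * ldap / local: roles each source assigns to one user, or null when that
     * source has no record of the user (assumption: "no record" is distinct
     * from "a record that grants no roles").
     */
    static Set<String> merge(Set<String> ldap, Set<String> local, Policy policy) {
        Set<String> a = ldap == null ? Set.of() : ldap;
        Set<String> b = local == null ? Set.of() : local;
        Set<String> out = new TreeSet<>();
        switch (policy) {
            case LDAP_PREFERRED:
                // LDAP wins whenever it knows the user; local is only a fallback.
                out.addAll(ldap != null ? a : b);
                break;
            case MERGE_POSITIVE:
                // Least restrictive: a role from either source is granted.
                out.addAll(a);
                out.addAll(b);
                break;
            case MERGE_NEGATIVE:
                // Most restrictive: both sources must agree. A missing record
                // counts as "grants nothing", so the result fails closed.
                out.addAll(a);
                out.retainAll(b);
                break;
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data using the role names from the thread.
        Set<String> ldap = Set.of("Authenticated", "Author");
        Set<String> local = Set.of("Authenticated", "Admin");
        for (Policy p : Policy.values()) {
            System.out.println(p + " both sources: " + merge(ldap, local, p));
            System.out.println(p + " local only:   " + merge(null, local, p));
        }
    }
}
```

With the merge-positive option, a locally edited group file can grant a role that LDAP does not, so the choice of option decides whether the externally controlled directory or the wiki's own files has the final say.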
