That's correct ... I used WebSphere's container-managed authentication, which keeps track of its own cookies (and shares them with other systems, such as Lotus Domino), so as long as the user has not signed off, the session object will always be populated with the correct "user principal", which is what Roller uses to determine if you are logged on or not. I am sure other containers all work in a similar way ...
It's still a hack, but it does work ...
Matthew Holt <[EMAIL PROTECTED]>
To: Jeffery Chilton <[EMAIL PROTECTED]>
06/13/2006 09:43 AM
Subject: Re: Roller LDAP Support
Oh ok, I see. So once the initial register takes place, then users are authenticated using the LDAP session object?
So in my case, trying to incorporate an SSO, once the initial sign on to LDAP takes place and a cookie is retained, users can go to Roller and bypass having to login (if they have already registered once)?
Thanks,
Matt
Jeffery Chilton wrote:
Actually, when I deployed Roller, I secured it with the LDAP directory, not the Roller database. When users fill in the Roller sign-on screen, WebSphere authenticates these users using the LDAP directory (via j_security_check, which was linked to LDAP, not Roller). The reason for the hack was so that users authenticated via LDAP would also happen to be Roller users in the Roller database ... the Roller database and the passwords in the Roller database were never used for authentication, but once a person was authenticated, the Roller database data was used for every other user function, so I needed to force alignment between the two. That's why I made folks "register" -- to get a record in the Roller user database with the same ID as the ID that was used to authenticate them in the first place (and was being carried around in the session object).
Matthew Holt <[EMAIL PROTECTED]>
To: Jeffery Chilton <[EMAIL PROTECTED]>
06/13/2006 08:42 AM
Subject: Re: Roller LDAP Support
Jeff,
Thanks for the reply. What I'm attempting to accomplish is to have Roller recognize if they are signed into the LDAP server (based on a cookie) and, if they are signed in, then they are automatically logged into Roller without having to pass by a login page. Basically a Single Sign-on for our Intranet.
This hack sounds more like only allowing users that are logged in to register, thus enforcing consistent usernames between LDAP and Roller. However, it sounds like Roller will still need to be logged into regardless of whether the user is already authenticated in LDAP. Am I correct in saying this?
Thanks for your help.
Matt
Jeffery Chilton wrote:
Matthew,
What I did was probably just a hack, but it worked out quite well for me and it actually turned out pretty simple. My intent was to allow any authenticated user to register using their existing LDAP account. I deployed Roller to a server that was already authenticating using our LDAP directory, so I secured the registration page (requiring them to be authenticated to bring up the registration screen) and then replaced the input field for user id with a hidden field populated from their existing id, which I was able to pull from their authenticated session. Using this method, whenever someone registered as a new user, they automatically provided the registration process with their LDAP user id, so their Roller registration used the same id as their LDAP entry. As I say, this is just a hack, and not what the original authors had envisioned, but it worked for me. You can get some additional details here:
http://www.webspherepower.com/issues/issue200410/00001358001.html
http://www.webspherepower.com/issues/issue200411/00001359001.html
http://www.webspherepower.com/issues/issue200411/00001360001.html
Hope that helps ....
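The registration approach Jeffery describes in this message (a container-protected registration page whose user id comes from the authenticated session, not from a text input), together with the "user principal" point from the top of the thread, as an added illustration. This is example code written for this page, not Roller's code and not Jeffery's; the UserStore interface stands in for Roller's user table, the field names userName/fullName/emailAddress are made up, and the servlet goes one step beyond the thread by re-reading the principal on POST instead of trusting the hidden field that comes back from the browser.

```java
// Added example (not Roller's or the thread authors' code). Assumes the
// registration URL sits behind a web.xml security-constraint with FORM
// auth, so the container has already run the user through
// j_security_check against LDAP before this servlet is reached.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LdapRegistrationServlet extends HttpServlet {

    /** Hypothetical stand-in for the Roller user database. */
    public interface UserStore {
        boolean exists(String userName);
        void create(String userName, String fullName, String email);
    }

    private final UserStore store;

    // Constructor injection; register the instance programmatically via
    // ServletContext.addServlet, or subclass with a no-arg constructor.
    public LdapRegistrationServlet(UserStore store) {
        this.store = store;
    }

    /**
     * The only trusted source of the user id: the principal the container
     * established when j_security_check authenticated the user against LDAP.
     * A null principal means the security-constraint is missing or does not
     * cover this URL, so fail rather than fall back to client input.
     */
    private static String principalName(HttpServletRequest req) throws ServletException {
        Principal p = req.getUserPrincipal();
        if (p == null) {
            throw new ServletException("registration page must be protected by a security-constraint");
        }
        return p.getName();
    }

    /** GET: render the form with the LDAP id in a hidden field instead of a text input. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = principalName(req);
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<form method=\"post\" action=\"register\">");
        out.println("  <input type=\"hidden\" name=\"userName\" value=\"" + html(id) + "\">");
        out.println("  Full name: <input type=\"text\" name=\"fullName\">");
        out.println("  E-mail: <input type=\"text\" name=\"emailAddress\">");
        out.println("  <input type=\"submit\" value=\"Register\">");
        out.println("</form>");
    }

    /**
     * POST: derive the id from the principal again rather than from the posted
     * hidden field. The hidden field is only a convenience for the form; if it
     * were trusted, anyone could edit it and create a Roller account under a
     * different LDAP id.
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = principalName(req);
        if (!id.equals(req.getParameter("userName"))) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "user id does not match session");
            return;
        }
        if (!store.exists(id)) {
            // First visit: create the Roller record with the same id as the LDAP entry.
            store.create(id, req.getParameter("fullName"), req.getParameter("emailAddress"));
        }
        // Either way the Roller id and the LDAP id are now aligned.
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Minimal escaping so the id is safe inside an HTML attribute value. */
    static String html(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

The web.xml side is what makes this work: a `<security-constraint>` whose `<url-pattern>` covers the registration URL and a `<login-config>` with `<auth-method>FORM</auth-method>`, which is what routes the sign-on screen through j_security_check. If the constraint is ever loosened, `principalName` throws instead of silently accepting whatever the browser sent, which is the check worth keeping even if the rest of the page is reworked.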
Matthew Holt <[EMAIL PROTECTED]>
To: [email protected]
06/13/2006 07:42 AM
Subject: Roller LDAP Support
Please respond to [EMAIL PROTECTED] ator.apache.org
Hi,
I'm evaluating the use of Roller for my company's Intranet. However, I was needing some help determining how Roller meets one of our needs. I was wondering, how hard is it to configure Roller for LDAP support? Also, is there any documentation available (I've come across a few things, but nothing too significant)? If anyone could reply, it would be much appreciated. Thanks for your help...
Matthew Holt