Re: [Dspace-tech] [Dspace-devel] Help with Xmlui - Manakin : remote_user

2012-09-10 Thread Lohit Valleru
Hello Helix,

Thank you for your insight into this problem.

As you have exactly guessed, my use case is to get the Kerberos
authenticated user from Apache (use the Remote_user variable), with the
help of DSpace, and just get the respective details of that user from LDAP.
The user would then be automatically registered as an e-person with the
help of his retrieved details. Later, the administrator could modify the
authorization policies of each e-person.

Regarding receiving the user's details from Apache headers, I haven't
checked that yet. But since the Apache server that we are using is used
for many other apps too, we did not want to integrate this feature into
Apache just because of DSpace.

Since DSpace has a pretty good workflow to get details from LDAP and
auto-register that person (I had already customized that part), I just
wanted to go forward and make use of this comfortable feature instead.

Also, in the near future, I would want to customize the xmlui web design,
change the workflow and remove the login and registration options, with a few
other features.

Since I would anyway have to learn more about xmlui, I thought of
starting with this auto login/register feature inside DSpace.

I would try and make use of your idea of integrating the IP authentication
class for accessing LDAP and registering him as an e-person.

I hope it authenticates the user before showing the homepage or profile
page. I would not want the user to click on login just to trigger a
registration response.

Thank you for the help, helix. I would get back to you once I try your
approach.

Regards,

Lohit


Re: [Dspace-tech] [Dspace-devel] Help with Xmlui - Manakin : remote_user

2012-09-10 Thread helix84
I'd almost forget - this is mandatory reading if you're going to dig into this:

https://wiki.duraspace.org/display/DSDOC18/Authentication+Plugins

If you'll want to assign a DSpace group based on LDAP DN part, you
want to look at this:
https://jira.duraspace.org/browse/DS-1078

It should be a part of DSpace 3.0, although I prepared a different
getSpecialGroups() method (that I still have to push) to make the
group selection more generic:
https://github.com/DSpace/DSpace/pull/76

Regards,
~~helix84

___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech


Re: [Dspace-tech] [Dspace-devel] Help with Xmlui - Manakin : remote_user

2012-09-10 Thread helix84
On Mon, Sep 10, 2012 at 10:13 PM, Lohit Valleru  wrote:
> Hi Helix,
>
> Thanks for the quick reply.
>
> I understand the below approach and it's a good one. However, may I know if
> the IP Authentication class is called as soon as the Home page loads? Or is it
> called once I click the login link on the home page?
>
> I assume IP authentication should not necessitate the need for a username,
> but I just wanted to confirm.
>
> If IP authentication is done before the Home page is loaded, I would be
> grateful to use the below approach.
>
> (Forgot to mention: I want to authenticate the remote_user with the LDAP server
> and was therefore looking for a way to call LDAP hierarchical authentication
> before the home page loads.)
>
> Also, though the authentication done in Java class files is not xmlui or
> jspui specific, I realize that the method used to call these methods from the
> client is different when it comes to XMLUI and JSPUI. JSPUI used servlets
> and it's easy to understand what is called when; however, it was not the same
> case with XMLUI.
>
> The main use case is, I want the user to be automatically authenticated
> before the DSpace homepage loads.
>
> Thank you, helix. I hope I understood your approach in the right manner.
>
> I would be happy to take your help.
>
> Regards,
>
> Lohit

Please, always CC dspace-tech when replying.


Honestly, it's been a long time since I tried IPAuthentication, so I
don't remember.
I just did a very quick test and from watching the log (tail -f
dspace.log) it seems this is suitable for your use case. I didn't
check whether you have the group set at the home page (but I checked
you have it in /profile after logging in using a different login
method), but going directly from the home page without logging in,
I was able to access a resource restricted to my IP group.


Your configuration sounds intriguing. However, there's something wrong
with trying to authenticate based on username you receive from
REMOTE_USER. You get that header from Apache, which gets it from an
authn module, so you should implicitly trust it already, no need to
re-authenticate.

Of course, what makes sense to do is to a) look up the user's
attributes b) look up his full DN so you may put him into DSpace
groups. But this could also be done by the Apache authn module and
passed to DSpace in headers, it's just a matter of preference.

Can you please elaborate on your use-case? How exactly is the
REMOTE_USER header filled? Why do you think you need to do
LDAPHierarchical in DSpace again?


Concerning the details of calling AuthenticationManager from JSPUI and
XMLUI, I don't have such deep knowledge of this yet.

Regards,
~~helix84
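
The lookup described in the message above (trust the REMOTE_USER value set by Apache's authn module, then only look the user up in LDAP), as an added example that is not part of the original thread and not DSpace's own code. The class name, the realm `EXAMPLE.ORG`, the `uid` attribute and the sample values are assumptions; the value is taken to be what the servlet container reports through `HttpServletRequest.getRemoteUser()`, never a header a client could set itself.

```java
public class RemoteUserLookup {
    // Assumption: the only Kerberos realm the front-end Apache authenticates.
    static final String EXPECTED_REALM = "EXAMPLE.ORG";

    /** Local user name from REMOTE_USER, or null if the value must not be used. */
    static String localName(String remoteUser) {
        if (remoteUser == null || remoteUser.isEmpty()) return null;
        int at = remoteUser.lastIndexOf('@');
        // A Kerberos module may report "user@REALM" or a bare "user".
        String name = at < 0 ? remoteUser : remoteUser.substring(0, at);
        String realm = at < 0 ? EXPECTED_REALM : remoteUser.substring(at + 1);
        if (name.isEmpty() || !EXPECTED_REALM.equals(realm)) return null;
        return name;
    }

    /** Escapes a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Filter for a lookup-only search (attributes and DN); no bind as the user. */
    static String searchFilter(String remoteUser) {
        String name = localName(remoteUser);
        return name == null ? null : "(uid=" + escapeFilterValue(name) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String[] samples = {
            "jdoe@EXAMPLE.ORG", "jdoe", "jdoe@OTHER.ORG", "a*)(uid=*@EXAMPLE.ORG", ""
        };
        for (String s : samples) {
            System.out.println("[" + s + "] -> " + searchFilter(s));
        }
    }
}
```

A `null` result means no e-person should be looked up or registered for that request; the escaped filter keeps an unusual principal name from changing the meaning of the search.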
