Hi, I'm trying to apply JNDIRealm to the LDAP structure, where each user belongs to some group (organizationalUnit):

    dn: ou=Group1, o=myorg
    objectclass: organizationalUnit
    ou: Group1

    dn: uid=user1, ou=Group1, o=myorg
    objectclass: person
    uid: user1

    dn: ou=Group2, o=myorg
    objectclass: organizationalUnit
    ou: Group2

    dn: uid=user2, ou=Group2, o=myorg
    objectclass: person
    uid: user2

Also there are roles, and each of them can be assigned to some groups:

    dn: cn=readIt, o=myorg
    objectclass: organizationalRole
    cn: readIt
    roleOccupant: ou=Group1, o=myorg
    roleOccupant: ou=Group2, o=myorg

    dn: cn=changeIt, o=myorg
    objectclass: organizationalRole
    cn: changeIt
    roleOccupant: ou=Group2, o=myorg

So technically, to find roles for a user, we need three steps:

- Search for (uid=username);
- Get the group DN by stripping the last component:
      groupDN = userDN.getPrefix(userDN.size() - 1);
- Search for roles (roleOccupant={groupDN});

Current implementation of JNDI assumes that roles should be assigned to users, not to groups. So I can't use it directly. Of course I could (and probably will) find a way to hack it (extend, put some adapter, etc.), but I suspect that it's a pretty common case, and it could be resolved in a more general and graceful way. For instance, the inner User class could have an additional attribute, e.g. getGroup(), and that value could be used as the third parameter in the roleSearch attribute.

What do you think? Is it worth trying to generalize usage of groups in JNDIRealm?
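
The three-step lookup described in the message, as an added example that is not part of the original post and is not Tomcat code. The class `GroupRoleLookup`, its methods and the in-memory `ROLES` map are hypothetical; step 1 (the `(uid=username)` search) is assumed to have already returned the user DN, and the role entries are constructed from the LDIF above.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import java.util.*;

public class GroupRoleLookup {
    // Constructed sample data: role cn -> roleOccupant values, copied from the post's LDIF.
    static final Map<String, List<String>> ROLES = Map.of(
        "readIt", List.of("ou=Group1, o=myorg", "ou=Group2, o=myorg"),
        "changeIt", List.of("ou=Group2, o=myorg"));

    // Step 2: LdapName index 0 is the rightmost RDN (o=myorg), so the prefix
    // [0, size-1) drops the leftmost RDN (uid=...) and leaves the parent OU.
    static LdapName groupOf(LdapName userDn) {
        if (userDn.size() < 2)
            throw new IllegalArgumentException("user DN has no parent: " + userDn);
        return (LdapName) userDn.getPrefix(userDn.size() - 1);
    }

    // Step 3 as a filter for a real directory. The group DN is escaped per
    // RFC 4515 so that characters in a DN cannot alter the filter structure.
    static String roleFilter(LdapName group) {
        StringBuilder sb = new StringBuilder("(roleOccupant=");
        for (char c : group.toString().toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.append(')').toString();
    }

    // Step 3 against the in-memory data. DNs are compared as parsed names,
    // so spacing and case differences between entries do not cause a miss.
    static SortedSet<String> rolesFor(String userDn) throws InvalidNameException {
        LdapName group = groupOf(new LdapName(userDn));
        SortedSet<String> roles = new TreeSet<>();
        for (Map.Entry<String, List<String>> e : ROLES.entrySet())
            for (String occupant : e.getValue())
                if (new LdapName(occupant).equals(group)) roles.add(e.getKey());
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        for (String dn : List.of("uid=user1, ou=Group1, o=myorg", "uid=user2, ou=Group2, o=myorg"))
            System.out.println(dn + " -> " + roleFilter(groupOf(new LdapName(dn))) + " -> " + rolesFor(dn));
    }
}
```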