+1 !!!

Saludos ,
Ignacio J. Ortega


> -----Mensaje original-----
> De: GOMEZ Henri [mailto:[EMAIL PROTECTED]]
> Enviado el: martes 15 de mayo de 2001 9:46
> Para: [EMAIL PROTECTED]
> Asunto: RE: JNDI/LDAP realm
> 
> 
> Why not having all realm code (JDBC/JNDI/LDAP/JAAS) shared
> in a common tomcat subproject ?
> 
> ie: jakarta-tomcat-realms 
> 
> -
> Henri Gomez                 ___[_]____
> EMAIL : [EMAIL PROTECTED]        (. .)                     
> PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
> 
> 
> 
> >-----Original Message-----
> >From: Steve Downey [mailto:[EMAIL PROTECTED]]
> >Sent: Monday, May 14, 2001 6:40 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: JNDI/LDAP realm 
> >
> >
> >The downside to binding with the supplied credentials is that 
> >it chews up a
> >file descriptor. For light loads, it's not an issue. For heavy 
> >loads, it can
> >be a big issue. If the app server binds administratively, you 
> >can get by
> >with two connections, one for reading and one for writing. Or 
> >even one, if
> >you're not replicating LDAP.
> >
> >All in all, making it configurable is probably a good idea.
> >
> >> -----Original Message-----
> >> From: Ellen Lockhart [mailto:[EMAIL PROTECTED]]
> >> Sent: Sunday, May 13, 2001 12:58 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: JNDI/LDAP realm 
> >> 
> >> 
> >> I preferred binding to the directory with supplied 
> >> credentials because it
> >> allows the realm implementation to use an anonymous password 
> >> for the rest of
> >> what it needs.
> >> 
> >> To allow for DN's in the directory that may not be composed 
> >> of the same
> >> attributes as other DN's, one thing I was thinking about 
> >> doing to the one I
> >> submitted was to configure what the login attribute is (cn, 
> >> uid, etc.) and
> >> search for it (with anonymous login) to get the dn, then 
> bind to the
> >> directory with the resultant DN and the user-entered password to
> >> authenticate.  This might be a little less efficient than 
> >> just searching and
> >> getting the password as well, but is more secure than 
> having the root
> >> password to the ldap server where it might be accessible 
> by someone.
> >> 
> >> 
> >> ----- Original Message -----
> >> From: "John Holman" <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Cc: <[EMAIL PROTECTED]>
> >> Sent: Sunday, May 13, 2001 5:02 AM
> >> Subject: JNDI/LDAP realm
> >> 
> >> 
> >> > The current JNDI realm implementation in Tomcat 4 is based 
> >on code I
> >> > submitted, which was subsequently modified and committed 
> by Craig.
> >> >
> >> > Two significant changes he made are:
> >> >
> >> > - the original code found the DN of the user by searching 
> >> the directory.
> >> The
> >> > current implementation, like Ellen Lockhart's recent submission,
> >> determines
> >> > the DN by substituting the username into a string.
> >> >
> >> > - the original code supported a mode in which the user is 
> >> authenticated by
> >> > binding to the directory with the supplied credentials (as 
> >> does Ellen's).
> >> > The code for this was removed, with a comment in the commit 
> >> log that this
> >> > mode should be supported probably in a separate 
> >> implementation class.
> >> >
> >> > I did comment on this in an earlier message, but got no 
> >> response - so I'm
> >> > trying again now there is another little wave of interest :)
> >> >
> >> > Determining the DN. The pattern substitution method in 
> the current
> >> > implementation is obviously more efficient when applicable 
> >> but the search
> >> > method is more general. For example, unlike the current 
> >> implementation,
> >> > search can handle the following common use cases:
> >> >
> >> > - users are stored within multiple nodes in the directory 
> >> (e.g. they may
> >> be
> >> > held under different
> >> > organisational units)
> >> >
> >> > - the attribute used in distinguished names is not the same 
> >> as that the
> >> user
> >> > enters into the basic authentication dialog box (e.g. the 
> >> user might enter
> >> > mail address as the username rather than uid; the directory 
> >> might use
> >> > commonName as a component of distinguished names rather 
> than uid).
> >> >
> >> > So there are really two orthogonal issues for user 
> >> authentication each
> >> with
> >> > two options:
> >> >
> >> > - how the dn for the user is determined (configuration 
> template vs
> >> directory
> >> > search)
> >> > - how authentication is done (system login vs binding as 
> the user)
> >> >
> >> > I think it's important that Tomcat supports the missing 
> >> combinations of
> >> > options. In fact, the most common strategy when using a 
> >> directory for
> >> > authentication is probably "search then bind", neither 
> >> component of which
> >> is
> >> > supported by the current implementation.  For example, 
> this is the
> >> strategy
> >> > taken by pam_ldap and by the auth_ldap Apache module.
> >> >
> >> > I'd be happy to have a go at adding the missing 
> >> functionality, but would
> >> > like some feedback first as to whether people think this is 
> >> a good idea.
> >> > Also opinions as to whether we should have one, two or even 
> >> four classes
> >> to
> >> > implement the different combinations (with multiple classes 
> >> maybe derived
> >> > from a base JNDIRealm class). We should take into account 
> >> which variation
> >> is
> >> > likely to lead to the simplest and clearest configuration 
> >> documentation
> >> ...
> >> >
> >> > John.
> >> >
> >> >
> >> 
> ><><><><><><><><><><><><><><><><><><><><><>This electronic mail 
> >transmission
> >may contain confidential information and is intended only for 
> >the person(s)
> >named.  Any use, copying or disclosure by any other person 
> is strictly
> >prohibited.  If you have received this transmission in error, 
> >please notify
> >the sender via e-mail. <><><><><><><><><><><><><><><><><><><><><>
> >
> 

Reply via email to