Hi all,

  I'm quite new to Turbine, so forgive me if I miss something obvious,
  but I'm getting a bit lost trying to decouple some of the user
  authentication features of Turbine.

  I would like to use a Turbine application in an environment where I
  have two kinds of users:

    1) Users listed in a corporate directory (LDAP)
    2) Users to sign-up on the website independently.

  I don't really want to provide two entry points, and I'd like to
  integrate the application with the cookie-based single-sign-on system
  already in place for users in the LDAP directory.

  Basically, I'm trying to achieve the following:

    1) User hits the application URL
    2) If user has appropriate cookie, discover username and move on to
       default application page.  The information may not necessarily
       be a cookie, but may be an X509 certificate, a header added by
       a frontend proxy, etc.
    3) If user does not have "special" authentication information,
       display application login screen.

    4) On user login attempt, first attempt to validate against LDAP.
       If that works, issue single-sign-on cookie (in addition to
       session cookie), and continue.
    5) If LDAP validation fails, check against internal user database.
       If that works, login as normal and don't set any extra cookies.
    6) Otherwise, login fails.

  Now, there are a few questions that I don't know where to find the
  answers to that I'm hoping someone else may have already seen:

    1) Can I enumerate over both sets of users from within Turbine
       (assuming I had an API for each) so that authorisation features
       (role assignments, etc) could be managed from within the
       application?  I.e.  A search for user by name finds users in
       both LDAP *and* the TURBINE_USER table?

    2) Does turbine behave nicely if roles are assigned to non-existent
       users (i.e. ones that are in LDAP and have no entry in
       TURBINE_USER)?

  I suspect I may need to "automagically" populate rows in the
  TURBINE_USER table, but this could be a pain during name changes,
  email changes, etc, etc.  I would like to source data directly, but
  I can't tell if it's possible or not.

  Does anyone have any ideas?

daniel
-- 
Daniel Patterson <[EMAIL PROTECTED]>
Adaptive International
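The six-step login flow and the cross-store user search described in the mail above, worked through as an added example. This is not code from the mail or from Turbine; it uses constructed in-memory stand-ins for the LDAP directory, the TURBINE_USER table and the frontend proxy. The header name `X-SSO-User`, the proxy address `10.0.0.5` and the PBKDF2 password storage for local users are assumptions chosen for the illustration.

```python
"""Chained login flow: proxy-supplied SSO identity, then LDAP, then the
local user table.  Added example with constructed sample data; the header
name, proxy address and password hashing are assumptions, not Turbine's."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Source(Enum):
    SSO = "sso"
    LDAP = "ldap"
    LOCAL = "local"


@dataclass(frozen=True)
class Principal:
    username: str
    source: Source
    issue_sso_cookie: bool  # step 4: only a fresh LDAP login gets the extra cookie


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stand-in for however the local table stores passwords (assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_local_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed sample data.  "bob" deliberately exists in both stores, with a
# stale password in the local table, to exercise the fallback rule below.
LDAP_DIRECTORY = {"alice": "alice-pw", "bob": "bob-pw"}
LOCAL_USERS = {"carol": _new_local_record("carol-pw"),
               "bob": _new_local_record("old-bob-pw")}
TRUSTED_PROXIES = {"10.0.0.5"}   # hypothetical frontend proxy address
SSO_HEADER = "X-SSO-User"        # hypothetical header the proxy sets


def ldap_bind(username: str, password: str) -> Optional[bool]:
    """Simulated LDAP bind: None = no such user, True/False = bind result."""
    if username not in LDAP_DIRECTORY:
        return None
    return hmac.compare_digest(LDAP_DIRECTORY[username], password)


def local_verify(username: str, password: str) -> Optional[bool]:
    """Same tri-state contract against the local user table."""
    record = LOCAL_USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def sso_identity(headers: dict, remote_addr: str) -> Optional[str]:
    """Steps 1-2: honour the proxy-supplied identity only when the request
    actually arrived from the trusted proxy; any client can set a header."""
    if remote_addr not in TRUSTED_PROXIES:
        return None
    return headers.get(SSO_HEADER) or None


def authenticate(headers: dict, remote_addr: str,
                 credentials: Optional[tuple] = None) -> Optional[Principal]:
    """Steps 1-6.  Returns a Principal, or None (show login screen / fail)."""
    user = sso_identity(headers, remote_addr)
    if user is not None:
        return Principal(user, Source.SSO, issue_sso_cookie=False)
    if credentials is None:
        return None  # step 3: no special auth info, show the login screen
    username, password = credentials
    ldap_result = ldap_bind(username, password)
    if ldap_result is True:
        return Principal(username, Source.LDAP, issue_sso_cookie=True)
    if ldap_result is False:
        # Known LDAP user, wrong password: stop here rather than trying the
        # local table, otherwise a stale local row would sidestep the
        # directory's password policy and lockout.  Stricter than step 5.
        return None
    if local_verify(username, password):
        return Principal(username, Source.LOCAL, issue_sso_cookie=False)
    return None


def find_users(prefix: str) -> list:
    """Question 1: a single search that spans both user stores."""
    hits = [(u, Source.LDAP) for u in LDAP_DIRECTORY if u.startswith(prefix)]
    hits += [(u, Source.LOCAL) for u in LOCAL_USERS if u.startswith(prefix)]
    return sorted(hits, key=lambda h: (h[0], h[1].value))
```

The one place this departs from the mail's step 5 is the fallback rule: the local table is consulted only when LDAP reports that the user does not exist, not when the LDAP bind merely fails. Falling through on a failed bind would let an account that also has a (possibly stale) local row log in with the old password after its directory password was changed or locked. The tri-state return from `ldap_bind` is what makes that distinction possible.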

