I've read the FAQ items and a few postings on this and I remain unilluminated.

My objectives:

1. Authenticate users via an LDAP directory. Users must reside in the LDAP directory and nowhere else; specifically, not in the Jackrabbit repository.

2. Authorize users via the LDAP directory. It is not sufficient for me to identify them in the existing Jackrabbit terms as anonymous, user, or admin. I want to grant each user specific access rights, including none. Ultimately this might descend to the Node level; however, initially it certainly includes the following access levels: none; read-only; read-write; admin (i.e. with control over versioning, locking, etc). I want to put roles such as jcr:read, jcr:write etc into my LDAP directory and grant them to my own users; no other solution is really acceptable.

I've read that I have to implement a custom LoginModule to implement (1) and perhaps a custom AccessManager to accomplish (2). However, I have as yet failed to locate the necessary information to be able to do so.

Any assistance gratefully received. Specifically, I don't understand how to unhook a LoginModule from the existing built-in users, and having done so, how to advise via the LoginModule, AccessManager, etc, which roles one of my users actually has, in terms that Jackrabbit will understand and act on without requiring it all to be inside its own repository.

I'm thinking of implementing something for Jackrabbit along the lines of Tomcat's JNDIRealm to accomplish all this, and I would be quite prepared to contribute it to the project, which at present doesn't really appear to me to address this kind of problem adequately.

If I'm wrong about any of the above I would be delighted to hear about it.

Thanks in advance

EJP
