4 Aug 2010 19:54
Re: [fcrepo-dev] Get LDAP groups for principal in 3.4rc1
Just a follow-up... I saw in your previous message that you mentioned
using ApacheDS. Is this your production directory service, or do you
have other options?
I poked around a bit and found that several directory servers support
a computed "memberOf" attribute[1], but it looks like it hasn't been
implemented for ApacheDS yet[2].
- Chris
[1] As a non-standard, usually computed attribute, it's available either as
"memberOf" or "isMemberOf" in the following directory servers I've seen
reference to: 389 (was "Fedora DS"), ActiveDirectory, DSEE (Sun/Oracle,
java-based), IBM DS, OpenLDAP, OpenDS (also java-based), Novell eDirectory
[2] Recent discussion on ApacheDS list Re: memberOf attribute
http://osdir.com/ml/users-directory-apache/2010-03/msg00022.html
On Wed, Aug 4, 2010 at 12:33 PM, Chris Wilper <cwilper <at> duraspace.org> wrote:
> Hi Ben,
>
> Sorry this has turned out to be such a pain. Note that people have
> historically had problems with the pre-3.4 LDAP integration for
> Fedora. The JAAS-based implementation in 3.4rc1 is actually a big
> improvement, which is why we're trying to make that the default option
> from now on.
>
> It sounds like you were able to successfully get the subject
> attributes populated. I didn't realize how to do that when I first
> looked at it, but I assume you put them in attrs.fetch value in
> jaas.conf (Nishen pointed this out to me in this thread:
> http://www.mail-archive.com/fedora-commons-developers <at> lists.sourceforge.net/msg00779.html)
>
> I assume your LDAP has groups modeled in the more common way, where
> the list of members is maintained within the group entry. In order to
> discover the groups someone is a member of, a separate query on the
> directory (find groups with a member: this-person) would need to be
> done, which I don't believe the implementation in
> org.fcrepo.server.security supports.
>
> Outside of writing your own code, or tweaking the existing code to
> support this, one option might be to update your LDAP directory to
> make the group membership information available as user attributes as
> well. For example, OpenLDAP has the "memberof" overlay which, when
> configured, allows you to define group membership in the traditional
> way, but makes an additional "memberOf" attribute available for each
> user, which expresses the relationship in the opposite direction:
>
> http://www.linuxtopia.org/online_books//network_administration_guides/ldap_administration/overlays_Reverse_Group_Membership_Maintenance.html
>
> I haven't used it myself, but I think it'd be worth a shot if your
> ldap server supports it and you have administrative control over it.
> Here's a report I found from someone who has used it successfully to
> solve the same sort of problem:
> http://jordaneunson.com/?p=74
>
> - Chris
>
> On Wed, Aug 4, 2010 at 8:38 AM, Benjamin Ryan <B.Ryan <at> leeds.ac.uk> wrote:
>> Hi,
>> I have given up on getting LDAP to retrieve roles and groups using filters and have had a look at using JAAS in 3.4rc1.
>> I have successfully retrieved subject attributes from LDAP, including fedoraRole, and these have been correctly populated (I used the user servlet to check this).
>> My next task is to get group information back from the LDAP server.
>> I tried adding a login module to the JAAS conf to retrieve the groups but this does not seem to work (I cannot see from the logs that there is an error but no attributes are fetched).
>> Does anybody have any ideas how to achieve this?
>>
>> Regards,
>> Ben
>> ---------------------------------------------------------------------
>> Dr Ben Ryan
>> Timescapes Archive Technical Officer
>> School of Sociology and Social Policy
>> Faculty of Education, Social Sciences and Law
>> Social Science Building
>> The University of Leeds
>> Leeds LS2 9JT
>> Email: b.ryan <at> leeds.ac.uk
>> Tel: 0113 343 7319
>> Website: http://www.timescapes.leeds.ac.uk
>
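An added illustration (not code from Fedora, ApacheDS or anyone in this thread) of the two membership directions discussed above: the "find groups with member: this-person" search filter, and the user-to-groups inversion that a memberOf overlay or computed memberOf attribute exposes. The group entries, DNs and attribute names below are constructed sample data; the filter value is escaped per RFC 4515 so a principal name containing filter metacharacters cannot alter the query.

```python
"""Reverse group lookup for directories that keep membership on the group entry."""

# RFC 4515 escaping for values embedded in a search filter (backslash first).
_FILTER_ESCAPES = [("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")]


def escape_filter_value(value: str) -> str:
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def reverse_membership_filter(user_dn: str, member_attr: str = "member",
                              group_class: str = "groupOfNames") -> str:
    """Filter for 'groups whose member attribute names this user'; pass it to an LDAP search."""
    return f"(&(objectClass={group_class})({member_attr}={escape_filter_value(user_dn)}))"


# Constructed sample group entries (DN -> attributes); not from any real directory.
SAMPLE_GROUPS = {
    "cn=archive-admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=jdoe,ou=people,dc=example,dc=org", "uid=asmith,ou=people,dc=example,dc=org"],
    },
    "cn=fedora-users,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=jdoe, ou=people, dc=example, dc=org"],  # spacing differs on purpose
    },
}


def normalize_dn(dn: str) -> str:
    # Simplifying assumption: no escaped commas inside RDN values.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def compute_member_of(groups, member_attrs=("member", "uniqueMember")):
    """Invert group->members into user->groups: what a memberOf overlay maintains for you."""
    member_of = {}
    for group_dn, attrs in groups.items():
        for attr in member_attrs:
            for user_dn in attrs.get(attr, []):
                member_of.setdefault(normalize_dn(user_dn), []).append(group_dn)
    return {dn: sorted(group_dns) for dn, group_dns in member_of.items()}


def groups_for(user_dn: str, groups) -> list:
    return compute_member_of(groups).get(normalize_dn(user_dn), [])


if __name__ == "__main__":
    print(reverse_membership_filter("uid=jdoe,ou=people,dc=example,dc=org"))
    print(groups_for("uid=jdoe,ou=people,dc=example,dc=org", SAMPLE_GROUPS))
```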
_______________________________________________
Fedora-commons-developers mailing list
Fedora-commons-developers <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers