Menu
▾
▴
Re: [Coefficient-users] looking for a level of difficultly...
|
From: Thomas F. <tfo...@cs...> - 2005-07-27 08:26:07
|
(CC'ed the devel list, and Leon - he has contributed to Coefficient in
the past, and he and I did some LDAP work together in a previous life :)
On Tue, 2005-07-26 at 17:58 -0400, Mike Spisak wrote:
> I got my coefficient up and running.. it's really a sweet platform.
:)
> Here's what I'd like to do:
> I have an existsing user ID and password system on an LDAP with a java
> API to authenticate. How hard would it be to use this mechanism to
> authenticate and integrate this back into coefficient? I see there's a
> "security" module.. is that the best place to start? How difficult
> would you rate something like this? I understand that there's
> "entitlement" issues as well, so I'm wondering how all this would
> work... any thoughts would be appriciated.
Ok, first some comments about doing this generically for coefficient (to
spark some discussion amongst the developers, hopefully), and then some
tips for you to get this working immediately...
I'd love to get LDAP authentication implemented in Coefficient. In fact,
it would be nice to abstract the
za.org.coefficient.authentication.CoefficientUser implementation so that
we can switch between backends (e.g. the current database impl, LDAP,
and possibly others). It would be especially nice if we could read/write
some of the user properties directly from the directory (givenName, sn,
email, etc.) - this way we don't need to maintain duplicate data.
Currently, the coefficient_user table looks like this:
Column | Type | Modifiers
------------------+-----------------------------+-----------
id | bigint | not null
version | bigint | not null
active | boolean | not null
confirmation_id | bigint |
create_date | timestamp without time zone |
email | character varying(255) | not null
fullname | character varying(255) | not null
hide_information | boolean | not null
language | character varying(255) | not null
password | character varying(255) | not null
system_role | bigint | not null
time_zone | character varying(255) | not null
username | character varying(255) | not null
alias_email | character varying(255) |
For the LDAP backend, we'd still want to maintain some data in the
coefficient database (partly to maintain referential integrity), so we
could have a table like this:
Column | Type | Modifiers
------------------+-----------------------------+-----------
id | bigint | not null
version | bigint | not null
active | boolean | not null
confirmation_id | bigint |
create_date | timestamp without time zone |
hide_information | boolean | not null
language | character varying(255) | not null
system_role | bigint | not null
time_zone | character varying(255) | not null
dn | character varying(255) | not null
alias_email | character varying(255) |
where we use dn to find the appropriate ldap entry.
Currently, authentication is done in the "user" module (see
za.org.coefficient.modules.users.Security), so this is where you could
start looking. For LDAP, we'd want to plug in in a different
authentication mechanism.
For now, to do authentication via LDAP, something like this could work
(za.org.coefficient.modules.users.Security:78-101)
String password = ctx.getParameter("password");
String username = ctx.getParameter("username");
try {
if (!ldap.authenticate(username, password)) {
ctx.setError("Incorrect username/password");
} else {
ArrayList users = new ArrayList(HibernateUtil.find("from "
+ CoefficientUser.class.getName()
+ " as pe_user where pe_user.userName = " + username);
user = (CoefficientUser) users.get(0);
}
} catch (Exception he) {
he.printStackTrace();
}
ctx.setSessionAttribute(Constants.USER_SESSION_STRING, user);
--
Thomas Fogwill <tfo...@cs...>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
|
