From: Thomas F. <tfo...@cs...> - 2005-07-27 08:26:07
(CC'ed the devel list, and Leon - he has contributed to Coefficient in the past, and he and I did some LDAP work together in a previous life :)

On Tue, 2005-07-26 at 17:58 -0400, Mike Spisak wrote:
> I got my coefficient up and running.. it's really a sweet platform. :)
> Here's what I'd like to do:
> I have an existing user ID and password system on an LDAP with a java
> API to authenticate. How hard would it be to use this mechanism to
> authenticate and integrate this back into coefficient? I see there's a
> "security" module.. is that the best place to start? How difficult
> would you rate something like this? I understand that there's
> "entitlement" issues as well, so I'm wondering how all this would
> work... any thoughts would be appreciated.

Ok, first some comments about doing this generically for coefficient (to spark some discussion amongst the developers, hopefully), and then some tips for you to get this working immediately...

I'd love to get LDAP authentication implemented in Coefficient. In fact, it would be nice to abstract the za.org.coefficient.authentication.CoefficientUser implementation so that we can switch between backends (e.g. the current database impl, LDAP, and possibly others). It would be especially nice if we could read/write some of the user properties directly from the directory (givenName, sn, email, etc.) - this way we don't need to maintain duplicate data.
Currently, the coefficient_user table looks like this:

      Column      |            Type             | Modifiers
------------------+-----------------------------+-----------
 id               | bigint                      | not null
 version          | bigint                      | not null
 active           | boolean                     | not null
 confirmation_id  | bigint                      |
 create_date      | timestamp without time zone |
 email            | character varying(255)      | not null
 fullname         | character varying(255)      | not null
 hide_information | boolean                     | not null
 language         | character varying(255)      | not null
 password         | character varying(255)      | not null
 system_role      | bigint                      | not null
 time_zone        | character varying(255)      | not null
 username         | character varying(255)      | not null
 alias_email      | character varying(255)      |

For the LDAP backend, we'd still want to maintain some data in the coefficient database (partly to maintain referential integrity), so we could have a table like this:

      Column      |            Type             | Modifiers
------------------+-----------------------------+-----------
 id               | bigint                      | not null
 version          | bigint                      | not null
 active           | boolean                     | not null
 confirmation_id  | bigint                      |
 create_date      | timestamp without time zone |
 hide_information | boolean                     | not null
 language         | character varying(255)      | not null
 system_role      | bigint                      | not null
 time_zone        | character varying(255)      | not null
 dn               | character varying(255)      | not null
 alias_email      | character varying(255)      |

where we use dn to find the appropriate ldap entry.

Currently, authentication is done in the "user" module (see za.org.coefficient.modules.users.Security), so this is where you could start looking. For LDAP, we'd want to plug in a different authentication mechanism.
For now, to do authentication via LDAP, something like this could work (za.org.coefficient.modules.users.Security:78-101):

    String password = ctx.getParameter("password");
    String username = ctx.getParameter("username");
    CoefficientUser user = null;
    try {
        // ldap is whatever wrapper you put around your existing Java LDAP API
        if (!ldap.authenticate(username, password)) {
            ctx.setError("Incorrect username/password");
        } else {
            // NOTE: username is concatenated straight into the HQL string here;
            // bind it as a query parameter instead, so that a crafted username
            // cannot alter the query.
            ArrayList users = new ArrayList(HibernateUtil.find("from "
                + CoefficientUser.class.getName()
                + " as pe_user where pe_user.userName = '" + username + "'"));
            if (users.isEmpty()) {
                // authenticated against LDAP but no matching coefficient_user row
                ctx.setError("Incorrect username/password");
            } else {
                user = (CoefficientUser) users.get(0);
            }
        }
    } catch (Exception he) {
        he.printStackTrace();
    }
    ctx.setSessionAttribute(Constants.USER_SESSION_STRING, user);

--
Thomas Fogwill <tfo...@cs...>
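The message above sketches an ldap.authenticate(username, password) hook and a coefficient_user table keyed by dn, but does not show what the LDAP side should do. What follows is an added example, not Coefficient code and not Thomas's or Mike's code: a search-then-bind authenticator written against the JDK's own JNDI LDAP provider, the way a security engineer would write it. The class name, the server URL, the base DN, the read-only service account, and the uid/inetOrgPerson schema are all assumptions for illustration. It returns the entry's DN on success, which is exactly the value the proposed dn column would store and look up.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-then-bind LDAP authentication (hypothetical class, not part of Coefficient).
 *
 * Step 1: a read-only service account searches for the user's entry.
 * Step 2: we bind to the directory as that entry's DN with the supplied password.
 * The DN that comes back is what a coefficient_user.dn column would hold.
 */
public class LdapAuthenticator {
    private final String url;             // assumed, e.g. "ldaps://ldap.example.org:636"
    private final String baseDn;          // assumed, e.g. "ou=people,dc=example,dc=org"
    private final String serviceDn;       // assumed read-only account used only to search
    private final String servicePassword;

    public LdapAuthenticator(String url, String baseDn, String serviceDn, String servicePassword) {
        this.url = url;
        this.baseDn = baseDn;
        this.serviceDn = serviceDn;
        this.servicePassword = servicePassword;
    }

    /** Returns the user's DN on success, or null if the credentials are rejected. */
    public String authenticate(String username, String password) throws NamingException {
        // Refuse empty credentials before touching the directory: an LDAP simple bind
        // with an empty password is an anonymous/unauthenticated bind, and on many
        // servers it "succeeds", which would log anyone in as any known username.
        if (username == null || username.length() == 0
                || password == null || password.length() == 0) {
            return null;
        }
        String dn = findDn(username);
        if (dn == null) {
            return null; // unknown user; caller reports the same generic error as a bad password
        }
        return bind(dn, password) ? dn : null;
    }

    /** Looks up the single entry whose uid matches; null if there are zero or several. */
    private String findDn(String username) throws NamingException {
        DirContext ctx = new InitialDirContext(env(serviceDn, servicePassword));
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[0]); // we only need the DN
            // The {0} placeholder makes JNDI escape the value per the filter grammar,
            // so a username such as "*)(uid=*" cannot widen the filter. Never build
            // the filter by string concatenation.
            NamingEnumeration<SearchResult> results = ctx.search(
                    baseDn, "(&(objectClass=inetOrgPerson)(uid={0}))",
                    new Object[] { username }, controls);
            if (!results.hasMore()) {
                return null;
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return null; // ambiguous uid: refuse rather than pick the first hit
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    /** Simple bind as the user's own DN; false on a wrong password. */
    private boolean bind(String dn, String password) throws NamingException {
        try {
            new InitialDirContext(env(dn, password)).close();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    private Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // use ldaps:// (or StartTLS): simple bind sends the password in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }
}
```

With this in place the login code would call authenticate(username, password) and, on a non-null result, load the local coefficient_user row by that DN with a bound Hibernate query parameter rather than by concatenating the user-supplied username into HQL. The two checks that matter most are the ones the search-and-bind pattern is easy to get wrong: rejecting an empty password before binding, and passing the username through the filter-argument mechanism so it is escaped.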