From: Kevin G. <k....@ai...> - 2007-05-30 23:12:55
Hi Andrea,

Ok, I'm one of the Australian guys now here at AIMS and we have come up with a modified version of org.fao.geonet.services.login.Login which uses the javax.naming.ldap.InitialLdapContext class to interact with LDAP. This class will also allow you to perform all the standard LDAP operations over a secure connection; currently we're just using it for a trivial non-secure user password authentication.

When Greg (the other Australian guy you've been dealing with) gets back into the office I'll have a chat to him about us providing this code; we were not aware you wanted us to provide this code. I also need to check with AIMS (the org I work for) on whether or not we're allowed to hand out this code. So I will get back to you on that (but the extension is trivial).

To move towards using LDAP will probably require going via the Jeeves resource path, that is, somehow getting LDAP supported as a resource by the Jeeves resource manager; not sure that's so trivial. And the code changes might be across much of the code, for example all DB queries would need to be changed to LDAP queries. Interesting work though, might be something AIMS is keen to do but it's currently not a priority. Our current priority is to get geonetwork working with a modified 19115 schema and set of style sheets for managing marine metadata. The focus is such that we're still using V2.0.2 with some custom modifications. I'm hoping we can upgrade but that's not in my control.

Our LDAP configuration is done via config.xml; a few mandatory params have been added which enable the LDAP authentication and also provide the required details such as the context factory, LDAP URL etc.

But while doing this I did try to add encryption to the password in the database, just using password key encryption with a salt and iterator, but JDOM doesn't like it, crashes on character errors. What modifications to the style sheets do you think are required to get the password field into a CDATA section (or something like that to ignore these chars)? I'm still coming up to speed on the XSLT work flow and how the schemas tie in. Is there a general schema that defines the XML for managing user account details and other geonetwork non-metadata related objects? Or is this just ad hoc XML produced by the Service classes?

Any thoughts on getting the password encryption working would be great, because then I can look at getting the LDAP password synchronised with the RDBMS password. Perhaps you can shed some light on what was done, or is planned for V2.2, because I need to get this working in V2.0.2. Forgive me if these questions seem trivial or I described something incorrectly, only been working with the product for 3 weeks now.

Thanks,
Kevin

-----Original Message-----
From: Andrea Carboni [mailto:aca...@cr...]
Sent: Wednesday, 23 May 2007 01:36 AM
To: geo...@li...
Subject: Re: [GeoNetwork-devel] Use of LDAP with geonetwork

Hi Kevin,

our LDAP authentication implementation will be a first step on using LDAP. The implementation will be "simple" for now, just to accommodate some FAO's needs. The configuration will probably go in the config.xml file due to the usual lack of money. Anyway, any suggestion is welcome because we would like to provide an implementation that can be used by other users. The Australian guys made one but I'm still waiting for some code.

Cheers,
Andrea

> Hi,
>
> The planning shows an extension of functionality in V2.2 allowing
> authentication against corporate LDAP. I have a few general questions on
> this.
>
> 1. What will be the official LDAP support matrix? (Need support for Sun1
> LDAP and Win AD?)
>
> 2. Is this planned as a pre or post install configuration?
>
> 3. Are there any plans to also use corporate LDAP as the authorisation
> mechanism? Or possibly completely revert to using an LDAP as the data
> store instead of an RDBMS?
>
> Regards,
> Kevin