What do you mean by discriminating on values in the LDAP supplier information?
Do you mean you want to create "groups" based on LDAP info?
That's indeed interesting.
Gunter's stated requirement (as I understand it) was primarily the ability to refuse
entry to users whose LDAP-supplied (not "supplier", in case you misread my note
rather than mistyping your question) information didn't meet certain criteria -
specifically, in his case, that the DN did not contain an O (Organization) attribute
matching one of a list of authorized entities. His need, it turns out, could be satisfied
by a simple regular expression, but some may need specific lists of authorized values too
irregular to be distinguished by a regex and too numerous or dynamic to allow enumeration
in a static list.
A requirement that I had in a (somewhat) similar situation (that used a servlet filter
instead of re-implementing any of XWiki's access-control services) was that
information provided (via encrypted and signed cookies) by the external authentication
service should determine membership in pre-established XWiki groups - three organizations
had three separate spaces, and XWiki groups were created to be given access to those
spaces. Eligibility for membership in the groups was determined by a wiki page containing
objects of a class naming the group, a property name identifying a field in the cookie
data (in this case the organization code) and a regular expression which, if matched by
the named field, would indicate eligibility. Group memberships would then be updated in
accordance with the indicated eligibility.
While you are at it, there are a few enhancements that would be interesting in LDAP:
- support a cache of the LDAP authentication
- handle more regular updates of the wiki profile based on the LDAP info
As to these things, I think that the offer you often give to list members applies to you
as well, no...? :>
It's what I love about wikis, particularly XWiki: I get to tell my users: "Do
it yourself!" or with less technical users, I borrow the Home Depot slogan:
"You can do it; we can help!"
In all seriousness, of course: Thanks for your input, feedback and guidance.
brain[sic]
-----Original Message-----
From: Ludovic Dubost [mailto:ludovic@xwiki.com]
Sent: Tuesday, March 27, 2007 3:26 PM
To: xwiki-users(a)objectweb.org
Subject: Re: [xwiki-users] Scratchpad for howto on xwiki.org
Hi,
Ludovic
THOMAS, BRIAN M (ATTSI) wrote:
Vincent, Sergiu, and the whole community:
My conversation begun by Gunther Leeb has continued offline and I've
agreed to help him implement a solution similar to one I've created,
which will probably be generally useful.
Ironically enough, we seem to have validated the old adage of the
cobbler's children going barefoot - we're working on a feature of a
Wiki, and though we have a community of interested users and
developers and access to a Wiki, we began by still using a one-to-one
email exchange.
In repentance thereof, I wish to nail down a page or three on
xwiki.org to simultaneously develop, publish, and offer for comment
the work we are doing.
Where would be the best place to put this? The topic is enhancing the
LDAP authentication service implementation in the ways that Gunter
needs, which would add a feature to discriminate on values in the
LDAP-supplied user information.
brain[sic]
--
Ludovic Dubost
Blog: http://www.ludovic.org/blog/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost
AIM: nvludo Yahoo: ludovic
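
The two checks described in the thread (refusing entry unless the DN carries an authorized O value, and deriving group eligibility from group/field/regex rules) are sketched below as an added Python example; it is not code from this thread or from XWiki. The organization names, group names and the `org` field are hypothetical, full-field regex matching is an assumption, and the DN handling covers only backslash escapes, not hex-pair or quoted forms.

```python
import re

def split_unescaped(text, seps):
    """Split on separator characters that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if text[i] in seps:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def org_values(dn):
    """Return the value of every O attribute in a DN (simple escapes only)."""
    orgs = []
    for component in split_unescaped(dn, ",+"):
        attr, sep, value = component.partition("=")
        if sep and attr.strip().lower() == "o":
            orgs.append(re.sub(r"\\(.)", r"\1", value.strip()))
    return orgs

def is_authorized(dn, allowed_orgs):
    """Fail closed: admit only if some O value is in the allow-list."""
    allowed = {o.casefold() for o in allowed_orgs}
    return any(o.casefold() in allowed for o in org_values(dn))

def eligible_groups(user_info, rules):
    """rules: (group, field, regex) triples; the whole field must match."""
    return {group for group, field, pattern in rules
            if re.fullmatch(pattern, user_info.get(field, ""))}

# Constructed sample data; organization and group names are hypothetical.
ALLOWED = ["Acme", "Example Corp"]
RULES = [("XWiki.Org1Group", "org", r"ORG1"),
         ("XWiki.Org2Group", "org", r"ORG2(-EU)?")]

if __name__ == "__main__":
    for dn in ["CN=Alice,OU=Eng,O=Acme,C=US",
               r"CN=Bob\,O=Acme,O=Other,C=US",
               "CN=Carol,C=US"]:
        print(dn, "->", is_authorized(dn, ALLOWED))
    print(eligible_groups({"org": "ORG2-EU"}, RULES))
```

Comparing parsed O values rather than running a regex over the raw DN string keeps an `O=` sequence embedded in another attribute's value (the second sample DN) from satisfying the check.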