[Building Sakai] LDAP authentication

Dan McCallum dmccallum at unicon.net
Fri Dec 16 09:57:14 PST 2011


Carl,

Done this before with a custom AuthenticationManager impl, which nicely 
separates the issue of "did the user present valid credentials?" from 
"is this authenticated user actually authorized to log in?". And it will 
apply to all users, regardless of whatever 'provided' the user.

If you're using the jldap provider note that all the LDAP attributes you 
map in ldap-beans.xml will end up being set on the User one way or 
another, either as first-class properties or entries in the User's 
ResourceProperties map. So you can assert on pretty much anything.

Basically:

import org.sakaiproject.user.api.Authentication;
import org.sakaiproject.user.api.AuthenticationException;
import org.sakaiproject.user.api.AuthenticationManager;
import org.sakaiproject.user.api.Evidence;
import org.sakaiproject.user.api.User;
import org.sakaiproject.user.api.UserDirectoryService;
import org.sakaiproject.user.api.UserNotDefinedException;

public class MyAuthnComponent implements AuthenticationManager {
   // Injected (e.g. via Spring): the stock manager that checks the
   // credentials, and the directory service used to look up the User.
   private AuthenticationManager defaultAuthNMgr;
   private UserDirectoryService userDirectoryService;
   //...snip...
   public Authentication authenticate(Evidence e)
     throws AuthenticationException {
     // step 1: did the user present valid credentials?
     Authentication authn = defaultAuthNMgr.authenticate(e);
     if (authn != null) {
       try {
         // step 2: is this authenticated user allowed to log in?
         User user = userDirectoryService.getUserByEid(authn.getEid());
         if (isAuthNAllowedForUser(user)) {
           return authn;
         } else {
           throw new AuthenticationException("user '" + authn.getEid()
             + "' not authorized");
         }
       } catch (UserNotDefinedException ex) {
         throw new AuthenticationException("user '" + authn.getEid()
           + "' not defined");
       }
     }
     throw new AuthenticationException("invalid login");
   }

   private boolean isAuthNAllowedForUser(User user) {
     // authorize the authN by validating user fields however you want
     return false; // placeholder: fail closed until the real check is in
   }
   //...snip...
}

- Dan

On 12/15/2011 04:38 PM, Sam Ottenhoff wrote:
> Yes, if you can limit via the basePath then you're all set.
>
> There is no way I know, besides editing code, to block users that have a
> certain attribute from logging in at all.  What you can do is map users
> that have a certain LDAP attribute to a Sakai role... and then you can
> remove all permissions from this Sakai role, especially the ability to
> create a My Workspace (site.add.usersite).  This essentially removes the
> ability for certain types of users to do anything useful after login.
>
> --Sam
>
> On Thu, Dec 15, 2011 at 5:10 PM, Carl Hall <carl at hallwaytech.com
> <mailto:carl at hallwaytech.com>> wrote:
>
>     I have LDAP authentication working thanks to Steve's great
>     documentation[1]. With this now setup, I would like only users that
>     have a certain property to be able to login rather than everyone in
>     LDAP. Is this something that should be added to the basePath or is
>     there another field this should be noted in?
>
>     1
>     https://confluence.sakaiproject.org/display/~steve.swinsburg/LDAP+in+Sakai+2.5
>
>     _______________________________________________
>     sakai-dev mailing list
>     sakai-dev at collab.sakaiproject.org
>     <mailto:sakai-dev at collab.sakaiproject.org>
>     http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
>     TO UNSUBSCRIBE: send email to
>     sakai-dev-unsubscribe at collab.sakaiproject.org
>     <mailto:sakai-dev-unsubscribe at collab.sakaiproject.org> with a
>     subject of "unsubscribe"
>
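A fuller version of the wrapping AuthenticationManager pattern Dan sketches, added here as an illustration; it is not code from the thread or from Sakai. The Sakai interfaces are replaced by minimal stand-ins with the same method names so the file compiles on its own, and the gate is wired by constructor rather than Spring injection. The property name eduPersonAffiliation, the allowed values, the ';' separator for multi-valued attributes and the sample users are all assumptions. It differs from the sketch in one respect a deployer would want: every failure (bad password, unknown user, user present but not allowed) surfaces the same message, so the login form cannot be used to tell which accounts exist in the directory.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Stand-ins for org.sakaiproject.user.api.* carrying only the methods used here,
// so this file compiles without Sakai on the classpath.
interface Evidence {}
interface Authentication { String getEid(); }
class AuthenticationException extends Exception {
    AuthenticationException(String msg) { super(msg); }
}
class UserNotDefinedException extends Exception {
    UserNotDefinedException(String id) { super(id); }
}
interface ResourceProperties { String getProperty(String name); }
interface User { String getEid(); ResourceProperties getProperties(); }
interface UserDirectoryService { User getUserByEid(String eid) throws UserNotDefinedException; }
interface AuthenticationManager { Authentication authenticate(Evidence e) throws AuthenticationException; }

/** Delegates the credential check, then refuses to finish the login unless the
 *  user's mapped LDAP property holds one of the allowed values. */
public class AttributeGatedAuthn implements AuthenticationManager {
    // One message for every failure: distinct "not authorized" / "not defined"
    // texts would let an anonymous caller probe which accounts exist.
    static final String FAILURE = "invalid login";

    private final AuthenticationManager delegate;
    private final UserDirectoryService users;
    private final String gateProperty;       // assumed name of the mapped LDAP attribute
    private final Set<String> allowedValues; // stored lower-cased for case-insensitive match

    AttributeGatedAuthn(AuthenticationManager delegate, UserDirectoryService users,
                        String gateProperty, Set<String> allowed) {
        this.delegate = delegate;
        this.users = users;
        this.gateProperty = gateProperty;
        this.allowedValues = new HashSet<>();
        for (String v : allowed) this.allowedValues.add(v.trim().toLowerCase(Locale.ROOT));
    }

    @Override
    public Authentication authenticate(Evidence e) throws AuthenticationException {
        Authentication authn = delegate.authenticate(e); // "are the credentials valid?"
        if (authn == null) throw new AuthenticationException(FAILURE);
        User user;
        try {
            user = users.getUserByEid(authn.getEid());
        } catch (UserNotDefinedException ex) {
            throw new AuthenticationException(FAILURE); // log the real cause server-side, not to the client
        }
        if (!isAuthnAllowedForUser(user)) throw new AuthenticationException(FAILURE);
        return authn;                                   // "and is this user allowed in?"
    }

    /** Fails closed: a missing or empty property, or no allowed value, means no login. */
    boolean isAuthnAllowedForUser(User user) {
        String raw = user.getProperties().getProperty(gateProperty);
        if (raw == null) return false;
        // Multi-valued LDAP attributes arrive joined into one string; ';' is an assumed separator.
        for (String v : raw.split(";")) {
            if (allowedValues.contains(v.trim().toLowerCase(Locale.ROOT))) return true;
        }
        return false;
    }

    // ---- Constructed demo data: in-memory stand-ins for the LDAP provider and user directory ----
    static class IdPw implements Evidence {
        final String id, pw;
        IdPw(String id, String pw) { this.id = id; this.pw = pw; }
    }

    public static void main(String[] args) {
        Map<String, String> passwords = new HashMap<>();
        passwords.put("alice", "pw-a"); // staff: should be let in
        passwords.put("bob", "pw-b");   // student: valid password, but gated out
        passwords.put("ghost", "pw-g"); // binds to LDAP but has no Sakai user record
        Map<String, String> affiliation = new HashMap<>();
        affiliation.put("alice", "employee;Staff");
        affiliation.put("bob", "student");

        AuthenticationManager ldapLike = ev -> {
            IdPw c = (IdPw) ev;
            if (!c.pw.equals(passwords.get(c.id))) throw new AuthenticationException(FAILURE);
            return () -> c.id;
        };
        UserDirectoryService dir = eid -> {
            if (!affiliation.containsKey(eid)) throw new UserNotDefinedException(eid);
            return new User() {
                public String getEid() { return eid; }
                public ResourceProperties getProperties() {
                    return name -> name.equals("eduPersonAffiliation") ? affiliation.get(eid) : null;
                }
            };
        };
        AuthenticationManager gate = new AttributeGatedAuthn(ldapLike, dir,
                "eduPersonAffiliation", new HashSet<>(Arrays.asList("staff", "faculty")));

        String[][] attempts = {{"alice", "pw-a"}, {"bob", "pw-b"}, {"ghost", "pw-g"}, {"alice", "wrong"}};
        for (String[] a : attempts) {
            try {
                System.out.println(a[0] + ": logged in as " + gate.authenticate(new IdPw(a[0], a[1])).getEid());
            } catch (AuthenticationException ex) {
                System.out.println(a[0] + ": " + ex.getMessage()); // identical text for all failure kinds
            }
        }
    }
}
```

Compile and run with `javac AttributeGatedAuthn.java && java AttributeGatedAuthn`. Only alice with the right password gets through; bob (wrong affiliation), ghost (no Sakai user record) and alice with a bad password are all refused with the same text. When dropping this behind the real Sakai interfaces, keep the reason for each refusal in the server log rather than in the exception message, and remember that the gate only runs for the code path that calls this AuthenticationManager, so any other login entry point (container or SSO based, for example) needs the same check applied.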