[Building Sakai] LDAP authentication

Carl Hall carl at hallwaytech.com
Wed Dec 21 14:54:20 PST 2011


Thanks Dan and Sam!

It looks like I can't use basePath as what I need to check for is an
attribute. Sam, is there something automatic to assign users with this
attribute to the locked down role?

Dan, thanks for the example class. I may be using it very soon.


On Fri, Dec 16, 2011 at 12:57 PM, Dan McCallum <dmccallum at unicon.net> wrote:

> Carl,
>
> Done this before with a custom AuthenticationManager impl, which nicely
> separates the issue of "did the user present valid credentials?" from
> "is this authenticated user actually authorized to log in?". And it will
> apply to all users, regardless of whatever 'provided' the user.
>
> If you're using the jldap provider note that all the LDAP attributes you
> map in ldap-beans.xml will end up being set on the User one way or
> another, either as first-class properties or entries in the User's
> ResourceProperties map. So you can assert on pretty much anything.
>
> Basically:
>
> import org.sakaiproject.entity.api.ResourceProperties;
> import org.sakaiproject.user.api.Authentication;
> import org.sakaiproject.user.api.AuthenticationException;
> import org.sakaiproject.user.api.AuthenticationManager;
> import org.sakaiproject.user.api.Evidence;
> import org.sakaiproject.user.api.User;
> import org.sakaiproject.user.api.UserDirectoryService;
> import org.sakaiproject.user.api.UserNotDefinedException;
>
> public class MyAuthnComponent implements AuthenticationManager {
>   //...snip...
>   // the stock AuthenticationManager this wraps, and the user directory;
>   // both injected via the usual Spring setters
>   private AuthenticationManager defaultAuthNMgr;
>   private UserDirectoryService userDirectoryService;
>
>   public void setDefaultAuthNMgr(AuthenticationManager m) { defaultAuthNMgr = m; }
>   public void setUserDirectoryService(UserDirectoryService s) { userDirectoryService = s; }
>
>   public Authentication authenticate(Evidence e)
>     throws AuthenticationException {
>     // step 1: did the user present valid credentials?
>     Authentication authn = defaultAuthNMgr.authenticate(e);
>     if (authn != null) {
>       try {
>         // step 2: is this authenticated user actually allowed to log in?
>         User user = userDirectoryService.getUserByEid(authn.getEid());
>         if (isAuthNAllowedForUser(user)) {
>           return authn;
>         } else {
>           throw new AuthenticationException("user '" + authn.getEid()
>             + "' not authorized");
>         }
>       } catch (UserNotDefinedException ex){
>        throw new AuthenticationException("user '" + authn.getEid()
>           + "' not defined");
>       }
>     }
>     throw new AuthenticationException("invalid login");
>   }
>
>   private boolean isAuthNAllowedForUser(User user) {
>     // authorize the authN by validating user fields however you want;
>     // as an illustration, require an LDAP attribute that ldap-beans.xml
>     // mapped into the User's ResourceProperties (the property name here is
>     // made up) and fail closed if it is absent
>     ResourceProperties props = user.getProperties();
>     String flag = (props == null) ? null : props.getProperty("sakaiLoginAllowed");
>     return "true".equalsIgnoreCase(flag);
>   }
>   //...snip...
> }
>
> - Dan
>
> On 12/15/2011 04:38 PM, Sam Ottenhoff wrote:
> > Yes, if you can limit via the basePath then you're all set.
> >
> > There is no way I know, besides editing code, to block users that have a
> > certain attribute from logging in at all.  What you can do is map users
> > that have a certain LDAP attribute to a Sakai role... and then you can
> > remove all permissions from this Sakai role, especially the ability to
> > create a My Workspace (site.add.usersite).  This essentially removes the
> > ability for certain types of users to do anything useful after login.
> >
> > --Sam
> >
> > On Thu, Dec 15, 2011 at 5:10 PM, Carl Hall <carl at hallwaytech.com
> > <mailto:carl at hallwaytech.com>> wrote:
> >
> >     I have LDAP authentication working thanks to Steve's great
> >     documentation[1]. With this now setup, I would like only users that
> >     have a certain property to be able to login rather than everyone in
> >     LDAP. Is this something that should be added to the basePath or is
> >     there another field this should be noted in?
> >
> >     [1] https://confluence.sakaiproject.org/display/~steve.swinsburg/LDAP+in+Sakai+2.5
> >
> >     _______________________________________________
> >     sakai-dev mailing list
> >     sakai-dev at collab.sakaiproject.org
> >     <mailto:sakai-dev at collab.sakaiproject.org>
> >     http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
> >
> >     TO UNSUBSCRIBE: send email to
> >     sakai-dev-unsubscribe at collab.sakaiproject.org
> >     <mailto:sakai-dev-unsubscribe at collab.sakaiproject.org> with a
> >     subject of "unsubscribe"
> >
> >
> >
> >
>
>
>
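The attribute check that Dan's isAuthNAllowedForUser() leaves open, as an added stand-alone example (not Dan's code and not part of Sakai): a small policy class that decides "may this LDAP user log in?" purely from the attribute values the provider mapped onto the user. It has no Sakai dependencies so it can be unit-tested without a running instance; the attribute name (eduPersonAffiliation), the allow-list values and the directory entries in main() are all constructed for the demonstration. It deliberately fails closed when the attribute is missing or empty, accepts a multi-valued attribute when any one value is on the allow-list, and normalises case and whitespace so a value stored as " Staff " still matches.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Login gate driven by one LDAP attribute and an allow-list of its values.
 * Runnable with: java LoginGate.java   (Java 11 or later)
 */
public class LoginGate {
    private final String attribute;     // assumed attribute name, e.g. "eduPersonAffiliation"
    private final Set<String> allowed;  // normalised allow-list of acceptable values

    public LoginGate(String attribute, Set<String> allowedValues) {
        this.attribute = attribute;
        Set<String> norm = new HashSet<>();
        for (String v : allowedValues) {
            norm.add(normalise(v));
        }
        this.allowed = Collections.unmodifiableSet(norm);
    }

    /** Trim and lower-case so directory-side formatting differences do not matter. */
    private static String normalise(String v) {
        return v == null ? "" : v.trim().toLowerCase(Locale.ROOT);
    }

    /**
     * Fail closed: a missing attribute, an empty value list or values that are
     * all off the allow-list deny the login. One matching value is enough,
     * because LDAP attributes such as eduPersonAffiliation are multi-valued.
     */
    public boolean isAllowed(Map<String, List<String>> attrs) {
        List<String> values = attrs.get(attribute);
        if (values == null || values.isEmpty()) {
            return false;
        }
        for (String v : values) {
            if (allowed.contains(normalise(v))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        LoginGate gate = new LoginGate("eduPersonAffiliation",
                new HashSet<>(Arrays.asList("staff", "faculty")));

        // constructed sample entries, not real directory data
        Map<String, List<String>> faculty = Map.of(
                "eduPersonAffiliation", List.of("faculty"),
                "cn", List.of("A. Lecturer"));
        Map<String, List<String>> multi = Map.of(           // multi-valued, one value matches after normalising
                "eduPersonAffiliation", List.of("alum", " Staff "));
        Map<String, List<String>> student = Map.of(         // value present but not on the allow-list
                "eduPersonAffiliation", List.of("student"));
        Map<String, List<String>> missing = Map.of(         // attribute absent: must fail closed
                "cn", List.of("No Affiliation"));

        System.out.println("faculty -> " + gate.isAllowed(faculty));
        System.out.println("multi   -> " + gate.isAllowed(multi));
        System.out.println("student -> " + gate.isAllowed(student));
        System.out.println("missing -> " + gate.isAllowed(missing));
    }
}
```

To use it from the custom AuthenticationManager, build the attribute map from the User's ResourceProperties (for example with getPropertyList(name) on user.getProperties(), for each mapped attribute you care about) and return gate.isAllowed(map) from isAuthNAllowedForUser(). Keeping the decision in a class like this means the allow-list can be loaded from configuration and the policy can be tested on its own, without exercising the LDAP bind.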