Posted to dev@roller.apache.org by Elias Torres <el...@gmail.com> on 2005/08/03 16:06:02 UTC

LDAP support/integration for User Registry in Roller

Hi Roller-Dev Team,

My name is Elias Torres, I work for IBM and I deployed Roller almost two
years ago inside IBM for internal blogging. I noticed a recent thread [1] on
LDAP and was wondering what your reply will be. I was reading an old thread
[2] from your previous mailing list on all the questions that came up when it
was asked before. I'm not sure if this is of importance/interest to you, but
I'd be interested in helping out in making this a feature in Roller if not
already there. We have gotten a lot from Roller in the past; it'd be nice if
we gave some back. Maybe we can discuss what sort of LDAP support could be
offered, besides the LDAP authentication configuration in the J2EE container,
such as read-only/read-write user information backed by LDAP.

Regards,

Elias

[1] http://mail-archives.apache.org/mod_mbox/incubator-roller-dev/200508.mbox/%3cBAY18-F3028B8404878F270734A7A4C20@phx.gbl%3e
[2] http://sourceforge.net/mailarchive/message.php?msg_id=4459892

Re: LDAP support/integration for User Registry in Roller

Posted by paksegu <pa...@yahoo.com>.
okay thanks, how did you get past the "Null 500 error"?

Elias Torres <el...@gmail.com> wrote:
On 8/8/05, paksegu wrote:
> I understand that Sun is open sourcing their identification software which will be a good thing... I haven't been able to get Roller running due to the "Null 500 error"; can someone help? Also can I get documentation on the custom Tomcat Realm implementation.

The custom Tomcat Realm I mentioned in my previous email is simply an
extension to the JNDIRealm [1] provided by Tomcat. I don't have any
documentation on it. A good place to start would be this realm doc [2].

[1] http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JNDIRealm
[2] http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html

Regards,

Elias

> Thanks Ransford
> 
> Elias Torres wrote:
> On 8/3/05, Allen Gilliland wrote:
> > On Wed, 2005-08-03 at 12:56, Elias Torres wrote:
> > > I'm almost with you that it's more trouble than it's worth. Just
> > > wondering why people keep bringing it up. There's now Sun and IBM that
> > > use custom registration methods. I'm wondering how many more will
> > > come. I don't know just thinking aloud.
> > >
> >
> > I'd say that the simple fact that it's commonly requested is enough to suggest it's fairly important. A lot of ppl are trying to integrate their systems together and Roller should be able to do that.
> >
> > >
> > > Well, usually systems simply create an interface and it's up to the
> > > plugin implementors to choose their implementation (LDAP, JAAS, etc).
> > > Of course a set of default plugins could be provided.
> > >
> >
> > I agree, but the difference is what interface gets implemented. We can either have people implement their own version of the UserManager interface which (if it were even possible) deals with all the complexities of persisting user data. *Or* there is the easier route which is to just provide an SSO interface which operates during authentication. The SSO interface would easily allow for the data sync/auto-registration features which seem common in everyone's custom registration implementations.
> >
> > Personally, I think I'm still a fan of removing container managed security and instead using a custom authentication method. This removes extra installation tasks for the 90% of users out there who just want to authenticate against the roller db anyways, plus provides us a greater ability to control how the SSO support would work. The only real drawback I see is that users would no longer get to use their containers' pre-built security realms to talk to LDAP, etc. This could be fairly easily remedied by having roller provide a set of common SSO authenticators designed to talk to standard registries like LDAP.
> >
> > -- Allen
> 
> I just installed the latest Roller and it's getting easier by the day.
> I tested my requirements by performing a test deployment of Roller on
> Tomcat against an LDAP directory. I was able to do everything I needed
> with a custom Tomcat Realm implementation, but my only real pain point
> is the *auto* registration.
> 
> Maybe a good compromise would be a new plugin/interface called
> IAutoRegistration that gets called if a user is not registered and it
> either returns true to be autoregistered by Roller or it does the
> registration itself. Then, all you have to do is check your approved
> list of users in either a text file, db or simply "true" for all
> authenticated users by the container.
> 
> Just thinking aloud.
> 
> Elias
> 
> >
> >
> >
> 
> 



Re: LDAP support/integration for User Registry in Roller

Posted by Elias Torres <el...@gmail.com>.
On 8/8/05, paksegu <pa...@yahoo.com> wrote:
> I understand that Sun is open sourcing their identification software which will be a good thing... I haven't been able to get Roller running due to the "Null 500 error"; can someone help? Also can I get documentation on the custom Tomcat Realm implementation.

The custom Tomcat Realm I mentioned in my previous email is simply an
extension to the JNDIRealm [1] provided by Tomcat. I don't have any
documentation on it. A good place to start would be this realm doc [2].

[1] http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JNDIRealm
[2] http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html

Regards,

Elias

> Thanks Ransford
> 
> Elias Torres <el...@gmail.com> wrote:
> On 8/3/05, Allen Gilliland wrote:
> > On Wed, 2005-08-03 at 12:56, Elias Torres wrote:
> > > I'm almost with you that it's more trouble than it's worth. Just
> > > wondering why people keep bringing it up. There's now Sun and IBM that
> > > use custom registration methods. I'm wondering how many more will
> > > come. I don't know just thinking aloud.
> > >
> >
> > I'd say that the simple fact that it's commonly requested is enough to suggest it's fairly important. A lot of ppl are trying to integrate their systems together and Roller should be able to do that.
> >
> > >
> > > Well, usually systems simply create an interface and it's up to the
> > > plugin implementors to choose their implementation (LDAP, JAAS, etc).
> > > Of course a set of default plugins could be provided.
> > >
> >
> > I agree, but the difference is what interface gets implemented. We can either have people implement their own version of the UserManager interface which (if it were even possible) deals with all the complexities of persisting user data. *Or* there is the easier route which is to just provide an SSO interface which operates during authentication. The SSO interface would easily allow for the data sync/auto-registration features which seem common in everyone's custom registration implementations.
> >
> > Personally, I think I'm still a fan of removing container managed security and instead using a custom authentication method. This removes extra installation tasks for the 90% of users out there who just want to authenticate against the roller db anyways, plus provides us a greater ability to control how the SSO support would work. The only real drawback I see is that users would no longer get to use their containers' pre-built security realms to talk to LDAP, etc. This could be fairly easily remedied by having roller provide a set of common SSO authenticators designed to talk to standard registries like LDAP.
> >
> > -- Allen
> 
> I just installed the latest Roller and it's getting easier by the day.
> I tested my requirements by performing a test deployment of Roller on
> Tomcat against an LDAP directory. I was able to do everything I needed
> with a custom Tomcat Realm implementation, but my only real pain point
> is the *auto* registration.
> 
> Maybe a good compromise would be a new plugin/interface called
> IAutoRegistration that gets called if a user is not registered and it
> either returns true to be autoregistered by Roller or it does the
> registration itself. Then, all you have to do is check your approved
> list of users in either a text file, db or simply "true" for all
> authenticated users by the container.
> 
> Just thinking aloud.
> 
> Elias
> 
> >
> >
> >
> 
> 

Re: LDAP support/integration for User Registry in Roller

Posted by paksegu <pa...@yahoo.com>.
I understand that Sun is open sourcing their identification software which will be a good thing... I haven't been able to get Roller running due to the "Null 500 error"; can someone help? Also can I get documentation on the custom Tomcat Realm implementation.
Thanks Ransford

Elias Torres <el...@gmail.com> wrote:
On 8/3/05, Allen Gilliland wrote:
> On Wed, 2005-08-03 at 12:56, Elias Torres wrote:
> > I'm almost with you that it's more trouble than it's worth. Just
> > wondering why people keep bringing it up. There's now Sun and IBM that
> > use custom registration methods. I'm wondering how many more will
> > come. I don't know just thinking aloud.
> >
> 
> I'd say that the simple fact that it's commonly requested is enough to suggest it's fairly important. A lot of ppl are trying to integrate their systems together and Roller should be able to do that.
> 
> >
> > Well, usually systems simply create an interface and it's up to the
> > plugin implementors to choose their implementation (LDAP, JAAS, etc).
> > Of course a set of default plugins could be provided.
> >
> 
> I agree, but the difference is what interface gets implemented. We can either have people implement their own version of the UserManager interface which (if it were even possible) deals with all the complexities of persisting user data. *Or* there is the easier route which is to just provide an SSO interface which operates during authentication. The SSO interface would easily allow for the data sync/auto-registration features which seem common in everyone's custom registration implementations.
> 
> Personally, I think I'm still a fan of removing container managed security and instead using a custom authentication method. This removes extra installation tasks for the 90% of users out there who just want to authenticate against the roller db anyways, plus provides us a greater ability to control how the SSO support would work. The only real drawback I see is that users would no longer get to use their containers' pre-built security realms to talk to LDAP, etc. This could be fairly easily remedied by having roller provide a set of common SSO authenticators designed to talk to standard registries like LDAP.
> 
> -- Allen

I just installed the latest Roller and it's getting easier by the day.
I tested my requirements by performing a test deployment of Roller on
Tomcat against an LDAP directory. I was able to do everything I needed
with a custom Tomcat Realm implementation, but my only real pain point
is the *auto* registration.

Maybe a good compromise would be a new plugin/interface called
IAutoRegistration that gets called if a user is not registered and it
either returns true to be autoregistered by Roller or it does the
registration itself. Then, all you have to do is check your approved
list of users in either a text file, db or simply "true" for all
authenticated users by the container.

Just thinking aloud.

Elias

> 
> 
>

		

Re: LDAP support/integration for User Registry in Roller

Posted by Allen Gilliland <Al...@Sun.COM>.
On Mon, 2005-08-08 at 10:59, Elias Torres wrote:
> I just installed the latest Roller and it's getting easier by the day.
> I tested my requirements by performing a test deployment of Roller on
> Tomcat against an LDAP directory. I was able to do everything I needed
> with a custom Tomcat Realm implementation, but my only real pain point
> is the *auto* registration.

cool.  good to hear that installations are getting easier since that's what we are hopefully working towards with each release.

> 
> Maybe a good compromise would be a new plugin/interface called
> IAutoRegistration that gets called if a user is not registered and it
> either returns true to be autoregistered by Roller or it does the
> registration itself. Then, all you have to do is check your approved
> list of users in either a text file, db or simply "true" for all
> authenticated users by the container.

i agree that an SSO interface should work well.  the biggest question still on my mind is whether or not we continue to support container managed security.  i am not completely opposed to container managed security, however i still believe that we can simplify the installation and still support an open ended SSO mechanism without the use of container managed security.

maybe what would be truly ideal is if we can support *both* custom security and container managed security.  it seems to me that we could define the security layer such that it allows for pluggable Auth/Auth mechanisms and the default implementation would be Roller's custom security which does not require the use of container managed security.  however, for those users who really want to they can use container managed security along with a custom Auth/Auth implementation suited for their environment.

back a while ago Matt had suggested using Acegi to implement a custom security system.  i'm not too familiar with Acegi, but i would assume it's very pluggable and should be able to handle this pretty easily.

i'll take a look and see if i can't work out a few more details of how this might be implemented.

-- Allen


> 
> Just thinking aloud.
> 
> Elias
> 
> > 
> > 
> >


Re: LDAP support/integration for User Registry in Roller

Posted by Elias Torres <el...@gmail.com>.
On 8/3/05, Allen Gilliland <Al...@sun.com> wrote:
> On Wed, 2005-08-03 at 12:56, Elias Torres wrote:
> > I'm almost with you that it's more trouble than it's worth. Just
> > wondering why people keep bringing it up. There's now Sun and IBM that
> > use custom registration methods. I'm wondering how many more will
> > come. I don't know just thinking aloud.
> >
> 
> I'd say that the simple fact that it's commonly requested is enough to suggest it's fairly important.  A lot of ppl are trying to integrate their systems together and Roller should be able to do that.
> 
> >
> > Well, usually systems simply create an interface and it's up to the
> > plugin implementors to choose their implementation (LDAP, JAAS, etc).
> > Of course a set of default plugins could be provided.
> >
> 
> I agree, but the difference is what interface gets implemented.  We can either have people implement their own version of the UserManager interface which (if it were even possible) deals with all the complexities of persisting user data.  *Or* there is the easier route which is to just provide an SSO interface which operates during authentication.  The SSO interface would easily allow for the data sync/auto-registration features which seem common in everyone's custom registration implementations.
> 
> Personally, I think I'm still a fan of removing container managed security and instead using a custom authentication method.  This removes extra installation tasks for the 90% of users out there who just want to authenticate against the roller db anyways, plus provides us a greater ability to control how the SSO support would work.  The only real drawback I see is that users would no longer get to use their containers' pre-built security realms to talk to LDAP, etc.  This could be fairly easily remedied by having roller provide a set of common SSO authenticators designed to talk to standard registries like LDAP.
> 
> -- Allen

I just installed the latest Roller and it's getting easier by the day.
I tested my requirements by performing a test deployment of Roller on
Tomcat against an LDAP directory. I was able to do everything I needed
with a custom Tomcat Realm implementation, but my only real pain point
is the *auto* registration.

Maybe a good compromise would be a new plugin/interface called
IAutoRegistration that gets called if a user is not registered and it
either returns true to be autoregistered by Roller or it does the
registration itself. Then, all you have to do is check your approved
list of users in either a text file, db or simply "true" for all
authenticated users by the container.

Just thinking aloud.

Elias

> 
> 
>
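A sketch of the IAutoRegistration proposal above, as an added example that is neither Roller's code nor Elias's: a plugin interface consulted on a user's first container-authenticated request, the "approved list in a text file" and "true for all authenticated users" variants, and a servlet filter that applies the decision. `UserRegistry` stands in for Roller's user manager and every other name is an assumption; wiring the filter into web.xml is omitted.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical stand-in for Roller's user manager: only what the filter needs. */
interface UserRegistry {
    boolean exists(String userName);
    void register(String userName);
}

/** The plugin contract from the proposal, consulted only when the container has
 *  authenticated a user Roller does not know yet. */
interface AutoRegistration {
    /** REGISTER: Roller creates the account; REGISTERED_BY_PLUGIN: the plugin
     *  created it itself; DENY: leave the user unregistered. */
    enum Decision { REGISTER, REGISTERED_BY_PLUGIN, DENY }
    Decision onUnknownUser(String userName, HttpServletRequest request);
}

/** The "simply true for all authenticated users" variant. */
final class AllowAllAutoRegistration implements AutoRegistration {
    public Decision onUnknownUser(String userName, HttpServletRequest request) {
        return Decision.REGISTER;
    }
}

/** The "approved list in a text file" variant: one user name per line,
 *  blank lines and '#' comments ignored, matched case-insensitively. */
final class AllowListAutoRegistration implements AutoRegistration {
    private final Set<String> approved = new HashSet<>();

    AllowListAutoRegistration(Path allowListFile) throws IOException {
        try (BufferedReader in = Files.newBufferedReader(allowListFile, StandardCharsets.UTF_8)) {
            String line;
            while ((line = in.readLine()) != null) {
                line = line.trim();
                if (!line.isEmpty() && !line.startsWith("#")) {
                    approved.add(line.toLowerCase(Locale.ROOT));
                }
            }
        }
    }

    public Decision onUnknownUser(String userName, HttpServletRequest request) {
        return approved.contains(userName.toLowerCase(Locale.ROOT))
                ? Decision.REGISTER : Decision.DENY;
    }
}

/** Runs after container-managed authentication. The identity is taken from
 *  request.getRemoteUser(), never from a request parameter, so a user can only
 *  end up registered as the account the container vouched for. */
final class AutoRegistrationFilter implements Filter {
    private final UserRegistry registry;
    private final AutoRegistration plugin;

    AutoRegistrationFilter(UserRegistry registry, AutoRegistration plugin) {
        this.registry = registry;
        this.plugin = plugin;
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String userName = request.getRemoteUser();   // null when not authenticated
        if (userName != null && !registry.exists(userName)) {
            switch (plugin.onUnknownUser(userName, request)) {
                case REGISTER:
                    registry.register(userName);
                    break;
                case REGISTERED_BY_PLUGIN:
                    break;
                case DENY:
                    ((HttpServletResponse) res).sendError(
                            HttpServletResponse.SC_FORBIDDEN, "authenticated, but not approved");
                    return;
            }
        }
        chain.doFilter(req, res);
    }
}
```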

Re: LDAP support/integration for User Registry in Roller

Posted by Allen Gilliland <Al...@Sun.COM>.
On Wed, 2005-08-03 at 12:56, Elias Torres wrote:
> I'm almost with you that it's more trouble than it's worth. Just
> wondering why people keep bringing it up. There's now Sun and IBM that
> use custom registration methods. I'm wondering how many more will
> come. I don't know just thinking aloud.
> 

I'd say that the simple fact that it's commonly requested is enough to suggest it's fairly important.  A lot of ppl are trying to integrate their systems together and Roller should be able to do that.

> 
> Well, usually systems simply create an interface and it's up to the
> plugin implementors to choose their implementation (LDAP, JAAS, etc).
> Of course a set of default plugins could be provided.
> 

I agree, but the difference is what interface gets implemented.  We can either have people implement their own version of the UserManager interface which (if it were even possible) deals with all the complexities of persisting user data.  *Or* there is the easier route which is to just provide an SSO interface which operates during authentication.  The SSO interface would easily allow for the data sync/auto-registration features which seem common in everyone's custom registration implementations.

Personally, I think I'm still a fan of removing container managed security and instead using a custom authentication method.  This removes extra installation tasks for the 90% of users out there who just want to authenticate against the roller db anyways, plus provides us a greater ability to control how the SSO support would work.  The only real drawback I see is that users would no longer get to use their containers' pre-built security realms to talk to LDAP, etc.  This could be fairly easily remedied by having roller provide a set of common SSO authenticators designed to talk to standard registries like LDAP.

-- Allen



Re: LDAP support/integration for User Registry in Roller

Posted by Elias Torres <el...@gmail.com>.
On 8/3/05, Allen Gilliland <Al...@sun.com> wrote:
> This is actually a bit different than what we do at Sun.  At Sun we actually have users login to a 3rd party system which allows users to create their blogs and at that point our system does an automated registration into Roller for the user.
> 
> What you describe is more along the lines of how I would expect typical SSO integration to work with Roller.  i.e. a user is authenticated against any system, and if Roller doesn't know about them then their data is pulled down.
> 
> When you talk about the "proxy" which updates user data based on LDAP, do you mean that all UserData objects are constructed directly from LDAP data?  or do you mean that a UserData object is fetched as usual (from the db) and before it is returned for usage in the system it is updated from LDAP data and subsequently stored back into the db with the updated data?
> 
> Using a completely isolated persistent store for managing just user data sounds cool, but I wonder if it's more trouble than it's worth.  I wonder if just simple synchronization between Roller and the external system is enough?  Something like an automatic profile update after login is much easier to do.
> 

I'm almost with you that it's more trouble than it's worth. Just
wondering why people keep bringing it up. There's now Sun and IBM that
use custom registration methods. I'm wondering how many more will
come. I don't know just thinking aloud.

> Another consideration is that to truly make the user registry pluggable in Roller requires a great deal more code per registry type (LDAP, JAAS, etc) than doing a data copy at login style of solution.
> 

Well, usually systems simply create an interface and it's up to the
plugin implementors to choose their implementation (LDAP, JAAS, etc).
Of course a set of default plugins could be provided.

> Elias, if you don't mind sharing I'd love to see some more details about how your LDAP proxy thingy actually works.
> 
> -- Allen


The object is first read from the database but before I give it out I
override all properties with the ones coming from LDAP (not many). I
wrote my own LDAP code that connected to our Enterprise Directory but
doesn't do it every time a UserObject is requested. I cache X number
of objects for some configurable time and when it expires it fetches
it again. At least I don't have to synchronize.

Anyways, let me know if there's something useful I might be able to
help out with.

Elias

> 
> 
> On Wed, 2005-08-03 at 11:20, Elias Torres wrote:
> > Hi Dave,
> >
> > Thanks for the response. I'm perfectly fine with container managed
> > security the way it works in Roller today. For IBM, I did something
> > similar to Sun. Basically I configured WebSphere to do LDAP-backed
> > authentication as usual, but I substituted manual registration with
> > automatic registration. In other words, if you are in our LDAP
> > directory, you also can have a blog internally. The very first time
> > you access Roller a new user will be registered and associated via
> > email address automagically. Now, I do a one time copy of properties
> > like display name from LDAP, but I also do a proxy where every time
> > Roller needs a User object I fetch the LDAP properties and set those
> > on the object before it gets handed out so it's always up to date and
> > users don't have to maintain their name in both applications.
> >
> > I was just more interested in creating a pluggable user registry not
> > an authentication/security solution. Currently, Roller stores its
> > users in its database, but most places will want to leave all of that
> > to a centralized user management solution.
> >
> > Elias
> >
> > On 8/3/05, Dave Johnson <da...@rollerweblogger.org> wrote:
> > > Hi Elias,
> > >
> > > Since Roller uses container managed authentication, Roller can
> > > authenticate against whatever systems the container supports. The
> > > Roller installation guide explains how to set up Roller with Tomcat and
> > > Tomcat's built-in database authentication support, but it's also
> > > possible to set up an LDAP, JAAS and other types of authentication for
> > > Tomcat -- and I expect the same for other containers.
> > >
> > > There is a little history here. We've discussed this before. I believe
> > > the consensus is that single-sign-on (SSO) will be difficult with
> > > container managed persistence. SSO seems to be an important feature, so
> > > we have discussed the idea of moving away from container managed
> > > persistence, perhaps by using Spring's Acegi system (which supports
> > > LDAP), but we haven't found the time for that.
> > >
> > > At Sun we use a separate user-registration system to create Roller
> > > accounts for users in our LDAP system, so we don't really (at this
> > > time) need LDAP support in Roller.
> > >
> > > Do you have any insights you'd like to share? How would you like to see
> > > LDAP support working in Roller? Is container managed auth with LDAP
> > > good enough for you? Can you share how IBM Roller users sign up for
> > > new accounts now?
> > >
> > > - Dave
> > >
> > >
> > >
> > > On Aug 3, 2005, at 10:06 AM, Elias Torres wrote:
> > >
> > > > Hi Roller-Dev Team,
> > > >
> > > > My name is Elias Torres, I work for IBM and I deployed Roller almost two
> > > > years ago inside IBM for internal blogging. I noticed a recent thread [1] on
> > > > LDAP and was wondering what your reply will be. I was reading an old thread
> > > > [2] from your previous mailing list on all the questions that came up when
> > > > it was asked before. I'm not sure if this is of importance/interest to you,
> > > > but I'd be interested in helping out in making this a feature in Roller if
> > > > not already there. We have gotten a lot from Roller in the past; it'd be
> > > > nice if we gave some back. Maybe we can discuss what sort of LDAP support
> > > > could be offered, besides the LDAP authentication configuration in the J2EE
> > > > container, such as read-only/read-write user information backed by LDAP.
> > > >
> > > > Regards,
> > > >
> > > > Elias
> > > >
> > > > [1] http://mail-archives.apache.org/mod_mbox/incubator-roller-dev/200508.mbox/%3cBAY18-F3028B8404878F270734A7A4C20@phx.gbl%3e
> > > > [2] http://sourceforge.net/mailarchive/message.php?msg_id=4459892
> > >
> > >
> 
>
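Elias's proxy as an added example, not his or Roller's code: the user object is read from the database as usual, a bounded cache re-fetches the directory attributes after a configurable TTL, and the directory values overwrite the database copy before the object is handed out. `UserData`, the attribute names `uid`/`cn`/`mail`, the search base and all class names are assumptions; the search passes the user name as a JNDI `{0}` filter argument so the provider escapes it instead of it being concatenated into the filter string.

```java
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical stand-in for Roller's user object: only the fields the overlay touches. */
final class UserData { String userName, fullName, emailAddress; }

/** Attributes copied from the directory; a null field means the attribute was absent. */
final class DirectoryProfile {
    final String fullName, emailAddress;
    DirectoryProfile(String fullName, String emailAddress) { this.fullName = fullName; this.emailAddress = emailAddress; }
}

/** One JNDI search per lookup. The filter uses JNDI's {0} argument so the user
 *  name is escaped by the provider instead of being spliced into the filter string. */
final class LdapProfileSource {
    private final Hashtable<String, String> env = new Hashtable<>();
    private final String searchBase;
    LdapProfileSource(String url, String bindDn, String bindPassword, String searchBase) {
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        this.searchBase = searchBase;
    }

    DirectoryProfile lookup(String userName) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"cn", "mail"});
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> hits =
                    ctx.search(searchBase, "(uid={0})", new Object[] {userName}, controls);
            if (!hits.hasMore()) return null;             // not in the directory
            Attributes attrs = hits.next().getAttributes();
            return new DirectoryProfile(value(attrs, "cn"), value(attrs, "mail"));
        } finally {
            ctx.close();
        }
    }
    private static String value(Attributes attrs, String id) throws NamingException {
        return attrs.get(id) == null ? null : (String) attrs.get(id).get();
    }
}

/** "X objects for some configurable time": LRU eviction beyond maxEntries, and an
 *  entry older than ttlMillis is fetched again the next time it is asked for. */
final class ProfileCache {
    private static final class Entry {
        final DirectoryProfile profile; final long expiresAt;
        Entry(DirectoryProfile p, long t) { profile = p; expiresAt = t; }
    }
    private final Map<String, Entry> entries;
    private final LdapProfileSource source;
    private final long ttlMillis;
    ProfileCache(LdapProfileSource source, final int maxEntries, long ttlMillis) {
        this.source = source;
        this.ttlMillis = ttlMillis;
        this.entries = new LinkedHashMap<String, Entry>(16, 0.75f, true) {
            protected boolean removeEldestEntry(Map.Entry<String, Entry> eldest) {
                return size() > maxEntries;
            }
        };
    }

    synchronized DirectoryProfile get(String userName) throws NamingException {
        long now = System.currentTimeMillis();
        Entry entry = entries.get(userName);
        if (entry == null || entry.expiresAt <= now) {
            entry = new Entry(source.lookup(userName), now + ttlMillis);
            entries.put(userName, entry);
        }
        return entry.profile;
    }
}

/** The proxy itself: the object is read from the database as usual, then the
 *  directory values overwrite it before it is handed out. */
final class LdapOverlay {
    private final ProfileCache cache;
    LdapOverlay(ProfileCache cache) { this.cache = cache; }
    UserData decorate(UserData fromDb) {
        try {
            DirectoryProfile p = cache.get(fromDb.userName);
            if (p != null && p.fullName != null) fromDb.fullName = p.fullName;
            if (p != null && p.emailAddress != null) fromDb.emailAddress = p.emailAddress;
        } catch (NamingException e) {
            // directory unreachable: serve the database copy rather than fail the request
        }
        return fromDb;
    }
}
```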

Re: LDAP support/integration for User Registry in Roller

Posted by Jeffery Chilton <je...@ucdmc.ucdavis.edu>.
Allen,

I did something somewhat similar with Roller on WebSphere here at the UC
Davis Health System. In my case, I wanted to intentionally minimize any
changes to the Roller product wherever possible, but I was working in an
environment where the container-managed LDAP authentication was already in
place, so I had to come up with a way to work within the existing
infrastructure.

I still keep user information for Roller in the Roller database, but I made
a slight modification to the NewUser.jsp file to eliminate the password
fields and convert the username field from an input field to a display
field. Then, by requiring a user to authenticate before accessing the
registration function, I was able to pull the user's LDAP userid from the
request object and deliver it via hidden fields to the new user process,
which looked at that data as if it had been typed in by the user and went
about its normal business of setting up a new blog under that username.
It's just a one-shot deal that only happens when someone sets up their
blog, but it allows me to only create users that are already present in the
external LDAP directory, keeping the two user registries in sync. I could
have done a little more by pulling additional data from LDAP, but as I
said, my goal was to make the changes as minimal as possible (primarily so
that it would not be that difficult to move into future versions of the
product).

The changes that I needed to make to the .jsp actually turned out to be
pretty small (... and I didn't have to populate the password [I don't
think], but I wasn't sure about the field validation, so I went ahead and
did it anyway, just in case.):

<html:form action="/user" method="post" focus="emailAddress">
    <html:hidden property="method" name="method" value="add"/>
    <html:hidden property="id" />
    <html:hidden property="adminCreated" />

    <%-- the username is the container-authenticated principal, shown read-only;
         the hidden fields feed it to the unchanged new-user action --%>
    <div class="formrow">
       <label for="userName" class="formrow"><fmt:message key="userSettings.username" /></label>
       <b><%= request.getRemoteUser() %></b>
       <input type="hidden" name="userName" value='<%= request.getRemoteUser() %>'>
       <input type="hidden" name="fullName" value='<%= request.getRemoteUser() %>'>
       <input type="hidden" name="passwordText" value='<%= request.getRemoteUser() %>'>
       <input type="hidden" name="password" value='<%= request.getRemoteUser() %>'>
       <input type="hidden" name="passwordConfirm" value='<%= request.getRemoteUser() %>'>
    </div>
<br/>
    <div class="formrow">
       <label for="emailAddress" class="formrow"><fmt:message key="userSettings.email" /></label>
       <html:text property="emailAddress" size="40" maxlength="40" />
    </div>

    <div class="formrow">
       <label for="locale" class="formrow"><fmt:message key="userSettings.locale" /></label>
       <html:select property="locale" size="1" >
          <html:options collection="roller.locales" property="value" labelProperty="label"/>
       </html:select>
    </div>




                                                                           
Allen Gilliland <Allen.T.Gilliland@Sun.COM> wrote on 08/03/2005 12:28 PM
To: roller-dev <ro...@incubator.apache.org>
Subject: Re: LDAP support/integration for User Registry in Roller
Please respond to roller-dev@incubator.apache.org

This is actually a bit different than what we do at Sun.  At Sun we
actually have users login to a 3rd party system which allows users to
create their blogs and at that point our system does an automated
registration into Roller for the user.

What you describe is more along the lines of how I would expect typical SSO
integration to work with Roller.  i.e. a user is authenticated against any
system, and if Roller doesn't know about them then their data is pulled
down.

When you talk about the "proxy" which updates user data based on LDAP, do
you mean that all UserData objects are constructed directly from LDAP data?
or do you mean that a UserData object is fetched as usual (from the db) and
before it is returned for usage in the system it is updated from LDAP data
and subsequently stored back into the db with the updated data?

Using a completely isolated persistent store for managing just user data
sounds cool, but I wonder if it's more trouble than it's worth.  I wonder
if just simple synchronization between Roller and the external system is
enough?  Something like an automatic profile update after login is much
easier to do.

Another consideration is that to truly make the user registry pluggable in
Roller requires a great deal more code per registry type (LDAP, JAAS, etc)
than doing a data copy at login style of solution.

Elias, if you don't mind sharing I'd love to see some more details about
how your LDAP proxy thingy actually works.

-- Allen


On Wed, 2005-08-03 at 11:20, Elias Torres wrote:
> Hi Dave,
>
> Thanks for the response. I'm perfectly fine with container managed
> security the way it works in Roller today. For IBM, I did something
> similar to Sun. Basically I configured WebSphere to do LDAP-backed
> authentication as usual, but I substituted manual registration with
> automatic registration. In other words, if you are in our LDAP
> directory, you also can have a blog internally. The very first time
> you access Roller a new user will be registered and associated via
> email address automagically. Now, I do a one time copy of properties
> like display name from LDAP, but I also do a proxy where every time
> Roller needs a User object I fetch the LDAP properties and set those
> on the object before it gets handed out so it's always up to date and
> users don't have to maintain their name in both applications.
>
> I was just more interested in creating a pluggable user registry not
> an authentication/security solution. Currently, Roller stores its
> users in its database, but most places will want to leave all of that
> to a centralized user management solution.
>
> Elias
>
> On 8/3/05, Dave Johnson <da...@rollerweblogger.org> wrote:
> > Hi Elias,
> >
> > Since Roller uses container managed authentication, Roller can
> > authenticate against whatever systems the container supports. The
> > Roller installation guide explains how to setup Roller with Tomcat and
> > Tomcat's built-in database authentication support, but it's also
> > possible to setup an LDAP, JAAS and other types of authentication for
> > Tomcat -- and I expect the same for other containers.
> >
> > There is a little history here. We've discussed this before. I believe
> > the consensus is that single-sign-on (SSO) will be difficult with
> > container managed persistence. SSO seems to be an important feature, so
> > we have discussed the idea of moving away from container managed
> > persistence, perhaps by using Spring's Acegi system (which supports
> > LDAP), but we haven't found the time for that.
> >
> > At Sun we use a separate user-registration system to create Roller
> > accounts for users in our LDAP system, so we don't really (at this
> > time) need LDAP support in Roller.
> >
> > Do you have any insights you'd like to share? How would you like to see
> > LDAP support working in Roller? Is container managed auth with LDAP
> > good enough for you? Can you share how IBM Roller users sign up for
> > new accounts now?
> >
> > - Dave
> >
> >
> >
> > On Aug 3, 2005, at 10:06 AM, Elias Torres wrote:
> >
> > > Hi Roller-Dev Team,
> > >
> > > My name is Elias Torres, I work for IBM and I deployed Roller almost two
> > > years ago inside IBM for internal blogging. I noticed a recent thread [1] on
> > > LDAP and was wondering what your reply would be. I was reading an old thread
> > > [2] from your previous mailing list on all the questions that came up when
> > > asked before. I'm not sure if this is of importance/interest to you, but I'd
> > > be interested in helping out in making this a feature in roller if not
> > > already there. We have gotten a lot from Roller in the past, it'd be nice if
> > > we gave some back. Maybe we can discuss what sort of LDAP support could be
> > > offered, besides the LDAP authentication configuration in the J2EE container
> > > such as read-only/read-write user information backed by LDAP.
> > >
> > > Regards,
> > >
> > > Elias
> > >
> > > [1] http://mail-archives.apache.org/mod_mbox/incubator-roller-dev/200508.mbox/%3cBAY18-F3028B8404878F270734A7A4C20@phx.gbl%3e
> > > [2] http://sourceforge.net/mailarchive/message.php?msg_id=4459892
> >
> >





Re: LDAP support/integration for User Registry in Roller

Posted by Elias Torres <el...@gmail.com>.
Hi Dave,

Thanks for the response. I'm perfectly fine with container managed
security the way it works in Roller today. For IBM, I did something
similar to Sun. Basically I configured Websphere to do LDAP-backed
authentication as usual, but I substituted manual registration with
automatic registration. In other words, if you are in our LDAP
directory, you also can have a blog internally. The very first time
you access Roller a new user will be registered and associated via
email address automagically. Now, I do a one time copy of properties
like display name from LDAP, but I also do a proxy where every time
Roller needs a User object I fetched the LDAP properties and set those
on the object before it gets handed out so it's always up to date and
users don't have to maintain their name in both applications.

I was just more interested in creating a pluggable user registry not
an authentication/security solution. Currently, Roller stores its
users in its database, but most places will want to leave all of that
to a centralized user management solution.

Elias

On 8/3/05, Dave Johnson <da...@rollerweblogger.org> wrote:
> Hi Elias,
> 
> Since Roller uses container managed authentication, Roller can
> authenticate against whatever systems the container supports. The
> Roller installation guide explains how to setup Roller with Tomcat and
> Tomcat's built-in database authentication support, but it's also
> possible to setup an LDAP, JAAS and other types of authentication for
> Tomcat -- and I expect the same for other containers.
> 
> There is a little history here. We've discussed this before. I believe
> the consensus is that single-sign-on (SSO) will be difficult with
> container managed persistence. SSO seems to be an important feature, so
> we have discussed the idea of moving away from container managed
> persistence, perhaps by using Spring's Acegi system (which supports
> LDAP), but we haven't found the time for that.
> 
> At Sun we use a separate user-registration system to create Roller
> accounts for users in our LDAP system, so we don't really (at this
> time) need LDAP support in Roller.
> 
> Do you have any insights you'd like to share? How would you like to see
> LDAP support working in Roller? Is container managed auth with LDAP
> good enough for you? Can you share how IBM Roller users sign up for
> new accounts now?
> 
> - Dave
> 
> 
> 
> On Aug 3, 2005, at 10:06 AM, Elias Torres wrote:
> 
> > Hi Roller-Dev Team,
> >
> > My name is Elias Torres, I work for IBM and I deployed Roller almost two
> > years ago inside IBM for internal blogging. I noticed a recent thread [1] on
> > LDAP and was wondering what your reply would be. I was reading an old thread
> > [2] from your previous mailing list on all the questions that came up when
> > asked before. I'm not sure if this is of importance/interest to you, but I'd
> > be interested in helping out in making this a feature in roller if not
> > already there. We have gotten a lot from Roller in the past, it'd be nice if
> > we gave some back. Maybe we can discuss what sort of LDAP support could be
> > offered, besides the LDAP authentication configuration in the J2EE container
> > such as read-only/read-write user information backed by LDAP.
> >
> > Regards,
> >
> > Elias
> >
> > [1] http://mail-archives.apache.org/mod_mbox/incubator-roller-dev/200508.mbox/%3cBAY18-F3028B8404878F270734A7A4C20@phx.gbl%3e
> > [2] http://sourceforge.net/mailarchive/message.php?msg_id=4459892
> 
>
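
The automatic registration and LDAP "proxy" that Elias describes, as an added example that is not part of this thread or of Roller's own code. It is written in Python rather than Roller's Java so that it runs stand-alone; the in-memory directory, its two sample entries and the DirectoryUnavailable error are constructed stand-ins for a real LDAP server. Beyond the pattern itself it shows the two checks a practitioner would want around it: the search filter built from the principal's e-mail is escaped per RFC 4515 (the unsafe builder is kept alongside to show the difference), and an account is created only when the directory confirms exactly one matching entry, while a directory outage serves cached data to already-known users and nobody else.

```python
"""Just-in-time provisioning of a local user from a container-authenticated
principal, with display attributes overlaid from the directory on every fetch.
Added example, not Roller code: the in-memory directory, its entries and the
DirectoryUnavailable error are constructed stand-ins for a real LDAP server."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value so it can only match literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(email: str) -> str:
    """Injectable form: the value is interpolated into the filter verbatim."""
    return "(mail=%s)" % email


def build_filter(email: str) -> str:
    """Hardened form: the value is escaped per RFC 4515 before interpolation."""
    return "(mail=%s)" % escape_filter_value(email)


class DirectoryUnavailable(Exception):
    """Directory cannot be reached (constructed for this example)."""


class InMemoryDirectory:
    """Stand-in for the LDAP server. It evaluates a single equality filter of the
    form (attr=value): a bare '*' is a presence wildcard, anything else is
    unescaped per RFC 4515 and compared literally, which is enough to show why
    escaping matters."""

    _HEX = re.compile(r"\\([0-9a-fA-F]{2})")

    def __init__(self, entries: List[Dict[str, str]]) -> None:
        self.entries = entries
        self.available = True

    def search(self, ldap_filter: str) -> List[Dict[str, str]]:
        if not self.available:
            raise DirectoryUnavailable()
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if m is None:
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, raw = m.group(1), m.group(2)
        if raw == "*":
            return [e for e in self.entries if attr in e]
        value = self._HEX.sub(lambda mm: chr(int(mm.group(1), 16)), raw)
        return [e for e in self.entries if e.get(attr) == value]


@dataclass
class UserData:
    username: str
    email: str
    full_name: str


class JitUserRegistry:
    """Local user table populated on first access and overlaid with directory
    attributes on every later fetch, the pattern described in the thread."""

    def __init__(self, directory: InMemoryDirectory) -> None:
        self.directory = directory
        self.users: Dict[str, UserData] = {}

    def get_user(self, principal_email: str) -> Optional[UserData]:
        """principal_email must be the identity the container authenticated
        (request.getRemoteUser() in a servlet), never a value from the request."""
        try:
            hits = self.directory.search(build_filter(principal_email))
        except DirectoryUnavailable:
            # Directory down: serve the cached copy to an already-known user,
            # but never create an account the directory has not confirmed.
            return self.users.get(principal_email)
        if len(hits) != 1:
            return None  # unknown or ambiguous: refuse to associate
        entry = hits[0]
        user = self.users.get(principal_email)
        if user is None:
            # First access: automatic registration replaces manual sign-up.
            user = UserData(username=entry["uid"], email=principal_email, full_name=entry["cn"])
            self.users[principal_email] = user
        else:
            # Later fetches: refresh display attributes from the directory so the
            # user maintains only one profile.
            user.full_name = entry["cn"]
        return user


def sample_directory() -> InMemoryDirectory:
    """Constructed sample entries, not real accounts."""
    return InMemoryDirectory([
        {"uid": "alice", "mail": "alice@example.com", "cn": "Alice Example"},
        {"uid": "bob", "mail": "bob@example.com", "cn": "Bob Example"},
    ])


if __name__ == "__main__":
    directory = sample_directory()
    registry = JitUserRegistry(directory)
    print(registry.get_user("alice@example.com"))
    print(len(directory.search(build_filter_unsafe("*"))), "entries match the unsafe filter for '*'")
    print(len(directory.search(build_filter("*"))), "entries match the escaped filter for '*'")
```

The overlay is deliberately one-way: directory attributes are copied onto the local object and nothing is written back, which keeps the directory as the single source of truth and avoids the write-permission and conflict questions a read-write registry would raise. If the e-mail address is the association key, as in the IBM deployment, the directory must guarantee it is unique and not reassigned, otherwise a recycled address hands one user another user's blog.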

Re: LDAP support/integration for User Registry in Roller

Posted by Dave Johnson <da...@rollerweblogger.org>.
Hi Elias,

Since Roller uses container managed authentication, Roller can
authenticate against whatever systems the container supports. The
Roller installation guide explains how to setup Roller with Tomcat and
Tomcat's built-in database authentication support, but it's also
possible to setup an LDAP, JAAS and other types of authentication for
Tomcat -- and I expect the same for other containers.

There is a little history here. We've discussed this before. I believe
the consensus is that single-sign-on (SSO) will be difficult with
container managed persistence. SSO seems to be an important feature, so
we have discussed the idea of moving away from container managed
persistence, perhaps by using Spring's Acegi system (which supports
LDAP), but we haven't found the time for that.

At Sun we use a separate user-registration system to create Roller
accounts for users in our LDAP system, so we don't really (at this
time) need LDAP support in Roller.

Do you have any insights you'd like to share? How would you like to see
LDAP support working in Roller? Is container managed auth with LDAP
good enough for you? Can you share how IBM Roller users sign up for
new accounts now?

- Dave



On Aug 3, 2005, at 10:06 AM, Elias Torres wrote:

> Hi Roller-Dev Team,
>
> My name is Elias Torres, I work for IBM and I deployed Roller almost two
> years ago inside IBM for internal blogging. I noticed a recent thread [1] on
> LDAP and was wondering what your reply would be. I was reading an old thread
> [2] from your previous mailing list on all the questions that came up when
> asked before. I'm not sure if this is of importance/interest to you, but I'd
> be interested in helping out in making this a feature in roller if not
> already there. We have gotten a lot from Roller in the past, it'd be nice if
> we gave some back. Maybe we can discuss what sort of LDAP support could be
> offered, besides the LDAP authentication configuration in the J2EE container
> such as read-only/read-write user information backed by LDAP.
>
> Regards,
>
> Elias
>
> [1] http://mail-archives.apache.org/mod_mbox/incubator-roller-dev/200508.mbox/%3cBAY18-F3028B8404878F270734A7A4C20@phx.gbl%3e
> [2] http://sourceforge.net/mailarchive/message.php?msg_id=4459892