Posted to user@turbine.apache.org by Daniel Patterson <da...@adaptiveinternational.com> on 2002/12/17 14:04:57 UTC

Tiered authentication

Hi all,

  I'm quite new to Turbine, so forgive me if I miss something obvious,
  but I'm getting a bit lost trying to decouple some of the user
  authentication features of Turbine.

  I would like to use a Turbine application in an environment where I
  have two kinds of users:

    1) Users listed in a corporate directory (LDAP)
    2) Users to sign-up on the website independently.

  I don't really want to provide two entry points, and I'd like to
  integrate the application with the cookie-based single-sign-on system
  already in place for users in the LDAP directory.

  Basically, I'm trying to achieve the following:

    1) User hits the application URL
    2) If user has appropriate cookie, discover username and move on to
       default application page.  The information may not necessarily
       be a cookie, but may be an X509 certificate, a header added by
       a frontend proxy, etc.
    3) If user does not have "special" authentication information,
       display application login screen.

    4) On user login attempt, first attempt to validate against LDAP.
       If that works, issue single-sign-on cookie (in addition to
       session cookie), and continue.
    5) If LDAP validation fails, check against internal user database.
       If that works, login as normal and don't set any extra cookies.
    6) Otherwise, login fails.

  Now, there are a few questions that I don't know where to find the
  answers to that I'm hoping someone else may have already seen:

    1) Can I enumerate over both sets of users from within Turbine
       (assuming I had an API for each) so that authorisation features
       (role assignments, etc) could be managed from within the
       application?  I.e.  A search for user by name finds users in
       both LDAP *and* the TURBINE_USER table?

    2) Does turbine behave nicely if roles are assigned to non-existent
       users (i.e. ones that are in LDAP and have no entry in
       TURBINE_USER)?

  I suspect I may need to "automagically" populate rows in the
  TURBINE_USER table, but this could be a pain during name changes,
  email changes, etc, etc.  I would like to source data directly, but
  I can't tell if it's possible or not.

  Does anyone have any ideas?

daniel
-- 
Daniel Patterson <da...@adaptiveinternational.com>
Adaptive International


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
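A worked model of steps 2 to 6 in the post above, added here as an illustration; it is not code from the post or from Turbine, and the user stores, token table and proxy address are constructed stand-ins. It goes one step further than the post by stopping when LDAP knows the user but rejects the password, so that a self-registered account with the same name cannot stand in for a directory user, and it only honours a proxy-added header when the request actually arrived from the proxy.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Verdict(Enum):
    OK = "ok"            # this tier accepted the credentials
    UNKNOWN = "unknown"  # this tier has no such user: try the next tier
    REJECT = "reject"    # this tier knows the user but rejected the password

@dataclass
class AuthResult:
    username: Optional[str]      # None when the login fails
    source: Optional[str]        # "sso", "ldap", "local" or None
    set_sso_cookie: bool = False # step 4: only LDAP logins get the SSO cookie

# Constructed stand-ins (hypothetical): a real deployment binds to LDAP and
# checks a hashed password from TURBINE_USER instead of these dicts.
LDAP_USERS = {"alice": "corp-secret"}
LOCAL_USERS = {"bob": "web-secret", "alice": "shadow-secret"}
SSO_TOKENS = {"tok-123": "alice"}      # SSO cookie value -> directory user
TRUSTED_PROXY = "10.0.0.2"             # only this peer may assert a user header

def _tier(store: dict, user: str, pw: str) -> Verdict:
    """Check one user store; distinguish 'no such user' from 'wrong password'."""
    if user not in store:
        return Verdict.UNKNOWN
    return Verdict.OK if hmac.compare_digest(store[user], pw) else Verdict.REJECT

def pre_authenticated(request: dict) -> Optional[str]:
    """Step 2: identity already asserted by SSO cookie or by a proxy header."""
    if request.get("sso_cookie") in SSO_TOKENS:
        return SSO_TOKENS[request["sso_cookie"]]
    # A header added by the frontend proxy means nothing unless the proxy sent it.
    if request.get("peer") == TRUSTED_PROXY and request.get("x_remote_user"):
        return request["x_remote_user"]
    return None

def authenticate(request: dict, user: Optional[str] = None,
                 pw: Optional[str] = None) -> AuthResult:
    """Steps 2-6 of the post: SSO first, then LDAP, then the local table."""
    who = pre_authenticated(request)
    if who is not None:
        return AuthResult(who, "sso")
    if user is None or pw is None:
        return AuthResult(None, None)          # step 3: show the login screen
    verdict = _tier(LDAP_USERS, user, pw)
    if verdict is Verdict.OK:
        return AuthResult(user, "ldap", set_sso_cookie=True)   # step 4
    if verdict is Verdict.REJECT:
        return AuthResult(None, None)  # directory user, bad password: no fallthrough
    if _tier(LOCAL_USERS, user, pw) is Verdict.OK:
        return AuthResult(user, "local")                       # step 5
    return AuthResult(None, None)                              # step 6
```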


Re: Tiered authentication

Posted by Eric Emminger <er...@ericemminger.com>.
Daniel

>     1) Users listed in a corporate directory (LDAP)
>     2) Users to sign-up on the website independently.

Could you put the public users in LDAP so that you have only one data
source?

Eric

-- 
Eric Emminger
eric@ericemminger.com

