Posted to dev@lenya.apache.org by qMax <qm...@mediasoft.ru> on 2005/03/25 14:48:35 UTC

LDAPAccreditableManager

I wish to store all users and groups in LDAP,
there's no documentation on this, so please correct me
on how all this stuff works.

What I figured out is that:
AccreditableManager should initialize and configure all LDAP(User|Group)Managers
(along with File(IPRange,Role)Managers) using *Manager::instance()

LDAP(User|Group)Manager should access database to _retrieve_ objects
in methods getGroup()/getGroups() and getUser()/getUsers()
(if the whole user/group list is not to be loaded while initializing)

LDAPUser and LDAPGroup should access database to _store_ objects
in method save() and probably LDAPGroup::getMembers()
(if members are not to be loaded as soon as the group is retrieved).

All high level membership management is handled in Abstract(User|Group)Manager
and Abstract(User|Group),
so I only need to derive my classes and write the 6 mentioned methods.


Is it all correct?
And what are all ItemManager and ItemManagerListeners for?

-- 
 qMax


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org


Re: LDAPAccreditableManager

Posted by qMax <qm...@mediasoft.ru>.
Friday, March 25, 2005, 8:48:35 PM, qmax@mediasoft.ru wrote:

q> I wish to store all users and groups in LDAP,
q> there's no documentation on this, so please correct me
q> on how all this stuff works.

The question is: what is the lifetime of User and especially Group objects?

Using LDAP, I could not rely on users/groups being constant during
Lenya operations or even a user session,
so I could not just load all group memberships on initialization.
(Although the existing implementation of LDAPUser extends AbstractGroupable,
which behaves this way.)

I could think that User and Group objects exist only when a user logs in -
for calculation of all assigned roles, which are then stored in the session.
After this, all User/Group objects are destroyed and no longer used.
In this case I could use org.apache.lenya.ac.impl.
In the other case I should reimplement all required interfaces to perform
LDAP requests each time.
Although I cannot clearly imagine how things work in the latter case.

-- 
 qMax
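
The lifetime question raised in this message, as an added example that is not part of the original post and not Lenya's code: a group loaded once keeps authorizing a user after the directory has removed them, while a per-check lookup does not. `Directory`, `SnapshotGroup`, `LiveGroup` and `TtlGroup` are hypothetical names, the in-memory set is a constructed stand-in for the LDAP server, and the TTL variant goes beyond the two options the message discusses.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class GroupLifetimeDemo {
    /** Hypothetical stand-in for an LDAP search returning a group's member ids. */
    interface Directory { Set<String> membersOf(String groupId); }

    /** Loads membership once at construction; later directory changes are never seen. */
    static final class SnapshotGroup {
        private final Set<String> members;
        SnapshotGroup(Directory dir, String id) { members = new HashSet<>(dir.membersOf(id)); }
        boolean contains(String user) { return members.contains(user); }
    }

    /** Queries the directory on every check; a revocation takes effect at once. */
    static final class LiveGroup {
        private final Directory dir; private final String id;
        LiveGroup(Directory dir, String id) { this.dir = dir; this.id = id; }
        boolean contains(String user) { return dir.membersOf(id).contains(user); }
    }

    /** Reloads membership when the cached copy is older than ttlMillis. */
    static final class TtlGroup {
        private final Directory dir; private final String id; private final long ttlMillis;
        private Set<String> members; private long loadedAt;
        TtlGroup(Directory dir, String id, long ttlMillis) { this.dir = dir; this.id = id; this.ttlMillis = ttlMillis; }
        boolean contains(String user, long now) {   // 'now' is passed in to keep the demo deterministic
            if (members == null || now - loadedAt >= ttlMillis) {
                members = new HashSet<>(dir.membersOf(id));
                loadedAt = now;
            }
            return members.contains(user);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: an in-memory set plays the role of the LDAP server.
        Set<String> editors = new HashSet<>(Collections.singleton("alice"));
        Directory dir = g -> g.equals("editors") ? editors : Collections.<String>emptySet();
        SnapshotGroup snapshot = new SnapshotGroup(dir, "editors");
        LiveGroup live = new LiveGroup(dir, "editors");
        TtlGroup cached = new TtlGroup(dir, "editors", 60_000);
        cached.contains("alice", 0);      // first check populates the cache
        editors.remove("alice");          // membership revoked in the directory
        System.out.println("snapshot: " + snapshot.contains("alice"));
        System.out.println("live: " + live.contains("alice"));
        System.out.println("ttl, 30s later: " + cached.contains("alice", 30_000));
        System.out.println("ttl, 60s later: " + cached.contains("alice", 60_000));
    }
}
```

The same staleness applies to roles computed at login and kept in the session: they stay in force until the session ends, whatever the directory says in the meantime.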




Re: LDAPAccreditableManager

Posted by Andreas Hartmann <an...@apache.org>.
qMax wrote:
> Tuesday, March 29, 2005, 2:18:13 PM, andreas@apache.org wrote:
> AH> qMax wrote:
> 
>>>I wish to store all users and groups in LDAP,
>>>there's no documentation on this, so please correct me
>>>on how all this stuff works.
> 
> AH> Yes, that's the idea. But I don't know if anyone ever tried
> AH> to implement a custom accreditable manager, so be aware that
> AH> it might not be completely straightforward. If problems arise,
> AH> we have to consider changing the API.
> 
> There are methods
> org.apache.lenya.ac.Item.configure(Configuration)
> org.apache.lenya.ac.Item.setConfigurationDirectory(File)
> along with class ItemConfiguration.
> What are they for and when are they called?

FileItemManager.loadItem(File)

> I configure LDAPUser and LDAPGroup from Properties, loaded from file
> "ldap.properties" in LDAPAccreditableManager, so I probably do not need it.
> 
> There are methods
> User.save(), User.delete(), Group.save(), Group.delete()
> (but not for IPRange or Role, although added in AbstractIPRange).
> These methods allow removing or saving Users and Groups
> without UserManager and GroupManager (methods .add and .remove).
> I'm not implementing adding groups or users, so personally I don't care.
> But this looks confusing because it dissociates actual storage from (User|Group)Manager.

The "storage model" of the access control objects didn't undergo
big architectural planning, it was rather a "do whatever works" approach :)
If you see the need for improvements, feel free to send proposals and patches.

-- Andreas




Re[2]: LDAPAccreditableManager

Posted by qMax <qm...@mediasoft.ru>.
Tuesday, March 29, 2005, 2:18:13 PM, andreas@apache.org wrote:
AH> qMax wrote:
>> I wish to store all users and groups in LDAP,
>> there's no documentation on this, so please correct me
>> on how all this stuff works.
AH> Yes, that's the idea. But I don't know if anyone ever tried
AH> to implement a custom accreditable manager, so be aware that
AH> it might not be completely straightforward. If problems arise,
AH> we have to consider changing the API.

There are methods
org.apache.lenya.ac.Item.configure(Configuration)
org.apache.lenya.ac.Item.setConfigurationDirectory(File)
along with class ItemConfiguration.
What are they for and when are they called?

I configure LDAPUser and LDAPGroup from Properties, loaded from file
"ldap.properties" in LDAPAccreditableManager, so I probably do not need it.

There are methods
User.save(), User.delete(), Group.save(), Group.delete()
(but not for IPRange or Role, although added in AbstractIPRange).
These methods allow removing or saving Users and Groups
without UserManager and GroupManager (methods .add and .remove).
I'm not implementing adding groups or users, so personally I don't care.
But this looks confusing because it dissociates actual storage from (User|Group)Manager.

-- 
 qMax




Re: LDAPAccreditableManager

Posted by Andreas Hartmann <an...@apache.org>.
qMax wrote:
> Tuesday, March 29, 2005, 2:18:13 PM, andreas@apache.org wrote:
> 
> AH> Yes, that's the idea. But I don't know if anyone ever tried
> AH> to implement a custom accreditable manager, so be aware that
> AH> it might not be completely straightforward. If problems arise,
> AH> we have to consider changing the API.
> 
> 
>>>And what are all ItemManager and ItemManagerListeners for?
> 
> 
> AH> I'm not sure, but IIRC they are just used to simplify the
> AH> implementation, not for conceptual purposes.
> 
> And what interfaces ARE for conceptual purposes here?

- all services declared in cocoon.xconf
- all interfaces that are used in the signatures of these services

> Which of them are used from outside of org.apache.lenya.ac?

The ones mentioned above and some others (but this should rather
be viewed as a design flaw).

> Is there some UML class diagram?

No idea, I don't have one :)

-- Andreas




Re[2]: LDAPAccreditableManager

Posted by qMax <qm...@mediasoft.ru>.
Tuesday, March 29, 2005, 2:18:13 PM, andreas@apache.org wrote:

AH> Yes, that's the idea. But I don't know if anyone ever tried
AH> to implement a custom accreditable manager, so be aware that
AH> it might not be completely straightforward. If problems arise,
AH> we have to consider changing the API.

>> And what are all ItemManager and ItemManagerListeners for?

AH> I'm not sure, but IIRC they are just used to simplify the
AH> implementation, not for conceptual purposes.

And what interfaces ARE for conceptual purposes here?
Which of them are used from outside of org.apache.lenya.ac?
Is there some UML class diagram?

-- 
 qMax




Re: LDAPAccreditableManager

Posted by Andreas Hartmann <an...@apache.org>.
qMax wrote:
> I wish to store all users and groups in LDAP,
> there's no documentation on this, so please correct me
> on how all this stuff works.
> 
> What I figured out is that:
> AccreditableManager should initialize and configure all LDAP(User|Group)Managers
> (along with File(IPRange,Role)Managers) using *Manager::instance()
> 
> LDAP(User|Group)Manager should access database to _retrieve_ objects
> in methods getGroup()/getGroups() and getUser()/getUsers()
> (if the whole user/group list is not to be loaded while initializing)
> 
> LDAPUser and LDAPGroup should access database to _store_ objects
> in method save() and probably LDAPGroup::getMembers()
> (if members are not to be loaded as soon as the group is retrieved).
> 
> All high level membership management is handled in Abstract(User|Group)Manager
> and Abstract(User|Group),
> so I only need to derive my classes and write the 6 mentioned methods.

Yes, that's the idea. But I don't know if anyone ever tried
to implement a custom accreditable manager, so be aware that
it might not be completely straightforward. If problems arise,
we have to consider changing the API.


> Is it all correct?
> And what are all ItemManager and ItemManagerListeners for?

I'm not sure, but IIRC they are just used to simplify the
implementation, not for conceptual purposes.

-- Andreas

