Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/04/14 15:17:25 UTC

[jira] [Commented] (QPID-7116) Ability to utilise group information from a LDAP compatible directory

    [ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241125#comment-15241125 ] 

Keith Wall commented on QPID-7116:
----------------------------------

Planning workshop notes: ensure that the object returned by the AuthenticationProvider is sufficient to encapsulate both the User's principals and principals representing each group to which the user belongs.  Also noted that support for the other way of representing groups (my comment 2016/03/29) is not currently required.

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
>                 Key: QPID-7116
>                 URL: https://issues.apache.org/jira/browse/QPID-7116
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>             Fix For: qpid-java-6.1
>
>
> The Java Broker can already authenticate users against an LDAP compatible directory.  It should also be able to use the same information source as a source of group information too.
> The authentication provider needs to accept optional attributes governing where the group information will be found:
> {{groupSearchContext}} - the base entry for the role search. If not specified, the search base is the top-level directory context.
> {{groupSearchFilter}} - the LDAP search filter for selecting group entries.  A {0} token within the filter will be replaced by the distinguished name of the authenticated user.
> {{groupAttributeName}} - the name of the attribute that contains the name of the role.
> After the authentication provider has successfully bound (authenticated) the user, it should perform a second query for the groups.  It should build a {{GroupPrincipal}} for each group to which the user belongs and return this as part of the AuthenticationResult.   If the group search attributes are not found, the group search should be skipped.
> A future version of the LDAP Authentication Provider may offer the ability to cache the group results for a DN period of time.  This would serve to avoid hitting the Directory several times per authentication (it already hits the Directory twice if {{bindWithoutSearch}} is false, this will add a third).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
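The following is an added illustration of the second (group) query the issue describes, written here in Python rather than the broker's Java and not taken from Qpid: the {0} token in {{groupSearchFilter}} is replaced with the bound user's DN, the search runs under {{groupSearchContext}}, and {{groupAttributeName}} supplies the name for each GroupPrincipal, with the lookup skipped when the attributes are not configured. The DN is escaped per RFC 4515 before substitution, so a DN containing filter metacharacters cannot change the filter's meaning; the directory contents, the single-equality filter evaluator and the function names are constructed for this example.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter: backslash, '*',
    '(', ')' and NUL become \\xx hex escapes so a DN cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)

def unescape_filter_value(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def build_group_filter(group_search_filter, user_dn):
    """Replace the {0} token with the escaped DN of the authenticated user."""
    return group_search_filter.replace('{0}', escape_filter_value(user_dn))

# Constructed stand-in for the directory: entry DN -> attribute map.
DIRECTORY = {
    'cn=admins,ou=groups,dc=example,dc=org': {
        'cn': ['admins'],
        'member': ['cn=alice,ou=people,dc=example,dc=org']},
    'cn=ops,ou=groups,dc=example,dc=org': {
        'cn': ['ops'],
        'member': ['cn=alice,ou=people,dc=example,dc=org',
                   'cn=bob (contractor),ou=people,dc=example,dc=org']},
    'cn=alice,ou=people,dc=example,dc=org': {'cn': ['alice']},
}

# Only filters of the form (attr=value) are evaluated; an unescaped DN with
# parentheses inside the value fails to parse instead of being misinterpreted.
SIMPLE_EQUALITY = re.compile(r'^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^()]*)\)$')

def run_search(base, ldap_filter):
    """Return the DNs under base whose attribute equals the filter value."""
    m = SIMPLE_EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError('unsupported or malformed filter: %r' % ldap_filter)
    wanted = unescape_filter_value(m.group('value'))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and wanted in attrs.get(m.group('attr'), [])]

def group_principals(config, user_dn):
    """Second query after a successful bind: the group names that would become
    GroupPrincipals, or [] when the group search attributes are not configured."""
    if not all(k in config for k in ('groupSearchFilter', 'groupAttributeName')):
        return []
    # Default base: the constructed directory's top-level context.
    base = config.get('groupSearchContext', 'dc=example,dc=org')
    ldap_filter = build_group_filter(config['groupSearchFilter'], user_dn)
    return sorted(DIRECTORY[dn][config['groupAttributeName']][0]
                  for dn in run_search(base, ldap_filter))
```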
