Posted to users@jackrabbit.apache.org by Esmond Pitt <es...@bigpond.com> on 2012/05/08 14:11:00 UTC

Yet another authentication/authorization question.

I've read the FAQ items and a few postings on this and I remain
unilluminated.
 
My objectives:
 
1. Authenticate users via an LDAP directory. Users must reside in the LDAP
directory and nowhere else; specifically, not in the Jackrabbit repository.
 
2. Authorize users via the LDAP directory. It is not sufficient for me to
identify them in the existing Jackrabbit terms as anonymous, user, or admin.
I want to grant each user specific access rights, including none. Ultimately
this might descend to the Node level; however initially it certainly
includes the following access levels: none; read-only; read-write; admin
(i.e. with control over versioning, locking, etc). I want to put roles such
as jcr:read, jcr:write etc into my LDAP directory and grant them to my own
users; no other solution is really acceptable.
 
I've read that I have to implement a custom LoginModule to implement (1) and
perhaps a custom AccessManager to accomplish (2). However I have as yet
failed to locate the necessary information to be able to do so. Any
assistance gratefully received. Specifically I don't understand how to
unhook a LoginModule from the existing built-in users, and having done so
how to advise via the LoginModule, AccessManager, etc, which roles one of my
users actually has, in terms that Jackrabbit will understand and act on
without requiring it all to be inside its own repository.
 
I'm thinking of implementing something for Jackrabbit along the lines of
Tomcat's JNDIRealm to accomplish all this, and I would be quite prepared to
contribute it to the project, which at present doesn't really appear to me
to address this kind of problem adequately.
 
If I'm wrong about any of the above I would be delighted to hear about it.
 
Thanks in advance
 
EJP
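The first objective above (authenticating only against the directory, with no user records in the repository) is the part that plain JAAS can carry without any Jackrabbit-specific code. The following Java class is an added example written for this thread; it is not code from the post, from Tomcat's JNDIRealm, or from the Jackrabbit project. It authenticates by binding to LDAP as the user and then collects the DNs of the groups that list that user as a member, so that an access manager can later map group DNs to rights such as jcr:read or jcr:write. The option names (`url`, `userBase`, `groupBase`), the `uid=` RDN layout, the `member` attribute and the principal classes are all assumptions; how the resulting principals are consumed by Jackrabbit's AccessManager is not shown.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical JAAS LoginModule: password check is an LDAP bind as the user,
 * then the user's group DNs are collected as principals for later authorization.
 * Option names (url, userBase, groupBase) and the directory layout are assumed.
 */
public class LdapGroupLoginModule implements LoginModule {

    /** Minimal principal carrying a DN; the kind distinguishes user from group. */
    public static final class DnPrincipal implements Principal {
        private final String kind, dn;
        DnPrincipal(String kind, String dn) { this.kind = kind; this.dn = dn; }
        public String getName() { return dn; }
        public String getKind() { return kind; }
        @Override public String toString() { return kind + ":" + dn; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private String userDn;
    private final List<Principal> groups = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[]{nc, pc});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        String user = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // An empty password must be rejected here: many directories treat an
        // empty simple bind as an anonymous bind, which would "succeed".
        if (user == null || user.isEmpty() || pw == null || pw.length == 0) {
            throw new FailedLoginException("missing credentials");
        }
        // Assumed layout: uid=<user>,<userBase>. Rdn.escapeValue keeps a user
        // name containing ',' or '=' from altering the DN we bind with.
        userDn = "uid=" + Rdn.escapeValue(user) + "," + options.get("userBase");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get("url")); // prefer ldaps://
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        try {
            DirContext ctx = new InitialDirContext(env); // the bind is the password check
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[]{"cn"});
                // Parameterised filter: JNDI encodes {0}, so the DN never reaches
                // the filter string unescaped.
                NamingEnumeration<SearchResult> res = ctx.search(
                        (String) options.get("groupBase"), "(member={0})",
                        new Object[]{userDn}, sc);
                while (res.hasMore()) {
                    groups.add(new DnPrincipal("group", res.next().getNameInNamespace()));
                }
            } finally {
                ctx.close();
            }
        } catch (AuthenticationException e) {
            throw new FailedLoginException("bad credentials for " + user);
        } catch (NamingException e) {
            throw new LoginException("directory error: " + e.getMessage());
        } finally {
            Arrays.fill(pw, '\0'); // do not leave the password in the heap
        }
        return true;
    }

    @Override
    public boolean commit() {
        subject.getPrincipals().add(new DnPrincipal("user", userDn));
        subject.getPrincipals().addAll(groups);
        return true;
    }

    @Override public boolean abort() { groups.clear(); userDn = null; return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof DnPrincipal);
        return true;
    }
}
```

Two points deserve attention if this is adapted. The bind-as-user approach means the module holds no service account password, and a failed bind surfaces as `FailedLoginException` rather than a generic error, so an authorization layer sees a clear deny. Group lookup is done with the bound user's own rights; if the directory does not let users read group membership, a separate read-only service bind for the search step is required, and that credential then needs to be kept out of the repository configuration file.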