cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Hochsteger <>
Subject Re: Cocoon 2.1 Authentication Bug? *Please* Help
Date Wed, 03 Sep 2003 05:12:09 GMT

I'm no LDAP expert, but I can tell you how we are going to do 
authentication and authorization:

We have 4 groups of users (Simple, Extended, Member, Employee) which are 
hierarchically organized this way:


They are organized this way, because the everyone can be treated as a 
simple user (has just username, password and email address), whereas 
extended users, members and employees can be treated as extended users 
(validated additional data is available) and so on ...
This can be achieved by a subtree search.

We use the InetOrgPerson class and store the role information in the 
attribute 'groupOfUniqueNames'.
We store default roles (which are application dependent) for every group 
but can attach additional roles to certain users.

I don't know if it will really work this way, but that's how we planned 
it to do ;-)

Perhaps it's will be of help for you.

BTW we use LDAP *only* for authorization and authentication. All 
additional user data (postal address, profiles, ...) is stored in a 
mysql database.


Carsten Ziegeler wrote:
> Hi,
> if you have different users with different roles, then I would
> store the information with your users in the LDAP.
> However, I don't know LDAP, so perhaps someone else can help here?
> Carsten
> wrote:
>>Yes, I don't have roles since I'm using the LDAP authentication,
>>all users are "Admin" at this moment.
>>Do you think to create a static list in a file or database and
>>check which role has the user?
>>I have thought about creating a static list but my problem is
>>that I have to enter ~1000 users in this list (I have about
>>20'000 users but only ~1000 have special roles). The solution is
>>maybe to use the groups defined in the LDAP repository, you would
>>have ~10 groups instead of ~1000 users in the static list. But in
>>you have groups, you have to use a LDAP query to know if the
>>authenticated user is in a group. It seems a bit complicated, no?
>>What do you think about the best practise?
>>-----Message d'origine-----
>>De: Carsten Ziegeler []
>>Date: lundi, 1. septembre 2003 16:28
>>Objet: RE: Cocoon 2.1 Authentication Bug? *Please* Help
>> [] wrote:
>>>OK, I understand the mechanism.
>>>About the roles, since I used LDAP for the authentication I have
>>>a problem how to define the roles.
>>>By default the authentication uses the file sunrise-user.xml and
>>>the role is defined for each user inside this file.
>>>With LDAP authentication I retrieve the users from a LDAP
>>>repository and the role isn't defined in this repository.
>>>Have you an idea how I could define the role for each users?
>>I guess from the above that you don't have roles. So, I would give
>>each user a default role and create a static list of roles with
>>this one role.

View raw message