incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: Visual LDAP user name
Date Sun, 25 Oct 2009 11:15:00 GMT
...you check out the trunk and look at the javadocs, which are  
extremely well-documented.

Sorry my reply came as a serialization... I did it one-handed on the  
iPhone and fat-fingered TWICE.

Andrew

On Oct 25, 2009, at 7:10, Andrew Jaquith <andrew.r.jaquith@gmail.com>  
wrote:

> Sorry-- I fat-fingered the send button!
>
> Anyhow, with the LdapUserDatabase you won't need to provision or  
> deprovision because everything will be in LDAP. We will keep some  
> data locally (user prefs) but that's it.
>
> At this point, if you still have concerns I'd recommend yo
>
> On Oct 25, 2009, at 7:04, Andrew Jaquith   
> <andrew.r.jaquith@gmail.com> wrote:
>
>> I should not have used the magic word "provision" in my last post.  
>> The important concept is that when the LdapUserDatabase is used,  
>> LDAP *is* the user database
>>
>> On Oct 25, 2009, at 6:38, Jim Willeke <jim@willeke.com> wrote:
>>
>>> But what about de-provisioning users?
>>>
>>> The issue with putting users in yet another database in the enterprise world
>>> central provisioning, de-provisioning and RBAC are the strategic directions
>>> with no desire to manage users in remote stores.
>>>
>>> And why would someone want to put in information into the WIKI when it
>>> has already been added to the user in LDAP via the enterprise portal?
>>>
>>> I will agree the local "groups" concept is necessary, but it should be an
>>> augmentation to container managed security that most enterprises would
>>> utilize.
>>>
>>> So users in the role (perhaps by department) "Sales" would always be able to
>>> view any pages with "Sales":
>>>
>>> Then the local "groups" would be done to perform "teaming" arrangements as
>>> would be done in a project that would cross departmental lines.
>>>
>>> -jim
>>> Jim Willeke
>>>
>>>
>>> On Sat, Oct 24, 2009 at 11:12 AM, Andrew Jaquith <andrew.r.jaquith@gmail.com> wrote:
>>>
>>>> JSPWiki 3.0 trunk already has an LdapUserDatabase and LdapAuthorizer,
>>>> which means that it can obtain user profiles on a read-only basis from
>>>> LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
>>>> users will be "provisioned" in JSPWiki automatically. This should
>>>> solve the user-experience problem you described.
>>>>
>>>> The upcoming 3.0 LDAP features have been developed and tested with
>>>> Active Directory and OpenLDAP. It is configured via the GUI at
>>>> install-time.
>>>>
>>>> With respect to permissions and group memberships: these are good
>>>> suggestions. We still have some work to do for the GUI for ACLs for
>>>> 3.0. I agree that we should be validating user names when users create
>>>> the ACLs. Same for adding users to groups. These suggestions will be
>>>> incorporated into how the ACL GUIs work -- likely via AJAX in
>>>> real-time.
>>>>
>>>> Andrew
>>>>
>>>> On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt  
>>>> <te@zama.org> wrote:
>>>>> The group and permission system in the jspwiki is rather dynamic, and ldaps
>>>>> tends to be readonly except for a group of administrators. Therefore there
>>>>> is still need for the user.xml and group.xml. But in my opinion the user.xml
>>>>> needs to be automatically updated when a new ldap user is logged in.
>>>>>
>>>>> Otherwise granting and managing jspwiki permissions is a nightmare, this also
>>>>> enhanced since there is no check on if a user exist - when adding users to
>>>>> wiki group or setting a page permission.
>>>>>
>>>>> I think the following should be changed.
>>>>>
>>>>> - First time a new user is logged in - the user should be added to the
>>>>> user.xml and redirect to the profile page for setting additional information
>>>>> (email, full name and section edition etc)
>>>>>
>>>>> - Adding page permission should lookup if the group or the user exist.
>>>>>
>>>>> - Adding users to a wiki group should only be possible for existing users.
>>>>>
>>>>> /Thomas
>>>>>
>>>>>
>>>>> On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
>>>>>
>>>>>> Why allow people to eliminate the user.xml?
>>>>>>
>>>>>> Why not allow the use of LDAP for the user profile?
>>>>>>
>>>>>> Allow mapping the LDAP attributes to the profile values?
>>>>>>
>>>>>> Enterprises have no desire to maintain another separate user  
>>>>>> store of
>>>>>> information. Many already have a central LDAP store.
>>>>>>
>>>>>> -jim
>>>>>> Jim Willeke
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <te@zama.org> wrote:
>>>>>>
>>>>>>> I would suggest a change, if a ldap user is logging the first time. the
>>>>>>> Wiki should create the user in the user.xml - it gives a lot of problems
>>>>>>> when adding a ldap user to a wiki group, since it is possible that the
>>>>>>> user isn't created.
>>>>>>>
>>>>>>>
>>>>>>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>>>>>>
>>>>>>>> If a user creates a user profile after logging into the container, he or
>>>>>>>> she will have an opportunity to specify a "full name." If a full name is
>>>>>>>> supplied, it will be used in page histories etc from that point forward.
>>>>>>>>
>>>>>>>> Andrew
>>>>>>>>
>>>>>>>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@hkr.at> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>> I run JSPWiki with Web Container Authentication via LDAP and it runs
>>>>>>>>> fine (JSPWiki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>>>>>>>>
>>>>>>>>> Only the visualization of real user name is still missing. I get only
>>>>>>>>> the login name (short name) instead of the full name in the change
>>>>>>>>> history and so on.  Is it a default behaviour or misconfiguration?
>>>>>>>>>
>>>>>>>>> Nice greetings,
>>>>>>>>> Harald
>>>>>>>>>
>>>>>>>>> - --
>>>>>>>>>
>>>>>>>>> Harald Krammer
>>>>>>>>> Brucknerstrasse 33
>>>>>>>>> A - 4020  Linz
>>>>>>>>> AUSTRIA
>>>>>>>>>
>>>>>>>>> Mobil +43.(0) 664. 130 59 58
>>>>>>>>> Mail: Harald.Krammer (at) hkr.at