incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: Visual LDAP user name
Date Sun, 25 Oct 2009 11:04:51 GMT
I should not have used the magic word "provision" in my last post. The  
important concept is that when the LdapUserDatabase is used, LDAP *is*  
the user database.

On Oct 25, 2009, at 6:38, Jim Willeke <jim@willeke.com> wrote:

> But what about de-provisioning users?
>
> The issue with putting users in yet another database in the  
> enterprise world
> central provisioning, de-provisioning and RBAC are the strategic  
> directions
> with no desire to manage users in remote stores.
>
> And why would someone want to put in information into the WIKI when  
> it has
> already been added to the user in LDAP via the enterprise portal?
>
> I will agree the local "groups" concept is necessary, but it should  
> be an
> augmentation to container managed security that most enterprises would
> utilize.
>
> So users in the role (perhaps by department) "Sales" would always be  
> able to
> view any pages with "Sales":
>
> Then the local "groups" would be done to perform "teaming"  
> arrangements as
> would be done in a project that would cross departmental lines.
>
> -jim
> Jim Willeke
>
>
> On Sat, Oct 24, 2009 at 11:12 AM, Andrew Jaquith <andrew.r.jaquith@gmail.com
>> wrote:
>
>> JSPWiki 3.0 trunk already has an LdapUserDatabase and LdapAuthorizer,
>> which means that it can obtain user profiles on a read-only basis  
>> from
>> LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
>> users will be "provisioned" in JSPWiki automatically. This should
>> solve the user-experience problem you described.
>>
>> The upcoming 3.0 LDAP features have been developed and tested with
>> Active Directory and OpenLDAP. It is configured via the GUI at
>> install-time.
>>
>> With respect to permissions and group memberships: these are good
>> suggestions. We still have some work to do for the GUI for ACLs for
>> 3.0. I agree that we should be validating user names when users  
>> create
>> the ACLs. Same for adding users to groups. These suggestions will be
>> incorporated into how the ACL GUIs work -- likely via AJAX in
>> real-time.
>>
>> Andrew
>>
>> On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt <te@zama.org>  
>> wrote:
>>> The group and permission system in the jspwiki is rather dynamic,  
>>> and
>> ldaps
>>> tends to be readonly except for a group of administrators. Therefore
>> there
>>> is still need for the user.xml and group.xml. But in my opinion the
>> user.xml
>>> needs to be automatically updated when a new ldap user is logged in.
>>>
>>> Otherwise granting and managing jspwiki permissions is a nightmare,  
>>> this
>> also
>>> enhanced since there is no check on if a user exist - when adding  
>>> users
>> to
>>> wiki group or setting a page permission.
>>>
>>> I think the following should be changed.
>>>
>>> - First time a new user is logged in - the user should be added to  
>>> the
>>> user.xml and redirect to the profile page for setting additional
>> information
>>> (email, full name and section edition etc)
>>>
>>> - Adding page permission should lookup if the group or the user  
>>> exist.
>>>
>>> - Adding users to a wiki group should only be possible for existing
>> users.
>>>
>>> /Thomas
>>>
>>>
>>> On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
>>>
>>>> Why allow people to eliminate the user.xml?
>>>>
>>>> Why not allow the use of LDAP for the user profile?
>>>>
>>>> Allow mapping the LDAP attributes to the profile values?
>>>>
>>>> Enterprises have no desire to maintain another separate user  
>>>> store of
>>>> information. Many already have a central LDAP store.
>>>>
>>>> -jim
>>>> Jim Willeke
>>>>
>>>>
>>>> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <te@zama.org>
>> wrote:
>>>>
>>>>> I would suggest a change, if a ldap user is logging in the first  
>>>>> time.
>> the
>>>>> Wiki should create the user in the user.xml - it gives a lot of  
>>>>> problems
>>>>> when
>>>>> adding a ldap user to a wiki group, since it is possible that the  
>>>>> user
>> isn't
>>>>> created.
>>>>>
>>>>>
>>>>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>>>>
>>>>> If a user creates a user profile after logging into the  
>>>>> container, he
>> or
>>>>>>
>>>>>> she will have an opportunity to specify a "full name." If a  
>>>>>> full name
>> is
>>>>>> supplied, it will be used in page histories etc from that point
>> forward.
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@hkr.at>
>> wrote:
>>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>
>>>>>>> Hash: SHA256
>>>>>>>
>>>>>>> Hello,
>>>>>>> I run JSPWiki with Web Container Authentication via LDAP and
>>>>>>> it runs
>>>>>>> fine (JSPWiki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>>>>>>
>>>>>>> Only the visualization of real user name is still missing. I
>>>>>>> get only
>>>>>>> the login name (short name) instead of the full name in the
>>>>>>> change
>>>>>>> history and so on.  Is it a default behaviour or  
>>>>>>> misconfiguration?
>>>>>>>
>>>>>>> Nice greetings,
>>>>>>> Harald
>>>>>>>
>>>>>>> - --
>>>>>>>
>>>>>>> Harald Krammer
>>>>>>> Brucknerstrasse 33
>>>>>>> A - 4020  Linz
>>>>>>> AUSTRIA
>>>>>>>
>>>>>>> Mobil +43.(0) 664. 130 59 58
>>>>>>> Mail: Harald.Krammer (at) hkr.at
>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>>>>
>>>>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
>>>>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>>>>>> =Kd7Y
>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>
>>>>>>
>>>>>
>>>
>>>
>>
