LDAP plugin was: First Post!


David Wolff

Nov 14, 2011, 6:12:31 PM
to pgina...@googlegroups.com
Hi Lo5t,

> Am practically rewriting your ldap plugin but using a bind with the
> supplied username and password.

This is what the current 3.x LDAP plugin does.  It binds to the LDAP server with the supplied username (mapped to a DN) and password.  If the bind succeeds, the authentication is successful.
 
> Although that
> means I get 2 binds, it will allow for the username mapping to be an
> optional plugin. I really like the feature of DidPluginAuth.


The LDAP plugin already does some username mapping.  Is there some other mapping that you'll need?  I'm not familiar with DidPluginAuth.

Additionally, we will soon be adding a SymbolMod plugin that will allow you to map a username to any configurable string.

David

Lo5t

Nov 15, 2011, 5:08:59 AM
to pgina-devel
Hi David,

> This is what the current 3.x LDAP plugin does.  It binds to the LDAP server
> with the supplied username (mapped to a DN) and password.  If the bind
> succeeds, the authentication is successful.
> The LDAP plugin already does some username mapping. Is there some other
> mapping that you'll need? I'm not familiar with DidPluginAuth.

Since 3.x allows plugins to be chained I will split my plugins, the
ldap plugin is far simpler than the one being used. I really only want
to bind to the ldap server with the username/password of the
to-be-authenticated user, if this succeeds then I consider the user
authenticated.
Since I can now chain plugins, I use my LDAP-Plugin to authenticate,
the LDAPMAPPER will then check with DidPluginAuth (using the UID of my
LDAP Plugin) if the user is authenticated. Since the mapping is also
managed over the ldap and my LDAP plugin has already been launched I
will require to bind to the ldap server yet again to fetch the mapping
values. Although this means I will need to bind twice, it also means I
can specify the LDAPMAPPER as an additional Plugin which would give me
more functionality.

Lo5t

Nate Yocom

Nov 15, 2011, 10:55:49 AM
to pgina...@googlegroups.com
> Since 3.x allows plugins to be chained I will split my plugins, the
> ldap plugin is far simpler than the one being used. I really only want
> to bind to the ldap server with the username/password of the
> to-be-authenticated user, if this succeeds then I consider the user
> authenticated.

I think what David is saying is that this is what the 3.x LDAP plugin does... you may not have to write this part at all.

> Since I can now chain plugins, I use my LDAP-Plugin to authenticate,
> the LDAPMAPPER will then check with DidPluginAuth (using the UID of my
> LDAP Plugin) if the user is authenticated. Since the mapping is also
> managed over the ldap and my LDAP plugin has already been launched I
> will require to bind to the ldap server yet again to fetch the mapping
> values. Although this means I will need to bind twice, it also means I
> can specify the LDAPMAPPER as an additional Plugin which would give me
> more functionality.

Given that the current LDAP plugin does the auth the way you want already, you may be able to just write your mapper plugin.  In fact, because plugins can share state now (the SessionProperties object passed to a plugin is the same for all plugins), you could even get fancier and share a single bind.  To keep it simple though, I bet you could write just your mapping plugin (as either an Authorization or a Gateway plugin, depending on its purpose), and put the existing ldap plugin as your authentication plugin... and it should just work.
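
A minimal Python model of the chain discussed in this thread, added as an example and not part of any post or of pGina's code: an authentication stage that treats a successful bind as the verdict, and a later mapper stage that checks that verdict and reuses the same bind through the shared session object. All names (`FakeLdap`, `ldap_authenticate`, `ldap_mapper`, the session keys, the plugin id) are assumptions, and the directory is constructed sample data.

```python
import hmac
import uuid

# Constructed sample data; every name here is hypothetical, none is pGina's API.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org":
             {"password": "s3cret", "localName": "alice_local"}}
DN_TEMPLATE = "uid={},ou=people,dc=example,dc=org"
LDAP_AUTH_ID = uuid.UUID("00000000-0000-0000-0000-000000000001")

class FakeLdap:
    """Stand-in for a directory connection made with a simple bind."""
    def __init__(self, dn, password):
        entry = DIRECTORY.get(dn)
        # Modelled server quirk: name + empty password is an "unauthenticated
        # bind" (RFC 4513, 5.1.2) that a permissive server reports as success.
        if password and (entry is None or not hmac.compare_digest(
                entry["password"].encode(), password.encode())):
            raise PermissionError("invalid credentials")
        self.entry = entry if password else None

    def read(self, attr):
        return self.entry[attr]

def ldap_authenticate(session, username, password):
    """Authentication stage: the user is authenticated iff the bind succeeds."""
    ok = False
    # Refuse empty passwords before binding, and keep DN metacharacters out
    # of the template (real code would escape per RFC 4514 instead).
    if password and username.isalnum():
        session["binds"] = session.get("binds", 0) + 1
        try:
            session["ldap_conn"] = FakeLdap(DN_TEMPLATE.format(username), password)
            ok = True
        except PermissionError:
            pass
    session.setdefault("auth_results", {})[LDAP_AUTH_ID] = ok
    return ok

def ldap_mapper(session):
    """Later stage: map only users the LDAP stage vouched for, reusing its bind."""
    if not session.get("auth_results", {}).get(LDAP_AUTH_ID, False):
        return None  # fail closed: no recorded success, no mapping
    session["mapped_name"] = session["ldap_conn"].read("localName")
    return session["mapped_name"]

def run_chain(username, password):
    """Run both stages over one shared session object, as a chain would."""
    session = {}
    ldap_authenticate(session, username, password)
    ldap_mapper(session)
    return session
```
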

