
Re: [higgins-dev] Making progress on higgins.eclipse.org

Mike,

The objects on our wag server directory installation are mapped to the object class inetOrgPerson.  It has its own list of allowed attributes and is, of course, derived from other object classes, each of which has its own required (MUST) and allowed (MAY) attributes, but rather than try to list it all here, I'll just give you this link, which also has some example LDIFs for creating inetOrgPerson objects, and let you dive in as far as you'd care to: http://www.rfc-editor.org/rfc/rfc2798.txt.

Tom

>>> "Tom Doman" <TDoman@xxxxxxxxxx> 1/9/2007 9:29 AM >>>
Mike,

We hard-coded some tables into the LDAP CP to handle mapping of claim URIs in and out of the CP.  However, those attribute definitions are not required by the CP to exist in the schema of the backing LDAP store.  If the IdAS consumer asks for "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", the map dictates that the LDAP CP ask for several possibilities ("mail", "e-mail", "emailaddress", "rfc822mail", etc.), any of which, if they do not exist, will not be a problem.  No results will be returned.  As I said earlier, this hard-coded table will be removed from the LDAP CP when our mapping CP is implemented.  Then, this kind of mapping specification will be done in the mapping CP configuration file.  At any rate, the upshot is, the CP still doesn't require any schema; our reference application does.  I'll check on the exact LDAP classes and attributes being used by it and send you those under separate cover.

The values for java.naming.security.authentication and java.naming.ldap.attributes.binary are a couple of many environment variables which can be specified to control the behavior of some of the JNDI API calls.  Specifically, java.naming.security.authentication in this case specifies that we're doing simple user name\password authentication.  The java.naming.ldap.attributes.binary variable specifies that the "GUID" attribute is to be returned in binary format rather than base64Binary (I think that's the default format).

Tom

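As an added illustration (not code from the Higgins or Bandit projects), here is a small Python model of what the message above describes: the claim-URI-to-attribute-name table whose candidates may be absent from the store, the dsnameprefix/dsnamepostfix composition that turns a simple name like "tdoman" into a bind DN, and the JNDI environment assembled from the realm's env properties. The sample entry is constructed; the RFC 4514 escaping of the name and the cleartext-bind check are my additions, not behaviour the message states.

```python
# Added example, not project code. Models the LDAP CP behaviour described above.
from typing import Dict, List, Tuple

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Claim URI -> candidate LDAP attribute names (the e-mail candidates are the
# ones listed in the message; any of them may be missing from the store).
CLAIM_MAP: Dict[str, List[str]] = {
    EMAIL_CLAIM: ["mail", "e-mail", "emailaddress", "rfc822mail"],
}

# Constructed sample entry shaped like an inetOrgPerson (attribute -> values).
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "cn": ["tdoman"], "sn": ["Doman"], "mail": ["tdoman@example.invalid"],
}


def lookup_claim(entry: Dict[str, List[str]], claim_uri: str) -> List[str]:
    """Return values found under any candidate attribute for the claim.
    LDAP attribute names are case-insensitive, so compare lower-cased.
    An unmapped claim or an absent attribute is not an error: no results."""
    lowered = {name.lower(): vals for name, vals in entry.items()}
    found: List[str] = []
    for name in CLAIM_MAP.get(claim_uri, []):
        found.extend(lowered.get(name.lower(), []))
    return found


_DN_SPECIAL = '\\,+"<>;='


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def bind_dn(simple_name: str, prefix: str = "cn=",
            postfix: str = ",ou=people,dc=wag,dc=bandit-project,dc=org") -> str:
    """Compose the DN from a simple name using the realm's prefix/postfix.
    Escaping keeps a name containing ',' or '=' from altering the DN."""
    return f"{prefix}{escape_rdn_value(simple_name)}{postfix}"


def jndi_env(address: str, env_props: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Build the JNDI environment; also report whether a simple (username/
    password) bind would travel unencrypted over a plain ldap:// URL."""
    env = {"java.naming.provider.url": address, **env_props}
    cleartext = (env.get("java.naming.security.authentication") == "simple"
                 and address.lower().startswith("ldap://"))
    return env, cleartext
```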
>>> Michael McIntosh <mikemci@xxxxxxxxxx> 1/8/2007 12:44 PM >>>
higgins-dev-bounces@xxxxxxxxxxx wrote on 01/08/2007 01:48:55 PM:

> Mike,
> 
> The LDAP CP does not require any particular set of schema to be 
> present.  Applications may, but the CP itself does not.  The 

I guess I am confused. If no specific schema is required, how does the CP 
decide which attributeValue from LDAP should be used when it is asked for 
one of the Claim URIs?

> required CP configuration isn't too bad, I'll include the config we 
> used on the WAG server for the IIW demo here:
> 
> <bci:realms
> xmlns:bci="http://www.bandit-project.org/commonidentity"
> xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>         <bci:realm
>         connectorType="org.bandit.ia.connectors.LDAPConnectorInitialCtxFactory"
>         desc="Corporate LDAP Directory"
>         id="Corporate-LDAP-Server">
>                 <bci:connection xsi:type="bci:LDAPConnector">
>                         <bci:address>ldap://localhost:389</bci:address>
>                         <bci:dsnameprefix>cn=</bci:dsnameprefix>
>                         <bci:dsnamepostfix>,ou=people,dc=wag,dc=bandit-project,dc=org</bci:dsnamepostfix>
>                 </bci:connection>
>                 <bci:env prop="java.naming.security.authentication" value="simple" />
>                 <bci:env prop="java.naming.ldap.attributes.binary" value="GUID" />
>         </bci:realm>
> </bci:realms>
> 
> Note that the name prefix configuration is what allowed us to pass 
> simple names thru IdAS to the LDAP CP like "tdoman".  This will go 
> away when we finish our mapping CP implementation.

Can you say more about allowed values for 
java.naming.security.authentication and 
java.naming.ldap.attributes.binary?
 
> As for the LDAP store itself and what data is there, what would you 
> like to do?  Here are a few choices:
> 1. Point your LDAP CP configuration at the LDAP directory running on
> ldap://wag.bandit-project.org or ldaps://wag.bandit-project.org.
> 2. Use the Novell created LDAP utility we've used to unit test our 
> LDAP CP while it was developed in the bandit project.  It's backed 
> by an XML file with its own format.
> 3. Install, configure, and populate an LDAP server\store of your own.

I am leaning towards #3 since I'd like the install to be as self-contained 
as possible (and the Eclipse Firewall rules are brutal).
I tried #2, but it seems to require X Windows on Linux and that machine 
does not have it installed.
 
> Thanks,
> Tom
> 
> >>> Michael McIntosh <mikemci@xxxxxxxxxx> 1/7/2007 9:22 AM >>>
> Tom,
> 
> I am not very directory server savvy - can you send me whatever schema 
> files and other configuration details I'd need to have a directory work 
> with your LDAP CP?
> 
> Thanks,
> Mike
> 
> higgins-dev-bounces@xxxxxxxxxxx wrote on 01/02/2007 01:19:08 PM:
> 
> > Mike,
> > 
> > You shouldn't need anything more than what we've already setup on 
> > the demo machines with the exception of an LDAP server of your 
> > choice.  The LDAP CP configuration file would only need to be 
> > modified to point at that source.  Of course, it'd be up to you to 
> > make sure that the data you want is loaded there as well.  Anyway, 
> > what else do you need help with?
> > 
> > Tom
> > 
> > >>> Michael McIntosh <mikemci@xxxxxxxxxx> 12/21/06 1:32 PM >>>
> > Thanks to Valery, I've made some progress on configuring 
> > higgins.eclipse.org.
> > I need to get the LDAP CP configured on this machine.
> > Can someone from Novell help me to understand what needs to be 
> > installed and configured on this machine?
> > 
> > thanks,
> > Mike
> > _______________________________________________
> > higgins-dev mailing list
> > higgins-dev@xxxxxxxxxxx 
> > https://dev.eclipse.org/mailman/listinfo/higgins-dev 
> 
