Re: [higgins-dev] Making progress on higgins.eclipse.org

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [higgins-dev] Making progress on higgins.eclipse.org

From: Michael McIntosh <mikemci@xxxxxxxxxx>
Date: Tue, 9 Jan 2007 12:47:22 -0500
Delivered-to: higgins-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>
List-help: <mailto:higgins-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=unsubscribe>

higgins-dev-bounces@xxxxxxxxxxx wrote on 01/09/2007 11:29:41 AM:

> Mike,
> 
> We hard coded some tables into the LDAP CP to handle mapping of 
> claim URI's in and out of the CP.  However, those attribute 
> definitions are not required by the CP to exist in the schema of the
> backing LDAP store.  If the IdAS consumer asks for "http://schemas.
> xmlsoap.org/ws/2005/05/identity/claims/emailaddress" the map 
> dictates that the LDAP CP ask for several possibilities ("mail", "e-
> mail", "emailaddress", "rfc822mail", etc.) any of which, if they do 
> not exist, will not be a problem.  No results will be returned.  As 
> I said earlier, this hard coded table will be removed from the LDAP 
> CP when our mapping CP is implemented.  Then, this kind of mapping 
> specification will be done in the mapping CP configuration file.  At
> any rate, the upshot is, the CP still doesn't require any schema, 
> our reference application does.  I'll check on the exact LDAP 
> classes and attributes being used by it and send you those under 
> separate cover.
> 
> The values for java.naming.security.authentication and java.naming.
> ldap.attributes.binary are a couple of many environment variables 
> which can be specified to control the behavior of some of the JNDI 
> API calls.  Specifically, java.naming.security.authentication in 
> this case specifies that we're doing simple user name\password 
> authentication.  The java.naming.ldap.attributes.binary variable 

What other values/authentication methods are possible/supported?

> specifies that the "GUID" attribute is to be returned in binary 
> format rather than base64Binary (I think that's the default format).
> 
> Tom
> 
> >>> Michael McIntosh <mikemci@xxxxxxxxxx> 1/8/2007 12:44 PM >>>
> higgins-dev-bounces@xxxxxxxxxxx wrote on 01/08/2007 01:48:55 PM:
> 
> > Mike,
> > 
> > The LDAP CP does not require any particular set of schema to be 
> > present.  Applications may, but the CP itself does not.  The 
> 
> I guess I am confused. If no specific schema is required, how does the 
CP 
> decide which attributeValue from LDAP should be used when it is asked 
for 
> one of the Claim URIs?
> 
> > required CP configuration isn't too bad, I'll include the config we 
> > used on the WAG server for the IIW demo here:
> > 
> > <bci:realms 
> > xmlns:bci="http://www.bandit-project.org/commonidentity"; 
> > xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
> >         <bci:realm 
> >         connectorType="org.bandit.ia.connectors.
> > LDAPConnectorInitialCtxFactory" 
> >         desc="Corporate LDAP Directory"
> >         id="Corporate-LDAP-Server">
> >                 <bci:connection xsi:type="bci:LDAPConnector">
> > <bci:address>ldap://localhost:389</bci:address>
> >                         <bci:dsnameprefix>cn=</bci:dsnameprefix>
> >                         <bci:dsnamepostfix>,ou=people,dc=wag,
> > dc=bandit-project,dc=org</bci:dsnamepostfix>
> >                 </bci:connection>
> >                 <bci:env prop="java.naming.security.authentication" 
> > value="simple" />
> >                 <bci:env prop="java.naming.ldap.attributes.binary" 
> > value="GUID" />
> >         </bci:realm>
> > </bci:realms>
> > 
> > Note that the name prefix configuration is what allowed us to pass 
> > simple names thru IdAS to the LDAP CP like "tdoman".  This will go 
> > away when we finish our mapping CP implementation.
> 
> Can you say more about allowed values for 
> java.naming.security.authentication and 
> java.naming.ldap.attributes.binary?
> 
> > As for the LDAP store itself and what data is there, what would you 
> > like to do?  Here are a few choices:
> > 1. Point your LDAP CP configuration at the LDAP directory running on
> > ldap://wag.bandit-project.org or ldaps://wag.bandit-project.org.
> > 2. Use the Novell created LDAP utility we've used to unit test our 
> > LDAP CP while it was developed in the bandit project.  It's backed 
> > by an XML file with it's own format.
> > 3. Install, configure, and populate an LDAP server\store of your own.
> 
> I am leaning towards #3 since I'd like the install to be as self 
contained 
> as possible (and the Eclipse Firewall rules are brutal).
> I tried #2, but it seems to require X Windows on Linux and that machine 
> does not have it installed.
> 
> > Thanks,
> > Tom
> > 
> > >>> Michael McIntosh <mikemci@xxxxxxxxxx> 1/7/2007 9:22 AM >>>
> > Tom,
> > 
> > I am not very directory server savvy - can you send me whatever schema 

> > files and other configuration details I'd need to have a directory 
work 
> > with your LDAP CP?
> > 
> > Thanks,
> > Mike
> > 
> > higgins-dev-bounces@xxxxxxxxxxx wrote on 01/02/2007 01:19:08 PM:
> > 
> > > Mike,
> > > 
> > > You shouldn't need anything more than what we've already setup on 
> > > the demo machines with the exception of an LDAP server of your 
> > > choice.  The LDAP CP configuration file would only need to be 
> > > modified to point at that source.  Of course, it'd be up to you to 
> > > make sure that the data you want is loaded there as well.  Anyway, 
> > > what else do you need help with?
> > > 
> > > Tom
> > > 
> > > >>> Michael McIntosh <mikemci@xxxxxxxxxx> 12/21/06 1:32 PM >>>
> > > Thanks to Valery, I've made some progress on configuring 
> > > higgins.eclipse.org.
> > > I need to get the LDAP CP configured on this machine.
> > > Can someone from Novell help me to understand what needs to be 
> installed 
> > 
> > > and configured on this machine?
> > > 
> > > thanks,
> > > Mike
> > > _______________________________________________
> > > higgins-dev mailing list
> > > higgins-dev@xxxxxxxxxxx 
> > > https://dev.eclipse.org/mailman/listinfo/higgins-dev 
> > > _______________________________________________
> > > higgins-dev mailing list
> > > higgins-dev@xxxxxxxxxxx 
> > > https://dev.eclipse.org/mailman/listinfo/higgins-dev 
> > 
> > _______________________________________________
> > higgins-dev mailing list
> > higgins-dev@xxxxxxxxxxx 
> > https://dev.eclipse.org/mailman/listinfo/higgins-dev 
> > _______________________________________________
> > higgins-dev mailing list
> > higgins-dev@xxxxxxxxxxx 
> > https://dev.eclipse.org/mailman/listinfo/higgins-dev 
> 
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx 
> https://dev.eclipse.org/mailman/listinfo/higgins-dev
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev

Follow-Ups:
- Re: [higgins-dev] Making progress on higgins.eclipse.org
  - From: Tom Doman

References:
- Re: [higgins-dev] Making progress on higgins.eclipse.org
  - From: Tom Doman

Prev by Date: Re: [higgins-dev] Making progress on higgins.eclipse.org
Next by Date: Re: [higgins-dev] Making progress on higgins.eclipse.org
Previous by thread: Re: [higgins-dev] Making progress on higgins.eclipse.org
Next by thread: Re: [higgins-dev] Making progress on higgins.eclipse.org
Index(es):
- Date
- Thread

Breadcrumbs