[jboss-dev-forums] [Design of JBoss Portal] - LDAP Support expectations

bdaw do-not-reply at jboss.com
Wed Oct 11 05:56:42 EDT 2006


I would like to ask for your opinions about the expected LDAP support in JBoss Portal 2.6, as it's being implemented currently.

For JBoss Portal 2.6 we decided to split identity responsibilities among four modules

- UserModule - user retrieval and creation
  | --- findUserByUserName()
  | --- findUserById
  | --- createUser()
  | --- removeUser()
  | --- ....

- RoleModule - role retrieval and creation
  | --- findRoleByName()
  | --- findRoleById
  | --- createRole()
  | --- removeRole()
  | --- ....

- MembershipModule - discover and assign user/role relationship
  | --- getRoles(User u)
  | --- getUsers(Role r)
  | --- assignRoles()
  | --- assignUsers()

- UserProfileModule - takes care about user properties (name, surname, email...)
  | --- getProperty()
  | --- setProperty()
  | --- getProperties()
  | (This will enable explicit mapping of user properties to specific attributes in LDAP or columns in a DB)

Such a split should enable more flexible implementation and usage for DB or LDAP. It is also designed
to be easily extendable by swapping any element with your own implementation targeting a more complex environment.

For LDAP

1) MembershipModule
Because the user/role relationship can be defined in LDAP in several ways, it will be based on a pluggable
MembershipStrategy interface implementation. So out of the box we plan to implement a few base strategies like:
- StaticRoleLDAPMembershipStrategy
- StaticGroupLDAPMembershipStrategy

2) UserModule and RoleModule
We plan to provide two implementations for each:
- Simple
--- user/role can be retrieved from only one specific location (like ou=Pople,dc=example,dc=com and ou=Roles,dc...)
--- user/role create() and remove() operations are supported

- Extended 
--- user/role can be retrieved in a more sophisticated way (like in http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule)
--- user/role create() and remove() operations are NOT supported
--- user/role relationship assignment operations in the MembershipModule could be limited in some way

The requirement for the implementation as a whole is that an LDAPUserImpl or LDAPRoleImpl instance is aware of its DN,
to enable altering of this entry.
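As an added illustration of the design above (this is not JBoss Portal code, and the strategy classes here are not the StaticRole/StaticGroup strategies named in the post), the following Python models the "simple" UserModule/RoleModule lookups against a single base DN, entries that carry their own DN, and a pluggable MembershipStrategy with the two common directions in which a tree can record user/role membership: on the role entry (a `member` attribute listing user DNs) or on the user entry (a `memberOf` attribute listing role DNs). The directory is a constructed in-memory stand-in, the names `RoleSideMembership` and `UserSideMembership` are invented, and the filter evaluator is a toy that only understands `(attr=pattern)`. It also shows why `findUserByUserName()` must escape the supplied name per RFC 4515 before placing it in a search filter: an unescaped `*` matches every user.

```python
import re
from abc import ABC, abstractmethod

PEOPLE_BASE = "ou=People,dc=example,dc=com"
ROLES_BASE = "ou=Roles,dc=example,dc=com"

# Constructed sample directory (DN -> attributes), standing in for an LDAP server.
# Membership is recorded both on the roles (member) and on the users (memberOf).
DIRECTORY = {
    f"uid=alice,{PEOPLE_BASE}": {
        "uid": ["alice"], "mail": ["alice@example.com"],
        "memberOf": [f"cn=admin,{ROLES_BASE}", f"cn=user,{ROLES_BASE}"]},
    f"uid=bob,{PEOPLE_BASE}": {
        "uid": ["bob"], "mail": ["bob@example.com"],
        "memberOf": [f"cn=user,{ROLES_BASE}"]},
    f"cn=admin,{ROLES_BASE}": {"cn": ["admin"], "member": [f"uid=alice,{PEOPLE_BASE}"]},
    f"cn=user,{ROLES_BASE}": {"cn": ["user"],
                              "member": [f"uid=alice,{PEOPLE_BASE}", f"uid=bob,{PEOPLE_BASE}"]},
}


class LdapEntry:
    """An entry that knows its own DN, as the post requires of LDAPUserImpl/LDAPRoleImpl."""
    def __init__(self, dn, attrs):
        self.dn = dn
        self.attrs = attrs


def escape_filter_value(value):
    """RFC 4515 escaping: user input can never change the structure of a filter."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def _pattern_to_regex(pattern):
    # Unescaped '*' is a wildcard; '\xx' hex escapes inside a segment are literals.
    def unescape(seg):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), seg)
    return "^" + ".*".join(re.escape(unescape(seg)) for seg in pattern.split("*")) + "$"


def search(base_dn, ldap_filter):
    """Toy one-level search: entries directly under base_dn matching (attr=pattern)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, regex = m.group(1), re.compile(_pattern_to_regex(m.group(2)))
    hits = []
    for dn, attrs in DIRECTORY.items():
        one_level_below = dn.endswith("," + base_dn) and dn.count(",") == base_dn.count(",") + 1
        if one_level_below and any(regex.match(v) for v in attrs.get(attr, [])):
            hits.append(LdapEntry(dn, attrs))
    return hits


def search_users(username, escape=True):
    """Returns matching user DNs; escape=False shows the unsafe variant."""
    value = escape_filter_value(username) if escape else username
    return [e.dn for e in search(PEOPLE_BASE, f"(uid={value})")]


def find_user_by_username(username):
    """Simple UserModule lookup: users live only under PEOPLE_BASE."""
    hits = search(PEOPLE_BASE, f"(uid={escape_filter_value(username)})")
    if len(hits) > 1:
        raise LookupError("uid is not unique under " + PEOPLE_BASE)
    return hits[0] if hits else None


def find_role_by_name(name):
    """Simple RoleModule lookup: roles live only under ROLES_BASE."""
    hits = search(ROLES_BASE, f"(cn={escape_filter_value(name)})")
    return hits[0] if hits else None


class MembershipStrategy(ABC):
    """Pluggable strategy: how the user/role relationship is read out of the tree."""
    @abstractmethod
    def get_roles(self, user): ...
    @abstractmethod
    def get_users(self, role): ...


class RoleSideMembership(MembershipStrategy):
    """Membership recorded on the role entry ('member' lists user DNs)."""
    def get_roles(self, user):
        return sorted(dn for dn, a in DIRECTORY.items() if user.dn in a.get("member", []))
    def get_users(self, role):
        return sorted(role.attrs.get("member", []))


class UserSideMembership(MembershipStrategy):
    """Membership recorded on the user entry ('memberOf' lists role DNs)."""
    def get_roles(self, user):
        return sorted(user.attrs.get("memberOf", []))
    def get_users(self, role):
        return sorted(dn for dn, a in DIRECTORY.items() if role.dn in a.get("memberOf", []))


def membership_consistent(strategies, user):
    """True when every configured strategy derives the same roles for the user."""
    views = [s.get_roles(user) for s in strategies]
    return all(v == views[0] for v in views)


if __name__ == "__main__":
    alice = find_user_by_username("alice")
    print(alice.dn, RoleSideMembership().get_roles(alice))
    print("unescaped '*':", search_users("*", escape=False), "escaped:", search_users("*"))
```

Both strategies return the same answers on this tree, which is what `membership_consistent()` checks; in a real deployment only one direction is usually authoritative (many servers maintain `memberOf` automatically from `member`), so the strategy that is chosen should be the one backed by the attribute the server actually keeps current.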

This is the big picture from the design point of view. 

What I'm interested to learn from the JBoss Portal community are the expectations about user provisioning
features. LDAP servers are designed to be centralized identity repositories for whole organizations and in most cases
come with their own powerful management tools. In such cases the portal will probably be one of many LDAP server clients. So:

- are you interested in creating/removing users from within the portal administration tools (like RolePortlet)?
- are you interested in managing user/role relationship from within the portal?

Currently it's not our goal to provide any comprehensive LDAP management console within the portal. We target the "simple"
implementation of UserModule and RoleModule to cover smaller deployments with simple LDAP trees. We assume that
more complex tree shapes are managed with external tools anyway and just expect flexible authentication capabilities like those covered by LdapExtLoginModule in the JBossSX framework.

Any thoughts about that?


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3977480#3977480
