Re: Accessing Open Directory Information
- Subject: Re: Accessing Open Directory Information
- From: Joe Little <email@hidden>
- Date: Wed, 6 Jul 2005 12:55:02 -0700
On 7/6/05, Chuck Hill <email@hidden> wrote:
>
> On Jul 6, 2005, at 11:31 AM, Joe Little wrote:
>
> Do you know if it will accept TLS as well? I've used raw JNDI to do
> TLS encrypted binds, but failed to get SASL working with that LDAP
> server (the exact problem has long since fled my memory, could be it
> did not support it).
It apparently does not, complaining about SSL handshake issues when
either an ldaps:// URL is used or the port is directed to 636.
>
>
> IIRC, you could do this with a plugin for the JNDI adaptor, which is
> not to suggest that I ever got it to function. :-) I don't actually
> need to query against a bound, authenticated connection. I was just
> wondering how much effort it would be to use OpenDirectory to
> authenticate users rather than storing a user ID and credential in
> the app's database. If it supports TLS then it will be little effort.
>
Ah.. Well, if you want to authenticate users, you are wanting to
perform an LDAP bind (success=authenticated, failure=invalid/failed)
to test authentication. In this case, the JNDI adaptor holds little
value. Instead, you can use the native Java JNDI support (the raw you
mentioned above) to do this. EOModeler and by it WO do not provide for
either the SASL or TLS/SSL connection. You are right in that
alternative plugins, if they exist, probably could provide the SASL
part. But the TLS/SSL part seems more fundamentally tied to the
connection dictionary and what it considers to be valid protocol. The
JNDI context factory seems valid, but the apple-provided plugin seems
not: com.webobjects.jndiadaptor.LDAPPlugIn
Mentions are on the net of someone trying to build a SecureLDAPPlugin
but giving up. Here's a fragment showing the RAW connection (thank you
google), with a setting for the protocol that is otherwise not offered
in WO's EOModeler.
// Imports and the env declaration the fragment omits; LOG is assumed to be
// an existing logger (e.g. log4j) in the surrounding class.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

Hashtable<String, String> env = new Hashtable<>();
LdapContext ctx1;
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://machinename:636/");
env.put(Context.SECURITY_PROTOCOL, "ssl");   // the setting EOModeler does not expose
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=username,dc=company,dc=com");
env.put(Context.SECURITY_CREDENTIALS, "password");
try {
    LOG.info("Creating first connection.");
    ctx1 = new InitialLdapContext(env, null);   // the bind happens here
    ctx1.close();
    LOG.info("Done creating connections.");
} catch (NamingException e) {
    LOG.error("Unable to connect to LDAP server. Exception thrown: " + e.toString());
}
Here's the jar's makeup for the plugin:
yukikaze:/Library/WebObjects/lib jlittle$ jar tf JavaJNDIAdaptor.jar
META-INF/
META-INF/MANIFEST.MF
Resources/
Resources/Info.plist
WebServerResources/
com/
com/webobjects/
com/webobjects/jndiadaptor/
com/webobjects/jndiadaptor/JNDIAdaptor$_Environment.class
com/webobjects/jndiadaptor/JNDIAdaptor$_ContextFactory.class
com/webobjects/jndiadaptor/JNDIAdaptor$1.class
com/webobjects/jndiadaptor/JNDIAdaptor.class
com/webobjects/jndiadaptor/_EOCachedObjectFactory.class
com/webobjects/jndiadaptor/JNDIContext$_ChannelFactory.class
com/webobjects/jndiadaptor/JNDIContext$1.class
com/webobjects/jndiadaptor/JNDIContext.class
com/webobjects/jndiadaptor/JNDIChannel$1.class
com/webobjects/jndiadaptor/JNDIChannel$_EntityExternalNamesBuilderImpl.class
com/webobjects/jndiadaptor/JNDIChannel$2.class
com/webobjects/jndiadaptor/JNDIChannel$_ModelBuilderImpl.class
com/webobjects/jndiadaptor/JNDIChannel.class
com/webobjects/jndiadaptor/_EOReverseEngineeringDirector$_EntityExternalNamesBuilder.class
com/webobjects/jndiadaptor/_EOReverseEngineeringDirector$_ModelBuilder.class
com/webobjects/jndiadaptor/_EOReverseEngineeringDirector.class
com/webobjects/jndiadaptor/_JNDITypeMap.class
com/webobjects/jndiadaptor/JNDIType.class
com/webobjects/jndiadaptor/_JNDIDeleter.class
com/webobjects/jndiadaptor/_JNDIWorker$1.class
com/webobjects/jndiadaptor/_JNDIWorker$2.class
com/webobjects/jndiadaptor/_JNDIWorker.class
com/webobjects/jndiadaptor/_EOChannelIterator.class
com/webobjects/jndiadaptor/_EOChannelWorker.class
com/webobjects/jndiadaptor/JNDIPlugIn$ChannelOperation.class
com/webobjects/jndiadaptor/JNDIPlugIn$_BaseVisitor.class
com/webobjects/jndiadaptor/JNDIPlugIn$_FilterVisitor.class
com/webobjects/jndiadaptor/JNDIPlugIn.class
com/webobjects/jndiadaptor/_JNDIFetcher.class
com/webobjects/jndiadaptor/_JNDIInserter.class
com/webobjects/jndiadaptor/_EOChannelExporter.class
com/webobjects/jndiadaptor/_JNDIUpdater.class
com/webobjects/jndiadaptor/JNDIAdaptorException.class
com/webobjects/jndiadaptor/LDAPPlugIn$_VisitorImpl.class
com/webobjects/jndiadaptor/LDAPPlugIn$_BaseVisitorImpl.class
com/webobjects/jndiadaptor/LDAPPlugIn$_FilterVisitorImpl.class
com/webobjects/jndiadaptor/LDAPPlugIn$_KeyValueQualifierFormatter.class
com/webobjects/jndiadaptor/LDAPPlugIn$_DataType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_NumberType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_BooleanType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_ShortType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_IntegerType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_LongType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_FloatType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_DoubleType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_BigDecimalType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_StringType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_TimestampType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_UTCTimeType.class
com/webobjects/jndiadaptor/LDAPPlugIn$_GeneralizedTimeType.class
com/webobjects/jndiadaptor/LDAPPlugIn$1.class
com/webobjects/jndiadaptor/LDAPPlugIn.class
com/webobjects/jndiadaptor/_JNDIType.class
> Chuck
>
>
> > You'll select organ*, inetorgperson, group*, person, posix* as the
> > tables to get.
> >
> > In this specific case, if you are simple using "groups" you may just
> > ideally get PosixGroup and PosixAccount as you may not care about the
> > other hierarchies or the person attributes beyond what you find in a
> > GECOS field
> >
> > On 7/6/05, Chuck Hill <email@hidden> wrote:
> >
> >> Joe,
> >>
> >> Do you know if you can you use an LDAP bind against OpenDirectory to
> >> authenticate user name / password?
> >>
> >> Chuck
> >>
> >>
> >> On Jul 5, 2005, at 11:46 PM, Joe Little wrote:
> >>
> >>
> >>> Open Directory, among other things, is just OpenLDAP 2.1.x. Use the
> >>> JNDIAdaptor against your LDAP server. You won't have access to
> >>> passwords and such, but if you just want groupings, you can query
> >>> which groups a user belongs, or the memberships of a specific group.
> >>> By making them EOs, you can mostly avoid all the LDAP specific
> >>> knowledge you would otherwise need.
> >>>
> >>> On 7/5/05, Colin Shreffler <email@hidden> wrote:
> >>>
> >>>
> >>>> What is the best way to access Open Directory information via Web
> >>>> Objects? Does Apple provide an Open Directory API?
> >>>>
> >>>> Specifically I need to incorporate role-based security
> >>>> (authorization) into my application. One approach would be to add
> >>>> users to groups in Open Directory and then check to see if the
> >>>> user is a member of that group before granting access to certain
> >>>> content.
> >>>>
> >>>> If anyone has any information about alternative methods of
> >>>> providing role-based security in Web Objects or about an API that
> >>>> will allow me to see if a User in Open Directory is a member of a
> >>>> particular Group, I'd be most grateful :)
> >>>>
> >>>> Cheers!
> >>>> -c
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> ________________________________________________________________
> >>>> Sent via the WebMail system at warp9software.com
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Do not post admin requests to the list. They will be ignored.
> >>>> Webobjects-dev mailing list (email@hidden)
> >>>> Help/Unsubscribe/Update your Subscription:
> >>>>
> >>>> This email sent to email@hidden
> >>
> >> --
> >> Practical WebObjects - a book for intermediate WebObjects developers
> >> who want to increase their overall knowledge of WebObjects, or those
> >> who are trying to solve specific application development problems.
> >> http://www.global-village.net/products/practical_webobjects
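A fuller version of the bind-based authentication check discussed in this thread, added here as an example and not taken from the original message or from WebObjects. It assumes a directory at ldap.example.com, a users container cn=users,dc=example,dc=com with uid-based RDNs, and a Java 5 or later JNDI; it rejects empty passwords, which RFC 4513 treats as an anonymous bind that many servers accept, and escapes the user-supplied RDN value.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.Rdn;

/** Bind-based password check against an LDAP server over SSL (constructed example). */
public final class LdapBindAuthenticator {
    // Assumed host, port and base DN; substitute your own directory's values.
    private static final String URL = "ldaps://ldap.example.com:636/";
    private static final String BASE_DN = "cn=users,dc=example,dc=com";

    /** Returns true only if the server accepts a simple bind as this user. */
    public static boolean authenticate(String uid, char[] password) {
        // RFC 4513: an empty password is an anonymous bind and "succeeds" on
        // most servers, so it must be rejected before the bind is attempted.
        if (uid == null || uid.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        // Escape the user-supplied value so it cannot alter the DN structure.
        String dn = "uid=" + Rdn.escapeValue(uid) + "," + BASE_DN;
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");          // TLS on port 636
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);   // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                               // wrong DN or password
        } catch (NamingException e) {
            // Connectivity or TLS failure: treat as not authenticated, but
            // log it separately so outages are not mistaken for bad passwords.
            System.err.println("LDAP bind failed: " + e);
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Because a failed TLS handshake surfaces as a NamingException rather than an AuthenticationException, the two branches let you distinguish the handshake problem described in this thread from a genuine bad-credential result.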