LDAP Group Import Suggestion

Question asked by smyers on May 1, 2007
Latest reply on Sep 17, 2007 by andy
I'm interested in using a Samba/POSIX-oriented LDAP DIT for my Alfresco user backend, so using full DNs in whatever the "memberAttribute" property would be rather difficult. As Alfresco's pretty much the only application I've yet to get working with this setup, my gut feeling is to add functionality to Alfresco in a clean way and hopefully get someone else out of the same bind I've gotten myself into.

While my bandaid fix is to hardcode in a string replacement of that attribute's values to make it a full DN (i.e. memberUid: username will become dn: uid=username,ou=people,dc=domain,dc=component,dc=com), I was hoping that creating some config values and doing this a little bit more like a "Good Way" would be helpful to more than just me. I plan to add properties along the lines of "memberAttributeIsFullDN", "memberAttributeRDNPrefix", "memberAttributeDNSuffix", etc., so that I can use this for more than just my internal sandbox implementation. Since Alfresco's internals want a full DN for this, I imagine that when we configure the org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource bean, the options above would be used as in the following example:

memberAttribute = memberUid
- uid only comes from LDAP, not full DN, when using this attribute type

memberAttributeIsFullDN = false
- default this to true in the class definition

memberAttributeRDNPrefix = uid
- unused if memberAttributeIsFullDN is true
- RDNPrefix and not DNPrefix; either would really work, but logically speaking I see this as attaching an RDN to a proper DN suffix

memberAttributeDNSuffix = ou=people,dc=domain,dc=component,dc=com
- unused if memberAttributeIsFullDN is true

Add it all up (rough example):
// build the full DN from the bare uid, then record it on the group
String attribute = memberAttributeRDNPrefix + "=" + (String) memAttribute.get(i) + "," + memberAttributeDNSuffix;
group.distinguishedNames.add(attribute);

Again, resulting in "uid=username,ou=people,dc=domain,dc=component,dc=com"

I'm not a native Java speaker, so I figured I'd suggest this before plunging in and see if it flies. In general, this solves a problem that a few of us are having in implementation land, and it does it fairly simply. It provides more functionality and integration while being completely backward compatible. Let me know if it's junk, and keep in mind that I'm shooting from the hip on the code, and I'm fully aware that what little code I have presented here won't work as it is simply an abstract representation of my intentions. :)

Edit: And by the way, this is an attempt to address the following issue in JIRA: http://issues.alfresco.com/browse/AR-1026
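
One way the properties proposed above could be applied, as an added example that is not part of the original post and not Alfresco code. The class name MemberDnResolver and the sample memberUid values are hypothetical; it builds the DN with javax.naming.ldap.Rdn and LdapName instead of string concatenation, so a memberUid containing DN special characters is escaped rather than changing the DN's structure.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper, not an Alfresco class. Field names follow the
// properties proposed in the post.
public class MemberDnResolver {
    private final boolean memberAttributeIsFullDN;
    private final String memberAttributeRDNPrefix;
    private final String memberAttributeDNSuffix;

    public MemberDnResolver(boolean isFullDN, String rdnPrefix, String dnSuffix) {
        this.memberAttributeIsFullDN = isFullDN;
        this.memberAttributeRDNPrefix = rdnPrefix;
        this.memberAttributeDNSuffix = dnSuffix;
    }

    /** Turns one member attribute value into a full DN string. */
    public String resolve(String memberValue) throws InvalidNameException {
        if (memberAttributeIsFullDN) {
            // Existing behaviour: the value is already a DN; parsing rejects malformed input.
            return new LdapName(memberValue).toString();
        }
        // Rdn escapes special characters (',', '+', '=', ...) in the value, so a
        // memberUid cannot add or change DN components as plain concatenation would allow.
        LdapName dn = new LdapName(memberAttributeDNSuffix);
        dn.add(new Rdn(memberAttributeRDNPrefix, memberValue)); // appended as the leftmost RDN
        return dn.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        MemberDnResolver posix = new MemberDnResolver(
                false, "uid", "ou=people,dc=domain,dc=component,dc=com");
        // Constructed sample memberUid values, two of them containing a comma.
        for (String uid : new String[] {"username", "smith, j", "x,ou=admins"}) {
            System.out.println(posix.resolve(uid));
        }
        // Default (full DN) mode passes a well-formed DN through unchanged.
        MemberDnResolver fullDn = new MemberDnResolver(true, null, null);
        System.out.println(fullDn.resolve("uid=username,ou=people,dc=domain,dc=component,dc=com"));
    }
}
```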
