
Using a User Store different from LDAP to identify users


Hello everybody,
I've developed a couple of authentication classes in Access Manager and
I found the constraint of having to use an LDAP user store very limiting.

I have to develop a class that checks the credentials against a table in
a database. I have no LDAP user store at all. I find all the relevant
information in the db. So I can correctly authenticate the user, but I
can't "say" to the Identity Server that the user is also correctly
identified. In the code I can create a new NIDPPrincipal object with a
(null UserAuthority) setting its properties for the authenticated user.
It works, but I still have to add a "fake" LDAP user store to be able to
check the "identify user" option in the method definition in the
Administration Console. And I presume that the Identity Server can
become unstable because it cannot find the user in the user store.

I've looked at the LDAP Plugin extension, trying to create a "wrapper"
to the db, but the documented API is only about the LDAP definition and
does not expose any interface to catch LDAP search or read (or whatever
else the Identity Server may ask of the user store), so I guess that the
LDAP access is hard-wired in the Identity Server code. This approach
seems very strange because the modular architecture of the NAM solution
could work very well with other types of user store than LDAP. I
expected to find an interface to abstract the User Authority.

Am I missing something, or is my reasoning wrong?

Thanks
Giovanni


--
cannata_g
------------------------------------------------------------------------
cannata_g's Profile: http://forums.novell.com/member.php?userid=17484
View this thread: http://forums.novell.com/showthread.php?t=422784
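The credential check against a database table that the post describes, as an added example (not NAM code and not Giovanni's class): a JDBC verifier that a custom authentication class could delegate to. It assumes a table `app_users(username, salt, pw_hash, enabled)` with PBKDF2 hashes; it does not touch the NIDPPrincipal/User Authority API and so does not solve the "identify user" limitation the thread is about.

```java
// Added example, not NAM's or the poster's code. Assumed schema:
//   app_users(username VARCHAR PRIMARY KEY, salt VARCHAR, pw_hash VARCHAR, enabled BOOLEAN)
// salt and pw_hash are stored Base64-encoded; pw_hash = PBKDF2-HMAC-SHA256(password, salt).
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;

public final class DbCredentialVerifier {
    private static final String LOOKUP =
        "SELECT salt, pw_hash, enabled FROM app_users WHERE username = ?";
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    // Salt hashed on a miss so unknown and known usernames take similar time.
    private static final byte[] DUMMY_SALT = new byte[16];

    private final DataSource ds;

    public DbCredentialVerifier(DataSource ds) { this.ds = ds; }

    /** Returns true only if the user exists, is enabled and the password matches. */
    public boolean verify(String username, char[] password) throws SQLException {
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(LOOKUP)) {
            ps.setString(1, username);          // bound parameter, never concatenated into SQL
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    pbkdf2(password, DUMMY_SALT); // burn the same work, then reject
                    return false;
                }
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                byte[] stored = Base64.getDecoder().decode(rs.getString("pw_hash"));
                boolean enabled = rs.getBoolean("enabled");
                byte[] computed = pbkdf2(password, salt);
                // Constant-time comparison; evaluate both conditions before returning.
                boolean match = MessageDigest.isEqual(stored, computed);
                return match && enabled;
            }
        }
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}
```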


Re: Using a User Store different from LDAP to identify users

cannata g wrote:

>
> Hello everybody,
> I've developed a couple of authentication classes in Access Manager
> and I found the constraint of having to use an LDAP user store very limiting.
>
> I have to develop a class that checks the credentials against a table in
> a database. I have no LDAP user store at all. I find all the relevant
> information in the db. So I can correctly authenticate the user, but I
> can't "say" to the Identity Server that the user is also correctly
> identified. In the code I can create a new NIDPPrincipal object with a
> (null UserAuthority) setting its properties for the authenticated
> user. It works, but I still have to add a "fake" LDAP user store to be
> able to check the "identify user" option in the method definition in
> the Administration Console. And I presume that the Identity Server can
> become unstable because it cannot find the user in the user store.
>
> I've looked at the LDAP Plugin extension, trying to create a "wrapper"
> to the db, but the documented API is only about the LDAP definition
> and does not expose any interface to catch LDAP search or read (or
> whatever else the Identity Server may ask of the user store), so I
> guess that the LDAP access is hard-wired in the Identity Server code.
> This approach seems very strange because the modular architecture of
> the NAM solution could work very well with other types of user store
> than LDAP. I expected to find an interface to abstract the User
> Authority.
>
> Am I missing something, or is my reasoning wrong?


I'm probably not really the right person, but the way I see it is that
NAM supports LDAP user stores, therefore it kind of makes sense why the LDAP code
is so heavily embedded. Maybe log an enhancement request to see if JDBC
can be supported as an authentication mechanism.


--
Cheers,
Edward

Re: Using a User Store different from LDAP to identify users


Hello Edward,
I think you're right, the LDAP code is embedded in Access Manager. It
seems to me an arbitrary decision. I think that the User Authority doesn't
need to be mapped only to an LDAP store; it should be abstracted in an
interface so other developers could write their own implementation. Anyway,
it's made this way "by design", so we need to accept this.

Thanks,
Giovanni


--
cannata_g