Portlet Factory, Version 6.1.2

LDAPSelectionHandler

The LDAP Profile Selection Handler is used to select a profile for a user.

This handler matches the user's LDAP groups against the LDAP groups specified in a profile. The handler class calls the J2EE Servlet API method HttpServletRequest.getRemoteUser() to retrieve the authenticated user name. It then uses the LDAP configuration information from the handler definition file to connect to an LDAP server, retrieve the LDAP DN for that user name, and search for all LDAP groups that list that user DN as a member. The resulting list of the user's groups is compared against the LDAP groups previously applied to profiles in the profile set, and a profile is selected from the set. The definition file for this handler is in the following location.

J2EERoot/WEB-INF/conf/selection_handlers/ldapselectionhandler.xml

Here is sample content of the ldapselectionhandler definition file.

<Handler name="LDAP Group Based Selection Handler">
  <Description>Handler that maps a user authenticated via LDAP to a profile
  by using the user's LDAP Group membership as the segments associated with profiles.
  </Description>
  <Selection class="com.bowstreet.profiles.LDAPSelectionHandler">
    <Properties>
      <!-- Properties for connecting to the LDAP server -->
      <Property name="java.naming.provider.url">ldap://myldapserver:389</Property>
      <Property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</Property>
      <Property name="bowstreet.ldap.root">o=mycompany,c=us</Property>

      <!-- Properties for finding a user dn based on username -->
      <Property name="bowstreet.ldap.user.root">o=mycompany,c=us</Property>
      <Property name="bowstreet.ldap.user.objectClass">inetorgperson</Property>
      <Property name="bowstreet.ldap.user.namingAttribute">uid</Property>

      <!-- Properties for doing group membership searches -->
      <Property name="bowstreet.ldap.group.root">o=mycompany,c=us</Property>
      <Property name="bowstreet.ldap.group.objectClass">groupofuniquenames</Property>
      <Property name="bowstreet.ldap.group.memberAttribute">uniquemember</Property>

      <!-- Account used by the handler to authenticate to the server, to do the above lookups with -->
      <Property name="bowstreet.ldap.account.userdn">uid=myldapserveraccount,o=mycompany,c=us</Property>
      <!-- Obscured password for the above account -->
      <!-- Use "obscure mypassword" in WEB-INF/bin/ to obscure a cleartext password -->
      <Property name="bowstreet.ldap.account.userpassword">2Gj+pV4mC98BUWTUYfpiOm/KaFRpf3M=</Property>

      <!-- How long (in seconds) do we trust the list of groups we store in the user's session after lookup -->
      <Property name="bowstreet.ldap.cache.timeout">3600</Property>

    </Properties>
  </Selection>

  <SegmentList class="com.bowstreet.profiles.LDAPSelectionHandler">
    <Properties>
      <!-- Properties for connecting to the LDAP server -->
      <Property name="java.naming.provider.url">ldap://myldapserver:389</Property>
      <Property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</Property>
      <Property name="bowstreet.ldap.root">o=mycompany,c=us</Property>

      <!-- LDAP objectclass for groups, for retrieving a list of known groups in given container -->
      <Property name="bowstreet.ldap.group.root">o=mycompany,c=us</Property>
      <Property name="bowstreet.ldap.group.objectClass">groupofuniquenames</Property>

      <!-- Account used by the handler to authenticate to the server, to do the above lookups with -->
      <Property name="bowstreet.ldap.account.userdn">uid=myldapserveraccount,o=mycompany,c=us</Property>
      <!-- Obscured password for the above account -->
      <!-- Use "obscure mypassword" in WEB-INF/bin/ to obscure a cleartext password -->
      <Property name="bowstreet.ldap.account.userpassword">2Gj+pV4mC98BUWTUYfpiOm/KaFRpf3M=</Property>
    </Properties>
  </SegmentList>

</Handler>
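The following Java program is an added example, not Portlet Factory code, showing the same two-step lookup the handler performs with the property values from the sample definition file above: bind with the service account, resolve the authenticated user name to a DN under bowstreet.ldap.user.root, then search bowstreet.ldap.group.root for groups whose member attribute contains that DN, and finally match the groups against a profile-to-groups map. The class name LdapGroupLookup, the LDAP_ACCOUNT_PASSWORD environment variable (the cleartext password, since the page does not document the obscuring format), the profile map, and the "first matching profile wins" rule are assumptions; it needs a reachable LDAP server to run.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example of the handler's user-DN and group lookups; not part of Portlet Factory. */
public class LdapGroupLookup {

    // Connection and search settings copied from the sample definition file.
    static final String PROVIDER_URL = "ldap://myldapserver:389";
    static final String ACCOUNT_DN = "uid=myldapserveraccount,o=mycompany,c=us";
    static final String USER_ROOT = "o=mycompany,c=us";
    static final String USER_OBJECT_CLASS = "inetorgperson";
    static final String USER_NAMING_ATTR = "uid";
    static final String GROUP_ROOT = "o=mycompany,c=us";
    static final String GROUP_OBJECT_CLASS = "groupofuniquenames";
    static final String GROUP_MEMBER_ATTR = "uniquemember";

    /** Bind with the handler's service account (password supplied by the caller, never hard-coded). */
    static DirContext connect(String accountPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, ACCOUNT_DN);
        env.put(Context.SECURITY_CREDENTIALS, accountPassword);
        return new InitialDirContext(env);
    }

    /** Step 1: resolve the user name returned by getRemoteUser() to a single LDAP DN. */
    static String findUserDn(DirContext ctx, String username) throws NamingException {
        // {0} is substituted by JNDI, which escapes LDAP filter metacharacters in the user name.
        String filter = "(&(objectClass=" + USER_OBJECT_CLASS + ")(" + USER_NAMING_ATTR + "={0}))";
        NamingEnumeration<SearchResult> hits = ctx.search(USER_ROOT, filter, new Object[] { username }, subtree());
        try {
            if (!hits.hasMore()) {
                return null; // unknown user: no profile can be selected from group membership
            }
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) {
                throw new NamingException("user name is not unique under " + USER_ROOT + ": " + username);
            }
            return dn;
        } finally {
            hits.close();
        }
    }

    /** Step 2: collect the DN of every group whose member attribute lists the user's DN. */
    static List<String> findGroups(DirContext ctx, String userDn) throws NamingException {
        List<String> groups = new ArrayList<>();
        String filter = "(&(objectClass=" + GROUP_OBJECT_CLASS + ")(" + GROUP_MEMBER_ATTR + "={0}))";
        NamingEnumeration<SearchResult> hits = ctx.search(GROUP_ROOT, filter, new Object[] { userDn }, subtree());
        try {
            while (hits.hasMore()) {
                groups.add(hits.next().getNameInNamespace());
            }
        } finally {
            hits.close();
        }
        return groups;
    }

    /** Step 3: first profile (in map order) whose configured groups overlap the user's groups; assumed rule. */
    static String selectProfile(List<String> userGroups, Map<String, Set<String>> profileGroups) {
        for (Map.Entry<String, Set<String>> profile : profileGroups.entrySet()) {
            for (String group : userGroups) {
                if (profile.getValue().contains(group)) {
                    return profile.getKey();
                }
            }
        }
        return null; // no profile applies to this user's groups
    }

    private static SearchControls subtree() {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // only the entry DN is needed
        return sc;
    }

    public static void main(String[] args) throws NamingException {
        // Assumed: the cleartext service-account password is read from the environment.
        DirContext ctx = connect(System.getenv("LDAP_ACCOUNT_PASSWORD"));
        try {
            String dn = findUserDn(ctx, args[0]);
            List<String> groups = dn == null ? List.of() : findGroups(ctx, dn);
            Map<String, Set<String>> profiles = new LinkedHashMap<>(); // constructed sample mapping
            profiles.put("Manager", Set.of("cn=managers,o=mycompany,c=us"));
            profiles.put("Employee", Set.of("cn=staff,o=mycompany,c=us"));
            System.out.println(args[0] + " -> " + dn + " -> " + groups + " -> " + selectProfile(groups, profiles));
        } finally {
            ctx.close();
        }
    }
}
```

Run it as `java LdapGroupLookup <username>` with LDAP_ACCOUNT_PASSWORD set. Passing the user name and DN as search arguments rather than concatenating them into the filter string is the point worth copying: it keeps a user-supplied value from changing the filter's meaning. Group DNs are compared as plain strings here; directories may return them with different case or spacing than the profile configuration, so a production check should normalize both sides before comparing.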


Clearing LDAP information from the handler

In some situations, you might need to clear information cached by this handler. For example, if you dynamically change a user's group membership, you might want to remove the list of the user's groups that this handler caches in the user's session. You can clear the cached information with the following calls, which remove it from the session:

// Get the global data space for the user (the session by default)
WebAppData webAppData = webAppAccess.getWebAppData();
// Remove the cached List of groups the user is a member of.
webAppData.remove(LDAPSelectionHandler.LDAP_GROUPS_CACHE);

Note: LDAPSelectionHandler implements both the ProfileSelection and SegmentList interfaces so it is specified as the Selection class and the SegmentList class.

Note: The password properties are in an obscured format. Use the script obscure in WEB-INF/bin with a cleartext password argument to get an obscured version of that password suitable for storing as a password property in this configuration file. This prevents casual observation of the actual password value by bystanders when the file is open (for example, on an administrator's console for editing); it is not a substitute for restricting who can read the configuration file.

Parent topic: Using sample handlers
