[GeoNetwork-devel] Use of LDAP with geonetwork

Hi,

The planning shows an extension of functionality in V2.2 allowing
authentication against corporate LDAP. I have a few general questions on
this.

1. What will be the official LDAP support matrix? (Need support for Sun1
LDAP and Win AD?)

2. Is this planned as a pre or post install configuration?

3. Are there any plans to also use corporate LDAP as the authorisation
mechanism? Or possibly completely revert to using an LDAP as the data
store instead of an RDBMS?

Regards,
Kevin

------------------------------------------------------------------------
The information contained in this communication is for the use of the
individual or entity to whom it is addressed, and may contain
information which is the subject of legal privilege and/or copyright.
If you have received this communication in error, please notify the
sender by return E-Mail and delete the transmission, together with any
attachments, from your system. Thank you.
-------------------------------------------------------------------------

Hi Kevin,

Our LDAP authentication implementation will be a first step in using LDAP.
The implementation will be "simple" for now, just to accommodate some of FAO's
needs. The configuration will probably go in the config.xml file due to the
usual lack of money.

Anyway, any suggestion is welcome because we would like to provide an
implementation that can be used by other users. The Australian guys
made one but I'm still waiting for some code.

Cheers,
Andrea

Hi Andrea,

Ok, I'm one of the Australian guys, now here at AIMS, and we have come up
with a modified version of org.fao.geonet.services.login.Login which
uses the javax.naming.ldap.InitialLdapContext class to interact with
LDAP. This class will also allow you to perform all the standard LDAP
operations over a secure connection; currently we're just using it for a
trivial non-secure user password authentication. When Greg (the other
Australian guy you've been dealing with) gets back into the office I'll
have a chat to him about us providing this code; we were not aware you
wanted us to provide this code. I also need to check with AIMS (the org I
work for) on whether or not we're allowed to hand out this code. So I
will get back to you on that (but the extension is trivial).

Moving towards using LDAP will probably require going via the Jeeves
resource path, that is, somehow getting LDAP supported as a resource by the
Jeeves resource manager; I'm not sure that's so trivial. And the code
changes might be across much of the code; for example, all DB queries
would need to be changed to LDAP queries. Interesting work though; it might
be something AIMS is keen to do, but it's currently not a priority. Our
current priority is to get geonetwork working with a modified 19115
schema and set of style sheets for managing marine metadata. The focus
is such that we're still using V2.0.2 with some custom modifications.
I'm hoping we can upgrade but that's not in my control.

Our LDAP configuration is done via config.xml; a few mandatory params
have been added which enable the LDAP authentication and also provide
the required details such as the context factory, LDAP URL, etc. But
while doing this I did try to add encryption to the password in the
database, just using password key encryption with a salt and iterator,
but JDOM doesn't like it and crashes on character errors.

What modifications to the style sheets do you think are required to get
the password field into a CDATA section (or something like that to
ignore these chars)? I'm still coming up to speed on the XSLT work flow
and how the schemas tie in. Is there a general schema that defines the
XML for managing user account details and other geonetwork non-metadata
related objects? Or is this just ad-hoc XML produced by the Service
classes?

Any thoughts on getting the password encryption working would be great,
because then I can look at getting the LDAP password synchronised with
the RDBMS password. Perhaps you can shed some light on what was done or
is planned for V2.2, because I need to get this working in V2.0.2.

Forgive me if these questions seem trivial or I described something
incorrectly; I've only been working with the product for 3 weeks now.

Thanks,
Kevin
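As an added example that is not Kevin's code and not part of GeoNetwork or Jeeves, here is a minimal simple-bind authenticator built on javax.naming.ldap.InitialLdapContext, the class named above. The parameter names (contextFactory, ldapUrl, baseDn, uidAttribute) are assumptions standing in for whatever the config.xml entries are called, and the example.org directory layout is constructed. It adds two checks a bare bind easily misses: it rejects empty passwords, because a simple bind with an empty password is an unauthenticated bind that many directories accept, and it escapes the username before building the DN so a crafted login name cannot change which entry the bind targets.

```java
// Added example (not GeoNetwork/Jeeves code): authenticate a user by an LDAP
// simple bind through javax.naming.ldap.InitialLdapContext. Parameter names
// (contextFactory, ldapUrl, baseDn, uidAttribute) are assumptions standing in
// for the config.xml entries.
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.Rdn;

public final class LdapBindAuthenticator {

    private final String contextFactory; // e.g. com.sun.jndi.ldap.LdapCtxFactory
    private final String ldapUrl;        // ldaps:// so the password is not sent in clear
    private final String baseDn;         // subtree holding the user entries
    private final String uidAttribute;   // naming attribute of a user entry (uid, cn, ...)

    public LdapBindAuthenticator(String contextFactory, String ldapUrl,
                                 String baseDn, String uidAttribute) {
        this.contextFactory = contextFactory;
        this.ldapUrl = ldapUrl;
        this.baseDn = baseDn;
        this.uidAttribute = uidAttribute;
    }

    /** Returns true only if the directory accepted a simple bind as this user. */
    public boolean authenticate(String username, String password) {
        if (username == null || username.length() == 0
                || password == null || password.length() == 0) {
            // A simple bind with an empty password is an unauthenticated bind,
            // which many directories accept; it must never count as a login.
            return false;
        }

        // Escape RDN special characters (',', '+', '=', '"', '<', '>', ';', ...)
        // so a crafted username cannot alter the DN that is bound.
        String userDn = uidAttribute + "=" + Rdn.escapeValue(username) + "," + baseDn;

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        LdapContext ctx = null;
        try {
            // The bind happens inside the constructor; reaching the next line
            // means the directory verified the credentials.
            ctx = new InitialLdapContext(env, null);
            return true;
        } catch (AuthenticationException e) {
            return false;   // wrong password or unknown user
        } catch (NamingException e) {
            return false;   // unreachable server, TLS or configuration problem: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; in practice these come from config.xml.
        LdapBindAuthenticator auth = new LdapBindAuthenticator(
                "com.sun.jndi.ldap.LdapCtxFactory",
                "ldaps://ldap.example.org:636",
                "ou=people,dc=example,dc=org",
                "uid");
        String user = args.length > 0 ? args[0] : "jdoe";
        String pass = args.length > 1 ? args[1] : "";
        System.out.println("login " + (auth.authenticate(user, pass) ? "accepted" : "rejected"));
    }
}
```

With a plain ldap:// provider URL the simple bind sends the password unencrypted over the wire, so an ldaps:// URL (or StartTLS) belongs in the configuration before this is used for anything beyond testing.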

-----Original Message-----
From: Andrea Carboni [mailto:acarboni@anonymised.com]
Sent: Wednesday, 23 May 2007 01:36 AM
To: geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] Use of LDAP with geonetwork

> Hi Kevin,
>
> Our LDAP authentication implementation will be a first step in using LDAP.
> The implementation will be "simple" for now, just to accommodate some of FAO's
> needs. The configuration will probably go in the config.xml file due to the
> usual lack of money.
>
> Anyway, any suggestion is welcome because we would like to provide an
> implementation that can be used by other users. The Australian guys
> made one but I'm still waiting for some code.
>
> Cheers,
> Andrea

Hi,

The planning shows an extension of functionality in V2.2 allowing
authentication against corporate LDAP. I have a few general questions

on

this.

1. What will be the official LDAP support matrix? (Need support for

Sun1

LDAP and Win AD?)

2. Is this planned as a pre or post install configuration?

3. Are there any plans to also use corporate LDAP as the authorisation
mechanism? Or possibly completely revert to using an LDAP as the data
store instead of an RDBMS?

Regards,
Kevin

------------------------------------------------------------------------
The information contained in this communication is for the use of the
individual or entity to whom it is addressed, and may contain
information which is the subject of legal privilege and/or copyright.
If you have received this communication in error, please notify the
sender by return E-Mail and delete the transmission, together with any
attachments, from your system. Thank you.
-------------------------------------------------------------------------

Hi Kevin,

> Hi Andrea,
>
> Ok, I'm one of the Australian guys, now here at AIMS, and we have come up
> with a modified version of org.fao.geonet.services.login.Login which
> uses the javax.naming.ldap.InitialLdapContext class to interact with
> LDAP. This class will also allow you to perform all the standard LDAP
> operations over a secure connection; currently we're just using it for a
> trivial non-secure user password authentication. When Greg (the other
> Australian guy you've been dealing with) gets back into the office I'll
> have a chat to him about us providing this code; we were not aware you
> wanted us to provide this code. I also need to check with AIMS (the org I
> work for) on whether or not we're allowed to hand out this code. So I
> will get back to you on that (but the extension is trivial).

Ok. To accept the code it should be released under the GPLv2 license.

> Moving towards using LDAP will probably require going via the Jeeves
> resource path, that is, somehow getting LDAP supported as a resource by the
> Jeeves resource manager; I'm not sure that's so trivial. And the code
> changes might be across much of the code; for example, all DB queries
> would need to be changed to LDAP queries. Interesting work though; it might
> be something AIMS is keen to do, but it's currently not a priority. Our
> current priority is to get geonetwork working with a modified 19115
> schema and set of style sheets for managing marine metadata. The focus
> is such that we're still using V2.0.2 with some custom modifications.
> I'm hoping we can upgrade but that's not in my control.

I did not address the LDAP implementation yet, but it should regard only
geonetwork, not Jeeves. Jeeves should receive a username/password
couple from LDAP or normal user authentication. Do you propose to
use Jeeves' resources?

I have already added password encryption for geonetwork's users. Have a
look at Jeeves (method Util.scramble) to find an encryption method.

> Our LDAP configuration is done via config.xml; a few mandatory params
> have been added which enable the LDAP authentication and also provide
> the required details such as the context factory, LDAP URL, etc. But
> while doing this I did try to add encryption to the password in the
> database, just using password key encryption with a salt and iterator,
> but JDOM doesn't like it and crashes on character errors.

Do you want to encrypt passwords in the config.xml file for the database
account?

> What modifications to the style sheets do you think are required to get
> the password field into a CDATA section (or something like that to
> ignore these chars)? I'm still coming up to speed on the XSLT work flow
> and how the schemas tie in. Is there a general schema that defines the
> XML for managing user account details and other geonetwork non-metadata
> related objects? Or is this just ad-hoc XML produced by the Service
> classes?
>
> Any thoughts on getting the password encryption working would be great,
> because then I can look at getting the LDAP password synchronised with
> the RDBMS password. Perhaps you can shed some light on what was done or
> is planned for V2.2, because I need to get this working in V2.0.2.
>
> Thanks,
> Kevin

It is still not clear to me if you want to encrypt users' passwords or the db
account in config.xml. For users it is already done; for the config.xml it is a bit
harder: you should use a tool to scramble the password, get the scrambled
text and put it into the config.xml file. Jeeves should then de-scramble the
password. This could be a viable solution.

Cheers,
Andrea