OFBiz privileges management with LDAP


OFBiz privileges management with LDAP

stewie
Hi.

I am working on a project which is using OFBiz as a framework.
I have already found some information about integrating OFBiz with CAS and
LDAP.
But the only information I found is about performing authentication.
Unfortunately, I need more advanced functionality. The concept is to keep
all privilege rules on a central server working with LDAP, independently of
the OFBiz database. For example, when a user logs in and wants to show/modify
some of his project tasks, he can only see the data that he is allowed to by
some rules stored on an external server.
Are there any solutions to this problem already present, or do I have to
implement all of this on my own?

Thank you for your time.


Re: OFBiz privileges management with LDAP

BJ Freeman
There has been a lot of discussion on both the Dev and User mailing lists
over the years. Researching the archives or googling "ofbiz LDAP" should get
you them.
You can review the code in specialpurpose/ldap.
It is compiled but not loaded.

stewie sent the following on 9/13/2011 12:19 AM:

> Hi.
>
> I am working on a project which is using OFBiz as a framework.
> I have already found some information about integrating OFBiz with CAS and
> LDAP.
> But the only information I found is about performing authentication.
> Unfortunately, I need more advanced functionality. The concept is to keep
> all privilege rules on a central server working with LDAP, independently of
> the OFBiz database. For example, when a user logs in and wants to show/modify
> some of his project tasks, he can only see the data that he is allowed to by
> some rules stored on an external server.
> Are there any solutions to this problem already present, or do I have to
> implement all of this on my own?
>
> Thank you for your time.

Re: OFBiz privileges management with LDAP

Adrian Crum-3
In reply to this post by stewie
CAS/LDAP is only used for authentication, not for authorization.

-Adrian

On 9/13/2011 8:19 AM, stewie wrote:

> Hi.
>
> I am working on a project which is using OFBiz as a framework.
> I have already found some information about integrating OFBiz with CAS and
> LDAP.
> But the only information I found is about performing authentication.
> Unfortunately, I need more advanced functionality. The concept is to keep
> all privilege rules on a central server working with LDAP, independently of
> the OFBiz database. For example, when a user logs in and wants to show/modify
> some of his project tasks, he can only see the data that he is allowed to by
> some rules stored on an external server.
> Are there any solutions to this problem already present, or do I have to
> implement all of this on my own?
>
> Thank you for your time.

Re: OFBiz privileges management with LDAP

Jacques Le Roux
Administrator
For authorization you need to use OFBiz permissions: https://cwiki.apache.org/confluence/display/OFBTECH/OFBiz+security

Jacques

From: "Adrian Crum" <[hidden email]>

> CAS/LDAP is only used for authentication, not for authorization.
>
> -Adrian
>
> On 9/13/2011 8:19 AM, stewie wrote:
>> Hi.
>>
>> I am working on a project which is using OFBiz as a framework.
>> I have already found some information about integrating OFBiz with CAS and
>> LDAP.
>> But the only information I found is about performing authentication.
>> Unfortunately, I need more advanced functionality. The concept is to keep
>> all privilege rules on a central server working with LDAP, independently of
>> the OFBiz database. For example, when a user logs in and wants to show/modify
>> some of his project tasks, he can only see the data that he is allowed to by
>> some rules stored on an external server.
>> Are there any solutions to this problem already present, or do I have to
>> implement all of this on my own?
>>
>> Thank you for your time.


Re: OFBiz privileges management with LDAP

stewie
In reply to this post by Adrian Crum-3
On 13 September 2011 10:59 Adrian Crum <[hidden email]> wrote:

> CAS/LDAP is only used for authentication, not for authorization.

I was afraid that the answer would be like that.
I have already noticed that OFBiz has a pretty complex privilege management of its own, storing rules in its database.
I am wondering now if it would be hard to rewrite this part of OFBiz and force it to use LDAP, or whether the better idea is to start from scratch and build my own module.

Re: OFBiz privileges management with LDAP

stewie
In reply to this post by Jacques Le Roux
On 13 September 2011 11:11 "Jacques Le Roux" <[hidden email]> wrote:

> For authorization you need to use OFBiz permissions: https://cwiki.apache.org/confluence/display/OFBTECH/OFBiz+security

I know that and I find it pretty useful, but unfortunately my client's requirement is to use an external LDAP server for privilege management, so I have to find a solution to reconstruct this part of OFBiz. For now I don't have a clear vision.
Anyway, thanks for the link.
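The split the thread describes, LDAP for authentication and a separate permission layer for authorization, is illustrated below with an added example that is not code from the thread, from OFBiz or from the specialpurpose/ldap component. It parses a constructed LDIF stand-in for what an LDAP search of a user entry would return, derives OFBiz-style permission names from the user's group membership, and answers the same two questions OFBiz's permission checks answer (a named permission, and an entity/action pair). The group names, the `GROUP_PERMISSIONS` mapping, the `PROJECTMGR_*` permission names and the convention that `ENTITY_ADMIN` implies every action on the entity are assumptions made for the example; the mapping table is the part that would have to live in configuration if the rules were to be kept outside the OFBiz database.

```python
"""Resolve OFBiz-style permissions from LDAP group membership.

Added example. Authentication (the LDAP bind) is assumed to have already
succeeded; nothing here grants access just because a bind worked.
"""

# Constructed LDIF: three users, one in a viewer group, one in both an
# admin and a viewer group, one in no group at all.
SAMPLE_LDIF = """\
dn: uid=stewie,ou=people,dc=example,dc=com
uid: stewie
memberOf: cn=project-viewers,ou=groups,dc=example,dc=com

dn: uid=admin1,ou=people,dc=example,dc=com
uid: admin1
memberOf: cn=project-admins,ou=groups,dc=example,dc=com
memberOf: cn=project-viewers,ou=groups,dc=example,dc=com

dn: uid=guest,ou=people,dc=example,dc=com
uid: guest
"""

# Assumed mapping from LDAP group CN to OFBiz permission names. This is
# the piece of configuration that replaces rows in the OFBiz database.
GROUP_PERMISSIONS = {
    "project-viewers": {"PROJECTMGR_VIEW"},
    "project-admins": {"PROJECTMGR_ADMIN"},
}


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attribute: [values]}}.

    Attribute names are lower-cased because LDAP treats them
    case-insensitively. Folded lines (leading space) are re-joined and
    '#' comment lines are skipped; base64 ('::') values are not handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        else:
            lines.append(raw)

    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[current["dn"]] = current["attrs"]
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    return entries


def group_cns(entry):
    """CN of every group DN listed in the entry's memberOf attribute."""
    cns = set()
    for dn in entry.get("memberof", []):
        first_rdn = dn.split(",", 1)[0]
        key, _, val = first_rdn.partition("=")
        if key.strip().lower() == "cn":
            cns.add(val.strip())
    return cns


def permissions_for(directory, uid):
    """Permissions granted to uid, derived only from group membership.

    Unknown users and users in unmapped groups get the empty set, so the
    default is deny.
    """
    for attrs in directory.values():
        if uid in attrs.get("uid", []):
            perms = set()
            for cn in group_cns(attrs):
                perms |= GROUP_PERMISSIONS.get(cn, set())
            return perms
    return set()


def has_permission(perms, permission):
    """Equivalent of a named-permission check."""
    return permission in perms


def has_entity_permission(perms, entity, action):
    """Entity/action check. Assumed convention: ENTITY_ADMIN covers every
    action on the entity, otherwise the exact ENTITY_ACTION is required."""
    return f"{entity}_ADMIN" in perms or f"{entity}_{action}" in perms


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for uid in ("stewie", "admin1", "guest", "nobody"):
        perms = permissions_for(directory, uid)
        print(uid, sorted(perms),
              "view:", has_entity_permission(perms, "PROJECTMGR", "VIEW"),
              "update:", has_entity_permission(perms, "PROJECTMGR", "UPDATE"))
```

With the constructed data, `stewie` can view but not update project tasks, `admin1` can do both through the admin permission, and `guest` (authenticated, but in no mapped group) can do neither. Keeping the group-to-permission mapping small and explicit is what makes the externalized rules reviewable.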

Re: OFBiz privileges management with LDAP

Adrian Crum-3
In reply to this post by stewie
A rewrite has been proposed:

https://cwiki.apache.org/confluence/display/OFBTECH/OFBiz+Security+Redesign

and a repository branch was created to implement and demonstrate it:

https://svn.apache.org/repos/asf/ofbiz/branches/executioncontext20091231

-Adrian

On 9/13/2011 10:15 AM, andromeda wrote:
> On 13 September 2011 10:59 Adrian Crum <[hidden email]> wrote:
>
>> CAS/LDAP is only used for authentication, not for authorization.
> I was afraid that the answer would be like that.
> I have already noticed that OFBiz has a pretty complex privilege management of its own, storing rules in its database.
> I am wondering now if it would be hard to rewrite this part of OFBiz and force it to use LDAP, or whether the better idea is to start from scratch and build my own module.