Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Shibboleth Authentication
10-05-2010, 11:27 PM,
#1
Shibboleth Authentication
Hi

i am implementing shibboleth authentication into letoDMS and have some general questions so that i know how to go on. see http://shibboleth.internet2.edu/ for more information about shibboleth.

shibboleth is an single-sign-on system used at a lot of academic institutions. the shibboleth daemon is running on the webserver and if a directory/location is protected by it, then the webserver will set the attribute received by the shibboleth for the user into the $_SERVER variable. this includes a uniqueID (similiar to a username) and additional information e.g. first name, last name, email-address etc.

in contrast to the normal authentication and LDAP, where the user has to enter his credentials on the letoDMS site, the user is already authenticated when he gets to the letoDMS site.

as there is no plugin-structure for letoDMS i have implemented the login into the normal op.Login.php file. the best way would be to move all the authentication/authorization logic into a separate file for each auth-mechanism. for the moment its fine with me... would be perhaps a nicer solution in the future. i have added a "_authType" setting in the settings file so that could be used to distinguish between which auth mechanism has to be used.

as i would like to implement also the groups retrieved by shibboleth and i would like to have for every group a separate environment where they have their own "root" folder and can do inside it whatever they want. (finally the different groups shouldn't see each other...). is that possible with the current implementation? as i haven't found any specific option for that (to set a root folder for a group or user?, everybody just starts at "DMS"?)

thanks for this great piece of software and your help is appreciated :-)
KoS

ps.: i'll post my code as soon as i'm a little bit further.
Reply
10-06-2010, 03:45 PM, (This post was last modified: 10-06-2010, 03:47 PM by matteo lucarelli.)
#2
RE: Shibboleth Authentication
Hi KoS,
be sure to work on the last (2.0.1) release.
You're welcome to ask if you have some doubt about the coding.

Matteo
Reply
10-06-2010, 04:59 PM,
#3
RE: Shibboleth Authentication
Hi Matteo

yes i'm working on the 2.0.1 release.

i have different groups with users. the groups are NOT overlapping. i would like to have the users to see only the files of their own group and nothing else. but as i read in the forum, it's not possible to do that with different "root" directories, is that right? what would be the right way to go?

i think i would just use different instances of the letoDMS for each group one... (and use a shared codebase, that should work as far as i see).

KoS
Reply
10-07-2010, 06:56 PM,
#4
RE: Shibboleth Authentication
Yes, you CAN have folders visible only to a group, and to a user, and..the file permission system gives you far more than this possibilty.

What's the problem?
Reply
10-07-2010, 08:21 PM,
#5
RE: Shibboleth Authentication
(10-07-2010, 06:56 PM)matteo lucarelli Wrote: Yes, you CAN have folders visible only to a group, and to a user, and..the file permission system gives you far more than this possibilty.

ups sorry, i was not to precise. yes i see the options with the permissions etc.

but as far as i can see, for every user (or group of users) they share the same environment. even if the folders/files are no accessible (or visible), they still share the same namespace, right?

if user A logs in, he sees only his folder/files (and the root is the "DMS" folder?). if he creates a folder "myfolder" and then a user B logs in, which is completely independent of user A. if this user B tries to create also a folder called "myfolder" then this won't work if i understand it right?

i need for every group a completely independent environment, so i think the best solution is just to create dynamically for every group a new letoDMS instance? (so they don't share any information and can not access each other, in NO way).

KoS
Reply
10-11-2010, 05:00 PM,
#6
RE: Shibboleth Authentication
Currently there are no limitation about folder/files sharing the same name. That's because the system refer to files and folders using different IDs. The showed name is simply a string in the DB. Try it.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)

Contact Us | LetoDMS Community Forum | Return to Top | | Lite (Archive) Mode | RSS Syndication