Custom Adapters
Added by Endi S. Dewata, last edited by Endi S. Dewata on Feb 09, 2006  (view change)


Introduction

Many applications support using LDAP for authentication and authorization. The Apache HTTP server is an example of such an application; see http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html. You can use Penrose as an LDAP server to delegate these functions to your own data source.

Currently Penrose only supports adapters for databases and LDAP servers. It is possible to write custom adapters to support other data sources (e.g. web services, stored procedures). However, since the application expects Penrose to behave as an LDAP server, there will be some restrictions on what such an adapter must provide.

Authentication

When a user logs in to the application with a user ID and credentials (e.g. username and password), the application first tries to authenticate the user. Depending on your application, there are several methods to perform authentication:

  1. Search only: The application will search for the user's info (including the password) based on the given user ID, then compare the credentials internally in the application.
  2. Bind only: The application will map the user ID to a DN, then perform the bind operation with the supplied credentials.
  3. Search & bind: The application will search for all possible users matching the given user ID, then perform a bind operation for the matching entries using the supplied password.

Since Penrose will delegate these operations to the underlying data source through an adapter, either the adapter or the data source must support the operations required by the method you select.

The search operation must accept a search filter (e.g. on the username) and return all users (including their info) matching the filter.

The bind operation must accept a user ID and credentials and return true or false.

See also Adapter API.

Authorization

Once a user is authenticated, the application will try to find out which groups the user belongs to or which roles the user is authorized for. Depending on your application, there are several methods to perform authorization:

  1. Authenticated user: All authenticated users are authorized.
  2. User list: All users included in the list are authorized.
  3. Group list: The application will search for all groups to which the user belongs. If at least one of those groups matches the group list, then the user is authorized.
  4. Attribute comparison: The application will check the user's attribute against the specified value. If they match, then the user is authorized.

The first two methods are performed internally in the application. The remaining methods require Penrose to support some operations.

In method #3, the search operation must accept the user ID and return a list of groups where the user is a member.

In method #4, depending on the application, the comparison could be done either as a search operation or as a compare operation. The search operation here is the same as the one used earlier in the authentication phase. The compare operation must accept the user ID together with the attribute name and value to be compared, and return true if they match.
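The following is an added example, not code from the Penrose project, showing the four operations described in the Authentication and Authorization sections above (search, bind, group search and compare) implemented by a hypothetical custom adapter over an in-memory data source. The class name InMemoryAdapter, the method names and the sample users and groups are all constructed for this illustration; the real Penrose Adapter API (see the Adapter API page) defines its own signatures, and this is written in Python rather than Java purely so the logic is easy to read. Two defender-side details are built in that the text above only implies: bind rejects an empty credential (an LDAP simple bind with an empty password is an anonymous bind, not a login), and search results never include the stored credential, so this adapter supports the bind-only and search-and-bind methods; a search-only application would additionally need a hash it can verify itself.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical adapter modelled on the operations listed on this page.
# It is NOT the Penrose Adapter API; only the required behaviour is shown.


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the data source never holds a clear-text credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(uid: str, password: str, **attrs: str) -> Dict[str, object]:
    salt = os.urandom(16)
    entry: Dict[str, object] = {"uid": uid, "salt": salt,
                                "passwordHash": _hash_password(password, salt)}
    entry.update(attrs)
    return entry


# Constructed sample data standing in for an external data source
# (e.g. a web service or stored procedure) sitting behind the adapter.
USERS = [
    _make_user("alice", "correct horse", cn="Alice Example", department="security"),
    _make_user("bob", "battery staple", cn="Bob Example", department="finance"),
]
GROUPS = {
    "admins": {"alice"},
    "staff": {"alice", "bob"},
}

_SECRET_ATTRS = ("salt", "passwordHash")


class InMemoryAdapter:
    """Custom adapter exposing the operations an LDAP-using application needs."""

    def __init__(self, users: List[Dict[str, object]], groups: Dict[str, set]):
        self._users = {str(u["uid"]): u for u in users}
        self._groups = groups

    def _public(self, entry: Dict[str, object]) -> Dict[str, object]:
        # Credential material stays inside the adapter; only bind() uses it.
        return {k: v for k, v in entry.items() if k not in _SECRET_ATTRS}

    def search(self, criteria: Dict[str, str]) -> List[Dict[str, object]]:
        """Equality filter, e.g. {"uid": "alice"}; returns all matching users."""
        return [self._public(u) for u in self._users.values()
                if all(u.get(k) == v for k, v in criteria.items())]

    def bind(self, user_id: str, credentials: str) -> bool:
        """True only if the user exists and the credential verifies."""
        user = self._users.get(user_id)
        # An empty password must fail here: on a real LDAP server a simple
        # bind with no password is an anonymous bind and would "succeed".
        if user is None or not credentials:
            return False
        actual = _hash_password(credentials, user["salt"])
        return hmac.compare_digest(user["passwordHash"], actual)

    def search_groups(self, user_id: str) -> List[str]:
        """Groups in which the user is a member (authorization method #3)."""
        return sorted(g for g, members in self._groups.items() if user_id in members)

    def compare(self, user_id: str, attribute: str, value: str) -> bool:
        """Attribute comparison (authorization method #4)."""
        user = self._users.get(user_id)
        # Never let a compare probe the credential fields.
        if user is None or attribute in _SECRET_ATTRS:
            return False
        return user.get(attribute) == value


def authenticate_search_and_bind(adapter: InMemoryAdapter, user_id: str,
                                 credentials: str) -> Optional[str]:
    """Authentication method #3: search for candidates, then bind each one.
    Returns the uid that bound successfully, or None."""
    for candidate in adapter.search({"uid": user_id}):
        if adapter.bind(str(candidate["uid"]), credentials):
            return str(candidate["uid"])
    return None


def is_authorized_by_group(adapter: InMemoryAdapter, user_id: str,
                           allowed_groups: List[str]) -> bool:
    """Authorization method #3: any overlap with the configured group list."""
    return bool(set(adapter.search_groups(user_id)) & set(allowed_groups))


if __name__ == "__main__":
    adapter = InMemoryAdapter(USERS, GROUPS)
    who = authenticate_search_and_bind(adapter, "alice", "correct horse")
    print("authenticated as:", who)
    print("admin?", is_authorized_by_group(adapter, who, ["admins"]))
    print("in finance?", adapter.compare("bob", "department", "finance"))
```

The hash comparison uses hmac.compare_digest so the bind does not leak how many bytes of the hash matched; the early return for an unknown user is a deliberate simplification and, if user enumeration by timing matters in your deployment, the adapter should hash a dummy value on that path too.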

See also Adapter API.
