[SAC] Fw: [GeoNetwork-devel] LDAP planning: a sample implementation?

Jo Walsh jo at frot.org
Sat Mar 10 16:00:37 EST 2007

this LDAP+geonetwork hookup sounds exciting, i would be interested in
trying it out at some more restful time, connecting the OSGeo LDAP to
the geonetwork installation at telascience so people can... er
contribute geodata ... 

----- Forwarded message from Simon Pigot <p76corty at tpg.com.au> -----

Date: Sat, 10 Mar 2007 13:33:19 +1100
From: Simon Pigot <p76corty at tpg.com.au>
To: geonetwork-devel at lists.sourceforge.net

Hi Everyone,

We've implemented an OpenLDAP solution with geonetwork 2.0.2/3 that 
might be of interest to the community.

The basics are:

1. Uses the intrinsic JNDI interface
2. Integrates existing directories into a specific geonetwork directory:

    - using an OU or organizationalUnit with children that are referrals 
to existing LDAP directories for authentication (can be any number)

eg. ou=authentication in our geonetwork directory has three referrals to 
remote ldap servers:

- ou=adpeople (active directory people) slurped from Windows domain A/D
- ou=extpeople (external people)
- ou=ftp (people from our ftp server)

3. Admin overhead is removed by authenticating against each child of 
ou=authentication and then adding users from those existing LDAP 
directories to an ou=geonetworkusers and groups in ou=geonetworkgroups. 

- new user to a child ou of ou=geonetworkusers eg. a user geoff 
authenticated against ou=adpeople would be added as 
uid=geoff,ou=adpeople,ou=geonetworkusers,..... - given a profile of 
RegisteredUser and a generated userid

- a group representing the ou they logged in from is created if not 
present and/or the user is added as a member

- an invisible group with just the new user as the only member for use 
when creating new metadata records

4. I've removed the user admin interface (coz ldap users do these kinds 
of things elsewhere and we don't need the userPassword field in the 
geonetwork directory) and changed the groups interface to just a show 
and list (still need to add a group mod interface)

5. You can have a group as a member of a group eg. my registeredusers 
group has three group members: adpeople, extpeople and ftp

6. ldap replaces users, groups and usergroups tables in geonetwork 
database implementation - rest of the geonetwork db implementation 
remains the same

It's kind of a minimalist approach but it works well and draws on some 
of the strengths of the ldap hierarchy. But I think the lack of an admin 
overhead is helpful - the geonetwork user and group stuff is built from 
existing directories.

Anyways its a suggestion about how an LDAP implementation could be done. 
I did add some simple schema objectclasses (geonetworkUser and 
geonetworkGroup) which use built in ldap attributes (eg uidNumber and 
gidNumber) and use OIDs from the experimental range.


Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
GeoNetwork-devel mailing list
GeoNetwork-devel at lists.sourceforge.net
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork

----- End forwarded message -----


More information about the Sac mailing list