[SAC] Fw: [GeoNetwork-devel] LDAP planning: a sample implementation?

John Graham johng at telascience.org
Sat Mar 10 18:55:41 EST 2007


This sounds great .. I will upgrade my geonetwork install


Jo Walsh wrote:
> this LDAP+geonetwork hookup sounds exciting, i would be interested in
> trying it out at some more restful time, connecting the OSGeo LDAP to
> the geonetwork installation at telascience so people can... er
> contribute geodata ... 
> ----- Forwarded message from Simon Pigot <p76corty at tpg.com.au> -----
> Date: Sat, 10 Mar 2007 13:33:19 +1100
> From: Simon Pigot <p76corty at tpg.com.au>
> To: geonetwork-devel at lists.sourceforge.net
> Hi Everyone,
> We've implemented an OpenLDAP solution with geonetwork 2.0.2/3 that 
> might be of interest to the community.
> The basics are:
> 1. Uses the intrinsic JNDI interface
> 2. Integrates existing directories into a specific geonetwork directory:
>     - using an OU or organizationalUnit with children that are referrals 
> to existing LDAP directories for authentication (can be any number)
> eg. ou=authentication in our geonetwork directory has three referrals to 
> remote ldap servers:
> - ou=adpeople (active directory people) slurped from Windows domain A/D
> - ou=extpeople (external people)
> - ou=ftp (people from our ftp server)
> 3. Admin overhead is removed by authenticating against each child of 
> ou=authentication and then adding users from those existing LDAP 
> directories to an ou=geonetworkusers and groups in ou=geonetworkgroups. 
> Specifically:
> - new user to a child ou of ou=geonetworkusers eg. a user geoff 
> authenticated against ou=adpeople would be added as 
> uid=geoff,ou=adpeople,ou=geonetworkusers,..... - given a profile of 
> RegisteredUser and a generated userid
> - a group representing the ou they logged in from is created if not 
> present and/or the user is added as a member
> - an invisible group with just the new user as the only member for use 
> when creating new metadata records
> 4. I've removed the user admin interface (coz ldap users do these kinds 
> of things elsewhere and we don't need the userPassword field in the 
> geonetwork directory) and changed the groups interface to just a show 
> and list (still need to add a group mod interface)
> 5. You can have a group as a member of a group eg. my registeredusers 
> group has three group members: adpeople, extpeople and ftp
> 6. ldap replaces users, groups and usergroups tables in geonetwork 
> database implementation - rest of the geonetwork db implementation 
> remains the same
> It's kind of a minimalist approach but it works well and draws on some 
> of the strengths of the ldap hierarchy. But I think the lack of an admin 
> overhead is helpful - the geonetwork user and group stuff is built from 
> existing directories.
> Anyways it's a suggestion about how an LDAP implementation could be done. 
> I did add some simple schema objectclasses (geonetworkUser and 
> geonetworkGroup) which use built in ldap attributes (eg uidNumber and 
> gidNumber) and use OIDs from the experimental range.
> Cheers,
> Simon
> _______________________________________________
> GeoNetwork-devel mailing list
> GeoNetwork-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
> GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork
> ----- End forwarded message -----
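The provisioning flow from step 3 and the group-of-groups membership from step 5, as an added in-memory simulation (not code from GeoNetwork or from Simon's implementation). The base DN, the `profile` and `visible` attributes, and the `user-<uid>` naming of the invisible group are assumptions; the post does not give them.

```python
from dataclasses import dataclass, field

BASE = "dc=example,dc=org"  # assumed base DN; the post elides it as "....."


def group_dn(cn: str) -> str:
    return f"cn={cn},ou=geonetworkgroups,{BASE}"


@dataclass
class Directory:
    users: dict = field(default_factory=dict)   # user DN -> geonetworkUser attrs
    groups: dict = field(default_factory=dict)  # group cn -> geonetworkGroup attrs
    next_uid: int = 1000                        # generated uidNumber (step 3)
    next_gid: int = 5000                        # generated gidNumber

    def ensure_group(self, cn: str, visible: bool = True) -> dict:
        """Create the group if absent; 'visible' is an assumed attribute."""
        if cn not in self.groups:
            self.groups[cn] = {"objectClass": ["geonetworkGroup"], "cn": cn,
                               "gidNumber": self.next_gid, "visible": visible,
                               "member": set()}
            self.next_gid += 1
        return self.groups[cn]

    def add_member(self, cn: str, member_dn: str) -> None:
        # member_dn may be a user DN or another group's DN (step 5)
        self.ensure_group(cn)["member"].add(member_dn)

    def provision(self, uid: str, auth_ou: str) -> str:
        """Run after a successful bind against ou=<auth_ou>,ou=authentication:
        add the user under ou=geonetworkusers with a generated uidNumber and
        the RegisteredUser profile, add them to the group named after their
        ou (created if absent), and create the invisible one-member group
        used when they create metadata records. Safe to call repeatedly."""
        dn = f"uid={uid},ou={auth_ou},ou=geonetworkusers,{BASE}"
        if dn not in self.users:
            self.users[dn] = {"objectClass": ["geonetworkUser"], "uid": uid,
                              "uidNumber": self.next_uid,
                              "profile": "RegisteredUser"}
            self.next_uid += 1
        self.add_member(auth_ou, dn)
        self.ensure_group(f"user-{uid}", visible=False)["member"] = {dn}
        return dn

    def effective_groups(self, dn: str) -> set:
        """Transitive membership: a group can be a member of a group, so
        walk parents until no new group appears (terminates on cycles)."""
        found, frontier = set(), {dn}
        while frontier:
            parents = {cn for cn, g in self.groups.items()
                       if g["member"] & frontier} - found
            found |= parents
            frontier = {group_dn(cn) for cn in parents}
        return found
```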
