AnA04S06LdapAuthentication
TWiki > LibrePlan Web > AnA04S06LdapAuthentication (20 Aug 2012, ManuelRego)
Story summary | LDAP Authentication |
---|---|
Iteration | AnA04Architecture |
FEA | AnA04S06LdapAuthentication |
Story Lead | |
Next Story | |
Passed acceptance test | No |
Activity diagram with the final LDAP authentication process description (attached below as Activity_Diagram_LDAP_Authentication.png):
This task consists of configuring the Spring Security framework so that it is able to authenticate against the LDAP server.
LDAP is used for authentication, but the LibrePlan user information in the database is used too. So a User object must exist in the LibrePlan database with the login that the user enters in the interface. At this first step:
- If the authentication with LDAP fails => The user is not allowed to enter the application.
- If the authentication with LDAP succeeds but there is no user in LibrePlan with the same login => The user is not allowed to enter the application.
In this first step the configuration is set in the Spring XML files and is therefore fixed by the user before compiling the program.
This task consists of developing an interface in ZK that allows the LDAP connection to be configured at runtime.
The features of the interface will be the following:
- It will be placed in the Configuration window, reachable through the menu option Administration/Management.
- A tab with the title Authentication will be created.
- The screen will have a widget to select whether LDAP or conventional database authentication is used. If the user selects LDAP, a second part of the interface with all the parameters for the LDAP connection is activated.
- The section for the LDAP parameters will have two types of parameters:
  - Parameters to connect to the LDAP server.
  - Parameters to configure the authentication of the users. If there are several alternatives, the most general method will be chosen where possible.
The data entered in the interface will be stored in the Configuration entity. It will be studied whether composite objects are needed to encapsulate this information better, or whether it is enough to create new columns, one per parameter.
In this task a runtime configuration engine has to be developed and configured, so that the Spring beans (authentication handlers) can be switched between the current one and the new LDAP one developed in the previous task.
It is also possible to have just one handler with a configuration parameter saying whether the database or the LDAP+database behaviour is being used.
The idea now is to have a composite authentication handler that first tries to authenticate against the LDAP and, if that fails, uses the LibrePlan database password (current behaviour).
It will be studied whether the most appropriate option for doing the authentication is to have:
So, the steps that will be done at this point are the following:
1) It is checked whether there is a user in the database with the login specified by the user.
   - 1.1) If there is no such user => Login not allowed.
   - 1.2) If there is, go to 2).
2) Authentication with LDAP is tried.
   - 2.1) Successful => User in.
   - 2.2) Error (LDAP not reachable or bad user/password combination) => Go to 3).
3) Try the database authentication.
   - 3.1) Successful => User in.
   - 3.2) Otherwise => Login not allowed.
This part allows users to be created in the LibrePlan database when the authentication with LDAP is successful and there is no such user in NavalPlan at login time.
So, the steps for the authentication will now be:
2) Authentication with LDAP is tried.
   - 2.1) Successful.
     - 2.1.1) It is checked whether the user exists in the database. If the user does not exist, it is created.
     - 2.1.2) It is checked whether the field "save passwords in database" is activated. If it is, go to 2.1.3; else go to 2.1.4.
     - 2.1.3) It is checked whether the password of the user in the database is the same as the one in the LDAP. If it is not, it is updated in the database. This handles possible password changes in the LDAP.
     - 2.1.4) User in.
   - 2.2) Error (LDAP not reachable or bad user/password combination) => Go to 3).
3) Try the database authentication.
   - 3.1) Successful => User in.
   - 3.2) Otherwise => Login not allowed.
This task will allow users to exist just in the database and not in the LDAP. In order to have this feature the following changes are needed:
- Create a boolean attribute in the entity User to record whether it is an LDAP based user or a database user.
- Change the interface for editing users with the following points:
  - Introduce an informative label in the user form stating the type of user.
  - Add a column with the user type to the user list window.
  - Make the General User Data panel read-only in the edit window for users of type LDAP based user.
At this point a check has to be introduced in the process of creating a normal database user: if the LDAP configuration is enabled, it is checked whether a user with that login already exists in the LDAP. If such a user exists, an error is shown to the user.
The following situation is handled here too: when a user logs in while the LDAP connection is enabled, it is checked whether the user exists in the database:
- If so, it is checked whether it has the type LDAP based user. If it does not, the type is changed to LDAP based user.
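The final login flow (steps 2 and 3 with the import and password sync of 2.1.1 to 2.1.4), the creation check for database users and the login-time type change, as an added Python model that is not LibrePlan's own code: FakeLdap, DbUser and CompositeAuthenticator are constructed stand-ins, not Spring Security classes, and the stored digest is a plain SHA-256 only to keep the example short.

```python
import hashlib
from dataclasses import dataclass

def pw_hash(password: str) -> str:
    # Stand-in for the digest LibrePlan keeps; clear text never reaches the table.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class FakeLdap:  # constructed stand-in for the directory, not a real LDAP client
    users: dict  # login -> password accepted by the directory
    reachable: bool = True
    def bind(self, login: str, password: str) -> bool:
        if not self.reachable:
            raise ConnectionError("LDAP not reachable")
        return self.users.get(login) == password

@dataclass
class DbUser:
    password_hash: str
    ldap_user: bool  # the boolean attribute proposed for the User entity

class CompositeAuthenticator:
    def __init__(self, ldap: FakeLdap, db: dict, ldap_enabled: bool, save_passwords_in_db: bool):
        self.ldap, self.db = ldap, db
        self.ldap_enabled, self.save_passwords_in_db = ldap_enabled, save_passwords_in_db

    def authenticate(self, login: str, password: str) -> str:
        """Returns 'LDAP', 'DATABASE' or 'DENIED', following steps 2 and 3 above."""
        if self.ldap_enabled:
            try:
                bound = self.ldap.bind(login, password)
            except ConnectionError:
                bound = False  # 2.2: unreachable directory falls through to step 3
            if bound:
                user = self.db.get(login)
                if user is None:  # 2.1.1: import the user on first successful login
                    user = self.db[login] = DbUser("", True)
                user.ldap_user = True  # login-time check: mark the account as LDAP based
                if self.save_passwords_in_db and user.password_hash != pw_hash(password):
                    user.password_hash = pw_hash(password)  # 2.1.3: keep the DB copy in sync
                return "LDAP"
        user = self.db.get(login)  # step 3: conventional database authentication
        if user is not None and user.password_hash == pw_hash(password):
            return "DATABASE"
        return "DENIED"

    def create_database_user(self, login: str, password: str) -> None:
        # Creation check: refuse a database user whose login already exists in LDAP.
        if self.ldap_enabled and login in self.ldap.users:
            raise ValueError(f"login {login!r} already exists in LDAP")
        self.db[login] = DbUser(pw_hash(password), False)
```

Two consequences of the design are visible here: an imported LDAP user can only fall back to step 3 while "save passwords in database" is on, and a synced digest stays valid in the database until the next successful LDAP bind, so a password revoked in the directory still works while the directory is unreachable.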
Match the LDAP roles with the LibrePlan permissions
This task will be assessed later, if it turns out to be of interest. It can have quite a lot of possibilities depending on the structure of the LDAP.
Change 1
In version 1.2.0 of LibrePlan a change-password use case was added: a user can change his password if he remembers his old password.
Currently this use case makes no distinction between LDAP users and conventional database users. This behaviour has to be changed as follows:
- If a user is an LDAP user and the database authentication is enabled, then the per-user change-password window must be put in read-only mode with a suitable informative message explaining this: LDAP users cannot change their password if LDAP authentication is enabled. Talk to one of the administrators.
Change 2
In the window to manage users for admin users (top menu entry Administration/Management -> Users -> Accounts) an admin user can now change the password of every user.
This change consists of making the password change fields read-only for users of type LDAP when LDAP authentication is enabled in the configuration window.
An informative message explaining why the password fields are disabled must be given. For instance: Password cannot be managed for LDAP users because LDAP authentication is being used.
Change 3
In the window to manage users for admin users (top menu entry Administration/Management -> Users -> Accounts) the roles and profiles of users can be changed independently of the type of user.
However, the two parts of the edit window related to permissions (roles and profiles) have to be set to read-only mode if two conditions are fulfilled:
- The user is of type LDAP.
- The Use LDAP roles option is activated.
An informative message must be given to the user when the roles and profiles are disabled (read-only). For instance: Roles and profiles of LDAP users cannot be managed because LDAP roles are being used.
Tasks | Est | Spent | To do | Risk | Reviewer | Developer | Task Name | Start Date | Est End Date | End Date |
---|---|---|---|---|---|---|---|---|---|---|
Task | 20 | 29 | 0 | Low | JavierMoran | IgnacioDiaz CristinaAlvarino | Develop/configure handler for LDAP authentication | 13/05/2011 | 20/05/2011 | 20/05/2011 |
Task | 20 | 20 | 0 | Low | JavierMoran | IgnacioDiaz CristinaAlvarino | Interface for configuring the LDAP connection and authentication parameters | | | |
Task | 20 | 16 | 0 | Low | JavierMoran | IgnacioDiaz CristinaAlvarino | Develop a composite handler LDAP/Database | | | |
Task | 20 | 12 | 0 | Low | JavierMoran | IgnacioDiaz CristinaAlvarino | LDAP import of users | | | |
Task | 20 | 10 | 0 | Low | JavierMoran | IgnacioDiaz CristinaAlvarino | Support for two types of users | | | |
Task | 20 | 20 | 0 | Low | JavierMoran | IgnacioDiaz CristinaAlvarino | Match the LDAP roles with the LibrePlan permissions | | | |
Task | 7 | 7 | 0 | Low | JavierMoran | IgnacioDiaz CristinaAlvarino | Make the change-password and user-roles administration compatible with LDAP users | | | |
User | Spent in XpTracker | Spent in phpReport | Ok? |
---|---|---|---|
IgnacioDiaz CristinaAlvarino | 114 | 0 | |
Total | 114 | 0 | |
I | Attachment | Action | Size | Date | Who | Comment |
---|---|---|---|---|---|---|
png | ActivityDiagram_LDAP_NavalPlan.png | manage | 34.0 K | 12 May 2011 - 14:57 | JavierMoran | LDAP authentication activity diagram |
xmi | ActivityDiagram_LDAP_NavalPlan.xmi | manage | 28.3 K | 12 May 2011 - 14:56 | JavierMoran | LDAP authentication activity diagram - Umbrello |
png | Activity_Diagram_LDAP_Authentication.png | manage | 34.8 K | 24 May 2011 - 10:34 | IgnacioDiaz | LDAP authentication activity diagram |