Tags:
create new tag
view all tags

AnA04S06LdapAuthentication

Story summary LDAP Authentication
Iteration AnA04Architecture
FEA AnA04S06LdapAuthentication
Story Lead  
Next Story  
Passed acceptance test No

Tasks

Activity diagram with the LDAP authentication final process description:

Activity_Diagram_LDAP_Authentication.png

Develope/configure handler for LDAP authentication

This task consists of configure the SpringSecurity framework in order to be able to authenticate against the LDAP.

The LDAP is used for authentication but the LibrePlan database info for users is used too. So, it is required that there is a object user in the LibrePlan database with the login that the user is inserting in the interface. So, at this first step:

  • If the authentication with LDAP fails => The user is not allowed to enter the application.
  • If the authentication succeds with LDAP but there is not user in LibrePlan with the same login => The user is not allowed to enter the application.

In this first step the configuration will be set in the XML Spring files and, therefore, is set by the user before compiling the program.

Interface for configuring the the LDAP connection and authentication parameters.

This task consists of developing an interface in ZK in order to allow to configure the LDAP connection at runtime.

The features of the interface will be the following:

  • It will be placed in the Configuration Window placed in the menu option Administration/Management.
  • It will be created a tab with title Authentication.
    • The screen will have an interface widget to select if you want to use LDAP or conventional database authentication. If the user selects LDAP then a second part of the interface with all the parameters for the connection with the LDAP will be activated.
    • The section for the LDAP parameters will have two types of parameteres:
      • Parameters to connect to the LDAP.
      • Parameters to configure the authentication of the users. Here it will be chosen if there are several alternativas the most general method if possible.

The data of the interface will be stored in the Configuration entity. It will be studied if it is needed to create composite objets to encapsulate better this information or just to create new columns, one per parameter.

At this task has to be developed and configured a runtime configuration engine for configure the Spring beans (authentication handlers) to use the current one or use the LDAP new one developed in the task before.

Tip, idea It is possible to have just one handler but with a parameter of configuration saying if it is being using the database or the LDAP+Database behaviour implemented.

Develope a composite handler LDAP/Database

The idea now is to have a composite authentication handler that first tries to authenticate againts the LDAP and if it fails use the LibrePlan database password (current behaviour).

It will be studied if the most appropiate option for doing the authentication is to have:

So, the steps that will be done at this point are the following:

  • 1) It is checked if there is a user with the login specified in the by the user in the database
    • 1.1) It there is not user => Login not allowed.
    • 1.2) If there is go to 2)
  • 2) Authentication with LDAP is tried.
    • 2.1) Successfull => User in.
    • 2.2) Error (LDAP not reachable or bad user/password combination) => Go to 3
  • 3) Try the database authentication.
    • 3.1) User in.
    • 3.2) Login not allowed.

LDAP import of users

This part is to allow to create users in the database of LibrePlan if the authentication with LDAP is sucessful and there is any user created in NavalPLan at the moment of doing login.

So, the steps now will be for the authentication:

  • 2) Authentication with LDAP is tried.
    • 2.1) Successful.
      • 2.1.1) It is checked if there is the user in the database. If this user does not exist, it will be created.
      • 2.1.2) It is checked if the field "save passwords in database" is activated. If it is goes to 2.1.3, else goes to 2.1.4.
      • 2.1.3) It is checked if the password of the user in the database is the same as the one in the LDAP. If it is not will be updated in the database. This situation handles the possible changes of passwords in the LDAP.
      • 2.1.4) User in.
    • 2.2) Error (LDAP not reachable or bad user/password combination) => Go to 3
  • 3) Try the database authentication.
    • 3.1) User in.
    • 3.2) Login not allowed.

Support for two types of users

This task will allow to have users just in the database and not in the LDAP. So, in order to have this feature the changes that are needed are the following:

  • To create an attribute in the entity User to configure if is a LDAP based user or a Database user. It will have a boolean type.
  • Change the interface for editing the users with the following points:
    • Introduce an informative label in the user form saying the type of user.
    • Modify the list of users window with a column with the information with the user type.
    • Do read-only the General User Data panel for the edition window of users of type LDAP based user

At this point it has two be introduced a check in the process to create a normal database user. If the LDAP configuration is set on, it will be checked if there is a user already in the LDAP with that login. If that user exist, then an error will be given to the user.

It will be handled here the following situation too: On doing login a user if the LDAP connection is set on it is checked if there a user in the database:

  • Now it is checked if it has the type LDAP based user. If it has not this type, the type will be changed to be this.

Match the LDAP roles with the LibrePlan permissions

This task will be assesed if it is interesting later. It can have quite a lot of possibilities depending on the structure of the LDAP.

Do compatible the change password and user roles administration with LDAP users.

Change 1

In the version 1.2.0 of LibrePlan a change user password use case was added. A user can change his password if he remembers his old password.

Now, this use case does not do any distinction between LDAP users and conventional database users. This behavior has to be changed to:

  • If a user is an LDAP user and the database authentication is enabled, then the change password per user window must be put in read-only mode and a suitable informative message explaining this: LDAP users cannot change their password in LDAP authentication is enabled. Talk to one of the administrators

Change 2

In the window to manage users for the admin users - top menu entry Administration/Management -> Users -> Accounts - now an admin user can change the password of every user.

This change consists of putting in read-only the password change fields for the users of type LDAP when the LDAP authentication is enabled in the configuration window.

An informative message explaining why the password fields are disabled must be given. For instance: Password cannot be managed for LDAP users because LDAP authentication is being used.

Change 3

In the window to manage users for admin users - top menu entry Administration/Management -> Users -> Accounts you are able to change the roles and the profiles of the users independently of the type of users.

However, the two parts related to permissions in the edition window (roles and profiles) are needed to be configured in read-only mode if two conditions are fulfilled:

  • If the user is of type LDAP.
  • If the Use LDAP roles is activated.

An informative message must be given to the user if the roles and profiles are disabled (read-only). For instance: Roles and profiles of LDAP users cannot be managed because LDAP roles are being used.

User stories

Tasks in this story

Total Hours in this Story

%RPSHOWTOTALHOURS%


Topic attachments
I Attachment History Action Size Date Who Comment
PNGpng ActivityDiagram_LDAP_NavalPlan.png r1 manage 34.0 K 12 May 2011 - 14:57 UnknownUser LDAP authentication actividy diagram
Unknown file formatxmi ActivityDiagram_LDAP_NavalPlan.xmi r1 manage 28.3 K 12 May 2011 - 14:56 UnknownUser LDAP authentication activity diagram - Umbrello
PNGpng Activity_Diagram_LDAP_Authentication.png r1 manage 34.8 K 24 May 2011 - 10:34 UnknownUser LDAP authentication activity diagram
Edit | Attach | Watch | Print version | History: r11 < r10 < r9 < r8 < r7 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r11 - 20 Aug 2012 - mrego
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback