shibboleth-dev - reminder - conf call today (5/20), 3 pm edt
Subject: Shibboleth Developers
List archive
- From:
- To:
- Subject: reminder - conf call today (5/20), 3 pm edt
- Date: Mon, 20 May 2002 11:59:21 -0400
usual logistics:
Phone #: 800-998-2462
Pin #: 5601277
Agenda:
0) status - IBM
1) Discuss Parviz's note describing AA design (pasted into bottom of this
note)
2) Agree on contents of next two packages (alpha-2, beta-1). Updated version of doc describing these: http://stc.cis.brown.edu/~stc/Projects/Shibboleth/Design/Versions.html
See psu note down below; it affects target date for alpha-2.
3) Other items?
4) status updates:
a) I2/OpenLdap:
Date: Tue, 14 May 2002 17:32:12 -0400
From: Iljun Kim
<>
To:
Cc:
Subject: Re: heads up... openldap use coming....
Steve,
We would like to manage the ldap servers. Please let us know if you
have any requests.
b) penn state/ webassign
this morning, I spoke with John Hopkins, from the psu physics department. He's got a summer course with 50 (fifty) students starting on june 24, and they'll be using webassign. I like the date.... and I like the size of the class. Next fall, he has 3 classes using WA, with 1000, 1000, and 500 students respectively. I said we'd talk about the fall later in the summer... once we get some experience with the first class....
June 24 is a monday. I expect this means we should aim to deliver the next version to PSU IT folks two weeks before that -- 6/12.
----------------------------------------
Delivered-To:
Date: Fri, 17 May 2002 14:41:07 -0400
From: Parviz Dousti
<>
To:
Subject: AA design
Originator-Info: login-token=Mulberry:01kYsby/X6kD7X/2pC3AuSOuTokvcX9qi/7ohAkfuOVA==;
Sender:
Folks,
There was some interest past Monday to talk about how the attribute values are fetched by (or provided to) AA. I guess the objective here is to implement this to be quite flexible and yet work out of the box for the most straight forward cases.
I explain how the current implementation works and we go from there. This might be useful for documentation too.
When AAServlet starts up, it creates a AAResponder object. Among arguments past to constructor of this object is an object called "Context" which would be used for getting attribute values. Context is created by a plugin (a Java class). Name of this plugin is given to the servlet as a parameter. Plugin must implement "javax.naming.spi.InitialContextFactory". The Context that plugin creates must implement "javax.naming.directory.DirContext" interface. Plugin must also implement "javax.naming.directory.Attribute" and "javax.naming.directory.Attributes". Our default plugin is the one provided by Sun called "com.sun.jndi.ldap.LdapCtxFactory".
At this point an initial Context is created and kept around by servlet engine. This allows for good performance as the "connection" to the directory or database or whatever is done once.
Once AA gets a request for a given user it needs to change the Context to this user's context. In ldap terminology it needs to move from e.g. "ou=person, dc=myUniversity ,dc=edu" to "uid=user, ou=person, dc=myUniversity, dc=edu". In SQL terms it might need to create a result set that holds this users attributes, etc. This operation is done by calling the "lookup" method of the Context and passing in a string like "uid=user" .
Now AA works on ARPs and comes up with a set of ArpAttribute objects. For each one of these objects it calls their "getDirAttribute" method and passes in the Context. This method in turn calls the "getAttributes" method of the Context and also passes in the name of the attribute. At this point Context can do what ever it likes to obtain a set of values for this attribute. Our default Context simply looks up Ldap to get the values.
Values are returned to AAResponder which creates an Array of SAMLAttributes.
This would work out of the box for sites that use LDAP and user is identified by uid which is kept in the Handle. All one needs to do is set 2 parameters in AAServlet. One would look like
dirUrl = ldap://metadir.andrew.cmu.edu/ou=person,dc=myUniversity, dc=edu
and
ldapUserDnPhrase = uid
I could not use the default for CMU as here a Person is identified by a guid (a very long number) but one authenticates by an Account ID (mine is ). I had to write my own plugin to get around this. The only thing I really had to implement was the "lookup" method which did a search on account ID and found the Guid. Then set the context to guid=xxxx. Plugin is very simple and can be seen in the src directory (files CmuCtxFactory.java and CmuDirContext.java).
I also provided a plugin to get the attribute values from a SQL database. You have seen this in ArpUtil. It is pretty crude but it is just to demonstrate how thing like that can be done.
Hope this helps,
Parviz
------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
------------------------------------------------------mace-shib-design--
- reminder - conf call today (5/20), 3 pm edt, Steven_Carmody, 05/20/2002
Archive powered by MHonArc 2.6.16.