Visual LDAP user name

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello,
> I run JSPWiki with Web Container Authentication via LDAP and it runs
> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>
> Only the visualization of real user name is still missing. I get only
> the login name (short name) instead of the full name in the change
> history and so on.  Is it a default behaviour or misconfiguration?
>
> Nice greetings,
> Harald
>
> - --
>
> Harald Krammer
> Brucknerstrasse 33
> A - 4020  Linz
> AUSTRIA
>
> Mobil +43.(0) 664. 130 59 58
> Mail: Harald.Krammer (at) hkr.at
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
> =Kd7Y
> -----END PGP SIGNATURE-----

> If a user creates a user profile after logging into the container,  
> he or she will have an opportunity to specify a "full name." If a  
> full name is supplied, it will be used in page histories etc from  
> that point forward.
>
> Andrew
>
> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@...>  
> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Hello,
>> I run JSPWiki with Web Container Authentication via LDAP and it runs
>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>
>> Only the visualization of real user name is still missing. I get only
>> the login name (short name) instead of the full name in the change
>> history and so on.  Is it a default behaviour or misconfiguration?
>>
>> Nice greetings,
>> Harald
>>
>> - --
>>
>> Harald Krammer
>> Brucknerstrasse 33
>> A - 4020  Linz
>> AUSTRIA
>>
>> Mobil +43.(0) 664. 130 59 58
>> Mail: Harald.Krammer (at) hkr.at
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>>
>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>> =Kd7Y
>> -----END PGP SIGNATURE-----

> I would suggest a change, if a ldap user is logging the first time.  the
> Wiki should create the user in the user.xml - it gives a lot of problem when
> adding a ldap user to a wiki group, since it possible that the user isn't
> created.
>
>
> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>
>  If a user creates a user profile after logging into the container, he or
>> she will have an opportunity to specify a "full name." If a full name is
>> supplied, it will be used in page histories etc from that point forward.
>>
>> Andrew
>>
>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@...> wrote:
>>
>>  -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> Hello,
>>> I run JSPWiki with Web Container Authentication via LDAP and it runs
>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>>
>>> Only the visualization of real user name is still missing. I get only
>>> the login name (short name) instead of the full name in the change
>>> history and so on.  Is it a default behaviour or misconfiguration?
>>>
>>> Nice greetings,
>>> Harald
>>>
>>> - --
>>>
>>> Harald Krammer
>>> Brucknerstrasse 33
>>> A - 4020  Linz
>>> AUSTRIA
>>>
>>> Mobil +43.(0) 664. 130 59 58
>>> Mail: Harald.Krammer (at) hkr.at
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>
>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>> =Kd7Y
>>> -----END PGP SIGNATURE-----
>>>
>>
>

> Why allow people to eliminate the user.xml?
>
> Why not allow the use of LDAP for the user profile?
>
> Allow mapping the LDAP attributes to the profile values?
>
> Enterprises have no desire to maintain another separate user store of
> information. Many already have a central LDAP store.
>
> -jim
> Jim Willeke
>
>
> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <te@...>  
> wrote:
>
>> I would suggest a change, if a ldap user is logging the first  
>> time.  the
>> Wiki should create the user in the user.xml - it gives a lot of  
>> problem when
>> adding a ldap user to a wiki group, since it possible that the user  
>> isn't
>> created.
>>
>>
>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>
>> If a user creates a user profile after logging into the container,  
>> he or
>>> she will have an opportunity to specify a "full name." If a full  
>>> name is
>>> supplied, it will be used in page histories etc from that point  
>>> forward.
>>>
>>> Andrew
>>>
>>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@...>  
>>> wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> Hello,
>>>> I run JSPWiki with Web Container Authentication via LDAP and it  
>>>> runs
>>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>>>
>>>> Only the visualization of real user name is still missing. I get  
>>>> only
>>>> the login name (short name) instead of the full name in the change
>>>> history and so on.  Is it a default behaviour or misconfiguration?
>>>>
>>>> Nice greetings,
>>>> Harald
>>>>
>>>> - --
>>>>
>>>> Harald Krammer
>>>> Brucknerstrasse 33
>>>> A - 4020  Linz
>>>> AUSTRIA
>>>>
>>>> Mobil +43.(0) 664. 130 59 58
>>>> Mail: Harald.Krammer (at) hkr.at
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>
>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>>> =Kd7Y
>>>> -----END PGP SIGNATURE-----
>>>>
>>>
>>

> The group and permission system in the jspwiki is rather dynamic, and ldaps
> tends to be readonly except for a groups of administrators. There for there
> is still need for the user.xml and group.xml. But in my opinion the user.xml
> needs to be automatically updated when a new ldap user is logged in.
>
> Otherwise granting and managing jspwiki permissions i a nightmare, this also
> enhanced since there is no check on if a user exist - when adding users to
> wiki group or setting a page permission.
>
> I think the following should be changed.
>
> - First time a new user is logged in - the user should be added to the the
> user.xml and redirect to the profile page for setting additional information
> (email, full name and section edition etc)
>
> - Adding page permission should lookup if the group or the user exist.
>
> - Adding users to a wiki group should only be possible for existing users.
>
> /Thomas
>
>
> On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
>
>> Why allow people to eliminate the user.xml?
>>
>> Why not allow the use of LDAP for the user profile?
>>
>> Allow mapping the LDAP attributes to the profile values?
>>
>> Enterprises have no desire to maintain another separate user store of
>> information. Many already have a central LDAP store.
>>
>> -jim
>> Jim Willeke
>>
>>
>> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <te@...> wrote:
>>
>>> I would suggest a change, if a ldap user is logging the first time.  the
>>> Wiki should create the user in the user.xml - it gives a lot of problem
>>> when
>>> adding a ldap user to a wiki group, since it possible that the user isn't
>>> created.
>>>
>>>
>>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>>
>>> If a user creates a user profile after logging into the container, he or
>>>>
>>>> she will have an opportunity to specify a "full name." If a full name is
>>>> supplied, it will be used in page histories etc from that point forward.
>>>>
>>>> Andrew
>>>>
>>>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@...> wrote:
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>
>>>>> Hash: SHA256
>>>>>
>>>>> Hello,
>>>>> I run JSPWiki with Web Container Authentication via LDAP and it runs
>>>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>>>>
>>>>> Only the visualization of real user name is still missing. I get only
>>>>> the login name (short name) instead of the full name in the change
>>>>> history and so on.  Is it a default behaviour or misconfiguration?
>>>>>
>>>>> Nice greetings,
>>>>> Harald
>>>>>
>>>>> - --
>>>>>
>>>>> Harald Krammer
>>>>> Brucknerstrasse 33
>>>>> A - 4020  Linz
>>>>> AUSTRIA
>>>>>
>>>>> Mobil +43.(0) 664. 130 59 58
>>>>> Mail: Harald.Krammer (at) hkr.at
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>>
>>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
>>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>>>> =Kd7Y
>>>>> -----END PGP SIGNATURE-----
>>>>>
>>>>
>>>
>
>

> JSPWiki 3.0 trunk already has an LdapUserDatabase and LdapAuthorizer,
> which means that it can obtain user profiles on a read-only basis from
> LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
> users will be "provisioned" in JSPWiki automatically. This should
> solve the user-experience problem you described.
>
> The upcoming 3.0 LDAP features have been developed and tested with
> Active Directory and OpenLDAP. It is configured via the GUI at
> install-time.
>
> With respect to permissions and group memberships: these are good
> suggestions. We still have some work to do for the GUI for ACLs for
> 3.0. I agree that we should be validating user names when users create
> the ACLs. Same for adding users to groups. These suggestions will be
> incorporated into how the ACL GUIs work -- likely via AJAX in
> real-time.
>
> Andrew
>
> On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt <te@...> wrote:
>> The group and permission system in the jspwiki is rather dynamic, and ldaps
>> tends to be readonly except for a groups of administrators. There for there
>> is still need for the user.xml and group.xml. But in my opinion the user.xml
>> needs to be automatically updated when a new ldap user is logged in.
>>
>> Otherwise granting and managing jspwiki permissions i a nightmare, this also
>> enhanced since there is no check on if a user exist - when adding users to
>> wiki group or setting a page permission.
>>
>> I think the following should be changed.
>>
>> - First time a new user is logged in - the user should be added to the the
>> user.xml and redirect to the profile page for setting additional information
>> (email, full name and section edition etc)
>>
>> - Adding page permission should lookup if the group or the user exist.
>>
>> - Adding users to a wiki group should only be possible for existing users.
>>
>> /Thomas
>>
>>
>> On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
>>
>>> Why allow people to eliminate the user.xml?
>>>
>>> Why not allow the use of LDAP for the user profile?
>>>
>>> Allow mapping the LDAP attributes to the profile values?
>>>
>>> Enterprises have no desire to maintain another separate user store of
>>> information. Many already have a central LDAP store.
>>>
>>> -jim
>>> Jim Willeke
>>>
>>>
>>> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <te@...> wrote:
>>>
>>>> I would suggest a change, if a ldap user is logging the first time.  the
>>>> Wiki should create the user in the user.xml - it gives a lot of problem
>>>> when
>>>> adding a ldap user to a wiki group, since it possible that the user isn't
>>>> created.
>>>>
>>>>
>>>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>>>
>>>> If a user creates a user profile after logging into the container, he or
>>>>> she will have an opportunity to specify a "full name." If a full name is
>>>>> supplied, it will be used in page histories etc from that point forward.
>>>>>
>>>>> Andrew
>>>>>
>>>>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@...> wrote:
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA256
>>>>>>
>>>>>> Hello,
>>>>>> I run JSPWiki with Web Container Authentication via LDAP and it runs
>>>>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>>>>>
>>>>>> Only the visualization of real user name is still missing. I get only
>>>>>> the login name (short name) instead of the full name in the change
>>>>>> history and so on.  Is it a default behaviour or misconfiguration?
>>>>>>
>>>>>> Nice greetings,
>>>>>> Harald
>>>>>>
>>>>>> - --
>>>>>>
>>>>>> Harald Krammer
>>>>>> Brucknerstrasse 33
>>>>>> A - 4020  Linz
>>>>>> AUSTRIA
>>>>>>
>>>>>> Mobil +43.(0) 664. 130 59 58
>>>>>> Mail: Harald.Krammer (at) hkr.at
>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>>>
>>>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
>>>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>>>>> =Kd7Y
>>>>>> -----END PGP SIGNATURE-----
>>>>>>
>>
>

> JSPWiki 3.0 trunk already has an LdapUserDatabase and LdapAuthorizer,
> which means that it can obtain user profiles on a read-only basis from
> LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
> users will be "provisioned" in JSPWiki automatically. This should
> solve the user-experience problem you described.
>
> The upcoming 3.0 LDAP features have been developed and tested with
> Active Directory and OpenLDAP. It is configured via the GUI at
> install-time.
>
> With respect to permissions and group memberships: these are good
> suggestions. We still have some work to do for the GUI for ACLs for
> 3.0. I agree that we should be validating user names when users create
> the ACLs. Same for adding users to groups. These suggestions will be
> incorporated into how the ACL GUIs work -- likely via AJAX in
> real-time.
>
> Andrew
>
> On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt <te@...> wrote:
> > The group and permission system in the jspwiki is rather dynamic, and
> ldaps
> > tends to be readonly except for a groups of administrators. There for
> there
> > is still need for the user.xml and group.xml. But in my opinion the
> user.xml
> > needs to be automatically updated when a new ldap user is logged in.
> >
> > Otherwise granting and managing jspwiki permissions i a nightmare, this
> also
> > enhanced since there is no check on if a user exist - when adding users
> to
> > wiki group or setting a page permission.
> >
> > I think the following should be changed.
> >
> > - First time a new user is logged in - the user should be added to the
> the
> > user.xml and redirect to the profile page for setting additional
> information
> > (email, full name and section edition etc)
> >
> > - Adding page permission should lookup if the group or the user exist.
> >
> > - Adding users to a wiki group should only be possible for existing
> users.
> >
> > /Thomas
> >
> >
> > On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
> >
> >> Why allow people to eliminate the user.xml?
> >>
> >> Why not allow the use of LDAP for the user profile?
> >>
> >> Allow mapping the LDAP attributes to the profile values?
> >>
> >> Enterprises have no desire to maintain another separate user store of
> >> information. Many already have a central LDAP store.
> >>
> >> -jim
> >> Jim Willeke
> >>
> >>
> >> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <te@...>
> wrote:
> >>
> >>> I would suggest a change, if a ldap user is logging the first time.
>  the
> >>> Wiki should create the user in the user.xml - it gives a lot of problem
> >>> when
> >>> adding a ldap user to a wiki group, since it possible that the user
> isn't
> >>> created.
> >>>
> >>>
> >>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
> >>>
> >>> If a user creates a user profile after logging into the container, he
> or
> >>>>
> >>>> she will have an opportunity to specify a "full name." If a full name
> is
> >>>> supplied, it will be used in page histories etc from that point
> forward.
> >>>>
> >>>> Andrew
> >>>>
> >>>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@...>
> wrote:
> >>>>
> >>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>>
> >>>>> Hash: SHA256
> >>>>>
> >>>>> Hello,
> >>>>> I run JSPWiki with Web Container Authentication via LDAP and it runs
> >>>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
> >>>>>
> >>>>> Only the visualization of real user name is still missing. I get only
> >>>>> the login name (short name) instead of the full name in the change
> >>>>> history and so on.  Is it a default behaviour or misconfiguration?
> >>>>>
> >>>>> Nice greetings,
> >>>>> Harald
> >>>>>
> >>>>> - --
> >>>>>
> >>>>> Harald Krammer
> >>>>> Brucknerstrasse 33
> >>>>> A - 4020  Linz
> >>>>> AUSTRIA
> >>>>>
> >>>>> Mobil +43.(0) 664. 130 59 58
> >>>>> Mail: Harald.Krammer (at) hkr.at
> >>>>> -----BEGIN PGP SIGNATURE-----
> >>>>> Version: GnuPG v1.4.9 (GNU/Linux)
> >>>>>
> >>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
> >>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
> >>>>> =Kd7Y
> >>>>> -----END PGP SIGNATURE-----
> >>>>>
> >>>>
> >>>
> >
> >
>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> That sounds interesting.
> It is noted that the trunk is heavily under construction and the  
> code is
> broken. Does it make sense to test current trunk version or is it  
> too early?
>
> Greetings,
> Harald
>
> Andrew Jaquith schrieb:
>> JSPWiki 3.0 trunk already has an LdapUserDatabase and LdapAuthorizer,
>> which means that it can obtain user profiles on a read-only basis  
>> from
>> LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
>> users will be "provisioned" in JSPWiki automatically. This should
>> solve the user-experience problem you described.
>>
>> The upcoming 3.0 LDAP features have been developed and tested with
>> Active Directory and OpenLDAP. It is configured via the GUI at
>> install-time.
>>
>> With respect to permissions and group memberships: these are good
>> suggestions. We still have some work to do for the GUI for ACLs for
>> 3.0. I agree that we should be validating user names when users  
>> create
>> the ACLs. Same for adding users to groups. These suggestions will be
>> incorporated into how the ACL GUIs work -- likely via AJAX in
>> real-time.
>>
>> Andrew
>>
>> On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt <te@...>  
>> wrote:
>>> The group and permission system in the jspwiki is rather dynamic,  
>>> and ldaps
>>> tends to be readonly except for a groups of administrators. There  
>>> for there
>>> is still need for the user.xml and group.xml. But in my opinion  
>>> the user.xml
>>> needs to be automatically updated when a new ldap user is logged in.
>>>
>>> Otherwise granting and managing jspwiki permissions i a nightmare,  
>>> this also
>>> enhanced since there is no check on if a user exist - when adding  
>>> users to
>>> wiki group or setting a page permission.
>>>
>>> I think the following should be changed.
>>>
>>> - First time a new user is logged in - the user should be added to  
>>> the the
>>> user.xml and redirect to the profile page for setting additional  
>>> information
>>> (email, full name and section edition etc)
>>>
>>> - Adding page permission should lookup if the group or the user  
>>> exist.
>>>
>>> - Adding users to a wiki group should only be possible for  
>>> existing users.
>>>
>>> /Thomas
>>>
>>>
>>> On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
>>>
>>>> Why allow people to eliminate the user.xml?
>>>>
>>>> Why not allow the use of LDAP for the user profile?
>>>>
>>>> Allow mapping the LDAP attributes to the profile values?
>>>>
>>>> Enterprises have no desire to maintain another separate user  
>>>> store of
>>>> information. Many already have a central LDAP store.
>>>>
>>>> -jim
>>>> Jim Willeke
>>>>
>>>>
>>>> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt  
>>>> <te@...> wrote:
>>>>
>>>>> I would suggest a change, if a ldap user is logging the first  
>>>>> time.  the
>>>>> Wiki should create the user in the user.xml - it gives a lot of  
>>>>> problem
>>>>> when
>>>>> adding a ldap user to a wiki group, since it possible that the  
>>>>> user isn't
>>>>> created.
>>>>>
>>>>>
>>>>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>>>>
>>>>> If a user creates a user profile after logging into the  
>>>>> container, he or
>>>>>> she will have an opportunity to specify a "full name." If a  
>>>>>> full name is
>>>>>> supplied, it will be used in page histories etc from that point  
>>>>>> forward.
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>> On Oct 22, 2009, at 16:34, Harald Krammer  
>>>>>> <Harald.Krammer@...> wrote:
>>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>> Hash: SHA256
>>>>>>>
>>>>>>> Hello,
>>>>>>> I run JSPWiki with Web Container Authentication via LDAP and  
>>>>>>> it runs
>>>>>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>>>>>>
>>>>>>> Only the visualization of real user name is still missing. I  
>>>>>>> get only
>>>>>>> the login name (short name) instead of the full name in the  
>>>>>>> change
>>>>>>> history and so on.  Is it a default behaviour or  
>>>>>>> misconfiguration?
>>>>>>>
>>>>>>> Nice greetings,
>>>>>>> Harald
>>>>>>>
>>>>>>> - --
>>>>>>>
>>>>>>> Harald Krammer
>>>>>>> Brucknerstrasse 33
>>>>>>> A - 4020  Linz
>>>>>>> AUSTRIA
>>>>>>>
>>>>>>> Mobil +43.(0) 664. 130 59 58
>>>>>>> Mail: Harald.Krammer (at) hkr.at
>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>>>>
>>>>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
>>>>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>>>>>> =Kd7Y
>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>
>>>
>>
>
>
> - --
>
> Harald Krammer
> Brucknerstrasse 33
> A - 4020  Linz
> AUSTRIA
>
> Mobil +43.(0) 664. 130 59 58
> Mail: Harald.Krammer (at) hkr.at
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEAREIAAYFAkrkGqEACgkQ9QlAsubHO9vsYACgriH34OZiGCZq6Ac2DayNJnd3
> SKQAni/X1DtibeNEbZKtnzNAe+OHUwt2
> =KwyM
> -----END PGP SIGNATURE-----

> But what about de-provisioning users?
>
> The issue with putting users in yet another database in the  
> enterprise world
> central provisioning, de-provisioning and RBAC are the strategic  
> directions
> with no desire to mange users in remote stores.
>
> And why would someone want to put in information into the WIKI when  
> it is
> already been add to the user in LDAP via the enterprise portal?
>
> I will agree the local "groups" concept is necessary, but it should  
> be an
> agumnetation to container managed security that most enterprises would
> utilize.
>
> So users in the role (perhaps by department) "Sales" would always be  
> able to
> view any pages with "Sales":
>
> Then the local "groups" would be done to perform "teaming"  
> arrangements as
> would be done in a project that would cross departmental lines.
>
> -jim
> Jim Willeke
>
>
> On Sat, Oct 24, 2009 at 11:12 AM, Andrew Jaquith <andrew.r.jaquith@...
>> wrote:
>
>> JSPWiki 3.0 trunk already has an LdapUserDatabase and LdapAuthorizer,
>> which means that it can obtain user profiles on a read-only basis  
>> from
>> LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
>> users will be "provisioned" in JSPWiki automatically. This should
>> solve the user-experience problem you described.
>>
>> The upcoming 3.0 LDAP features have been developed and tested with
>> Active Directory and OpenLDAP. It is configured via the GUI at
>> install-time.
>>
>> With respect to permissions and group memberships: these are good
>> suggestions. We still have some work to do for the GUI for ACLs for
>> 3.0. I agree that we should be validating user names when users  
>> create
>> the ACLs. Same for adding users to groups. These suggestions will be
>> incorporated into how the ACL GUIs work -- likely via AJAX in
>> real-time.
>>
>> Andrew
>>
>> On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt <te@...>  
>> wrote:
>>> The group and permission system in the jspwiki is rather dynamic,  
>>> and
>> ldaps
>>> tends to be readonly except for a groups of administrators. There  
>>> for
>> there
>>> is still need for the user.xml and group.xml. But in my opinion the
>> user.xml
>>> needs to be automatically updated when a new ldap user is logged in.
>>>
>>> Otherwise granting and managing jspwiki permissions i a nightmare,  
>>> this
>> also
>>> enhanced since there is no check on if a user exist - when adding  
>>> users
>> to
>>> wiki group or setting a page permission.
>>>
>>> I think the following should be changed.
>>>
>>> - First time a new user is logged in - the user should be added to  
>>> the
>> the
>>> user.xml and redirect to the profile page for setting additional
>> information
>>> (email, full name and section edition etc)
>>>
>>> - Adding page permission should lookup if the group or the user  
>>> exist.
>>>
>>> - Adding users to a wiki group should only be possible for existing
>> users.
>>>
>>> /Thomas
>>>
>>>
>>> On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
>>>
>>>> Why allow people to eliminate the user.xml?
>>>>
>>>> Why not allow the use of LDAP for the user profile?
>>>>
>>>> Allow mapping the LDAP attributes to the profile values?
>>>>
>>>> Enterprises have no desire to maintain another separate user  
>>>> store of
>>>> information. Many already have a central LDAP store.
>>>>
>>>> -jim
>>>> Jim Willeke
>>>>
>>>>
>>>> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <te@...>
>> wrote:
>>>>
>>>>> I would suggest a change, if a ldap user is logging the first  
>>>>> time.
>> the
>>>>> Wiki should create the user in the user.xml - it gives a lot of  
>>>>> problem
>>>>> when
>>>>> adding a ldap user to a wiki group, since it possible that the  
>>>>> user
>> isn't
>>>>> created.
>>>>>
>>>>>
>>>>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>>>>
>>>>> If a user creates a user profile after logging into the  
>>>>> container, he
>> or
>>>>>>
>>>>>> she will have an opportunity to specify a "full name." If a  
>>>>>> full name
>> is
>>>>>> supplied, it will be used in page histories etc from that point
>> forward.
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@...>
>> wrote:
>>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>
>>>>>>> Hash: SHA256
>>>>>>>
>>>>>>> Hello,
>>>>>>> I run JSPWiki with Web Container Authentication via LDAP and  
>>>>>>> it runs
>>>>>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK 6).
>>>>>>>
>>>>>>> Only the visualization of real user name is still missing. I  
>>>>>>> get only
>>>>>>> the login name (short name) instead of the full name in the  
>>>>>>> change
>>>>>>> history and so on.  Is it a default behaviour or  
>>>>>>> misconfiguration?
>>>>>>>
>>>>>>> Nice greetings,
>>>>>>> Harald
>>>>>>>
>>>>>>> - --
>>>>>>>
>>>>>>> Harald Krammer
>>>>>>> Brucknerstrasse 33
>>>>>>> A - 4020  Linz
>>>>>>> AUSTRIA
>>>>>>>
>>>>>>> Mobil +43.(0) 664. 130 59 58
>>>>>>> Mail: Harald.Krammer (at) hkr.at
>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>>>>
>>>>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/HrqMiWfZ
>>>>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>>>>>> =Kd7Y
>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>
>>>>>>
>>>>>
>>>
>>>
>>

> I should not have used the magic word "provision" in my last post.  
> The important concept is that when the LdapUserDatabase is used,  
> LDAP *is* the user database
>
> On Oct 25, 2009, at 6:38, Jim Willeke <jim@...> wrote:
>
>> But what about de-provisioning users?
>>
>> The issue with putting users in yet another database in the  
>> enterprise world
>> central provisioning, de-provisioning and RBAC are the strategic  
>> directions
>> with no desire to mange users in remote stores.
>>
>> And why would someone want to put in information into the WIKI when  
>> it is
>> already been add to the user in LDAP via the enterprise portal?
>>
>> I will agree the local "groups" concept is necessary, but it should  
>> be an
>> agumnetation to container managed security that most enterprises  
>> would
>> utilize.
>>
>> So users in the role (perhaps by department) "Sales" would always  
>> be able to
>> view any pages with "Sales":
>>
>> Then the local "groups" would be done to perform "teaming"  
>> arrangements as
>> would be done in a project that would cross departmental lines.
>>
>> -jim
>> Jim Willeke
>>
>>
>> On Sat, Oct 24, 2009 at 11:12 AM, Andrew Jaquith <andrew.r.jaquith@...
>>> wrote:
>>
>>> JSPWiki 3.0 trunk already has an LdapUserDatabase and  
>>> LdapAuthorizer,
>>> which means that it can obtain user profiles on a read-only basis  
>>> from
>>> LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
>>> users will be "provisioned" in JSPWiki automatically. This should
>>> solve the user-experience problem you described.
>>>
>>> The upcoming 3.0 LDAP features have been developed and tested with
>>> Active Directory and OpenLDAP. It is configured via the GUI at
>>> install-time.
>>>
>>> With respect to permissions and group memberships: these are good
>>> suggestions. We still have some work to do for the GUI for ACLs for
>>> 3.0. I agree that we should be validating user names when users  
>>> create
>>> the ACLs. Same for adding users to groups. These suggestions will be
>>> incorporated into how the ACL GUIs work -- likely via AJAX in
>>> real-time.
>>>
>>> Andrew
>>>
>>> On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt <te@...>  
>>> wrote:
>>>> The group and permission system in the jspwiki is rather dynamic,  
>>>> and
>>> ldaps
>>>> tends to be readonly except for a groups of administrators. There  
>>>> for
>>> there
>>>> is still need for the user.xml and group.xml. But in my opinion the
>>> user.xml
>>>> needs to be automatically updated when a new ldap user is logged  
>>>> in.
>>>>
>>>> Otherwise granting and managing jspwiki permissions i a  
>>>> nightmare, this
>>> also
>>>> enhanced since there is no check on if a user exist - when adding  
>>>> users
>>> to
>>>> wiki group or setting a page permission.
>>>>
>>>> I think the following should be changed.
>>>>
>>>> - First time a new user is logged in - the user should be added  
>>>> to the
>>> the
>>>> user.xml and redirect to the profile page for setting additional
>>> information
>>>> (email, full name and section edition etc)
>>>>
>>>> - Adding page permission should lookup if the group or the user  
>>>> exist.
>>>>
>>>> - Adding users to a wiki group should only be possible for existing
>>> users.
>>>>
>>>> /Thomas
>>>>
>>>>
>>>> On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
>>>>
>>>>> Why allow people to eliminate the user.xml?
>>>>>
>>>>> Why not allow the use of LDAP for the user profile?
>>>>>
>>>>> Allow mapping the LDAP attributes to the profile values?
>>>>>
>>>>> Enterprises have no desire to maintain another separate user  
>>>>> store of
>>>>> information. Many already have a central LDAP store.
>>>>>
>>>>> -jim
>>>>> Jim Willeke
>>>>>
>>>>>
>>>>> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt <te@...>
>>> wrote:
>>>>>
>>>>>> I would suggest a change, if a ldap user is logging the first  
>>>>>> time.
>>> the
>>>>>> Wiki should create the user in the user.xml - it gives a lot of  
>>>>>> problem
>>>>>> when
>>>>>> adding a ldap user to a wiki group, since it possible that the  
>>>>>> user
>>> isn't
>>>>>> created.
>>>>>>
>>>>>>
>>>>>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>>>>>
>>>>>> If a user creates a user profile after logging into the  
>>>>>> container, he
>>> or
>>>>>>>
>>>>>>> she will have an opportunity to specify a "full name." If a  
>>>>>>> full name
>>> is
>>>>>>> supplied, it will be used in page histories etc from that point
>>> forward.
>>>>>>>
>>>>>>> Andrew
>>>>>>>
>>>>>>> On Oct 22, 2009, at 16:34, Harald Krammer  
>>>>>>> <Harald.Krammer@...>
>>> wrote:
>>>>>>>
>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>
>>>>>>>> Hash: SHA256
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>> I run JSPWiki with Web Container Authentication via LDAP and  
>>>>>>>> it runs
>>>>>>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK  
>>>>>>>> 6).
>>>>>>>>
>>>>>>>> Only the visualization of real user name is still missing. I  
>>>>>>>> get only
>>>>>>>> the login name (short name) instead of the full name in the  
>>>>>>>> change
>>>>>>>> history and so on.  Is it a default behaviour or  
>>>>>>>> misconfiguration?
>>>>>>>>
>>>>>>>> Nice greetings,
>>>>>>>> Harald
>>>>>>>>
>>>>>>>> - --
>>>>>>>>
>>>>>>>> Harald Krammer
>>>>>>>> Brucknerstrasse 33
>>>>>>>> A - 4020  Linz
>>>>>>>> AUSTRIA
>>>>>>>>
>>>>>>>> Mobil +43.(0) 664. 130 59 58
>>>>>>>> Mail: Harald.Krammer (at) hkr.at
>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>>>>>
>>>>>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/
>>>>>>>> HrqMiWfZ
>>>>>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>>>>>>> =Kd7Y
>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>>>
>>>

> Sorry-- I fat-fingered the send button!
>
> Anyhow, with the LdapUserDatabase you won't need to provision or  
> deprovision because everything will be in LDAP. We will keep some  
> data locally (user prefs) but that's it.
>
> At this point, if you still have concerns I'd recommend yo
>
> On Oct 25, 2009, at 7:04, Andrew Jaquith  
> <andrew.r.jaquith@...> wrote:
>
>> I should not have used the magic word "provision" in my last post.  
>> The important concept is that when the LdapUserDatabase is used,  
>> LDAP *is* the user database
>>
>> On Oct 25, 2009, at 6:38, Jim Willeke <jim@...> wrote:
>>
>>> But what about de-provisioning users?
>>>
>>> The issue with putting users in yet another database in the  
>>> enterprise world
>>> central provisioning, de-provisioning and RBAC are the strategic  
>>> directions
>>> with no desire to mange users in remote stores.
>>>
>>> And why would someone want to put in information into the WIKI  
>>> when it is
>>> already been add to the user in LDAP via the enterprise portal?
>>>
>>> I will agree the local "groups" concept is necessary, but it  
>>> should be an
>>> agumnetation to container managed security that most enterprises  
>>> would
>>> utilize.
>>>
>>> So users in the role (perhaps by department) "Sales" would always  
>>> be able to
>>> view any pages with "Sales":
>>>
>>> Then the local "groups" would be done to perform "teaming"  
>>> arrangements as
>>> would be done in a project that would cross departmental lines.
>>>
>>> -jim
>>> Jim Willeke
>>>
>>>
>>> On Sat, Oct 24, 2009 at 11:12 AM, Andrew Jaquith <andrew.r.jaquith@...
>>>> wrote:
>>>
>>>> JSPWiki 3.0 trunk already has an LdapUserDatabase and  
>>>> LdapAuthorizer,
>>>> which means that it can obtain user profiles on a read-only basis  
>>>> from
>>>> LDAP, and obtain roles from LDAP groups. So if you use LDAP, your
>>>> users will be "provisioned" in JSPWiki automatically. This should
>>>> solve the user-experience problem you described.
>>>>
>>>> The upcoming 3.0 LDAP features have been developed and tested with
>>>> Active Directory and OpenLDAP. It is configured via the GUI at
>>>> install-time.
>>>>
>>>> With respect to permissions and group memberships: these are good
>>>> suggestions. We still have some work to do for the GUI for ACLs for
>>>> 3.0. I agree that we should be validating user names when users  
>>>> create
>>>> the ACLs. Same for adding users to groups. These suggestions will  
>>>> be
>>>> incorporated into how the ACL GUIs work -- likely via AJAX in
>>>> real-time.
>>>>
>>>> Andrew
>>>>
>>>> On Sat, Oct 24, 2009 at 7:25 AM, Thomas Engelschmidt  
>>>> <te@...> wrote:
>>>>> The group and permission system in the jspwiki is rather  
>>>>> dynamic, and
>>>> ldaps
>>>>> tends to be readonly except for a groups of administrators.  
>>>>> There for
>>>> there
>>>>> is still need for the user.xml and group.xml. But in my opinion  
>>>>> the
>>>> user.xml
>>>>> needs to be automatically updated when a new ldap user is logged  
>>>>> in.
>>>>>
>>>>> Otherwise granting and managing jspwiki permissions i a  
>>>>> nightmare, this
>>>> also
>>>>> enhanced since there is no check on if a user exist - when  
>>>>> adding users
>>>> to
>>>>> wiki group or setting a page permission.
>>>>>
>>>>> I think the following should be changed.
>>>>>
>>>>> - First time a new user is logged in - the user should be added  
>>>>> to the
>>>> the
>>>>> user.xml and redirect to the profile page for setting additional
>>>> information
>>>>> (email, full name and section edition etc)
>>>>>
>>>>> - Adding page permission should lookup if the group or the user  
>>>>> exist.
>>>>>
>>>>> - Adding users to a wiki group should only be possible for  
>>>>> existing
>>>> users.
>>>>>
>>>>> /Thomas
>>>>>
>>>>>
>>>>> On Oct 24, 2009, at 10:57 , Jim Willeke wrote:
>>>>>
>>>>>> Why allow people to eliminate the user.xml?
>>>>>>
>>>>>> Why not allow the use of LDAP for the user profile?
>>>>>>
>>>>>> Allow mapping the LDAP attributes to the profile values?
>>>>>>
>>>>>> Enterprises have no desire to maintain another separate user  
>>>>>> store of
>>>>>> information. Many already have a central LDAP store.
>>>>>>
>>>>>> -jim
>>>>>> Jim Willeke
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 23, 2009 at 2:09 PM, Thomas Engelschmidt  
>>>>>> <te@...>
>>>> wrote:
>>>>>>
>>>>>>> I would suggest a change, if a ldap user is logging the first  
>>>>>>> time.
>>>> the
>>>>>>> Wiki should create the user in the user.xml - it gives a lot  
>>>>>>> of problem
>>>>>>> when
>>>>>>> adding a ldap user to a wiki group, since it possible that the  
>>>>>>> user
>>>> isn't
>>>>>>> created.
>>>>>>>
>>>>>>>
>>>>>>> On Oct 23, 2009, at 00:38 , Andrew Jaquith wrote:
>>>>>>>
>>>>>>> If a user creates a user profile after logging into the  
>>>>>>> container, he
>>>> or
>>>>>>>>
>>>>>>>> she will have an opportunity to specify a "full name." If a  
>>>>>>>> full name
>>>> is
>>>>>>>> supplied, it will be used in page histories etc from that point
>>>> forward.
>>>>>>>>
>>>>>>>> Andrew
>>>>>>>>
>>>>>>>> On Oct 22, 2009, at 16:34, Harald Krammer <Harald.Krammer@...
>>>>>>>> >
>>>> wrote:
>>>>>>>>
>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>
>>>>>>>>> Hash: SHA256
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>> I run JSPWiki with Web Container Authentication via LDAP and  
>>>>>>>>> it runs
>>>>>>>>> fine (JSPWIki 2.8.2, OpenLDAP 2.4.11, Apache 6.0.20, OpenJDK  
>>>>>>>>> 6).
>>>>>>>>>
>>>>>>>>> Only the visualization of real user name is still missing. I  
>>>>>>>>> get only
>>>>>>>>> the login name (short name) instead of the full name in the  
>>>>>>>>> change
>>>>>>>>> history and so on.  Is it a default behaviour or  
>>>>>>>>> misconfiguration?
>>>>>>>>>
>>>>>>>>> Nice greetings,
>>>>>>>>> Harald
>>>>>>>>>
>>>>>>>>> - --
>>>>>>>>>
>>>>>>>>> Harald Krammer
>>>>>>>>> Brucknerstrasse 33
>>>>>>>>> A - 4020  Linz
>>>>>>>>> AUSTRIA
>>>>>>>>>
>>>>>>>>> Mobil +43.(0) 664. 130 59 58
>>>>>>>>> Mail: Harald.Krammer (at) hkr.at
>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>>>>>>
>>>>>>>>> iEYEAREIAAYFAkrgwegACgkQ9QlAsubHO9vd7QCfT5rEQYRsPUAVvbs/
>>>>>>>>> HrqMiWfZ
>>>>>>>>> w6cAnjEp4FKX+3T3szBwW1n+DbCMd0z0
>>>>>>>>> =Kd7Y
>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>