To connect a CMS application to an LDAP-based user manager, the LDAP server only has to fulfill a small number of conditions:

First, two schemes (object classes) must be defined which allow users and user groups to be identified as Content Manager users or Content Manager groups respectively. For example, there could be a scheme called fionaUser and one called fionaGroup, assigned to those LDAP entries which are to represent the users and the groups (entries of the classes inetOrgPerson and groupOfUniqueNames, for example).
An entry which represents a Content Manager user must possess an attribute (e.g. uid) which is suitable for defining a login. The login must be unique across all entries, i.e. the user must be identified uniquely by this field. Additionally, only values that satisfy the general criteria for logins may be accepted in this field.
An entry for a Content Manager user must possess an additional attribute which corresponds to the user password in the Content Manager. The value of this attribute must satisfy the general criteria for passwords. The password can be stored in unencrypted form, hashed using the crypt method, or base64-encoded. Note that of these three forms only crypt is a one-way hash; base64 is an encoding, not encryption, and a base64 value is as easily recovered as a cleartext one by anyone who can read the attribute. Prefer crypt, and restrict read access to the password attribute in the LDAP server's access controls.
An entry which represents a Content Manager user group must possess an attribute which is suitable for defining a group name. The group name must be unique across all entries, i.e. the group must be identified uniquely by this field.
It must be possible to assign the users and the user groups of the CMS application to each other. This means that either the user entries must possess an attribute in which the groups they belong to are stored, or the group entries must possess a corresponding attribute listing the users who belong to them.
Additionally, both group entries and user entries should possess attributes in which the granted global permissions are stored. The permissions need only be saved as strings, since the user manager does not have to administer the relevant permissions in the Content Manager. It must also be possible to determine whether a user is a superuser or not; to do this, the users can, for example, be given a superuser attribute.
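The conditions listed above can be checked mechanically before the user manager is switched over to LDAP. The following is an added example written for this page, not code from the Content Manager or its LDAP user manager: it parses a small constructed LDIF sample, verifies unique and well-formed logins and group names, classifies how each password is stored (and shows that the cleartext and base64 forms are trivially recoverable), resolves group membership stored on either the user or the group side, and reads the superuser flag and the global permissions. The object classes fionaUser and fionaGroup, the uid login and the superuser attribute follow the text; the attribute names fionaPermission and memberOf, the use of uniqueMember, the login regex and the placeholder {CRYPT} value are assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed sample directory in LDIF form. fionaUser, fionaGroup, uid and
# superuser follow the page; fionaPermission, memberOf and uniqueMember are
# assumptions, and the {CRYPT} value is a placeholder, not a real hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: fionaUser
uid: alice
userPassword: {CRYPT}$6$Qk3yJ4s8$placeholderhashvalue
fionaPermission: permissionGlobalUserEdit
superuser: TRUE

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: fionaUser
uid: bob
userPassword: c2VjcmV0
fionaPermission: permissionGlobalExport

dn: uid=bob2,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: fionaUser
uid: bob
userPassword: hunter2

dn: cn=editors,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: fionaGroup
cn: editors
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com
fionaPermission: permissionGlobalRead
"""

# Assumed "general criteria for logins"; the page does not spell them out.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, attributes multi-valued."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def password_form(value):
    """Classify a stored password as 'crypt', 'base64' or 'cleartext'.
    Only {CRYPT} is a one-way hash. The page does not say how the Content
    Manager tells base64 from cleartext; here a value that decodes to
    printable ASCII is treated as base64 (an assumption)."""
    if value.startswith("{CRYPT}"):
        return "crypt"
    try:
        decoded = base64.b64decode(value, validate=True)
        if decoded and all(32 <= b < 127 for b in decoded):
            return "base64"
    except (binascii.Error, ValueError):
        pass
    return "cleartext"


def recover_password(value):
    """Return the plaintext for the two reversible forms, None for crypt."""
    form = password_form(value)
    if form == "base64":
        return base64.b64decode(value).decode("ascii")
    return value if form == "cleartext" else None


def has_class(entry, name):
    return name in entry.get("objectClass", [])


def check_directory(entries):
    """Report violated conditions as 'error:' lines and weak password storage as 'warning:' lines."""
    problems, logins, groups = [], {}, {}
    for e in entries:
        dn = e["dn"][0]
        if has_class(e, "fionaUser"):
            login = e.get("uid", [None])[0]
            if login is None or not LOGIN_RE.match(login):
                problems.append(f"error: {dn}: missing or invalid login {login!r}")
            elif login in logins:
                problems.append(f"error: {dn}: duplicate login {login!r} (also {logins[login]})")
            else:
                logins[login] = dn
            pw = e.get("userPassword", [None])[0]
            if pw is None:
                problems.append(f"error: {dn}: no password attribute")
            elif password_form(pw) != "crypt":
                problems.append(f"warning: {dn}: password stored as {password_form(pw)}, recoverable by any reader")
        if has_class(e, "fionaGroup"):
            name = e.get("cn", [None])[0]
            if name is None:
                problems.append(f"error: {dn}: group without a name")
            elif name in groups:
                problems.append(f"error: {dn}: duplicate group name {name!r}")
            else:
                groups[name] = dn
    return problems


def resolve_membership(entries):
    """Map each login to its groups, accepting membership stored on either side:
    uniqueMember (user DNs) on the group, or memberOf (group DNs) on the user."""
    dn_to_login = {e["dn"][0]: e["uid"][0] for e in entries if has_class(e, "fionaUser") and "uid" in e}
    dn_to_group = {e["dn"][0]: e["cn"][0] for e in entries if has_class(e, "fionaGroup") and "cn" in e}
    membership = {login: set() for login in dn_to_login.values()}
    for e in entries:
        dn = e["dn"][0]
        for member_dn in e.get("uniqueMember", []) if dn in dn_to_group else []:
            if member_dn in dn_to_login:
                membership[dn_to_login[member_dn]].add(dn_to_group[dn])
        for group_dn in e.get("memberOf", []) if dn in dn_to_login else []:
            if group_dn in dn_to_group:
                membership[dn_to_login[dn]].add(dn_to_group[group_dn])
    return membership


def is_superuser(entry):
    """A user is a superuser when its superuser attribute is TRUE (assumed boolean syntax)."""
    return entry.get("superuser", ["FALSE"])[0].upper() == "TRUE"


def global_permissions(entry):
    """Global permissions are plain strings, as the page requires."""
    return set(entry.get("fionaPermission", []))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for problem in check_directory(directory):
        print(problem)
    print(resolve_membership(directory))
```

Run against the sample, the checker reports the duplicate login bob as an error and the base64 and cleartext passwords as warnings, while alice's {CRYPT} value passes; recover_password() makes the point of the warning concrete by returning "secret" and "hunter2" for the two weak forms and None for the hash. In a real deployment the sample text would be replaced by an ldapsearch export of the user and group subtrees.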