- This topic has 7 replies, 2 voices, and was last updated 10 years, 10 months ago by sdc-support.
ic.gc.ca (Participant):
When writing a DeliveryExternalUsersExtension, is the extension responsible for administering groups, or does the Groups section of the SDC Admin Console still control which users are in or out?
For example: All users in the ‘company’ will be able to authenticate, but only those who are in a Group defined by SDC Admin will be allowed to see an Eclipse distribution.
From my understanding, if the extension does not include the ExternalUserCapability.SYSTEM_ADMIN_MANAGEMENT capability then who is an Admin is controlled by the SDC Admin Console; but under Basic External User Example in the documentation it states: “No administrators are managed by the system, so make sure you create an administrator, for example “user100”, before you enable this example.” Does that mean that user100 should be created in the external user repository or through the SDC Admin Console or both? If the extension does not want to manage administrators, is it sufficient to create an admin user through SDC Admin Console, say sdcAdmin, that also exists in the external repository? Effectively the sdcAdmin user will be authenticated by the extension, but assigned the Admin role by SDC Admin Console.
Thanks in advance!
sdc-support (Member):
Hello,
Groups are always managed by the Group section, regardless of the extensions.
Installation of your LDAP extension which doesn’t control administration requires a little sleight-of-hand trick to bootstrap administrators. You need to create an administrator in SDC with the same ID as will come from LDAP before installing the extension. Normally, people do this for their own LDAP user. So let’s say your LDAP user is icgcca, then you’ll want to create a user “icgcca” and mark it as an administrator and then install your LDAP extension. The administrative rights are associated with the user ID, not with the LDAP entry so any administrator you create before installing your extension will still be an administrator after installing the extension, provided that their user IDs match. Finally, once you have the extension installed, you can search and assign administrative rights to new users from LDAP.
Hope this helps you to move forward.
If you have additional questions, please, let us know. We appreciate your comments.
Regards, Hugo Herrera.
ic.gc.ca (Participant):
Thanks, it’s clear now.
One request for the future is to provide an interface for these classes, or make them non-final, so that mocks can be created for them to test outside of the RPC dependencies.
DeliveryExternalUserAuthenticateRequest
DeliveryExternalUserAuthenticateResponse
DeliveryExternalUserSearchRequest
DeliveryExternalUserSearchResponse
sdc-support (Member):
Hello,
We are glad to hear you are able to move forward and thank you very much for your suggestion.
I will create an internal feature request to discuss it with the team.
Regards, Hugo Herrera.
ic.gc.ca (Participant):
The plugin is now installed via the Manifest inspection method. Prior to installation a new admin account called extAdmin was created and granted the admin rights. The server (Linux) is started via the ./deliveryCenterServer method and the Admin Console can now be accessed through the extAdmin account.
*** This is a symptom of the polling from the Web Console, so is not an issue. ***
However the server is still looking to authenticate the original default ‘admin’ account. That default ‘admin’ account is not managed by the extension. Should that account be deleted through the Admin Console? If that is true when / if the extension is ‘unplugged’ how does one resurrect the default ‘admin’, same way add a non-extension-managed account through Admin Console and then ‘unplug’ the extension?
ic.gc.ca (Participant):
Also, roughly every 5-15 seconds it attempts a re-authentication. Is there a config file to control the frequency? It seems that when a user is logged into the web console http://hostname:1305/ is the only time this happens; as soon as you log out it stops. The Thick-Client (Admin Console) is fine.
ic.gc.ca (Participant):
Also, for the Manifest, the javadoc states the Manifest should include:
Delivery-External-Users-Extension: com.example.ExampleExternalUsersExtensionImpl
but the example states the Manifest should include:
Delivery-External-Users: com.example.TheBobsExternalUsersImpl
The example way works; the javadoc way does not.
sdc-support (Member):
Hello,
I apologize for this late response.
There is no problem whether you decide to delete or keep your old admin account since you already created the ‘extAdmin’. If you remove the plugin, the ‘extAdmin’ already has the access rights to do any admin task within the Admin Console as the default ‘admin’ does. If you decide to keep it, then if you remove the plugin both accounts will work.
*** This is a symptom of the polling from the Web Console, so is not an issue. ***
However the server is still looking to authenticate the original default ‘admin’ account. That default ‘admin’ account is not managed by the extension. Should that account be deleted through the Admin Console? If that is true when / if the extension is ‘unplugged’ how does one resurrect the default ‘admin’, same way add a non-extension-managed account through Admin Console and then ‘unplug’ the extension?
As you suspect, this only happens when the admin portal is open; this is because it is trying to pull info via an AJAX request every couple of seconds. Once the portal is closed that tick will go away. Unfortunately there is no way to change the frequency at which the portal performs these requests; please let us know if this implies a problem for you.
Also, roughly every 5-15 seconds it attempts a re-authentication. Is there a config file to control the frequency? It seems that when a user is logged into the web console http://hostname:1305/ is the only time this happens; as soon as you log out it stops. The Thick-Client (Admin Console) is fine.
We will open a documentation bug to update it.
Also for the Manifest the javadoc states the Manifest should include:
Delivery-External-Users-Extension: com.example.ExampleExternalUsersExtensionImpl
but the example states the Manifest should include:
Delivery-External-Users: com.example.TheBobsExternalUsersImpl
The example way works; the javadoc way does not.
We appreciate your comments, please let us know if you have any questions.
Regards, Hugo Herrera.
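An added example (not from the thread or from the SDC documentation): a pre-install check that reads a plug-in JAR's manifest and reports which of the two header names quoted above it carries, so a JAR built from the javadoc wording is caught before deployment. The function names and status strings are assumptions made for illustration; the header names and class names are the ones quoted in the posts.

```python
import io
import zipfile

WORKING_HEADER = "Delivery-External-Users"            # form the thread reports as working
JAVADOC_HEADER = "Delivery-External-Users-Extension"  # form the thread reports as not working


def parse_manifest_main(text):
    """Parse the main section of a MANIFEST.MF, joining continuation lines."""
    headers, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # a blank line ends the main section
        if line.startswith(" ") and last:
            headers[last] += line[1:]  # continuation: drop the single leading space
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()  # manifest header names are case-insensitive
            headers[last] = value.strip()
    return headers


def check_extension_jar(jar_bytes):
    """Return (status, class_name) for a plug-in JAR supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            raw = jar.read("META-INF/MANIFEST.MF")
        except KeyError:
            return ("no-manifest", None)
    headers = parse_manifest_main(raw.decode("utf-8"))
    for status, name in (("ok", WORKING_HEADER), ("javadoc-header-only", JAVADOC_HEADER)):
        if name.lower() in headers:
            return (status, headers[name.lower()])
    return ("no-extension-header", None)


def build_sample_jar(manifest_text):
    """Constructed sample input: an in-memory JAR holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar("Manifest-Version: 1.0\r\n" + JAVADOC_HEADER + ": com.example.ExampleExternalUsersExtensionImpl\r\n")
    print(check_extension_jar(sample))
```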