[Carbon-dev] Verifying few things regarding creating user groups in LDAP.
hasini at wso2.com
Wed Mar 9 02:40:41 PST 2011
This is implemented in user core now and I would like to mention some of the
implementation level decisions made while doing the $subject, which are
different from JDBCUserStoreManager.
If you see any flaws or better alternatives, please let me know.
1. 'Everyone role' and 'registry anonymous role' are carbon server specific.
Hence they are not written to LDAP user store.
They are handled by hybrid role manager as it has been done with read only
LDAP user store.
2. In LDAP groups, there's a requirement that at least one user should be a
When creating a role, we need to include at least one user in that
role. Otherwise an error is set to be shown through management console.
Also, when deleting a user, if that user has been the only member of
any of the existing roles, the user is not allowed to be removed. (As an
alternative, maybe we can remove the role also when its last user entry is
I am wondering whether above would be confusing to user since it is
different from previous behavior.
Then I would like to clarify following things too regarding this:
i. There are some user-level functionalities which include several LDAP
operations. And currently these are not atomic. Do we need to make them
(LDAP itself does not support the transaction concept. But I read about a
Spring API which allows making LDAP operations atomic.)
Currently "WriteLDAPGroups" property is set to false by default in
Before configuring it to true by default, I would really appreciate any
comments or feedback on the above.