Hi,
We have the need to store a large number of users in an external system, and restrict areas of our CQ powered site to those users. It looks like the Closed User Group feature is a good fit for this. It also looks like we can create a custom Login Module to authenticate users against the external system.
I'm not clear though how the users would be tied against the closed user group mechanism. It seems that when you define a CUG the ACLs for the tree are updated to restrict access to the group, which is reasonable enough. However, am I right in thinking for the ACL permissions to work the users and groups would need to by synced to the JCR from the external system, similar to how the LDAP LoginModule does ? Or in other words, is it possible to keep all user and group membership details isolated in the external system while using the CUG facility ?
Thanks.
Solved! Go to Solution.
Views
Replies
Total Likes
In theory you don't need user group in CQ for CUG. However you need something in CQ from which users (author) can select principals (user/group) and assign to page. If they can manually enter it, thats fine as well (In that case you don't need to store any thing). You need to write custom auth handler and login module to resolve principal from external system and may be store in cookie for further handling.
Yogesh
Views
Replies
Total Likes
In theory you don't need user group in CQ for CUG. However you need something in CQ from which users (author) can select principals (user/group) and assign to page. If they can manually enter it, thats fine as well (In that case you don't need to store any thing). You need to write custom auth handler and login module to resolve principal from external system and may be store in cookie for further handling.
Yogesh
Views
Replies
Total Likes
Hi Yogesh,
When an author uses the CUG facility they set the group principal in the page property dialog, which in turn sets the ACLs in the content hierarchy. However, the group principal is selected from groups held in the JCR as far as I can tell. I think I can use the CUG auth handler as it is, but write a login module for the external system.
But what I don't understand is if it's possible for my login handler to associate user principals with group principals held in the JCR for the ACLs against the content. I'm experimenting with the LDAP Login Module to see if I can get this working with the CUG facility without syncing users & groups.
Jon
Views
Replies
Total Likes