posted 17 years ago
Haven't checked the code, but my memory of the JForum LDAP authenticator is that it can only use one ou (but may search for user info in OUs below that one).
Given what you have described, I think you'll need to write your own implementation to get this to happen.
FWIW, when doing any SSO integration there are actually three main functions that need to be considered.
1) Authentication - Verifying that the user is who they say they are.
2) Information - e.g. real name, e-mail, avatar, and the like
3) Authorization - What can the user do?
Often people mix up all these functions and call it Authentication. But you really need to consider each of these areas separately.
In addition, you need to consider how much each of these areas changes and how you need to manage the changes. I tend to think of these factors as representing how "tightly" integrated you want to make JForum with your application.
It is possible to tightly integrate all three functions into an existing service that supplies these functions, so that JForum User objects get applicable user information (like name, e-mail, etc.) from your application when they are created, and so that JForum's group membership is based on non-JForum information.
However, tightly integrated means highly customized since there are few standards that cover all these areas and each application you're integrating with is different. To do this means using the JForum SSO mechanism to deal with authentication and the DAO mechanism to deal with user information and authorization.
On the other hand, it is also possible to "loosely" integrate JForum with an external application. This is generally done by using the SSO mechanism to populate the JForum db with the initial user information and group membership the first time a user logs on. This can be done by just using the SSO mechanism and is much simpler to code.
[originally posted on jforum.net by monroe]
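
The loose and tight integration described in the post above, modelled as an added example (not part of the original post and not JForum code): the external service always authenticates, and the two variants differ only in where authorization is read from after a group change upstream. All class names, the `DIRECTORY` data and `demo()` are hypothetical.

```python
import copy
import hmac
from dataclasses import dataclass

# Constructed sample data standing in for the external application's user store.
# Plaintext passwords are only to keep the sample short.
DIRECTORY = {
    "alice": {"password": "s3cret", "name": "Alice A.",
              "email": "alice@example.org", "groups": {"staff", "moderators"}},
}

@dataclass
class ForumUser:
    username: str
    name: str
    email: str
    groups: set

class LooseIntegration:
    """External service authenticates; profile and groups are copied once."""
    def __init__(self, directory):
        self.directory = directory
        self.local = {}  # stands in for the forum's own user table

    def authenticate(self, username, password):
        # 1) Authentication: always answered by the external service.
        entry = self.directory.get(username)
        return entry is not None and hmac.compare_digest(entry["password"], password)

    def login(self, username, password):
        if not self.authenticate(username, password):
            return None
        if username not in self.local:
            # 2) Information and 3) Authorization: copied on first login only.
            e = self.directory[username]
            self.local[username] = ForumUser(username, e["name"], e["email"], set(e["groups"]))
        return self.local[username]

    def can(self, username, group):
        user = self.local.get(username)
        return user is not None and group in user.groups

class TightIntegration(LooseIntegration):
    """Same authentication, but authorization is read upstream on every check."""
    def can(self, username, group):
        entry = self.directory.get(username)
        return entry is not None and group in entry["groups"]

def demo():
    directory = copy.deepcopy(DIRECTORY)
    loose, tight = LooseIntegration(directory), TightIntegration(directory)
    loose.login("alice", "s3cret"); tight.login("alice", "s3cret")
    directory["alice"]["groups"].discard("moderators")  # change made upstream
    return loose.can("alice", "moderators"), tight.can("alice", "moderators")
```

With the loose variant, a group removed upstream stays in effect locally until the local copy is updated by some other means.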