directory-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Directory Wiki] Update of "ApacheDirectoryServer" by CKoppelt
Date Thu, 22 Feb 2007 12:47:23 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Directory Wiki" for change notification.

The following page has been changed by CKoppelt:
http://wiki.apache.org/directory/ApacheDirectoryServer

------------------------------------------------------------------------------
+ deleted
- ## page was renamed from EveGeneral
- ##language:en
  
- = General Things About Apache Directory Server =
- 
- == Development Ideas ==
- Use this list to categorise development ideas for the server.
-  1.#1 LoggingPlan
- 
- == Out-of-the-box Authentication ==
- 
-  * ApacheDS's super-user (uid=admin,ou=system) account is created on the first start and
has its userPassword field set to "secret".  It's created when the system partition is created.
 From here on its up to the administrator to change this password.  No other user besides
admin has access to the superuser's entry.
- 
-  * Another test user account uid=akarasulu,ou=users,ou=system is created on first startup
and has password "test".  Use it to play. 
- 
-  * Any entry with a userPassword attribute containing a plain text password can be authenticated.
 The user need not be under ou=users, ou=system.
- 
-  * There are advantages to creating entries with userPassword fields under ou=users, ou=system.
 First the entry is available regardless of the context partitions that are created.  The
entry is also protected by some hardcoded authorization rules within the system.  Namely only
self read is possible for all non-admin principals on their own accounts.  Standard principals
cannot see the credentials of others minus the super-user of course.  This is an intermediate
hardcoded authorization rule set until the authorization subsystem matures.
- 
-  * By default, anonymous binds are allowed both via JNDI interfaces and via LDAP based network
clients.  So the server will start and work without any initial configuration.  The presence
of the "server.disable.anonymous" property key disables anonymous user access on both interfaces
(JNDI and LDAP).
- 
- = Authenticator SPI =
- There are 3 ways in which a client can authenticate to the ApacheDS: anonymous, simple,
and SASL. Currently only anonymous and simple mechanism (with plain text password) are supported
by default in ApacheDS. See http://java.sun.com/products/jndi/tutorial/ldap/security/index.html
for more information.
- 
- Using the Authenticator SPI you can implement your own authentication mechanism. You can
create an authenticator to extend the simple authentication mechanism to support encryption
such as Crypt, SHA, etc. You can also create an authenticator to support SASL mechanisms such
as DIGEST-MD5, etc.
- 
- == Writing Authenticator ==
- Your authenticator class has to extend the org.apache.ldap.server.authn.AbstractAuthenticator.
See the following example:
- 
- {{{
- import javax.naming.NamingException;
- 
- import org.apache.ldap.server.authn.AbstractAuthenticator;
- import org.apache.ldap.server.authn.LdapPrincipal;
- import org.apache.ldap.server.jndi.ServerContext;
- import org.apache.ldap.common.exception.LdapNoPermissionException;
- import org.apache.ldap.common.name.LdapName;
- 
- public class MyAuthenticator extends AbstractAuthenticator {
- 
-     public MyAuthenticator( )
-     {
-         // create authenticator that will handle "simple" authentication mechanism
-         super( "simple" );
-     }
- 
-     public void init() throws NamingException
-     {
-         ...
-     }
- 
-     public LdapPrincipal authenticate( ServerContext ctx ) throws NamingException
-     {
-         ...
- 
-         // return the authorization id
-         return createLdapPrincipal( dn );
-     }
- }
- }}}
- 
- This class needs to have a no-argument constructor. The constructor should call the super()
constructor with the authentication mechanism it is going to handle. In the above example,
MyAuthenticator class is going to handle the simple authentication mechanism. To implement
a SASL mechanism you need to call super() with the name of the SASL mechanism, e.g. super(
"DIGEST-MD5" ).
- 
- You can optionally implement the init() method to initialize your authenticator class. This
will be called when the authenticator is loaded by ApacheDS during start-up.
- 
- When a client performs an authentication, ApacheDS will call the authenticate() method.
You can get the client authentication info from the server context. After you authenticate
the client, you need to return the authorization id. If the authentication fails, you should
throw an LdapNoPermissionException.
- 
- When there are multiple authenticators registered with the same authentication type, ApacheDS
will try to use them in the order it was registered. If one fails it will use the next one,
until it finds one that successfully authenticates the client.
- 
- == JNDI Properties ==
- To tell ApacheDS to load your custom authenticators, you need to specify it in the JNDI
Properties. You can also optionally specify the location of a .properties file containing
the initialization parameters. See the following example: 
- 
- {{{
- server.authenticators=myauthenticator yourauthenticator
- 
- server.authenticator.class.myauthenticator=com.mycompany.MyAuthenticator
- server.authenticator.properties.myauthenticator=myauthenticator.properties
- 
- server.authenticator.class.yourauthenticator=com.yourcompany.YourAuthenticator
- server.authenticator.properties.yourauthenticator=yourauthenticator.properties
- }}}
- 
- 
- == Custom Partition ==
- ApacheDS functionalities can be extended using a custom partition. With custom partition
you have a full control of how the data should be stored/retrieved in the backend. To use
a custom partition first you need to write an implementation class, then configure it in the
JNDI Properties, and optionally write a .properties file containing the initialization parameters
for your custom partition.
- 
- === Writing Custom Partition ===
- Your custom partition class has to implement the org.apache.ldap.server.ContextPartition
interface. This class needs to have a constructor that takes three parameters:
- 
-  * The un-normalized suffix of this partition
-  * The normalized suffix
-  * The path to the .properties file containing the initialization parameters
- 
- See the following example:
- {{{
- package com.mycompany;
- 
- import java.util.Map;
- import javax.naming.Name;
- import javax.naming.NamingEnumeration;
- import javax.naming.NamingException;
- import javax.naming.directory.Attributes;
- import javax.naming.directory.ModificationItem;
- import javax.naming.directory.SearchControls;
- 
- import org.apache.ldap.common.filter.ExprNode;
- import org.apache.ldap.server.ContextPartition;
- 
- public class MyPartition implements ContextPartition {
- 
-     /**
-      * Constructor.
-      *
-      * @param upSuffix         the user provided suffix without normalization
-      * @param normalizedSuffix the normalized suffix
-      * @param properties       path to the properties file
-      */
-     public MyPartition(Name upSuffix, Name normalizedSuffix, String properties)
-         throws Exception { ... }
- 
-     /**
-      * @see org.apache.ldap.server.ContextPartition
-      * @see org.apache.ldap.server.BackingStore
-      */
-     public Name getSuffix(boolean normalized) { .... }
- 
-     public void delete(Name dn) throws NamingException { ... }
- 
-     public void add(String upName, Name normName, Attributes entry)
-         throws NamingException { ... }
- 
-     public void modify(Name name, int i, Attributes attributes)
-         throws NamingException { ... }
- 
-     public void modify(Name name, ModificationItem[] modificationItems)
-         throws NamingException { ... }
- 
-     public NamingEnumeration list(Name dn)
-         throws NamingException { ... }
- 
-     public NamingEnumeration search(Name base, Map env, ExprNode filter,
-         SearchControls searchControls) throws NamingException { ... }
- 
-     public Attributes lookup(Name dn) throws NamingException { ... }
- 
-     public Attributes lookup(Name dn, String[] attrIds)
-         throws NamingException { ... }
- 
-     public boolean hasEntry(Name name) throws NamingException { ... }
- 
-     public boolean isSuffix(Name name) throws NamingException { ... }
- 
-     public void modifyRn(Name name, String newRn, boolean deleteOldRn)
-         throws NamingException { ... }
- 
-     public void move(Name oriChildName, Name newParentName)
-         throws NamingException { ... }
- 
-     public void move(Name oriChildName, Name newParentName,
-         String newRn, boolean deleteOldRn) throws NamingException { ... }
- 
-     public void sync() throws NamingException { ... }
- 
-     public void close() throws NamingException { ... }
- 
-     public boolean isClosed() { ... }
- }
- }}}
- 
- === JNDI Properties ===
- Configuring a custom partition is similar to configuring a regular partition with the addition
of two property keys:
-  * '''server.db.partition.class.${id}''': your custom partition class
-  * '''server.db.partition.properties.${id}''': path to the .properties file (optional)
- 
- See the following example:
- {{{
- server.db.partitions                                   = mypartition
- server.db.partition.suffix.mypartition                 = dc=mycompany,dc=com
- server.db.partition.class.mypartition                  = com.mycompany.MyPartition
- server.db.partition.properties.mypartition             = mypartition.properties
- server.db.partition.indices.mypartition                = objectClass ou uid
- server.db.partition.attributes.mypartition.objectClass = top domain extensibleObject
- server.db.partition.attributes.mypartition.dc          = mycompany
- }}}
- 
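Review bot: the single added line `+ deleted` replaces the entire page body with one word and gives no pointer to where the content went, so anyone reaching ApacheDirectoryServer (including via the old EveGeneral name recorded in the removed `## page was renamed from EveGeneral` line) hits a dead end; a one-line link to the successor page, or a wiki redirect, would serve readers better than leaving "deleted" as the page text. The removed text is also the only material on this page that an operator needs before exposing the server: the super-user uid=admin,ou=system is created with userPassword "secret", a test account uid=akarasulu,ou=users,ou=system is created with password "test", any entry holding a plain-text userPassword can bind, and anonymous binds are allowed on both the JNDI and LDAP interfaces unless the "server.disable.anonymous" property is present. If those defaults are stale, the change should say so, so that nobody keeps assuming them; if they have merely moved, the new location should be linked from here, together with the integration contracts the removed sections defined (the Authenticator SPI with its no-argument constructor calling super() with the mechanism name, the server.authenticators / server.authenticator.class.* / server.authenticator.properties.* keys, the three-argument ContextPartition constructor, and the server.db.partition.class.${id} / server.db.partition.properties.${id} keys), since those are what a downstream integrator would search this wiki for.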
