directory-dev mailing list archives

From Jérôme Baumgarten <jbaumgar...@gmail.com>
Subject Re: Using Eve as a proxy to an existing LDAP server - Interceptor HOW-TO
Date Tue, 16 Aug 2005 15:44:48 GMT
You kinda lost me in your reply.

My first step is to do pass-through. But I still need to be able to
authenticate the user. Let's assume the following example with two
proxied LDAP servers A and B.
If my "proxyA" partition root DN is "dc=domainA,dc=com" and the user
DN is "uid=userA,dc=domainA,dc=com" I need to authenticate against the
proxied LDAP server A.

If my "proxyB" partition root DN is "dc=domainB,dc=com" and the user
DN is "uid=userB,dc=domainB,dc=com" I need to authenticate against the
proxied LDAP server B.

Otherwise I can consider that the default ApacheDS authenticator will reply.

Also, when my authenticator is called, knowing if the associated
partition does not serve the user DN can reduce network traffic by just
trying to bind to the LDAP server.

Jerome

On 8/16/05, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> Well, another way to look at it is whether or not you want to do "pass
> through" operations.  For instance if I could bind as
> "cn=user,dc=domain,dc=com"  but it might not matter how I perform
> operations.  If this is the case you don't need to worry about tying
> them together.  Otherwise I don't think there's an easy tie back from
> the authenticator, or at least there wasn't the last time I tried to
> build a proxy (apacheds .9).  You may be able to use a Singleton.
> 
> Marc
> 
> On 8/16/05, Jérôme Baumgarten <jbaumgarten@gmail.com> wrote:
> > I know about Penrose but I would preferably use ApacheDS since Penrose
> > does more than I actually need.
> >
> > With a proxy, the information about the user won't be in the ApacheDS
> > base but part of the proxied LDAP server. From what I've understood I
> > thus need to provide my own Authenticator. That authenticator should
> > just authenticate the user against the proxied LDAP. To do that I need
> > to know which ContextPartition that user (DN) belongs to. Is it
> > possible to get that information from within the authenticator ? Like
> > given a DN, is it possible to get the ContextPartition it belongs to ?
> > Another way, is it possible to associate an authenticator with one or
> > more partitions ?
> >
> > Regards,
> > Jérôme
> >
> > On 8/16/05, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> > > Ah, yes.  You are 100% correct in your assumptions then.  BTW, there
> > > is already a virtual directory (based on apacheds) called Penrose.
> > > I've not tried it but I think it has a mapping capability in addition
> > > to proxy support.
> > >
> > > Marc
> > >
> > >
> > > On 8/16/05, Jérôme Baumgarten <jbaumgarten@gmail.com> wrote:
> > > > I understand that to do simple proxying all I need to do is to
> > > > implement my own ContextPartition. But this is only the first step of
> > > > what I plan to do.
> > > >
> > > > The second step (as explained in my first post) is to be able to
> > > > change, if necessary, incoming requests (like the filter), change the
> > > > outgoing results, and maybe send the proxied LDAP server some LDAP
> > > > requests to enrich the results ApacheDS should send back to the
> > > > client. To my understanding, this could be done as an interceptor,
> > > > thus leaving my ContextPartition just doing proxying and nothing else.
> > > > Am I correct ? My intent is to have a ContextPartition that only does
> > > > proxying, nothing else, making it a reusable component for myself and
> > > > anyone else interested. I believe that what needs to be done to
> > > > realize my step 2 should definitely not be in the ContextPartition.
> > > >
> > > > On 8/16/05, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> > > > > I think you are confusing interceptors and contexts.  An interceptor is
> > > > > something that sits between the protocol stack and the context (just
> > > > > as a servlet filter sits between the container and the servlet/jsp).
> > > > > You want to look at implementing a custom partition, which is covered
> > > > > in the wikis.
> > > > >
> > > > > You are correct in your assertion that you do not need to worry about
> > > > > schema (for the most part) when proxying a remote directory.
> > > > >
> > > > > Marc
> > > > >
> > > > > On 8/16/05, Jérôme Baumgarten <jbaumgarten@gmail.com> wrote:
> > > > > > On 8/12/05, Trustin Lee <trustin@gmail.com> wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > 2005/8/11, Jérôme Baumgarten <jbaumgarten@gmail.com>:
> > > > > > > > In this PowerPoint presentation
> > > > > > > > (http://www.google.com/url?sa=t&ct=res&cd=1&url=https%3A//karasulu.homeip.net/svn/akarasulu/apachecon/eve-presentation/eve-intro-long.ppt&ei=DTb7QuLIE8emQeOnwNMB),
> > > > > > > > I've read that it is possible to use Eve as a proxy to an existing
> > > > > > > > LDAP server.
> > > > > > >
> > > > > > >  Yes, you can.  There is an interface called 'ContextPartition' that you can
> > > > > > > implement.  You could implement it to work as a proxy to another LDAP server.
> > > > > > >
> > > > > > >
> > > > > > > > The second step is a bit more complicated but it seems that with some
> > > > > > > > coding that should be possible. To make that off-the-shelf application
> > > > > > > > work with my own LDAP using custom model and schema, I would need to be
> > > > > > > > able to "catch" incoming requests and under some conditions
> > > > > > > > re-evaluate search to return the correct results. According to that
> > > > > > > > same presentation, I believe that I should go for the Interceptor. Is
> > > > > > > > there any information available out there to help me deal with it ?
> > > > > > >
> > > > > > >  You can generate ApacheDS schema classes from LDAP schema file using a
> > > > > > > Maven plugin we've created.  And of course you can configure ApacheDS to
> > > > > > > load them when it starts up.
> > > > > >
> > > > > > Thanks, but is this mandatory ? In the first step, all I want it to do
> > > > > > is to proxy (relay) incoming LDAP requests to another LDAP server. To
> > > > > > what extent does ApacheDS need to know the schema to just relay the
> > > > > > requests ?
> > > > > >
> > > > > > Also, is there any publicly available documentation on the
> > > > > > interceptors ? It looks like that is the way to go to fulfill my
> > > > > > second step.
> > > > > >
> > > > > > >  Trustin--
> > > > > > > what we call human nature is actually human habit
> > > > > > > --
> > > > > > > http://gleamynode.net/
> > > > > >
> > > > > > Regards,
> > > > > > Jérôme
> > > > > >
> > > > >
> > > >
> > >
> >
>
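The DN-to-partition routing this thread is after (bind as "uid=userA,dc=domainA,dc=com" goes to proxied server A, "uid=userB,dc=domainB,dc=com" to server B, anything else falls through to the default authenticator, and a partition's authenticator returns early without any network traffic when the DN is not under its root), as an added example that is not part of the thread and not ApacheDS code: ApacheDS is Java and its Authenticator and ContextPartition interfaces are not used here. The partition names proxyA/proxyB, their root DNs, the fake bind backends and the sample DNs are constructed for illustration.

```python
"""Route an LDAP bind DN to the proxied partition whose root DN is a suffix of it.

Added example, not ApacheDS code. Partition names, root DNs and the fake
backends are constructed to mirror the mailing-list thread.
"""
from __future__ import annotations

from typing import Callable, Optional


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into normalised (attribute, value) RDN pairs, leaf first.

    Only simple DNs are handled (no escaped commas, no multi-valued RDNs),
    which is enough for the routing decision shown here.
    """
    rdns: list[tuple[str, str]] = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical lower-case, whitespace-free form used as a lookup key."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def dn_under_root(dn: str, root: str) -> bool:
    """True when root is a component-wise suffix of dn (or equal to it).

    Comparing RDN components instead of raw strings avoids two mistakes of a
    plain str.endswith() check: case/whitespace variants of the same DN would
    not match, and an attribute type that merely ends in 'dc' (for example
    'uid=a,xdc=domainA,dc=com') would wrongly match the proxyA root.
    """
    dn_rdns, root_rdns = parse_dn(dn), parse_dn(root)
    return len(root_rdns) <= len(dn_rdns) and dn_rdns[-len(root_rdns):] == root_rdns


# A backend is anything that takes (dn, password) and returns True/False.
BindBackend = Callable[[str, str], bool]


class ProxyAuthenticator:
    """Authenticator for one proxied partition (hypothetical, not ApacheDS's)."""

    def __init__(self, name: str, root_dn: str, backend: BindBackend) -> None:
        self.name = name
        self.root_dn = root_dn
        self.backend = backend

    def authenticate(self, dn: str, password: str) -> Optional[bool]:
        # Not our DN: decline without touching the network (the early exit
        # the thread asks for). Otherwise bind against the proxied server.
        if not dn_under_root(dn, self.root_dn):
            return None
        return self.backend(dn, password)


def route_bind(dn: str, password: str,
               authenticators: list[ProxyAuthenticator]) -> tuple[str, Optional[bool]]:
    """Try proxy authenticators, most specific root first; else 'default'.

    Returns (partition name, bind result). ('default', None) means no proxy
    partition serves the DN and the default ApacheDS authenticator applies.
    """
    ordered = sorted(authenticators, key=lambda a: len(parse_dn(a.root_dn)), reverse=True)
    for auth in ordered:
        result = auth.authenticate(dn, password)
        if result is not None:
            return auth.name, result
    return "default", None


# Constructed stand-ins for the two proxied LDAP servers; each records the
# DNs it was asked to bind so the early exit can be observed.
BIND_LOG: dict[str, list[str]] = {"proxyA": [], "proxyB": []}


def fake_backend(name: str, valid: dict[str, str]) -> BindBackend:
    def bind(dn: str, password: str) -> bool:
        BIND_LOG[name].append(dn)
        return valid.get(normalize_dn(dn)) == password
    return bind


AUTHENTICATORS = [
    ProxyAuthenticator("proxyA", "dc=domainA,dc=com",
                       fake_backend("proxyA", {"uid=usera,dc=domaina,dc=com": "secretA"})),
    ProxyAuthenticator("proxyB", "dc=domainB,dc=com",
                       fake_backend("proxyB", {"uid=userb,dc=domainb,dc=com": "secretB"})),
]


if __name__ == "__main__":
    for sample_dn, pw in [("uid=userA,dc=domainA,dc=com", "secretA"),
                          ("UID=userB, DC=DomainB, DC=com", "wrong"),
                          ("uid=admin,ou=system", "x")]:
        print(sample_dn, "->", route_bind(sample_dn, pw, AUTHENTICATORS))
    print("bind attempts:", BIND_LOG)
```

Ordering authenticators by root length matters once partitions nest (a "dc=com" partition beside "dc=domainA,dc=com"): the deeper root must get first refusal, or every bind under it would be sent to the wrong server. The component-wise suffix test is the part worth keeping even if the rest changes; a string `endswith` on the raw DN is the usual shortcut and is the one that mis-routes binds.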
