directory-dev mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject Re: Using Eve as a proxy to an existing LDAP server - Interceptor HOW-TO
Date Tue, 16 Aug 2005 15:56:01 GMT
OK, 2 things:

1.  I don't think apacheds will support multiple partitions with
overlapping namespaces.
2.  Yes, what you state below is correct.  What I was saying was that
once you are authenticated, it may not matter what credentials you use
when performing searches/adds/mods, etc., so the two can be independent.
So for instance:

1.  User connects to apacheds
2.  User binds as cn=user,dc=domain,dc=com
3.  a custom authenticator binds to the proxied server
4.  user performs a search
5.  apacheds hands the search off to your custom partition
6.  your partition performs the search with a pre-defined set of credentials.

This would relieve you from having to connect the authenticator with
the custom partition.

Marc

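The six-step flow above, as an added example that is not code from the original thread or from ApacheDS. It deliberately does not reproduce the ApacheDS Authenticator/ContextPartition interfaces (their 2005 signatures are not on this page); instead it shows, in plain JNDI, the two pieces such implementations would delegate to: routing a DN to the proxied server whose partition suffix it falls under (Jérôme's "given a DN, which partition?" question), a pass-through bind with the user's own credentials (step 3), and a search run with a fixed service account (step 6). The suffix table, the server URLs and the class name are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

/** Example (not ApacheDS code): DN routing plus pass-through bind and service-account search. */
public class PassThroughProxy {

    /** Assumed table: partition suffix -> URL of the LDAP server proxied under it. */
    private final Map<LdapName, String> backends = new LinkedHashMap<>();

    public void addBackend(String suffix, String url) throws NamingException {
        backends.put(new LdapName(suffix), url);
    }

    /**
     * Backend URL for a DN, or null if no partition serves it. A null answer
     * lets the authenticator fall back to the default one with no network
     * round trip. The longest matching suffix wins so nested suffixes work.
     */
    public String backendFor(String dnString) throws NamingException {
        LdapName dn = new LdapName(dnString);
        String best = null;
        int bestLen = -1;
        for (Map.Entry<LdapName, String> e : backends.entrySet()) {
            LdapName suffix = e.getKey();
            // LdapName index 0 is the rightmost RDN, so startsWith() is an LDAP suffix test.
            if (dn.startsWith(suffix) && suffix.size() > bestLen) {
                best = e.getValue();
                bestLen = suffix.size();
            }
        }
        return best;
    }

    /** Step 3: bind to the proxied server with the user's own DN and password. */
    public boolean passThroughBind(String dn, char[] password) throws NamingException {
        String url = backendFor(dn);
        if (url == null) return false;
        // RFC 4513: an empty password is an unauthenticated (anonymous) bind, which
        // many servers accept. It must never count as a successful authentication.
        if (password == null || password.length == 0) return false;
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(ldapEnv(url, dn, new String(password))); // the bind
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    /** Step 6: run the search with a fixed service account, independent of who bound. */
    public List<String> searchAsService(String url, String serviceDn, String servicePassword,
                                        String base, String filter) throws NamingException {
        DirContext ctx = new InitialDirContext(ldapEnv(url, serviceDn, servicePassword));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            List<String> dns = new ArrayList<>();
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            while (results.hasMore()) dns.add(results.next().getNameInNamespace());
            return dns;
        } finally {
            ctx.close();
        }
    }

    private static Hashtable<String, Object> ldapEnv(String url, String principal, String credentials) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    public static void main(String[] args) throws NamingException {
        PassThroughProxy proxy = new PassThroughProxy();
        // Constructed sample backends; the hostnames are placeholders.
        proxy.addBackend("dc=domainA,dc=com", "ldap://ldap-a.example.internal:389");
        proxy.addBackend("dc=domainB,dc=com", "ldap://ldap-b.example.internal:389");
        String[] dns = { "uid=userA,dc=domainA,dc=com", "uid=userB,dc=domainB,dc=com",
                         "uid=admin,ou=system" };
        for (String dn : dns) {
            System.out.println(dn + " -> " + proxy.backendFor(dn)); // admin entry routes to null
        }
        if (args.length == 2) { // live check: java PassThroughProxy <dn> <password>
            System.out.println("bind " + (proxy.passThroughBind(args[0], args[1].toCharArray()) ? "ok" : "failed"));
        }
    }
}
```

The routing and the empty-password check run offline; the bind and search need a reachable server. Two things to keep in mind when splitting authentication from operations this way: once every search runs as the service account, the proxied server's per-user access controls no longer apply, so the proxy itself has to enforce what the bound user may see; and the empty-password check matters because, without it, an unauthenticated bind that the backend happens to accept would be reported as a successful login.
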
On 8/16/05, Jérôme Baumgarten <jbaumgarten@gmail.com> wrote:
> You kinda lost me in your reply.
> 
> My first step is to do pass-through. But I still need to be able to
> authenticate the user. Let's assume the following example with two
> proxied LDAP servers A and B.
> If my "proxyA" partition root DN is "dc=domainA,dc=com" and the user
> DN is "uid=userA,dc=domainA,dc=com" I need to authenticate against the
> proxied LDAP server A.
> 
> If my "proxyB" partition root DN is "dc=domainB,dc=com" and the user
> DN is "uid=userB,dc=domainB,dc=com" I need to authenticate against the
> proxied LDAP server B.
> 
> Otherwise I can consider that the default ApacheDS authenticator will reply.
> 
> Also, when my authenticator is called, knowing if the associated
> partition does not serve the user DN can reduce network traffic by just
> trying to bind to the LDAP server.
> 
> Jerome
> 
> On 8/16/05, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> > Well, another way to look at it is whether or not you want to do "pass
> > through" operations.  For instance if I could bind as
> > "cn=user,dc=domain,dc=com"  but it might not matter how I perform
> > operations.  If this is the case you don't need to worry about tying
> > them together.  Otherwise I don't think there's an easy tie back from
> > the authenticator, or at least there wasn't the last time I tried to
> > build a proxy (apacheds .9).  You may be able to use a Singleton.
> >
> > Marc
> >
> > On 8/16/05, Jérôme Baumgarten <jbaumgarten@gmail.com> wrote:
> > > I know about Penrose but I would preferably use ApacheDS since Penrose
> > > does more than I actually need.
> > >
> > > With a proxy, the information about the user won't be in the ApacheDS
> > > base but part of the proxied LDAP server. From what I've understood I
> > > thus need to provide my own Authenticator. That authenticator should
> > > just authenticate the user against the proxied LDAP. To do that I need
> > > to know which ContextPartition that user (DN) belongs to. Is it
> > > possible to get that information from within the authenticator ? Like
> > > given a DN, is it possible to get the ContextPartition it belongs to ?
> > > Another way, is it possible to associate an authenticator with one or
> > > more partitions ?
> > >
> > > Regards,
> > > Jérôme
> > >
> > > On 8/16/05, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> > > > Ah, yes.  You are 100% correct in your assumptions then.  BTW, there
> > > > is already a virtual directory (based on apacheds) called Penrose.
> > > > I've not tried it but I think it has a mapping capability in addition
> > > > to proxy support.
> > > >
> > > > Marc
> > > >
> > > >
> > > > On 8/16/05, Jérôme Baumgarten <jbaumgarten@gmail.com> wrote:
> > > > > I understand that to do simple proxying all I need to do is to
> > > > > implement my own ContextPartition. But this is only the first step of
> > > > > what I plan to do.
> > > > >
> > > > > The second step (as explained in my first post) is to be able to
> > > > > change, if necessary, incoming requests (like the filter), change the
> > > > > outgoing results, and maybe send the proxied LDAP server some LDAP
> > > > > requests to enrich the results ApacheDS should send back to the
> > > > > client. To my understanding, this could be done as an interceptor,
> > > > > thus leaving my ContextPartition just doing proxying and nothing else.
> > > > > Am I correct? My intent is to have a ContextPartition that only does
> > > > > proxying, nothing else, making it a reusable component for myself and
> > > > > anyone else interested. I believe that what needs to be done to
> > > > > realize my step 2 should definitely not be in the ContextPartition.
> > > > >
> > > > > On 8/16/05, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> > > > > > I think you are confusing interceptors and contexts.  An interceptor is
> > > > > > something that sits between the protocol stack and the context (just
> > > > > > as a servlet filter sits between the container and the servlet/jsp).
> > > > > > You want to look at implementing a custom partition, which is covered
> > > > > > in the wikis.
> > > > > >
> > > > > > You are correct in your assertion that you do not need to worry about
> > > > > > schema (for the most part) when proxying a remote directory.
> > > > > >
> > > > > > Marc
> > > > > >
> > > > > > On 8/16/05, Jérôme Baumgarten <jbaumgarten@gmail.com> wrote:
> > > > > > > On 8/12/05, Trustin Lee <trustin@gmail.com> wrote:
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > 2005/8/11, Jérôme Baumgarten <jbaumgarten@gmail.com>:
> > > > > > > > > In this PowerPoint presentation
> > > > > > > > > (http://www.google.com/url?sa=t&ct=res&cd=1&url=https%3A//karasulu.homeip.net/svn/akarasulu/apachecon/eve-presentation/eve-intro-long.ppt&ei=DTb7QuLIE8emQeOnwNMB),
> > > > > > > > > I've read that it is possible to use Eve as a proxy to an existing
> > > > > > > > > LDAP server.
> > > > > > > >
> > > > > > > > Yes, you can.  There is an interface called 'ContextPartition' that you can
> > > > > > > > implement.  You could implement it to work as a proxy to another LDAP server.
> > > > > > > >
> > > > > > > >
> > > > > > > > > The second step is a bit more complicated but it seems that with some
> > > > > > > > > coding that should be possible. To make that off-the-shelf application
> > > > > > > > > work with my own LDAP using custom model and schema, I would need to be
> > > > > > > > > able to "catch" incoming requests and under some conditions
> > > > > > > > > re-evaluate search to return the correct results. According to that
> > > > > > > > > same presentation, I believe that I should go for the Interceptor. Is
> > > > > > > > > there any information available out there to help me deal with it?
> > > > > > > >
> > > > > > > > You can generate ApacheDS schema classes from LDAP schema file using a
> > > > > > > > Maven plugin we've created.  And of course you can configure ApacheDS to
> > > > > > > > load them when it starts up.
> > > > > > >
> > > > > > > Thanks, but is this mandatory? In the first step, all I want it to do
> > > > > > > is to proxy (relay) incoming LDAP requests to another LDAP server. To
> > > > > > > what extent does ApacheDS need to know the schema to just relay the
> > > > > > > requests?
> > > > > > >
> > > > > > > Also, is there any publicly available documentation on the
> > > > > > > interceptors? It looks like that is the way to go to fulfill my
> > > > > > > second step.
> > > > > > >
> > > > > > > > Trustin--
> > > > > > > > what we call human nature is actually human habit
> > > > > > > > --
> > > > > > > > http://gleamynode.net/
> > > > > > >
> > > > > > > Regards,
> > > > > > > Jérôme
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
