directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: [ApacheDS] Delegated authenticator ideas
Date Fri, 21 Sep 2007 16:54:57 GMT
Here's what I'm thinking about doing to start enabling this feature:

Define a class to encapsulate the connection settings (minus principal and credentials) for various external servers.

Define a principal mapper interface that has a method that looks something
like this:
    LdapDN map( LdapDN principalDn, Attributes entry, LdapServer target );

Add a subtree selector construct to the server which was in my previous emails.  This way we can construct dynamic groups based on subtree specifications.  Extend this to represent a mapping for delegating authentication to external servers.

Specify a means to configure mappers in the delegated authenticator.  Have the delegated authenticator look up the external servers to try for a specific principal and use that with the associated mapper[s] to determine the principal DN to use.

One of my motives for doing it like this is to decouple the mapping technique from the external server and the grouping of users which triggers the delegated authentication.

Thoughts?

Alex


On 9/21/07, Alex Karasulu <akarasulu@apache.org> wrote:
>
> Thanks for the feedback.
>
> Alex
>
> On 9/20/07, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> >
> > > Now I am thinking how to enable delegation to multiple LDAP servers and how
> > > to map users to these servers.  Then how do you make users in ApacheDS to
> > > another principalDn in the external server?
> > >
> >
> > MyVirtualDirectory handles this as part of the joiner system.  When a
> > user binds to the virtual directory the joiner system loads the entry
> > and determines all of the 'DN's the user is joined with and attempts a
> > bind on each one.  If any succeed the overall bind succeeds.  If all
> > the attempts fail the overall bind fails.
> >
> > For instance a user binds with the DN
> >
> > uid=tuser,ou=users,dc=domain,dc=com
> >
> > This user maps to the remote directory entry
> >
> > uid=tuser,ou=users,c=mycompany,c=us
> >
> > and is joined to the AD entry
> >
> > cn=Test User,cn=Users,dc=domain,dc=com
> >
> > The joiner will attempt an internal bind for both
> >
> > uid=tuser,ou=users,c=mycompany,c=us
> > cn=Test User,cn=Users,dc=domain,dc=com
> >
> > internally returning success if either succeeds.
> >
> > I don't know if you want to implement a full joiner subsystem but
> > there's one way to implement it.
> >
> > Marc
> >
>
>
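
Putting the pieces of this design together, as an added illustration that is not ApacheDS code: the mapper interface from the proposal, a subtree selector that picks the external servers to try, and Marc's joiner semantics (the bind succeeds if any external bind succeeds and fails if all of them fail). `javax.naming.ldap.LdapName` stands in for ApacheDS's `LdapDN`; `ExternalServer`, `DelegationRule`, `rebaseRdn` and `fromAttribute` are hypothetical names, and the external binds go over plain JNDI.

```java
import java.util.Hashtable;
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
/** Connection settings for one external server; principal and credentials are deliberately left out. */
record ExternalServer(String url) {}
/** Decides which DN to bind with on the target server for a given ApacheDS principal and its entry. */
interface PrincipalMapper {
    LdapName map(LdapName principalDn, Attributes entry, ExternalServer target) throws NamingException;
}
/** Subtree selector: principals under {@code subtree} are delegated to {@code server} through {@code mapper}. */
record DelegationRule(LdapName subtree, ExternalServer server, PrincipalMapper mapper) {}
class DelegatedAuthenticator {
    /** Joiner semantics: the bind succeeds if any selected external bind succeeds and fails if all of them fail. */
    static boolean authenticate(List<DelegationRule> rules, LdapName principalDn, Attributes entry, char[] password) {
        // An empty password turns a simple bind into an anonymous bind on many servers ("success" for any DN).
        if (password == null || password.length == 0) return false;
        for (DelegationRule rule : rules) {
            if (!principalDn.startsWith(rule.subtree())) continue;   // principal is outside this rule's subtree
            try { if (simpleBind(rule.server(), rule.mapper().map(principalDn, entry, rule.server()), password)) return true; }
            catch (NamingException e) { /* mapping failed: this rule cannot vouch for the user, try the next one */ }
        }
        return false;
    }
    /** Keeps the principal's leaf RDN and re-roots it: uid=tuser,ou=users,dc=domain,dc=com -> uid=tuser,<newBase>. */
    static PrincipalMapper rebaseRdn(String newBase) {
        return (dn, entry, target) -> { LdapName out = new LdapName(newBase); out.add(dn.getRdn(dn.size() - 1)); return out; };
    }
    /** Builds the target DN from an attribute of the local entry, e.g. cn=Test User,<newBase>. */
    static PrincipalMapper fromAttribute(String attrId, String newBase) {
        return (dn, entry, target) -> {
            Attribute attr = entry.get(attrId);
            if (attr == null) throw new NamingException("entry " + dn + " has no " + attrId + " to map on");
            LdapName out = new LdapName(newBase); out.add(new Rdn(attrId, attr.get())); return out;
        };
    }
    /** Simple bind over JNDI; the context is closed at once because only the bind outcome matters. */
    static boolean simpleBind(ExternalServer server, LdapName dn, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, server.url());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn.toString());
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try { new InitialDirContext(env).close(); return true; }
        catch (NamingException e) { return false; }   // bad DN/password (AuthenticationException) or server error
    }
}
```

Marc's two-way join becomes two rules selected by the same subtree `ou=users,dc=domain,dc=com`: one with `rebaseRdn("ou=users,c=mycompany,c=us")` against the remote directory and one with `fromAttribute("cn", "cn=Users,dc=domain,dc=com")` against AD.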
