I started working on the concept of a delegated authenticator. The concept is simple: if a principal matches
certain criteria, the bind operation delegates authenticating the user to some external system.
At first I wanted this feature to delegate authentication to AD. ApacheDS while used for many applications
often needs to point to AD as the primary credential store. You just can't expect companies to drop AD for
us just yet :). So the aim driving this is to delegate authentication to AD.
In doing this I realized that I could just make it work with any LDAP server since the mechanism would
essentially be the same. The solution could however be generalized even farther by enabling delegated
authentication to any external system but at this point I don't think I'm going to bother with this.
Now I am thinking how to enable delegation to multiple LDAP servers and how to map users to these
servers. Then how do you make users in ApacheDS to another principalDn in the external server?
Any thoughts on this?