From: "Alex Karasulu"
Sender: akarasulu@gmail.com
To: "Apache Directory Developers List" <dev@directory.apache.org>
Date: Fri, 21 Sep 2007 12:54:57 -0400
Subject: Re: [ApacheDS] Delegated authenticator ideas
References: <800df6390709201850n3aaeb9d4p28d140fbc435223e@mail.gmail.com>
Mailing-List: contact dev-help@directory.apache.org; run by ezmlm

Here's what I'm thinking about doing to start enabling this feature:

Define a class to encapsulate the connection settings (minus principal and credentials) for
various external servers.

Define a principal mapper interface that has a method that looks something like this:
    LdapDN map( LdapDN principalDn, Attributes entry, LdapServer target );

Add a subtree selector construct to the server which was in my previous emails.  This way
we can construct dynamic groups based on subtree specifications.  Extend this to represent
a mapping for delegating authentication to external servers.

Specify a means to configure mappers in the delegated authenticator.  Have the delegated
authenticator look up the external servers to try for a specific principal and use that with the
associated mapper[s] to determine the principal DN to use.

One of my motives for doing it like this is to decouple the mapping technique from the external
server and the grouping of users which triggers the delegated authentication.

Thoughts?

Alex


On 9/21/07, Alex Karasulu <akarasulu@apache.org> wrote:
>
> Thanks for the feedback.
>
> Alex
>
> On 9/20/07, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> > > Now I am thinking how to enable delegation to multiple LDAP servers and how
> > > to map users to these
> > > servers.  Then how do you make users in ApacheDS to another principalDn in
> > > the external server?
> >
> > MyVirtualDirectory handles this as part of the joiner system.  When a
> > user binds to the virtual directory the joiner system loads the entry
> > and determines all of the 'DN's the user is joined with and attempts a
> > bind on each one.  If any succeed the overall bind succeeds.  If all
> > the attempts fail the overall bind fails.
> >
> > For instance a user binds with the DN
> >
> > uid=tuser,ou=users,dc=domain,dc=com
> >
> > This user maps to the remote directory entry
> >
> > uid=tuser,ou=users,c=mycompany,c=us
> >
> > and is joined to the AD entry
> >
> > cn=Test User,cn=Users,dc=domain,dc=com
> >
> > The joiner will attempt an internal bind for both
> >
> > uid=tuser,ou=users,c=mycompany,c=us
> > cn=Test User,cn=Users,dc=domain,dc=com
> >
> > internally returning success if either succeeds.
> >
> > I don't know if you want to implement a full joiner subsystem but
> > there's one way to implement it.
> >
> > Marc


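As an added illustration that is not part of this thread or of ApacheDS: a Java sketch of the design Alex outlines above (connection settings without credentials, a PrincipalMapper with the signature from his note, subtree selection of the external servers to try) combined with the joiner bind semantics Marc describes, where a successful bind as any mapped DN authenticates the user and no match or all failures rejects it. Every type and method name other than `map(...)` is an assumption, and the binder is a fake standing in for real LDAP connections.

```java
import java.util.*;

// Added sketch, not ApacheDS code. Only PrincipalMapper.map() keeps the signature from the
// email; LdapDN, Attributes, LdapServer, Binder and DelegatedAuthenticator are stand-ins.
final class LdapDN {
    final String value;
    LdapDN(String dn) { value = dn.trim().toLowerCase(Locale.ROOT); }  // naive normalisation
    boolean under(LdapDN base) { return value.endsWith("," + base.value); }  // subtree membership
}
final class Attributes extends HashMap<String, String> { }  // stand-in for javax.naming.directory
interface PrincipalMapper { LdapDN map(LdapDN principalDn, Attributes entry, LdapServer target); }
final class LdapServer {  // connection settings only: no principal, no credentials
    final String host; final LdapDN subtree; final PrincipalMapper mapper;
    LdapServer(String host, String subtree, PrincipalMapper mapper) {
        this.host = host; this.subtree = new LdapDN(subtree); this.mapper = mapper;
    }
}
interface Binder { boolean bind(LdapServer target, LdapDN dn, byte[] credentials); }  // simple bind
final class DelegatedAuthenticator {
    private final List<LdapServer> servers; private final Binder binder;
    DelegatedAuthenticator(List<LdapServer> servers, Binder binder) { this.servers = servers; this.binder = binder; }

    // Joiner semantics: bind as every mapped DN; the first success wins, anything else fails closed.
    boolean authenticate(LdapDN principalDn, Attributes entry, byte[] credentials) {
        for (LdapServer s : servers) {
            if (!principalDn.under(s.subtree)) continue;  // subtree selector picks the servers to try
            LdapDN mapped = s.mapper.map(principalDn, entry, s);
            if (mapped == null) continue;  // this mapper has no DN for this user on this server
            if (binder.bind(s, mapped, credentials)) return true;
        }
        return false;  // no server selected, or every delegated bind failed
    }

    public static void main(String[] args) {
        // Constructed data following Marc's example: an RDN-rewriting mapper and an attribute-based one.
        PrincipalMapper rewrite = (dn, e, t) -> new LdapDN(dn.value.replace(",dc=domain,dc=com", ",c=mycompany,c=us"));
        PrincipalMapper byCn = (dn, e, t) -> e.get("cn") == null ? null
                : new LdapDN("cn=" + e.get("cn") + ",cn=Users,dc=domain,dc=com");
        List<LdapServer> servers = List.of(new LdapServer("ldap.mycompany.example", "ou=users,dc=domain,dc=com", rewrite),
                                           new LdapServer("ad.domain.example", "dc=domain,dc=com", byCn));
        // Fake binder in place of real LDAP connections: only the AD account accepts this password.
        Binder fake = (t, dn, pw) -> t.host.startsWith("ad.")
                && dn.value.equals("cn=test user,cn=users,dc=domain,dc=com") && Arrays.equals(pw, "s3cret".getBytes());
        Attributes entry = new Attributes(); entry.put("cn", "Test User");
        DelegatedAuthenticator auth = new DelegatedAuthenticator(servers, fake);
        LdapDN user = new LdapDN("uid=tuser,ou=users,dc=domain,dc=com");
        System.out.println(auth.authenticate(user, entry, "s3cret".getBytes()) + " " + auth.authenticate(user, entry, "wrong".getBytes()));
    }
}
```

The first bind (the rewritten DN on the external directory) fails and the second (the joined AD entry) succeeds, so the user is accepted; with the wrong password every attempt fails and the authenticator rejects rather than falling through.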