Here's what I'm thinking about doing to start enabling this feature:

Define a class to encapsulate the connection settings (minus principal and credentials) for
various external servers.

Define a principal mapper interface that has a method that looks something like this:
    LdapDN map( LdapDN principalDn, Attributes entry, LdapServer target );

Add a subtree selector construct to the server which was in my previous emails.  This way
we can construct dynamic groups based on subtree specifications.  Extend this to represent
a mapping for delegating authentication to external servers.

Specify a means to configure mappers in the delegated authenticator.  Have the delegated
authenticator lookup the external servers to try for a specific principal and use that with the
associated mapper[s] to determine the principal DN to use.

One of my motives for doing it like this is to decouple the mapping technique from the external
server and the grouping of users which triggers the delegated authentication.



On 9/21/07, Alex Karasulu <> wrote:
Thanks for the feedback. 


On 9/20/07, Marc Boorshtein <> wrote:
> Now I am thinking how to enable delegation to multiple LDAP servers and how
> to map users to these
>  servers.  Then how do you make users in ApacheDS to another principalDn in
> the external server?

MyVirtualDirectory handles this as part of the joiner system.  When a
user binds to the virtual directory the joiner system loads the entry
and determines all of the 'DN's the user is joined with and attempts a
bind on each one.  If any succeed the overall bind succeeds.  If all
the attempts fail the overall bind fails.

For instance a user binds with the DN


This user maps to the remote directory entry


and is joined to the AD entry

cn=Test User,cn=Users,dc=domain,dc=com

The joiner will attempt an internal bind for both

cn=Test User,cn=Users,dc=domain,dc=com

internally returning success if either succeeds.

I don't know if you want to implement a full joiner subsystem but
there's one way to implement it.