directory-dev mailing list archives

From Bryce L Nordgren <bnordg...@fs.fed.us>
Subject Re: Some developer documentation on the delegation of authentication feature
Date Mon, 02 Nov 2009 20:51:43 GMT
On 9/24/07, Alex Karasulu <akarasulu@apache.org> wrote:
>
> Hi all,
>
> Here's a document I've been preparing for enabling the delegation of
> authentication feature.  It's
> minimal for now until we flush out some of the ideas but any feedback is
> going to be greatly
> appreciated.
>
> Overall I am finding that this feature will really be half a solution
> without enabling some kind
> of virtualization within the server.  And when we do enable virtualization
> it will completely impact
> the implementation of the feature.  So going back to Ersin's point about
> enabling virtual attributes
> within the server I am seeing repeated that it's a big must.
>
> Alex


I was wondering if anything further had been done with the delegation of 
authority feature described on the wiki page 
(http://directory.apache.org/apacheds/1.5/delegation-of-authentication.html)?

This page describes exactly what I need to do, but in looking around, I 
was not able to find a feature description, a new feature ticket in JIRA, 
or even discussion on the mailing lists.  I actually have a sort of 
limited special case application.  The objects in the Apache directory 
would be manipulated by authorized users either within the Apache 
directory or within the corporate Active Directory.  Essentially, the only 
objects in the Apache directory (controlled by me) would be the 
"additional" objects not present in the corporate directory (controlled by 
the powers that be).  I would have user objects for our collaborators, as 
well as groups denoting committees, projects, etc.

The feature is also described on the 389 directory server page (here: 
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Using_the_Pass_through_Authentication_Plug_in.html).

My question is: Does "Pass Thru Authentication" as described on the 389 
server page still open a Pandora's box of internal issues as alluded to on 
the ApacheDS wiki page?  Or does the PTA plugin map reasonably well to a 
"custom authenticator" implementation with relatively minimal impact on 
the rest of the server? 

Thx,
Bryce
