directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Howard Chu <>
Subject Re: ApacheDS as a front for Google Apps
Date Thu, 04 Dec 2014 16:14:16 GMT
Marc Boorshtein wrote:
> On Wed, Dec 3, 2014 at 2:17 PM, Ned Twigg <
> <>> wrote:
>     I have a small company that's moving from cloud services to internal
>     services, so we're getting our first-ever LDAP server up to manage
>     these accounts.
>     We're using ApacheDS, but I really wish we could use Google Apps to
>     manage our internal authentication requests.  We're an
>     Eclipse/OSGi/Java dev shop, so I figure we could probably hack
>     around a little to make a plugin for ApacheDS to set it up as a
>     front for our Google Apps domain.
> Why not use ApacheDS to store the passwords and use SAML2 to
> authenticate to gmail?  Doesn't work for heavy gui apps or mobile but it
> does for webapps.
>     I've got a couple questions:
>     1) Do you think this is possible?
> It would be very hard with just ApacheDS.  Most of the authentication in
> ApacheDS assumes the password is local.  If you wanted to go down this
> route I would suggest using a virtual directory in front of your
> ApacheDS, using ApacheDS for data and the virtual directory (as a
> reverse proxy) to delegate authentication to Google but pull data from
> ApacheDS over LDAP.  No one I know of does this OOTB

OpenLDAP does this, no problem. Using any of a number of approaches, 
full proxy with back-ldap, authenticate-only proxy using pbind, SASL 
passthru, remoteauth overlay, etc. etc.

  but it should be a
> pretty easy plugin.  shameless plug - MyVirtualDirectory
> (, which I'm the author, could do this
> pretty easily.  I know the folks at ForgeRock have virtual capabilities
> in their directory as well you could look at.
> Marc

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP

View raw message