On Sun, Mar 13, 2011 at 8:09 AM, Sanjiva Weerawarana <[email protected]> wrote:

> Prabath why do we not want to use embedded LDAP for Stratos?

Say we have embedded LDAP - and assume it's running with IS [identity.cloud] [that is, in the same JVM]. Then we need all the other servers connecting to this LDAP. Say we have two AppServer nodes and two ESB nodes - all need to connect to the same LDAP, running under IS. We also need two IS instances at least [considering FO/LB]. Which LDAP should this second IS connect to? It also has to connect to the embedded LDAP of the 1st IS node. Then we are creating a single point of failure at IS node-1. IS node-1 is down --> embedded LDAP is down --> 2nd IS node cannot function, although it's up.

If we use a separate LDAP server, then we remove the single point of failure from IS and move it to the standalone LDAP server. To get rid of that, we can use LDAP clustering.

Please let me know if I am not clear...

Thanks & regards,
-Prabath

> If it's a separate LDAP, is it still a Carbon server running just the LDAP
> component? If not, why not?
>
> Sanjiva.
>
> On Sun, Mar 6, 2011 at 10:01 PM, Prabath Siriwardana <[email protected]> wrote:
>
>> In the case of Stratos - we do not need to have the embedded LDAP - but it
>> will be a separate LDAP server. We need to test the OU based tenant
>> isolation we did with LDAP in Stratos..
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Sun, Mar 6, 2011 at 2:56 PM, Hasini Gunasinghe <[email protected]> wrote:
>>
>>> On Sun, Mar 6, 2011 at 1:06 PM, Afkham Azeez <[email protected]> wrote:
>>>
>>>> Have you tested this with Stratos?
>>>
>>> Not with a complete Stratos setup.
>>> How I tested this was: installing the multi-tenancy feature into IS using
>>> the necessary Stratos components built from the stratos branch.
>>>
>>>> Do we need to do any LDAP initialization when the tenant
>>>> ConfigurationContext is created?
>>>
>>> Sorry, at the moment I do not have an idea what the tenant
>>> ConfigurationContext is.
>>>
>>> But, as I understood your question, if you use the embedded-ldap server in
>>> carbon core, you do not have to initialize LDAP since it is started with
>>> the carbon server.
>>> If you use an external LDAP, then you need to start up an LDAP server and
>>> point user-mgt.xml to that.
>>>
>>>> On Sun, Mar 6, 2011 at 11:45 AM, Hasini Gunasinghe <[email protected]> wrote:
>>>>
>>>>> On Sat, Mar 5, 2011 at 11:13 PM, Amila Jayasekara <[email protected]> wrote:
>>>>>
>>>>>> Hi Azeez,
>>>>>>
>>>>>> Please find answers inline.
>>>>>>
>>>>>> Thanks
>>>>>> AmilaJ
>>>>>>
>>>>>> On Fri, Mar 4, 2011 at 5:59 PM, Afkham Azeez <[email protected]> wrote:
>>>>>> > Can somebody briefly explain what were the changes that were carried
>>>>>> > out to Carbon core to make this work? Where these ports can be defined
>>>>>>
>>>>>> The apacheds server code is wrapped as an OSGi bundle in the
>>>>>> orbit/apacheds component. org.wso2.carbon.ldap.server is the component
>>>>>> which is responsible for managing the LDAP server. It starts and stops
>>>>>> the LDAP server; in addition it also does partition management.
>>>>>
>>>>> Hi,
>>>>>
>>>>>> This component starts before user core in carbon.
>>>>>
>>>>> Can I please know how we have specified that this component starts
>>>>> before user-core?
>>>>>
>>>>>> The LDAP server specific configurations reside in a file called
>>>>>> embedded-ldap.xml in repository/conf (in the <EmbeddedLDAP> configuration
>>>>>> segment). You can change parameters like ports and connection passwords
>>>>>> in this file. In addition to LDAP server specific configurations, it
>>>>>> also has KDC specific configurations.
>>>>>>
>>>>>> > , what the following messages mean etc.
>>>>>>
>>>>>> Log messages starting with org.apache.directory.server.ldap.LdapServer
>>>>>> are coming from the apacheds implementation.
>>>>>> The LDAP server needs a schema to construct the initial LDAP tree
>>>>>> structure. The default schema for the LDAP server is located at
>>>>>> repository/data as a zip file (is-default-schema.zip). Thus when we
>>>>>> start the server for the first time the apacheds component will extract
>>>>>> this zip file and create a schema directory. In addition, when we start
>>>>>> embedded LDAP for the first time it creates a default partition. The
>>>>>> default partition name and other properties are read from the
>>>>>> embedded-ldap.xml configuration file (<DefaultPartition>). The latter
>>>>>> messages you see in the log are relevant to the above actions.
>>>>>>
>>>>>> > How MT is handled
>>>>>>
>>>>>> I assume MT=Multi-tenancy.
>>>>>>
>>>>>> Hasini: Please explain how MT is handled with embedded-ldap.
>>>>>
>>>>> We have two ways that we can make the LDAP user-store multi-tenanted.
>>>>>
>>>>> 1. Creating a new partition (i.e. a new directory tree) for each tenant.
>>>>> This is specific to embedded-apacheds because here we use their API.
>>>>> 2. Creating a new context ('ou' by default) under the same directory tree,
>>>>> for each tenant. This is generic because here we use JNDI and hence are
>>>>> not coupled with any LDAP server implementation.
>>>>>
>>>>> We can use either of the above methods with the embedded-ldap that comes
>>>>> in core. But we can only use the second method above with an external LDAP.
>>>>>
>>>>> Let me briefly describe implementation details of the two methods.
>>>>>
>>>>> 1st Method:
>>>>> i. In tenant-mgt.xml we specify "HybridLDAPTenantManager" as the
>>>>> tenant manager, which is initialized when the user-core starts (at
>>>>> DefaultRealmService).
>>>>> ii. At the start of the ldap.server component, we register an
>>>>> implementation of LDAPTenantManager in the OSGi registry, through which
>>>>> managing partitions of tenants happens.
>>>>> iii. HybridLDAPTenantManager uses a reference to the above registered
>>>>> LDAPTenantManager service to handle tenant mgt with LDAP.
>>>>> iv. Users and groups of a particular tenant are stored inside its
>>>>> partition.
>>>>> v. In the stratos-tenant-mgt component, the tenant specific user-mgt.xml
>>>>> is stored in the registry/JDBC database, which is used to map the tenant
>>>>> to a specific partition.
>>>>>
>>>>> I have included a class diagram and a screenshot related to this here:
>>>>> http://hasini-gunasinghe.blogspot.com/2011/01/tenant-management-in-wso2-carbon-with.html
>>>>>
>>>>> 2nd Method:
>>>>> i. In tenant-mgt.xml we specify "CommonHybridLDAPTenantManager" as
>>>>> the tenant manager, which is initialized when the user-core starts.
>>>>> ii. Users and groups of a particular tenant are stored under its
>>>>> context.
>>>>> iii. In the stratos-tenant-mgt component, the tenant specific user-mgt.xml
>>>>> is stored in the registry/JDBC database, which is used to map the tenant
>>>>> to a specific context.
>>>>>
>>>>> Common remarks regarding both methods:
>>>>> 1. A hybrid approach is used, where the mapping between the tenant and
>>>>> the user-mgt.xml, and other meta-data, is stored in the JDBC database.
>>>>> 2. The class names used for the tenant manager in each scenario are not
>>>>> that clear. We may need to rename them.
>>>>>
>>>>> Thanks,
>>>>> Hasini.
>>>>>
>>>>>> > etc. Sorry, I wasn't
>>>>>> > following the entire conversation.
>>>>>> >
>>>>>> > [2011-03-05 07:24:03,001] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Starting directory service on port 10389
>>>>>> > [2011-03-05 07:24:03,022] INFO {org.apache.directory.server.ldap.LdapServer} - Added Extended Request Handler: 1.3.6.1.4.1.1466.20037
>>>>>> > [2011-03-05 07:24:03,106] INFO {org.apache.directory.server.ldap.LdapServer} - Added Extended Request Handler: 1.3.6.1.4.1.18060.0.1.6
>>>>>> > [2011-03-05 07:24:03,116] INFO {org.apache.directory.server.ldap.LdapServer} - Successful bind of an LDAP Service (10389) is completed.
>>>>>> > [2011-03-05 07:24:03,116] INFO {org.apache.directory.server.ldap.LdapServer} - Ldap service started.
>>>>>> > [2011-03-05 07:24:03,116] INFO {org.wso2.carbon.apacheds.impl.ApacheLDAPServer} - LDAP server started.
>>>>>> > [2011-03-05 07:24:03,139] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partition directory - /Users/azeez/projects/wso2/org/trunk/carbon/products/appserver/modules/distribution/target/wso2appserver-4.1.0-SNAPSHOT/repository/data/org.wso2.carbon.directory/root already exists.
>>>>>> > [2011-03-05 07:24:03,140] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partitionroot created from existing partition directory. <-- Partitionroot or Partition Root
>>>>>> > [2011-03-05 07:24:03,211] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partitionroot added to directory service.
>>>>>> >
>>>>>> > Do we have to show all these INFO messages?
>>>>>>
>>>>>> We can get rid of some of the above log messages, if you think that they
>>>>>> are redundant. We can suppress the INFO messages coming from the apacheds
>>>>>> implementation in the log4j properties file. Also we can remove some log
>>>>>> messages from the code.
>>>>>>
>>>>>> > --
>>>>>> > Afkham Azeez
>>>>>> > Senior Software Architect & Senior Manager; WSO2, Inc.; http://wso2.com
>>>>>> > Member; Apache Software Foundation; http://www.apache.org/
>>>>>> > email: [email protected] cell: +94 77 3320919
>>>>>> > blog: http://blog.afkham.org
>>>>>> > twitter: http://twitter.com/afkham_azeez
>>>>>> > linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>>> >
>>>>>> > Lean . Enterprise . Middleware
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > Carbon-dev mailing list
>>>>>> > [email protected]
>>>>>> > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>>>
>>>> --
>>>> Afkham Azeez
>>>> Senior Software Architect & Senior Manager; WSO2, Inc.; http://wso2.com
>>>> Member; Apache Software Foundation; http://www.apache.org/
>>>> email: [email protected] cell: +94 77 3320919
>>>> blog: http://blog.afkham.org
>>>> twitter: http://twitter.com/afkham_azeez
>>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>
>>>> Lean . Enterprise . Middleware
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> http://blog.facilelogin.com
>> http://RampartFAQ.com
>
> --
> Sanjiva Weerawarana, Ph.D.
> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
> blog: http://sanjiva.weerawarana.org/
>
> Lean . Enterprise . Middleware

--
Thanks & Regards,
Prabath

http://blog.facilelogin.com
http://RampartFAQ.com

_______________________________________________
Carbon-dev mailing list
[email protected]
http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
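The second multi-tenancy method Hasini describes (one context, 'ou' by default, per tenant under a single directory tree, with the tenant's users and groups stored below it) works only if every lookup is scoped to the caller's tenant context, so that an entry from another tenant's subtree can never be returned. The following is an added illustration of that scoping, not code from the thread, from Carbon or from Stratos. It assumes a base DN of dc=wso2,dc=org, an ou=users container beneath each tenant ou, and an in-memory dict of constructed entries standing in for the directory server; the subtree check is what a real implementation would get for free from an LDAP search with the tenant context as its base and SCOPE_SUBTREE.

```python
"""Per-tenant OU isolation for an LDAP user store (added example).

Each tenant owns a context "ou=<tenant>,<base>" and its users live below it.
A user is resolved only inside the caller's tenant context, and every value
placed in a DN is escaped per RFC 4514 so that characters such as ',' or '='
in a tenant name or user name cannot alter the DN structure.
"""
from typing import Dict, List, Optional

# Constructed base DN for this example; not taken from the thread.
BASE_DN = 'dc=wso2,dc=org'

# RFC 4514 section 2.4: characters that must always be escaped in a value.
_RDN_SPECIALS = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:            # leading '#' is special
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash escapes.

    Multi-valued RDNs ("cn=a+sn=b") are kept as one string; that is enough
    for the ou/uid/dc layout used here.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # escaped char: keep both bytes
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':                        # unescaped comma ends the RDN
            rdns.append(''.join(cur))
            cur = []
            i += 1
            while i < len(dn) and dn[i] == ' ':  # optional space after ','
                i += 1
            continue
        cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Lowercase type and value: ou, uid and dc use caseIgnoreMatch."""
    attr, _, val = rdn.partition('=')
    return attr.strip().lower() + '=' + val.lower()


def tenant_context_dn(tenant_domain: str, base_dn: str = BASE_DN) -> str:
    """The tenant's context: ou=<tenant>,<base>."""
    return 'ou=' + escape_rdn_value(tenant_domain) + ',' + base_dn


def user_dn(username: str, tenant_domain: str, base_dn: str = BASE_DN) -> str:
    """uid=<user>,ou=users,<tenant context> (container layout assumed here)."""
    return ('uid=' + escape_rdn_value(username) + ',ou=users,'
            + tenant_context_dn(tenant_domain, base_dn))


def is_within_context(dn: str, context_dn: str) -> bool:
    """True if dn is the context itself or lies anywhere below it."""
    dn_rdns = [normalize_rdn(r) for r in split_dn(dn)]
    ctx_rdns = [normalize_rdn(r) for r in split_dn(context_dn)]
    return len(dn_rdns) >= len(ctx_rdns) and dn_rdns[-len(ctx_rdns):] == ctx_rdns


# Constructed sample directory (DN -> attributes): two tenants, each with a
# user called "alice". Only the mail attribute tells the two entries apart.
DIRECTORY: Dict[str, Dict[str, str]] = {
    tenant_context_dn('a.com'): {'objectClass': 'organizationalUnit'},
    user_dn('alice', 'a.com'): {'uid': 'alice', 'mail': 'alice@a.com'},
    tenant_context_dn('b.com'): {'objectClass': 'organizationalUnit'},
    user_dn('alice', 'b.com'): {'uid': 'alice', 'mail': 'alice@b.com'},
}


def find_user(tenant_domain: str, username: str) -> Optional[Dict[str, str]]:
    """Resolve a user by uid, but only inside the caller's tenant context."""
    context = tenant_context_dn(tenant_domain)
    for dn, attrs in DIRECTORY.items():
        if attrs.get('uid') == username and is_within_context(dn, context):
            return attrs
    return None
```

The point worth checking in a real deployment is the last function: without the `is_within_context` condition (or, against a live server, without the tenant context as the search base) the same `uid` filter would match the first "alice" in the tree regardless of tenant. Escaping matters for the same reason the context check does: the tenant domain and user name are the only parts of the DN that come from outside the server, and escaping guarantees they stay a single RDN value.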
