So in effect you're moving the SPOF from IS to the new LDAP instance :). OK that's fine (fewer pieces in that to fail so it's better) but you didn't answer my second question .. is the standalone LDAP a Carbon server with just the LDAP component in it?
Sanjiva.

On Sun, Mar 13, 2011 at 8:59 AM, Prabath Siriwardana <[email protected]> wrote:

> On Sun, Mar 13, 2011 at 8:09 AM, Sanjiva Weerawarana <[email protected]> wrote:
>
>> Prabath why do we not want to use embedded LDAP for Stratos?
>
> Say, we have embedded LDAP - and assume it's running with IS [identity.cloud] [that is in the same JVM] - then we need all the other servers connecting to this LDAP.
>
> Say we have two AppServer nodes, two ESB nodes - all need to connect to the same LDAP - running under IS.
>
> We also need two IS instances at least [considering FO/LB]..
>
> Which LDAP should this second IS connect to..? It also has to connect to the Embedded LDAP of the 1st IS node.
>
> Then - we are creating a single point of failure at IS - node-1.
>
> IS Node-1 is down --> Embedded LDAP is down --> 2nd IS Node cannot function - although it's up.
>
> If we use a separate LDAP server - then we remove the single point of failure from IS and move it to the standalone LDAP server.
>
> To get rid of that, we can use LDAP clustering..
>
> Please let me know if I am not clear...
>
> Thanks & regards,
> -Prabath
>
>> If it's a separate LDAP is it still a Carbon server running just the LDAP component? If not why not?
>>
>> Sanjiva.
>>
>> On Sun, Mar 6, 2011 at 10:01 PM, Prabath Siriwardana <[email protected]> wrote:
>>
>>> In the case of Stratos - we do not need to have the embedded LDAP - but it will be a separate LDAP server. We need to test the OU based tenant isolation we did with LDAP in Stratos..
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Sun, Mar 6, 2011 at 2:56 PM, Hasini Gunasinghe <[email protected]> wrote:
>>>
>>>> On Sun, Mar 6, 2011 at 1:06 PM, Afkham Azeez <[email protected]> wrote:
>>>>
>>>>> Have you tested this with Stratos?
>>>>
>>>> Not with a complete Stratos setup. How I tested this was: installing the multi-tenancy feature to IS using the necessary Stratos components built from the Stratos branch.
>>>>
>>>>> Do we need to do any LDAP initialization when the tenant ConfigurationContext is created?
>>>>
>>>> Sorry, at the moment I do not have an idea what the tenant ConfigurationContext is.
>>>>
>>>> But, as I understood your question, if you use the embedded-ldap server in carbon core, you do not have to initialize LDAP since it is started with the carbon server.
>>>> If you use an external LDAP, then you need to start up a LDAP server and point the user-mgt.xml to that.
>>>>
>>>>> On Sun, Mar 6, 2011 at 11:45 AM, Hasini Gunasinghe <[email protected]> wrote:
>>>>>
>>>>>> On Sat, Mar 5, 2011 at 11:13 PM, Amila Jayasekara <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Azeez,
>>>>>>>
>>>>>>> Please find answers inline.
>>>>>>>
>>>>>>> Thanks
>>>>>>> AmilaJ
>>>>>>>
>>>>>>> On Fri, Mar 4, 2011 at 5:59 PM, Afkham Azeez <[email protected]> wrote:
>>>>>>>
>>>>>>>> Can somebody briefly explain what were the changes that were carried out to Carbon core to make this work? Where these ports can be defined
>>>>>>>
>>>>>>> The apacheds server code is wrapped as an OSGi bundle in the orbit/apacheds component. org.wso2.carbon.ldap.server is the component which is responsible for managing the LDAP server. It starts and stops the LDAP server; in addition it also does partition management.
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>> This component starts before user core in carbon.
>>>>>>
>>>>>> Can I please know how we have specified that this component starts before user-core?
>>>>>>
>>>>>>> The LDAP server specific configurations reside in a file called embedded-ldap.xml in repository/conf (in the <EmbeddedLDAP> configuration segment). You can change parameters like ports and connection passwords in this file. In addition to LDAP server specific configurations, it also has KDC specific configurations.
>>>>>>>
>>>>>>>> ,what the following messages mean etc.
>>>>>>>
>>>>>>> Log messages starting with org.apache.directory.server.ldap.LdapServer are coming from the apacheds implementation.
>>>>>>> The LDAP server needs a schema to construct the initial LDAP tree structure. The default schema for the LDAP server is located at repository/data as a zip file (is-default-schema.zip). Thus when we start the server for the first time the apacheds component will extract this zip file and create a schema directory. In addition, when we start embedded LDAP for the first time it creates a default partition. The default partition name and other properties are read from the embedded-ldap.xml configuration file (<DefaultPartition>). The latter messages you see in the log are relevant to the above actions.
>>>>>>>
>>>>>>>> How MT is handled
>>>>>>>
>>>>>>> I assume MT=Multi-tenancy.
>>>>>>>
>>>>>>> Hasini: Please explain how MT is handled with embedded-ldap.
>>>>>>
>>>>>> We have two ways that we can make the LDAP user-store multi-tenanted.
>>>>>>
>>>>>> 1. Creating a new partition (i.e. a new directory tree) for each tenant. This is specific to embedded-apacheds because here we use their API.
>>>>>> 2. Creating a new context ('ou' by default) under the same directory tree, for each tenant. This is generic because here we use JNDI and hence it is not coupled with any LDAP server implementation.
>>>>>>
>>>>>> We can use any of the above methods with the embedded-ldap that comes in core. But we can only use the second method above with an external LDAP.
>>>>>>
>>>>>> Let me briefly describe implementation details of the two methods.
>>>>>>
>>>>>> 1st Method:
>>>>>> i. In tenant-mgt.xml we specify "HybridLDAPTenantManager" as the tenant manager which is initialized when the user-core starts (at DefaultRealmService).
>>>>>> ii. At the start of the ldap.server component, we register an implementation of LDAPTenantManager in the OSGi registry, through which managing partitions of tenants happens.
>>>>>> iii. HybridLDAPTenantManager uses a reference of the above registered LDAPTenantManager service to handle tenant mgt with LDAP.
>>>>>> iv. Users and groups of a particular tenant are stored inside its partition.
>>>>>> v. In the stratos-tenant-mgt component, the tenant specific user-mgt.xml is stored in the registry/JDBC database which is used to map the tenant to a specific partition.
>>>>>>
>>>>>> I have included a class diagram and a screenshot related to this here: http://hasini-gunasinghe.blogspot.com/2011/01/tenant-management-in-wso2-carbon-with.html
>>>>>>
>>>>>> 2nd Method:
>>>>>> i. In tenant-mgt.xml we specify "CommonHybridLDAPTenantManager" as the tenant manager which is initialized when the user-core starts.
>>>>>> ii. Users and groups of a particular tenant are stored under its context.
>>>>>> iii. In the stratos-tenant-mgt component, the tenant specific user-mgt.xml is stored in the registry/JDBC database which is used to map the tenant to a specific context.
>>>>>>
>>>>>> Common remarks regarding both the methods:
>>>>>> 1. A hybrid approach is used where the mapping between the tenant and the user-mgt.xml, and other meta-data, is stored in a JDBC database.
>>>>>> 2. Class names used for the tenant manager in each scenario are not that clear. We may need to rename them.
>>>>>>
>>>>>> Thanks,
>>>>>> Hasini.
>>>>>>
>>>>>>>> etc. Sorry, I wasn't following the entire conversation.
>>>>>>>>
>>>>>>>> [2011-03-05 07:24:03,001] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Starting directory service on port 10389
>>>>>>>> [2011-03-05 07:24:03,022] INFO {org.apache.directory.server.ldap.LdapServer} - Added Extended Request Handler: 1.3.6.1.4.1.1466.20037
>>>>>>>> [2011-03-05 07:24:03,106] INFO {org.apache.directory.server.ldap.LdapServer} - Added Extended Request Handler: 1.3.6.1.4.1.18060.0.1.6
>>>>>>>> [2011-03-05 07:24:03,116] INFO {org.apache.directory.server.ldap.LdapServer} - Successful bind of an LDAP Service (10389) is completed.
>>>>>>>> [2011-03-05 07:24:03,116] INFO {org.apache.directory.server.ldap.LdapServer} - Ldap service started.
>>>>>>>> [2011-03-05 07:24:03,116] INFO {org.wso2.carbon.apacheds.impl.ApacheLDAPServer} - LDAP server started.
>>>>>>>> [2011-03-05 07:24:03,139] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partition directory - /Users/azeez/projects/wso2/org/trunk/carbon/products/appserver/modules/distribution/target/wso2appserver-4.1.0-SNAPSHOT/repository/data/org.wso2.carbon.directory/root already exists.
>>>>>>>> [2011-03-05 07:24:03,140] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partitionroot created from existing partition directory. <-- Partitionroot or Partition Root
>>>>>>>> [2011-03-05 07:24:03,211] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partitionroot added to directory service.
>>>>>>>>
>>>>>>>> Do we have to show all these INFO messages?
>>>>>>>
>>>>>>> We can get rid of some of the above log messages, if you think that they are redundant. We can suppress the INFO messages coming from the apacheds implementation in the log4j properties file. Also we can remove some log messages from the code.
>>>>>>>
>>>>>>>> --
>>>>>>>> Afkham Azeez
>>>>>>>> Senior Software Architect & Senior Manager; WSO2, Inc.; http://wso2.com
>>>>>>>> Member; Apache Software Foundation; http://www.apache.org/
>>>>>>>> email: [email protected] cell: +94 77 3320919
>>>>>>>> blog: http://blog.afkham.org
>>>>>>>> twitter: http://twitter.com/afkham_azeez
>>>>>>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>>>>>
>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Carbon-dev mailing list
>>>>>>>> [email protected]
>>>>>>>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> http://blog.facilelogin.com
>>> http://RampartFAQ.com
>>
>> --
>> Sanjiva Weerawarana, Ph.D.
>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>> blog: http://sanjiva.weerawarana.org/
>>
>> Lean . Enterprise . Middleware
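Hasini's second method keeps every tenant in its own 'ou' context under one shared directory tree, so each user lookup has to be scoped to the tenant's subtree and a tenant-supplied name must not be able to reach outside it. The block below is an added example, not code from this thread or from WSO2 Carbon; the base DN, tenant domains and the uid-based filter are constructed assumptions.

```python
import re

BASE_DN = "dc=wso2,dc=org"  # constructed sample base DN, not from the thread

# RFC 4514: characters that must be escaped inside an RDN attribute value
_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')


def escape_dn_value(value: str) -> str:
    """Escape one RDN value so a tenant-supplied name cannot add or alter RDNs."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped          # leading '#' or space must be escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "    # so must a trailing space
    return escaped


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def tenant_context_dn(tenant_domain: str, base_dn: str = BASE_DN) -> str:
    """DN of the tenant's 'ou' context under the shared directory tree."""
    return f"ou={escape_dn_value(tenant_domain)},{base_dn}"


def user_search(tenant_domain: str, username: str, base_dn: str = BASE_DN):
    """Search base and filter for a lookup scoped to one tenant's subtree.
    The uid attribute is an assumption; the real schema is not in the thread."""
    base = tenant_context_dn(tenant_domain, base_dn)
    flt = f"(&(objectClass=person)(uid={escape_filter_value(username)}))"
    return base, flt


def _split_rdns(dn: str) -> list:
    # Split on unescaped commas and normalise each RDN for comparison.
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def in_tenant_context(entry_dn: str, tenant_domain: str, base_dn: str = BASE_DN) -> bool:
    """True only if entry_dn lies strictly below the tenant's own ou subtree,
    which is the check to apply before trusting any entry a search returned."""
    ctx = _split_rdns(tenant_context_dn(tenant_domain, base_dn))
    entry = _split_rdns(entry_dn)
    return len(entry) > len(ctx) and entry[-len(ctx):] == ctx
```

The containment check is what stops a crafted tenant name such as "acme.com,dc=wso2" from being treated as a parent of other tenants: once escaped it becomes a single RDN and no longer matches the tree above it.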
