On Tue, Mar 15, 2011 at 6:40 AM, Sanjiva Weerawarana <[email protected]> wrote:

> So in effect you're moving the SPOF from IS to the new LDAP instance :).

Yes... but if it's ApacheDS we have limitations in FO/LB setups - which our embedded LDAP is based on. So, in this case we can use OpenLDAP - with HA setup.. [sent a link on that to stratos-dev]

> OK that's fine (fewer pieces in that to fail so it's better) but you didn't
> answer my second question .. is the standalone LDAP a Carbon server with
> just the LDAP component in it?

Sorry - I missed it. The standalone LDAP server is not a Carbon server - it would be an OpenLDAP instance..

Thanks & regards,
-Prabath

> Sanjiva.
>
> On Sun, Mar 13, 2011 at 8:59 AM, Prabath Siriwardana <[email protected]> wrote:
>
>> On Sun, Mar 13, 2011 at 8:09 AM, Sanjiva Weerawarana <[email protected]> wrote:
>>
>>> Prabath why do we not want to use embedded LDAP for Stratos?
>>
>> Say, we have embedded LDAP - and assume it's running with IS
>> [identity.cloud] [that is in the same JVM] - then we need all the other
>> servers connecting to this LDAP.
>>
>> Say we have two AppServer nodes, two ESB nodes - all need to connect to
>> the same LDAP - running under IS.
>>
>> We also need two IS instances at least [considering FO/LB]..
>>
>> Which LDAP should this second IS connect to..? It also has to connect to
>> the Embedded LDAP of the 1st IS node.
>>
>> Then - we are creating a single point of failure at IS - node-1.
>>
>> IS Node-1 is down --> Embedded LDAP is down --> 2nd IS Node cannot
>> function - although it's up.
>>
>> If we use a separate LDAP server - then we remove the single point of
>> failure from IS and move it to the standalone LDAP server.
>>
>> To get rid of that, we can use LDAP clustering..
>>
>> Please let me know if I am not clear...
>>
>> Thanks & regards,
>> -Prabath
>>
>>> If it's a separate LDAP is it still a Carbon server running just the LDAP
>>> component? If not why not?
>>>
>>> Sanjiva.
>>>
>>> On Sun, Mar 6, 2011 at 10:01 PM, Prabath Siriwardana <[email protected]> wrote:
>>>
>>>> In the case of Stratos - we do not need to have the embedded LDAP - but
>>>> it will be a separate LDAP server. We need to test the OU based tenant
>>>> isolation we did with LDAP in Stratos..
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>> On Sun, Mar 6, 2011 at 2:56 PM, Hasini Gunasinghe <[email protected]> wrote:
>>>>
>>>>> On Sun, Mar 6, 2011 at 1:06 PM, Afkham Azeez <[email protected]> wrote:
>>>>>
>>>>>> Have you tested this with Stratos?
>>>>>
>>>>> Not with a complete Stratos setup.
>>>>> How I tested this was: installing the multi-tenancy feature to IS using
>>>>> the necessary stratos components built from the stratos branch.
>>>>>
>>>>>> Do we need to do any LDAP initialization when the tenant
>>>>>> ConfigurationContext is created?
>>>>>
>>>>> Sorry, at the moment I do not have an idea what the tenant
>>>>> ConfigurationContext is.
>>>>>
>>>>> But, as I understood your question, if you use the embedded-ldap server in
>>>>> carbon core, you do not have to initialize LDAP since it is started with
>>>>> the carbon server.
>>>>> If you use an external LDAP, then you need to start up an LDAP server
>>>>> and point the user-mgt.xml to that.
>>>>>
>>>>>> On Sun, Mar 6, 2011 at 11:45 AM, Hasini Gunasinghe <[email protected]> wrote:
>>>>>>
>>>>>>> On Sat, Mar 5, 2011 at 11:13 PM, Amila Jayasekara <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Azeez,
>>>>>>>>
>>>>>>>> Please find answers inline.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> AmilaJ
>>>>>>>>
>>>>>>>> On Fri, Mar 4, 2011 at 5:59 PM, Afkham Azeez <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Can somebody briefly explain what were the changes that were carried
>>>>>>>>> out to Carbon core to make this work? Where these ports can be defined
>>>>>>>>
>>>>>>>> The apacheds server code is wrapped as an OSGi bundle in the
>>>>>>>> orbit/apacheds component. org.wso2.carbon.ldap.server is the component
>>>>>>>> which is responsible for managing the LDAP server. It starts and stops the
>>>>>>>> LDAP server; in addition it also does partition management.
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>> This component starts before user core in carbon.
>>>>>>>
>>>>>>> Can I please know how we have specified that this component starts
>>>>>>> before user-core?
>>>>>>>
>>>>>>>> The LDAP server specific configurations reside in a file called
>>>>>>>> embedded-ldap.xml in repository/conf (in the <EmbeddedLDAP> configuration
>>>>>>>> segment). You can change parameters like ports and connection passwords
>>>>>>>> in this file. In addition to LDAP server specific configurations, it
>>>>>>>> also has KDC specific configurations.
>>>>>>>>
>>>>>>>>> , what the following messages mean etc.
>>>>>>>>
>>>>>>>> Log messages starting with org.apache.directory.server.ldap.LdapServer
>>>>>>>> are coming from the apacheds implementation.
>>>>>>>> The LDAP server needs a schema to construct the initial LDAP tree
>>>>>>>> structure. The default schema for the LDAP server is located at
>>>>>>>> repository/data as a zip file (is-default-schema.zip). Thus when we
>>>>>>>> start the server for the first time the apacheds component will extract this
>>>>>>>> zip file and create a schema directory. In addition, when we start
>>>>>>>> embedded LDAP for the first time it creates a default partition. The
>>>>>>>> default partition name and other properties are read from the
>>>>>>>> embedded-ldap.xml configuration file (<DefaultPartition>). The latter
>>>>>>>> messages you see in the log are relevant to the above actions.
>>>>>>>>
>>>>>>>>> How MT is handled
>>>>>>>>
>>>>>>>> I assume MT=Multi-tenancy.
>>>>>>>>
>>>>>>>> Hasini: Please explain how MT is handled with embedded-ldap.
>>>>>>>
>>>>>>> We have two ways that we can make the LDAP user-store multi-tenanted.
>>>>>>>
>>>>>>> 1. Creating a new partition (i.e. a new directory tree) for each tenant.
>>>>>>> This is specific to embedded-apacheds because here we use their API.
>>>>>>> 2. Creating a new context ('ou' by default) under the same directory
>>>>>>> tree, for each tenant. This is generic because here we use JNDI and
>>>>>>> hence it is not coupled with any LDAP server implementation.
>>>>>>>
>>>>>>> We can use either of the above methods with the embedded-ldap that comes in core.
>>>>>>> But we can only use the second method above with an external LDAP.
>>>>>>>
>>>>>>> Let me briefly describe the implementation details of the two methods.
>>>>>>>
>>>>>>> 1st Method:
>>>>>>> i. In tenant-mgt.xml we specify "HybridLDAPTenantManager" as the
>>>>>>> tenant manager which is initialized when the user-core starts (at
>>>>>>> DefaultRealmService).
>>>>>>> ii. At the start of the ldap.server component, we register an
>>>>>>> implementation of LDAPTenantManager in the OSGi registry, through which
>>>>>>> managing partitions of tenants happens.
>>>>>>> iii. HybridLDAPTenantManager uses a reference of the above
>>>>>>> registered LDAPTenantManager service to handle tenant mgt with LDAP.
>>>>>>> iv. Users and groups of a particular tenant are stored inside its
>>>>>>> partition.
>>>>>>> v. In the stratos-tenant-mgt component, the tenant specific user-mgt.xml is
>>>>>>> stored in the registry/JDBC database which is used to map the tenant to a
>>>>>>> specific partition.
>>>>>>>
>>>>>>> I have included a class diagram and a screenshot related to this here:
>>>>>>> <http://hasini-gunasinghe.blogspot.com/2011/01/tenant-management-in-wso2-carbon-with.html>
>>>>>>>
>>>>>>> 2nd Method:
>>>>>>> i. In tenant-mgt.xml we specify "CommonHybridLDAPTenantManager" as
>>>>>>> the tenant manager which is initialized when the user-core starts.
>>>>>>> ii. Users and groups of a particular tenant are stored under its
>>>>>>> context.
>>>>>>> iii. In the stratos-tenant-mgt component, the tenant specific user-mgt.xml
>>>>>>> is stored in the registry/JDBC database which is used to map the tenant to a
>>>>>>> specific context.
>>>>>>>
>>>>>>> Common remarks regarding both the methods:
>>>>>>> 1. A hybrid approach is used where the mapping between the tenant and the
>>>>>>> user-mgt.xml, and other meta-data, is stored in the JDBC database.
>>>>>>> 2. The class names used for the tenant manager in each scenario are not that
>>>>>>> clear. We may need to rename them.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Hasini.
>>>>>>>
>>>>>>>>> etc. Sorry, I wasn't following the entire conversation.
>>>>>>>>>
>>>>>>>>> [2011-03-05 07:24:03,001] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Starting directory service on port 10389
>>>>>>>>> [2011-03-05 07:24:03,022] INFO {org.apache.directory.server.ldap.LdapServer} - Added Extended Request Handler: 1.3.6.1.4.1.1466.20037
>>>>>>>>> [2011-03-05 07:24:03,106] INFO {org.apache.directory.server.ldap.LdapServer} - Added Extended Request Handler: 1.3.6.1.4.1.18060.0.1.6
>>>>>>>>> [2011-03-05 07:24:03,116] INFO {org.apache.directory.server.ldap.LdapServer} - Successful bind of an LDAP Service (10389) is completed.
>>>>>>>>> [2011-03-05 07:24:03,116] INFO {org.apache.directory.server.ldap.LdapServer} - Ldap service started.
>>>>>>>>> [2011-03-05 07:24:03,116] INFO {org.wso2.carbon.apacheds.impl.ApacheLDAPServer} - LDAP server started.
>>>>>>>>> [2011-03-05 07:24:03,139] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partition directory - /Users/azeez/projects/wso2/org/trunk/carbon/products/appserver/modules/distribution/target/wso2appserver-4.1.0-SNAPSHOT/repository/data/org.wso2.carbon.directory/root already exists.
>>>>>>>>> [2011-03-05 07:24:03,140] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partitionroot created from existing partition directory. <-- Partitionroot or Partition Root
>>>>>>>>> [2011-03-05 07:24:03,211] INFO {org.wso2.carbon.apacheds.impl.ApacheDirectoryPartitionManager} - Partitionroot added to directory service.
>>>>>>>>>
>>>>>>>>> Do we have to show all these INFO messages?
>>>>>>>>
>>>>>>>> We can get rid of some of the above log messages, if you think that they
>>>>>>>> are redundant. We can suppress the INFO messages coming from the apacheds
>>>>>>>> implementation in the log4j properties file. Also we can remove some log
>>>>>>>> messages from the code.
>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Afkham Azeez
>>>>>>>>> Senior Software Architect & Senior Manager; WSO2, Inc.; http://wso2.com,
>>>>>>>>> Member; Apache Software Foundation; http://www.apache.org/
>>>>>>>>> email: [email protected] cell: +94 77 3320919
>>>>>>>>> blog: http://blog.afkham.org
>>>>>>>>> twitter: http://twitter.com/afkham_azeez
>>>>>>>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>>>>>>
>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Carbon-dev mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Prabath
>>>>
>>>> http://blog.facilelogin.com
>>>> http://RampartFAQ.com
>>>
>>> --
>>> Sanjiva Weerawarana, Ph.D.
>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>>> blog: http://sanjiva.weerawarana.org/
>>>
>>> Lean . Enterprise . Middleware
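The OU-per-tenant layout Hasini describes as the second method (one 'ou' context per tenant under a shared tree, used over JNDI and therefore also against an external LDAP such as the OpenLDAP instance Prabath proposes) only isolates tenants if every tenant-scoped lookup is anchored at that tenant's container and the values spliced into DNs and filters cannot contain directory metacharacters. The following is an added example written for this page, not WSO2 Carbon or Stratos code. It goes a little beyond what the thread states: it models the DN and search-filter construction such a user store has to do, applies RFC 4514 (DN) and RFC 4515 (filter) escaping so that a tenant domain like `evil,dc=wso2` or a username like `*)(uid=*` cannot step outside the tenant's subtree, and runs the search over a constructed in-memory sample instead of a live server. The root DN `dc=wso2,dc=org`, the `ou=Users` container under each tenant OU, the function names and the sample entries are all assumptions of the example.

```python
"""Added example (not WSO2 Carbon/Stratos code): models the OU-per-tenant
LDAP layout of the 'second method' in the thread and the escaping a user
store needs so tenant names and usernames cannot break out of their OU.
Runs offline against a constructed sample; no LDAP server is contacted."""

# Assumed layout: ou=<tenant domain> directly under this root, with users
# in ou=Users inside each tenant OU. The root DN itself is an assumption.
ROOT_DN = "dc=wso2,dc=org"


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside an RDN.
    Without this, a tenant domain such as 'evil,dc=wso2' would splice extra
    RDNs into the DN and point the tenant container elsewhere in the tree."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter, so a
    username like '*)(uid=*' cannot widen the filter to every entry."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def tenant_base_dn(tenant_domain: str) -> str:
    """DN of the tenant's context ('ou' by default, as in the thread)."""
    return f"ou={escape_dn_value(tenant_domain)},{ROOT_DN}"


def user_search(tenant_domain: str, username: str) -> tuple:
    """Search base and filter for looking up one user of one tenant. The base
    is the tenant's own Users OU, never the shared root, which is what gives
    OU-based isolation when the search runs with subtree scope."""
    base = f"ou=Users,{tenant_base_dn(tenant_domain)}"
    flt = f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"
    return base, flt


def is_within_tenant(entry_dn: str, tenant_domain: str) -> bool:
    """Defensive post-check on a returned entry: its DN must end with the
    tenant's container DN. Uses a case-folded suffix comparison and assumes
    DNs come back in the canonical form this example builds; a production
    store would compare parsed RDN sequences instead."""
    suffix = "," + tenant_base_dn(tenant_domain).lower()
    return entry_dn.lower().endswith(suffix)


# Constructed sample of what an external LDAP would hold: (dn, uid) pairs.
# Both tenants have a user called 'admin'; only the OU tells them apart.
SAMPLE_ENTRIES = [
    ("uid=admin,ou=Users,ou=acme.com,dc=wso2,dc=org", "admin"),
    ("uid=alice,ou=Users,ou=acme.com,dc=wso2,dc=org", "alice"),
    ("uid=admin,ou=Users,ou=globex.com,dc=wso2,dc=org", "admin"),
]


def find_user(tenant_domain: str, username: str) -> list:
    """Model of a subtree search anchored at the tenant's Users OU over the
    sample above. Entries outside that subtree are never candidates, and the
    post-check rejects anything that would still have slipped through."""
    base, _flt = user_search(tenant_domain, username)
    return [
        dn for dn, uid in SAMPLE_ENTRIES
        if uid == username
        and dn.lower().endswith("," + base.lower())
        and is_within_tenant(dn, tenant_domain)
    ]


if __name__ == "__main__":
    print(user_search("acme.com", "admin"))
    print(find_user("acme.com", "admin"))
    print(find_user("globex.com", "alice"))
    print(tenant_base_dn("evil,dc=wso2"))
```

The same `admin` uid resolves to a different DN in each tenant, and a lookup for a user who exists only in another tenant's OU returns nothing, which is the property the OU-based isolation test mentioned in the thread has to confirm. The escaping functions are what keep the tenant domain stored in the per-tenant user-mgt.xml mapping from being usable as a DN-injection vector if it is ever attacker-influenced.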
