You kinda lost me in your reply.

My first step is to do pass-through. But I still need to be able to
authenticate the user. Let's assume the following example with two
proxied LDAP servers A and B.
If my "proxyA" partition root DN is "dc=domainA,dc=com" and the user
DN is "uid=userA,dc=domainA,dc=com" I need to authenticate against the
proxied LDAP server A.

If my "proxyB" partition root DN is "dc=domainB,dc=com" and the user
DN is "uid=userB,dc=domainB,dc=com" I need to authenticate against the
proxied LDAP server B.

Otherwise I can consider that the default ApacheDS authenticator will reply.

Also, when my authenticator is called, knowing if the associated
partition does not serve the user DN can reduce network traffic by just
trying to bind to the LDAP server.

Jerome

On 8/16/05, Marc Boorshtein <[EMAIL PROTECTED]> wrote:
> Well, another way to look at it is whether or not you want to do "pass
> through" operations.  For instance if I could bind as
> "cn=user,dc=domain,dc=com"  but it might not matter how I perform
> operations.  If this is the case you don't need to worry about tying
> them together.  Otherwise I don't think there's an easy tie back from
> the authenticator, or at least there wasn't the last time I tried to
> build a proxy (apacheds .9).  You may be able to use a Singleton.
> 
> Marc
> 
> On 8/16/05, Jérôme Baumgarten <[EMAIL PROTECTED]> wrote:
> > I know about Penrose but I would preferably use ApacheDS since Penrose
> > does more than I actually need.
> >
> > With a proxy, the information about the user won't be in the ApacheDS
> > base but part of the proxied LDAP server. From what I've understood I
> > thus need to provide my own Authenticator. That authenticator should
> > just authenticate the user against the proxied LDAP. To do that I need
> > to know to which ContextPartition that user (DN) belongs to. Is it
> > possible to get that information from within the authenticator ? Like
> > given a DN, is it possible to get the ContextPartition it belongs to ?
> > Another way, is it possible to associate an authenticator with one or
> > more partitions ?
> >
> > Regards,
> > Jérôme
> >
> > On 8/16/05, Marc Boorshtein <[EMAIL PROTECTED]> wrote:
> > > Ah, yes.  You are 100% correct in your assumptions then.  BTW, there
> > > is already a virtual directory (based on apacheds) called Penrose.
> > > I've not tried it but I think it has a mapping capability in addition
> > > to proxy support.
> > >
> > > Marc
> > >
> > >
> > > On 8/16/05, Jérôme Baumgarten <[EMAIL PROTECTED]> wrote:
> > > > I understand that to do simple proxying all I need to do is to
> > > > implement my own ContextPartition. But this is only the first step of
> > > > what I plan to do.
> > > >
> > > > The second step (as explained in my first post) is to be able to
> > > > change, if necessary,  incoming requests (like the filter), change the
> > > > outgoing results, and maybe send the proxied LDAP server some LDAP
> > > > requests to enrich the results ApacheDS should send back to the
> > > > client. To my understanding, this could be done as an interceptor,
> > > > thus leaving my ContextPartition just doing proxying and nothing else.
> > > > Am I correct ? My intent is to have a ContextPartition that only does
> > > > proxying, nothing else, making it a reusable component for myself and
> > > > anyone else interested. I believe that what needs to be done to
> > > > realize my step 2 should definitely not be in the ContextPartition.
> > > >
> > > > On 8/16/05, Marc Boorshtein <[EMAIL PROTECTED]> wrote:
> > > > > I think you are confusing interceptors and contexts.  An interceptor is
> > > > > something that sits between the protocol stack and the context (just
> > > > > as a servlet filter sits between the container and the servlet/jsp).
> > > > > You want to look at implementing a custom partition, which is covered
> > > > > in the wikis.
> > > > >
> > > > > You are correct in your assertion that you do not need to worry about
> > > > > schema (for the most part) when proxying a remote directory.
> > > > >
> > > > > Marc
> > > > >
> > > > > On 8/16/05, Jérôme Baumgarten <[EMAIL PROTECTED]> wrote:
> > > > > > On 8/12/05, Trustin Lee <[EMAIL PROTECTED]> wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > 2005/8/11, Jérôme Baumgarten <[EMAIL PROTECTED]>:
> > > > > > > > In this PowerPoint presentation
> > > > > > > > (http://www.google.com/url?sa=t&ct=res&cd=1&url=https%3A//karasulu.homeip.net/svn/akarasulu/apachecon/eve-presentation/eve-intro-long.ppt&ei=DTb7QuLIE8emQeOnwNMB),
> > > > > > > > I've read that it is possible to use Eve as a proxy to an existing
> > > > > > > > LDAP server.
> > > > > > >
> > > > > > >  Yes, you can.  There is an interface called 'ContextPartition' that you can
> > > > > > > implement.  You could implement it to work as a proxy to another LDAP server.
> > > > > > >
> > > > > > >
> > > > > > > > The second step is a bit more complicated but it seems that with some
> > > > > > > > coding that should be possible. To make that off-the-shelf application
> > > > > > > > work my own LDAP using custom model and schema, I would need to be
> > > > > > > > able to "catch" incoming requests and under some conditions
> > > > > > > > re-evaluate search to return the correct results. According to that
> > > > > > > > same presentation, I believe that I should go for the Interceptor. Is
> > > > > > > > there any information available out there to help me deal with it ?
> > > > > > >
> > > > > > >  You can generate ApacheDS schema classes from LDAP schema file using a
> > > > > > > Maven plugin we've created.  And of course you can configure ApacheDS to
> > > > > > > load them when it starts up.
> > > > > >
> > > > > > Thanks, but is this mandatory ? In the first step, all I want it to do
> > > > > > is to proxy (relay) incoming LDAP requests to another LDAP server. To
> > > > > > what extent ApacheDS needs to know the schema to just relay the
> > > > > > requests ?
> > > > > >
> > > > > > Also, is there any publicly available documentation on the
> > > > > > interceptors ? It looks like that is the way to go to fulfill my
> > > > > > second step.
> > > > > >
> > > > > > >  Trustin--
> > > > > > > what we call human nature is actually human habit
> > > > > > > --
> > > > > > > http://gleamynode.net/
> > > > > >
> > > > > > Regards,
> > > > > > Jérôme
> > > > > >
> > > > >
> > > >
> > >
> >
>
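
Added example, not part of the original thread and not ApacheDS code: one way to decide which proxied server a bind DN belongs to, using only the JDK's `javax.naming.ldap.LdapName`. The class name `BindRouter`, its methods and the backend URLs are hypothetical; the two root DNs are the ones from the top message. Comparing parsed RDNs rather than raw strings keeps a DN such as `uid=x,xdc=domainA,dc=com` from being forwarded to server A.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import java.util.LinkedHashMap;
import java.util.Map;

public class BindRouter {
    // Hypothetical mapping: partition root DN -> URL of the proxied LDAP server.
    private final Map<LdapName, String> backends = new LinkedHashMap<>();

    public void addBackend(String rootDn, String url) throws InvalidNameException {
        backends.put(new LdapName(rootDn), url);
    }

    /** Backend URL serving this DN, or null to let the default authenticator reply. */
    public String route(String userDn) {
        LdapName dn;
        try {
            dn = new LdapName(userDn);
        } catch (InvalidNameException e) {
            return null; // malformed DN: never forward credentials for it
        }
        String best = null;
        int bestSize = -1;
        for (Map.Entry<LdapName, String> e : backends.entrySet()) {
            LdapName root = e.getKey();
            // LdapName indexes RDNs from the right, so startsWith() is a
            // whole-RDN, case-insensitive suffix match on the written DN.
            if (dn.startsWith(root) && root.size() > bestSize) {
                best = e.getValue();      // keep the most specific root
                bestSize = root.size();
            }
        }
        return best;
    }

    public static void main(String[] args) throws InvalidNameException {
        BindRouter router = new BindRouter();
        router.addBackend("dc=domainA,dc=com", "ldap://ldap-a.example:389");
        router.addBackend("dc=domainB,dc=com", "ldap://ldap-b.example:389");
        // Constructed sample DNs: two served roots (one with mixed case and
        // spaces), one look-alike suffix, and one local ApacheDS entry.
        String[] samples = { "uid=userA,dc=domainA,dc=com", "UID=userB, DC=DomainB, DC=com",
                             "uid=x,xdc=domainA,dc=com", "uid=admin,ou=system" };
        for (String dn : samples) {
            System.out.println(dn + " -> " + router.route(dn));
        }
    }
}
```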
