OK, 2 things:

1. I don't think apacheds will support multiple partitions with overlapping namespaces.
2. Yes, what you state below is correct. What I was saying was that once you are authenticated, it may not matter what credentials you use when performing searches/adds/mods..., so the two can be independent. So for instance:

1. User connects to apacheds
2. User binds as cn=user,dc=domain,dc=com
3. a custom authenticator binds to the proxied server
4. user performs a search
5. apacheds hands the search off to your custom partition
6. your partition performs the search with a pre-defined set of credentials.

This would relieve you from having to connect the authenticator with the custom partition.

Marc

On 8/16/05, Jérôme Baumgarten <[EMAIL PROTECTED]> wrote:
> You kinda lost me in your reply.
>
> My first step is to do pass-through. But I still need to be able to
> authenticate the user. Let's assume the following example with two
> proxied LDAP servers A and B.
> If my "proxyA" partition root DN is "dc=domainA,dc=com" and the user
> DN is "uid=userA,dc=domainA,dc=com" I need to authenticate against the
> proxied LDAP server A.
>
> If my "proxyB" partition root DN is "dc=domainB,dc=com" and the user
> DN is "uid=userB,dc=domainB,dc=com" I need to authenticate against the
> proxied LDAP server B.
>
> Otherwise I can consider that the default ApacheDS authenticator will reply.
>
> Also, when my authenticator is called, knowing if the associated
> partition does not serve the user DN can reduce network traffic by just
> trying to bind to the LDAP server.
>
> Jerome
>
> On 8/16/05, Marc Boorshtein <[EMAIL PROTECTED]> wrote:
> > Well, another way to look at it is whether or not you want to do "pass
> > through" operations. For instance if I could bind as
> > "cn=user,dc=domain,dc=com" but it might not matter how I perform
> > operations. If this is the case you don't need to worry about tying
> > them together. Otherwise I don't think there's an easy tie back from
> > the authenticator, or at least there wasn't the last time I tried to
> > build a proxy (apacheds .9). You may be able to use a Singleton.
> >
> > Marc
> >
> > On 8/16/05, Jérôme Baumgarten <[EMAIL PROTECTED]> wrote:
> > > I know about Penrose but I would preferably use ApacheDS since Penrose
> > > does more than I actually need.
> > >
> > > With a proxy, the information about the user won't be in the ApacheDS
> > > base but part of the proxied LDAP server. From what I've understood I
> > > thus need to provide my own Authenticator. That authenticator should
> > > just authenticate the user against the proxied LDAP. To do that I need
> > > to know to which ContextPartition that user (DN) belongs. Is it
> > > possible to get that information from within the authenticator? Like
> > > given a DN, is it possible to get the ContextPartition it belongs to?
> > > Another way, is it possible to associate an authenticator with one or
> > > more partitions?
> > >
> > > Regards,
> > > Jérôme
> > >
> > > On 8/16/05, Marc Boorshtein <[EMAIL PROTECTED]> wrote:
> > > > Ah, yes. You are 100% correct in your assumptions then. BTW, there
> > > > is already a virtual directory (based on apacheds) called Penrose.
> > > > I've not tried it but I think it has a mapping capability in addition
> > > > to proxy support.
> > > >
> > > > Marc
> > > >
> > > > On 8/16/05, Jérôme Baumgarten <[EMAIL PROTECTED]> wrote:
> > > > > I understand that to do simple proxying all I need to do is to
> > > > > implement my own ContextPartition. But this is only the first step of
> > > > > what I plan to do.
> > > > >
> > > > > The second step (as explained in my first post) is to be able to
> > > > > change, if necessary, incoming requests (like the filter), change the
> > > > > outgoing results, and maybe send the proxied LDAP server some LDAP
> > > > > requests to enrich the results ApacheDS should send back to the
> > > > > client. To my understanding, this could be done as an interceptor,
> > > > > thus leaving my ContextPartition just doing proxying and nothing else.
> > > > > Am I correct? My intent is to have a ContextPartition that only does
> > > > > proxying, nothing else, making it a reusable component for myself and
> > > > > anyone else interested. I believe that what needs to be done to
> > > > > realize my step 2 should definitely not be in the ContextPartition.
> > > > >
> > > > > On 8/16/05, Marc Boorshtein <[EMAIL PROTECTED]> wrote:
> > > > > > I think you are confusing interceptors and contexts. An interceptor is
> > > > > > something that sits between the protocol stack and the context (just
> > > > > > as a servlet filter sits between the container and the servlet/jsp).
> > > > > > You want to look at implementing a custom partition, which is covered
> > > > > > in the wikis.
> > > > > >
> > > > > > You are correct in your assertion that you do not need to worry about
> > > > > > schema (for the most part) when proxying a remote directory.
> > > > > >
> > > > > > Marc
> > > > > >
> > > > > > On 8/16/05, Jérôme Baumgarten <[EMAIL PROTECTED]> wrote:
> > > > > > > On 8/12/05, Trustin Lee <[EMAIL PROTECTED]> wrote:
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > 2005/8/11, Jérôme Baumgarten <[EMAIL PROTECTED]>:
> > > > > > > > > In this PowerPoint presentation
> > > > > > > > > (http://www.google.com/url?sa=t&ct=res&cd=1&url=https%3A//karasulu.homeip.net/svn/akarasulu/apachecon/eve-presentation/eve-intro-long.ppt&ei=DTb7QuLIE8emQeOnwNMB),
> > > > > > > > > I've read that it is possible to use Eve as a proxy to an existing
> > > > > > > > > LDAP server.
> > > > > > > >
> > > > > > > > Yes, you can. There is an interface called 'ContextPartition' that you can
> > > > > > > > implement. You could implement it to work as a proxy to other
> > > > > > > > LDAP server.
> > > > > > > >
> > > > > > > > > The second step is a bit more complicated but it seems that with some
> > > > > > > > > coding that should be possible. To make that off-the-shelf application
> > > > > > > > > work with my own LDAP using custom model and schema, I would need to be
> > > > > > > > > able to "catch" incoming requests and under some conditions
> > > > > > > > > re-evaluate search to return the correct results. According to that
> > > > > > > > > same presentation, I believe that I should go for the Interceptor. Is
> > > > > > > > > there any information available out there to help me deal with it?
> > > > > > > >
> > > > > > > > You can generate ApacheDS schema classes from LDAP schema file using a
> > > > > > > > Maven plugin we've created. And of course you can configure ApacheDS to
> > > > > > > > load them when it starts up.
> > > > > > >
> > > > > > > Thanks, but is this mandatory? In the first step, all I want it to do
> > > > > > > is to proxy (relay) incoming LDAP requests to another LDAP server. To
> > > > > > > what extent does ApacheDS need to know the schema to just relay the
> > > > > > > requests?
> > > > > > >
> > > > > > > Also, is there any publicly available documentation on the
> > > > > > > interceptors? It looks like that is the way to go to fulfill my
> > > > > > > second step.
> > > > > > >
> > > > > > > > Trustin
> > > > > > > > --
> > > > > > > > what we call human nature is actually human habit
> > > > > > > > --
> > > > > > > > http://gleamynode.net/
> > > > > > >
> > > > > > > Regards,
> > > > > > > Jérôme
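The flow Marc describes (steps 2 and 3: the user's own bind is passed through to the proxied server, and searches are left to the partition with its pre-defined credentials) together with Jérôme's question of finding which partition a DN belongs to, as an added example in plain JNDI that is not code from this thread or from ApacheDS. The class name, the partition table and the server URLs are assumptions; hooking it into an ApacheDS Authenticator is left out because that API is not shown here.

```java
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.LdapName;

// Hypothetical helper for a custom authenticator: picks the proxied server by
// partition suffix, then performs a pass-through simple bind against it.
public class ProxyBindRouter {
    // Partition root DN -> proxied server URL (constructed sample table).
    private final Map<LdapName, String> backends = new LinkedHashMap<>();

    public void addPartition(String rootDn, String url) throws NamingException {
        backends.put(new LdapName(rootDn), url);
    }

    // Longest-suffix match. null means no proxied partition serves this DN,
    // so the default ApacheDS authenticator should handle it instead.
    public String backendFor(String userDn) throws NamingException {
        LdapName dn = new LdapName(userDn);
        LdapName best = null;
        for (LdapName root : backends.keySet()) {
            // LdapName index 0 is the rightmost RDN, so startsWith() is a suffix test.
            if (dn.startsWith(root) && (best == null || root.size() > best.size())) {
                best = root;
            }
        }
        return best == null ? null : backends.get(best);
    }

    // Authenticates the user's own credentials against the proxied server.
    // Searches afterwards are the partition's job, with its own fixed credentials.
    public boolean authenticate(String userDn, char[] password) throws NamingException {
        String url = backendFor(userDn);
        if (url == null) return false;                 // not ours: no network round-trip
        // An empty password is an unauthenticated bind, which many servers accept
        // without checking anything; it must never count as a successful login.
        if (password == null || password.length == 0) return false;
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            new InitialDirContext(env).close();        // a successful bind is the proof
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```

Because step 6 runs every search as the partition's fixed account, the proxied server's per-user access controls no longer apply, so ApacheDS's own authorization must decide what each bound user is allowed to see.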
