Marc Boorshtein wrote:
> On Wed, Dec 3, 2014 at 2:17 PM, Ned Twigg <[email protected]> wrote:
>
>> I have a small company that's moving from cloud services to internal services, so we're getting our first-ever LDAP server up to manage these accounts. We're using ApacheDS, but I really wish we could use Google Apps to manage our internal authentication requests. We're an Eclipse/OSGi/Java dev shop, so I figure we could probably hack around a little to make a plugin for ApacheDS to set it up as a front for our Google Apps domain.
>
> Why not use ApacheDS to store the passwords and use SAML2 to authenticate to Gmail? Doesn't work for heavy GUI apps or mobile but it does for webapps.
>
>> I've got a couple questions:
>>
>> 1) Do you think this is possible?
>
> It would be very hard with just ApacheDS. Most of the authentication in ApacheDS assumes the password is local. If you wanted to go down this route I would suggest using a virtual directory in front of your ApacheDS, using ApacheDS for data and the virtual directory (as a reverse proxy) to delegate authentication to Google but pull data from ApacheDS over LDAP. No one I know of does this OOTB

OpenLDAP does this, no problem. Using any of a number of approaches, full proxy with back-ldap, authenticate-only proxy using pbind, SASL passthru, remoteauth overlay, etc. etc.

> but it should be a pretty easy plugin. Shameless plug - MyVirtualDirectory (http://myvd.sourceforge.net), of which I'm the author, could do this pretty easily. I know the folks at ForgeRock have virtual capabilities in their directory as well you could look at.
>
> Marc
-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
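As an added illustration of the authenticate-only variant Howard lists (the pbind overlay stacked on a local database), here is a slapd.conf fragment. It is not configuration from this thread or from the OpenLDAP project; the suffix, the remote hostname, the schema and CA paths and the database directory are assumptions, and the directive set is the one documented for back-ldap in slapd-ldap(5), so check it against the man page of your release. The layout matches the split Marc describes: user and group entries live locally, and only the bind (DN plus password) is replayed to the remote LDAP server.

```conf
# slapd.conf -- added example, not from the thread. Hostnames, suffix and
# paths are assumptions.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# The "data" side: entries are served from this local mdb database.
# Do not store userPassword here; with pbind in place it would never be
# consulted for simple binds anyway.
database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass,uid eq

# rootdn binds are checked by the frontend against rootpw and are never
# forwarded, so this password stays local. Generate the hash with slappasswd.
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}replace-with-slappasswd-output

# The "auth" side: the pbind overlay is a stripped-down back-ldap that only
# handles simple Bind requests. It replays the bind DN and password, unchanged,
# to the remote server; every other operation falls through to mdb.
overlay         pbind
uri             "ldaps://auth.corp.example.com"
# Verify the remote certificate so the users' passwords can only be replayed
# to the server you intended (tls directive syntax per slapd-ldap(5)).
tls             ldaps tls_cacert=/etc/ssl/certs/corp-ca.pem tls_reqcert=demand
```

Two consequences follow from how the overlay works. First, the DN is sent as-is, so the remote server must accept a bind for exactly the same DN as the local entry (e.g. `uid=ned,ou=people,dc=example,dc=com` on both sides); if the namespaces differ, use a full back-ldap proxy with `idassert-*`/rewrite rules instead. Second, only simple binds are forwarded, so SASL binds against this suffix are not delegated; Howard's other options (SASL passthru via `{SASL}` userPassword values, or the remoteauth overlay) cover that case.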
