Ryan created DIRSERVER-2336:
-------------------------------
Summary: Decoupling DN between host and Apache Directory for DelegatingAuthenticator
Key: DIRSERVER-2336
URL: https://issues.apache.org/jira/browse/DIRSERVER-2336
Project: Directory ApacheDS
Issue Type: New Feature
Components: authn
Affects Versions: 2.0.0.AM26
Reporter: Ryan
I have been looking at the org.apache.directory.server.core.authn.DelegatingAuthenticator implementation. This strikes me as the start of a great feature. The documentation seems pretty minimal though. The best usage example I could find was a forum discussion: [https://users.directory.apache.narkive.com/AoOAtMlb/apacheds-and-other-backends]

Still, setting the host does not seem clear from the LDAP attributes, and I am puzzled over 'ads-enabled' and also over what the 'ads-' prefix is about.

Anyway, to my point: this feature strikes me as a means by which to implement 'proxied users', where my definition of a 'proxied user' is one whose credentials are stored in an 'upstream' source DB, a lightweight copy (the 'proxy user') is stored in a 'downstream' DB, and authentication attempts are forwarded to the 'upstream'. AD LDS has a similar capability that is implemented via the objectSid.

Using the objectSid in Apache Directory seems challenging because of the nature of the binary objectSid property and transforming this id through the LDAP string-based query API.

Instead of using this objectSid, as in AD LDS, or recycling the existing DN attribute, which forces the same CN/OU hierarchy, as is currently done in DelegatingAuthenticator, could a 'proxiedDn' attribute be added and used to perform the bind?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
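The bind flow the issue proposes, as an added offline simulation (not ApacheDS code): a downstream 'proxy user' entry carries only a proposed, hypothetical 'proxiedDn' attribute, and the bind is forwarded to a constructed upstream store under that DN, compared with the current behaviour of forwarding the downstream DN unchanged. Directory entries, DNs, passwords and the hashing scheme are all constructed for the example.

```python
# Added example, not from the ApacheDS project: simulates delegated binds.
# 'proxiedDn' is the attribute proposed in the issue, not an existing one.
import hashlib
import hmac
import os


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: lower-case, trim around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed 'upstream' store: normalized DN -> PBKDF2 hash of the password.
_SALT = os.urandom(16)
UPSTREAM = {
    normalize_dn("cn=Alice,ou=Staff,dc=corp,dc=example"): _hash("s3cret", _SALT),
}


def upstream_bind(dn: str, password: str) -> bool:
    """The upstream directory's simple bind: verify the password for a DN."""
    stored = UPSTREAM.get(normalize_dn(dn))
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash(password, _SALT))


# Constructed 'downstream' entries: lightweight proxy users with no password,
# living under a different CN/OU hierarchy than the upstream directory.
DOWNSTREAM = {
    normalize_dn("uid=alice,ou=Proxied,dc=app,dc=example"): {
        "proxiedDn": "cn=Alice,ou=Staff,dc=corp,dc=example",
    },
}


def delegated_bind(dn: str, password: str, use_proxied_dn: bool) -> bool:
    """Forward a downstream bind upstream.

    use_proxied_dn=False mirrors the current DelegatingAuthenticator
    behaviour (same DN upstream); True uses the proposed proxiedDn mapping.
    A proxy user that stores its own userPassword is rejected, so credentials
    never live in two places.
    """
    entry = DOWNSTREAM.get(normalize_dn(dn))
    if entry is None or "userPassword" in entry:
        return False
    target = entry.get("proxiedDn") if use_proxied_dn else dn
    return bool(target) and upstream_bind(target, password)
```

With the same-DN forwarding the bind fails because the hierarchies differ; with the proxiedDn mapping the same credentials succeed.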