> On Nov 3, 2015, at 3:01 PM, Jan Sindberg <[email protected]> wrote:
>
> I am new to Apache Fortress (and LDAP), and very hooked! Great work!

Welcome Jan!

> On Nov 3, 2015, at 3:01 PM, Jan Sindberg <[email protected]> wrote:
>
> I am experimenting with
> <addcontext>
> <context name="Client123"/>
> </addcontext>
>
> I try to understand the different ways to do multi-tenancy.
> One for apps could be simply to create a new partition in the LDAP - I have
> some success with that.

Yes, create a new container using the ant load script with xml that looks like this:

<addcontainer>
<container name="Client123" description="Client 123 test context"/>
</addcontainer>

And yes, underneath the new org unit node (ou=Client123,dc=suffix,dc=com) there will be an entire DIT dedicated to that tenant. The only node shared across tenants is ou=Config underneath the suffix.

What does this mean? That means each tenant must have defined their own A/RBAC policies wholly. There is not an all-encompassing ARBAC tree that manages all of the tenants below, although I believe it is necessary and must be added - one day.

It also means that all tenants share a single configuration context. All tenants also share the same schema (as in ldap schema), although each may define their own tree structure and the dn’s/rdn’s beneath it.

> On Nov 3, 2015, at 3:01 PM, Jan Sindberg <[email protected]> wrote:
>
> I am having trouble with getting the realm and/or the web-admin to behave
> nicely. How should they be configured? It seems that for instance web-admin
> have hardcoded "HOME" in applicationContext and that J2eePolicyMgrImpl in the
> realm is hardcoded to GlobalIds.HOME.
> Is there a right way to handle multiple tenants and contexts?
> How do I make the web-admin aware of contexts? - Will I have to deploy an
> instance for each context and LDAP-partition?

Yes, the HOME context is hardcoded in the application context and policy manager (good eye). What that means is neither will work in a multitenant context out of the box.

Yes, we could make a single instance scoped to a single tenant, with some judicious code/config changes to the apps. Not a big deal, you’re the first who’s even asked.

No, this design will not support a single instance of an app using fortress realm, or fortress web, to work with a multitenant context. There is simply no way to pass a tenant id down through the tomcat container realm SPI w/out doing some kind of hack on how the basic auth token gets forwarded. Open to ideas here.

Great questions, hope this makes sense,

Shawn
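The thread above explains that each tenant container (ou=Client123,dc=suffix,dc=com) holds its own complete RBAC tree, and that the shipped web apps and realm are pinned to the HOME context. The following is an added example, not code from the thread or from the Apache Fortress project itself, showing how an application can scope the Fortress Core managers to a tenant by passing the container name as the contextId. It assumes fortress-core with the AdminMgrFactory / AccessMgrFactory createInstance(String contextId) overloads and the org.apache.directory.fortress.core.model entity package; the tenant name "Client123", the OU names "DemoUsers" and "DemoPerms", and the user, role and permission names are constructed for the example and must already exist or be creatable in that tenant's tree.

```java
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.PermObj;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Added example (not Fortress project code): provision a policy inside one
 * tenant container and then authorize against that same container only.
 * The contextId maps to the container created by the ant load script, i.e.
 * ou=Client123 under the suffix; a different contextId means a different DIT.
 */
public class TenantScopedPolicy {

    // Assumed tenant name; must match the <container name=".."/> loaded earlier.
    private static final String TENANT = "Client123";

    /** Provision a user, a role and one permission entirely within TENANT. */
    public static void provision() throws SecurityException {
        // Every entity created through this manager lands under ou=Client123.
        AdminMgr adminMgr = AdminMgrFactory.createInstance(TENANT);

        Role role = new Role("AccountReader");          // constructed role name
        adminMgr.addRole(role);

        User user = new User("jdoe");                   // constructed user id
        user.setPassword("change-me-on-first-login");   // constructed sample value
        user.setOu("DemoUsers");                        // user OU assumed to exist in this tenant
        adminMgr.addUser(user);

        // Assign the role to the user (both resolved inside the tenant tree).
        adminMgr.assignUser(new UserRole(user.getUserId(), role.getName()));

        // Permission object + operation, then grant to the role.
        PermObj obj = new PermObj("Account", "DemoPerms"); // perm OU assumed to exist
        adminMgr.addPermObj(obj);
        Permission read = new Permission("Account", "read");
        adminMgr.addPermission(read);
        adminMgr.grantPermission(read, role);
    }

    /**
     * Authorize within the tenant. Because the AccessMgr is created with the
     * same contextId, a user or role defined in another tenant's container is
     * simply not visible here; there is no cross-tenant ARBAC tree to consult.
     */
    public static boolean canReadAccount(String userId, String password)
            throws SecurityException {
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TENANT);
        User creds = new User(userId);
        creds.setPassword(password);
        // false: not a trusted session, so the password is actually checked.
        Session session = accessMgr.createSession(creds, false);
        return accessMgr.checkAccess(session, new Permission("Account", "read"));
    }

    public static void main(String[] args) throws SecurityException {
        provision();
        System.out.println("jdoe may read Account in " + TENANT + ": "
            + canReadAccount("jdoe", "change-me-on-first-login"));
    }
}
```

The point to take from this is the one Shawn makes about the realm: the tenant choice has to arrive as a contextId at the point where the manager is instantiated. Fortress Core itself accepts it; what the stock web-admin and the Tomcat realm lack is a path to carry that value from the incoming request down to the createInstance call, which is why a separate deployment per tenant is the workable option with the unmodified apps.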
