> From: Shawn McKinney [mailto:[email protected]]
> Sent: 4 November 2015 04:03
>
> > On Nov 3, 2015, at 3:01 PM, Jan Sindberg <[email protected]> wrote:
> >
> > I am new to Apache Fortress (and LDAP), and very hooked! Great work!
>
> Welcome, Jan!
>
> > On Nov 3, 2015, at 3:01 PM, Jan Sindberg <[email protected]> wrote:
> >
> > I am experimenting with
> >
> >   <addcontext>
> >     <context name="Client123"/>
> >   </addcontext>
> >
> > I try to understand the different ways to do multi-tenancy.
> > One for apps could be simply to create a new partition in the LDAP - I have
> > some success with that.
>
> Yes, create a new container using the ant load script with xml that looks like
> this:
>
>   <addcontainer>
>     <container name="Client123" description="Client 123 test context"/>
>   </addcontainer>
>
> And yes, underneath the new org unit node (ou=Client123,dc=suffix,dc=com)
> there will be an entire DIT dedicated to that tenant. The only node shared
> across tenants is ou=Config underneath the suffix. What does this mean?
> That means each tenant must have defined their own A/RBAC policies
> wholly. There is not an all-encompassing ARBAC tree that manages all of the
> tenants below, although I believe it is necessary and must be added - one
> day.

It could make sense that the "top" level under that suffix was holding all users
and basic permissions for accessing the application at all. This could be where
the realm works. Then maybe by using ApacheDS view, the People for a specific
org-unit could be available and limited to the single client. Maybe? Probably
not possible since the DN will be wrong.

> It also means that all tenants share a single configuration context. All
> tenants also share the same schema (as in ldap schema), although each may
> define their own tree structure and the dn's/rdn's beneath it.
>
> > On Nov 3, 2015, at 3:01 PM, Jan Sindberg <[email protected]> wrote:
> >
> > I am having trouble with getting the realm and/or the web-admin to
> > behave nicely. How should they be configured? It seems that for instance
> > web-admin has hardcoded "HOME" in applicationContext and that
> > J2eePolicyMgrImpl in the realm is hardcoded to GlobalIds.HOME.
> > Is there a right way to handle multiple tenants and contexts?
> > How do I make the web-admin aware of contexts? - Will I have to deploy an
> > instance for each context and LDAP-partition?
>
> Yes, the HOME context is hardcoded in the application context and policy
> manager (good eye). What that means is neither will work in a multitenant
> context out of box. Yes, we could make a single instance scoped to a single
> tenant, with some judicious code/config changes to the apps. Not a big deal,
> you're the first who's even asked.
>
> No, this design will not support a single instance of an app using fortress
> realm, or fortress web, to work with a multitenant context. There is simply no
> way to pass a tenant id down through the tomcat container realm SPI w/out
> doing some kind of hack on how the basic auth token gets forwarded. Open
> to ideas here.
>
> Great questions, hope this makes sense,
>
> Shawn

Still thinking :-)
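As an added example (not Apache Fortress code, and not from either poster) of the per-tenant DIT layout Shawn describes, the helper below builds a tenant's base DN with RFC 4514 escaping and checks whether an entry DN lies inside that tenant's subtree or the shared ou=Config; the suffix dc=example,dc=com and the function names are assumptions.

```python
# Added example, not Apache Fortress code: helpers for the per-tenant DIT
# layout in the thread (ou=<tenant>,<suffix> per tenant; ou=Config shared).
# The suffix dc=example,dc=com is an assumed placeholder.
import re

SUFFIX = "dc=example,dc=com"
SHARED_CONFIG_DN = f"ou=Config,{SUFFIX}"

# RFC 4514 characters that must be escaped inside an attribute value.
_SPECIAL = re.compile(r'([,+"\\<>;=])')

def escape_rdn_value(value: str) -> str:
    """Escape an RDN value so a tenant id cannot smuggle in extra RDNs
    (the RFC 4514 trailing-space rule is omitted for brevity)."""
    escaped = _SPECIAL.sub(r"\\\1", value)
    if escaped.startswith((" ", "#")):
        escaped = "\\" + escaped
    return escaped

def tenant_base_dn(tenant_id: str) -> str:
    """Base DN of a tenant's own subtree, e.g. ou=Client123,dc=example,dc=com."""
    if not tenant_id.strip():
        raise ValueError("tenant id must not be empty")
    return f"ou={escape_rdn_value(tenant_id)},{SUFFIX}"

def _split_dn(dn: str):
    """Split a DN into lower-cased RDNs, honouring backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escaped pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip().lower())
    return rdns

def dn_visible_to_tenant(dn: str, tenant_id: str) -> bool:
    """True only if dn lies in the tenant's subtree or the shared ou=Config."""
    rdns = _split_dn(dn)
    for base in (tenant_base_dn(tenant_id), SHARED_CONFIG_DN):
        base_rdns = _split_dn(base)
        if len(rdns) >= len(base_rdns) and rdns[-len(base_rdns):] == base_rdns:
            return True
    return False
```

A tenant id such as `Client456,dc=example` is escaped into a single RDN, so it cannot be used to point a lookup at another tenant's subtree or at the suffix.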
