> On Nov 10, 2015, at 2:00 AM, Jan Sindberg <[email protected]> wrote:
>
>> From: Shawn McKinney [mailto:[email protected]]
>> Sent: 4 November 2015 04:03
>>
>>>
>>> On Nov 3, 2015, at 3:01 PM, Jan Sindberg <[email protected]> wrote:
>>>
>>> I am new to Apache Fortress (and LDAP), and very hooked! Great work!
>>
>> Welcome Jan!
>>
>>>
>>> On Nov 3, 2015, at 3:01 PM, Jan Sindberg <[email protected]> wrote:
>>>
>>> I am experimenting with
>>>
>>>   <addcontext>
>>>     <context name="Client123"/>
>>>   </addcontext>
>>>
>>> I try to understand the different ways to do multi-tenancy.
>>> One for apps could be simply to create a new partition in the LDAP - I have
>>> some success with that.
>>
>> Yes, create a new container using the ant load script with xml that looks
>> like this:
>>
>>   <addcontainer>
>>     <container name="Client123" description="Client 123 test context"/>
>>   </addcontainer>
>>
>> And yes underneath the new org unit node (ou=Client123,dc=suffix,dc=com)
>> there will be an entire DIT dedicated to that tenant. The only node shared
>> across tenants is ou=Config underneath the suffix. What does this mean?
>> That means each tenant must have defined their own A/RBAC policies
>> wholly. There is not an all encompassing ARBAC tree that manages all of the
>> tenants below although I believe it is necessary and must be added - one
>> day.
>
> It could make sense that the "top" level under that suffix was holding all
> users and basic permissions for accessing the application at all. This could
> be where the realm works. Then maybe by using ApacheDS view, the People for a
> specific org-unit could be available and limited to the single client. Maybe?
> Probably not possible since the DN will be wrong.
The problem with that (if I am understanding you correctly) is that the same
user would have to be listed twice in the DIT. Once directly under the suffix
(default) for the realm, and a second time under the tenant specific
organization unit.

Shawn
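The layout the thread describes (a tenant container ou=Client123 directly under the suffix with its own DIT beneath it, ou=Config as the one shared node, and the default tree directly under the suffix) means the owning tenant of any entry can be read off its DN. The following is an added example, written for this page and not taken from the thread or from the Apache Fortress project; it classifies DNs by tenant and checks a requested contextId against the DN a session was bound with, so a caller cannot hand a default-tree user a tenant's contextId. The suffix dc=example,dc=com, the ou=People subtree, the tenant set and the label "default" are all assumptions made here.

```python
"""Tenant scoping for a Fortress-style multi-tenant DIT (added example).

Assumed layout (constructed for this example, modelled on the thread):
  default tree:   uid=<user>,ou=People,<suffix>
  tenant tree:    uid=<user>,ou=People,ou=Client123,<suffix>
  shared config:  ou=Config,<suffix>      (not a tenant)
"""

SUFFIX = "dc=example,dc=com"     # assumption: the directory suffix
TENANTS = {"Client123"}          # assumption: containers created with <addcontainer>
SHARED = {"Config"}              # ou=Config is the one node shared across tenants
DEFAULT_CONTEXT = "default"      # assumption: label for entries directly under the suffix

# LDAP attribute types and ou/dc values match case-insensitively; index lowercase.
TENANT_INDEX = {t.lower(): t for t in TENANTS}
SHARED_INDEX = {s.lower() for s in SHARED}


def split_dn(dn):
    """Split a DN into (attr, value) pairs, lowercased, honouring backslash
    escapes so "cn=Acme\\, Inc" stays one RDN. Multi-valued RDNs (a+b=...) are
    not handled; the layout in the thread does not use them."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # keep escaped char with its escape
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def tenant_of(dn, suffix=SUFFIX):
    """Return the tenant that owns `dn`: a name from TENANTS, DEFAULT_CONTEXT
    for the tree directly under the suffix, or None for the shared ou=Config
    subtree. Raises ValueError if the DN is not under the suffix at all."""
    pairs = split_dn(dn)
    base = split_dn(suffix)
    if len(pairs) < len(base) or pairs[-len(base):] != base:
        raise ValueError(f"{dn} is not under {suffix}")
    above = pairs[:-len(base)]
    if not above:
        return DEFAULT_CONTEXT                # the suffix entry itself
    attr, value = above[-1]                   # RDN immediately beneath the suffix
    if attr == "ou" and value in SHARED_INDEX:
        return None
    if attr == "ou" and value in TENANT_INDEX:
        return TENANT_INDEX[value]
    return DEFAULT_CONTEXT


def may_use_context(bind_dn, requested_context):
    """A session bound as `bind_dn` may only operate in the context that owns
    that entry. A default-tree user is therefore refused a tenant contextId:
    as the reply above notes, the user would have to exist a second time
    under the tenant's organizational unit to act there."""
    owner = tenant_of(bind_dn)
    return owner is not None and owner == requested_context


if __name__ == "__main__":
    # Constructed sample DNs, following the assumed layout.
    jan_default = "uid=jan,ou=People,dc=example,dc=com"
    jan_client = "uid=jan,ou=People,ou=Client123,dc=example,dc=com"
    print(tenant_of(jan_default), tenant_of(jan_client))
    print(may_use_context(jan_default, "Client123"))
    print(may_use_context(jan_client, "Client123"))
```

The two `jan` DNs are distinct entries even though the uid is the same, which is the duplication the reply points out; `may_use_context` makes that separation explicit instead of relying on the tenant subtree simply not containing the user.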
