Posted to dev@directory.apache.org by Ned Twigg <ne...@diffplug.com> on 2014/12/03 20:17:52 UTC

ApacheDS as a front for Google Apps

I have a small company that's moving from cloud services to internal
services, so we're getting our first-ever LDAP server up to manage these
accounts.

We're using ApacheDS, but I really wish we could use Google Apps to manage
our internal authentication requests.  We're an Eclipse/OSGi/Java dev shop,
so I figure we could probably hack around a little to make a plugin for
ApacheDS to set it up as a front for our Google Apps domain.

I've got a couple questions:
1) Do you think this is possible?
2) If so, any recommendations on where we should start?  Which extension
points we should learn about?
3) Is anybody interested in doing this project under sponsorship from us?
We're very small, but we do have some revenue, and it'd be worth $500 or so
to us for it to just be done.  Googling around there are other people who
have the same request:

https://productforums.google.com/forum/#!topic/apps/6rOyXD5g1aA
http://superuser.com/questions/438629/using-apacheds-for-single-sign-on-for-google-apps
https://www.jfrog.com/jira/browse/RTFACT-5491

If it's possible, it seems that ApacheDS is a good candidate to bridge the
gap for companies that don't want to maintain their own LDAP database.

Thanks for your time!

Ned Twigg
Lead Software Architect, DiffPlug LLC
949-264-3433
340 S Lemon Ave #3433, Walnut, CA 91789

Re: ApacheDS as a front for Google Apps

Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Dec 4, 2014 at 3:17 AM, Ned Twigg <ne...@diffplug.com> wrote:

> I have a small company that's moving from cloud services to internal
> services, so we're getting our first-ever LDAP server up to manage these
> accounts.
>
> We're using ApacheDS, but I really wish we could use Google Apps to manage
> our internal authentication requests.  We're an Eclipse/OSGi/Java dev shop,
> so I figure we could probably hack around a little to make a plugin for
> ApacheDS to set it up as a front for our Google Apps domain.
>
> I've got a couple questions:
> 1) Do you think this is possible?
>
What kind of authentication mechanism are you planning to use: OAuth? SAML?
You can use the embedded HTTP service component of ApacheDS.

> 2) If so, any recommendations on where we should start?  Which extension
> points we should learn about?
>
There are no extension points to the HTTP service of ApacheDS right now. I am
no OSGi expert,
but feel free to shoot any questions you have about the HTTP service; I
will answer them.

> 3) Is anybody interested in doing this project under sponsorship from us?
> We're very small, but we do have some revenue, and it'd be worth $500 or so
> to us for it to just be done.  Googling around there are other people who
> have the same request:
>
> https://productforums.google.com/forum/#!topic/apps/6rOyXD5g1aA
>
> http://superuser.com/questions/438629/using-apacheds-for-single-sign-on-for-google-apps
> https://www.jfrog.com/jira/browse/RTFACT-5491
>
> If it's possible, it seems that ApacheDS is a good candidate to bridge the
> gap for companies that don't want to maintain their own LDAP database.
>
Looks like a cool thing to have.

> Thanks for your time!
>
> Ned Twigg
> Lead Software Architect, DiffPlug LLC
> 949-264-3433
> 340 S Lemon Ave #3433, Walnut, CA 91789
>



-- 
Kiran Ayyagari
http://keydap.com

Re: ApacheDS as a front for Google Apps

Posted by Howard Chu <hy...@symas.com>.
Marc Boorshtein wrote:
>
>
> On Wed, Dec 3, 2014 at 2:17 PM, Ned Twigg <ned.twigg@diffplug.com> wrote:
>
>     I have a small company that's moving from cloud services to internal
>     services, so we're getting our first-ever LDAP server up to manage
>     these accounts.
>
>     We're using ApacheDS, but I really wish we could use Google Apps to
>     manage our internal authentication requests.  We're an
>     Eclipse/OSGi/Java dev shop, so I figure we could probably hack
>     around a little to make a plugin for ApacheDS to set it up as a
>     front for our Google Apps domain.
>
>
> Why not use ApacheDS to store the passwords and use SAML2 to
> authenticate to Gmail?  Doesn't work for heavy GUI apps or mobile but it
> does for webapps.
>
>
>     I've got a couple questions:
>     1) Do you think this is possible?
>
>
> It would be very hard with just ApacheDS.  Most of the authentication in
> ApacheDS assumes the password is local.  If you wanted to go down this
> route I would suggest using a virtual directory in front of your
> ApacheDS, using ApacheDS for data and the virtual directory (as a
> reverse proxy) to delegate authentication to Google but pull data from
> ApacheDS over LDAP.  No one I know of does this OOTB

OpenLDAP does this, no problem. Using any of a number of approaches, 
full proxy with back-ldap, authenticate-only proxy using pbind, SASL 
passthru, remoteauth overlay, etc. etc.

> but it should be a
> pretty easy plugin.  Shameless plug - MyVirtualDirectory
> (http://myvd.sourceforge.net), of which I'm the author, could do this
> pretty easily.  I know the folks at ForgeRock have virtual capabilities
> in their directory as well you could look at.
> Marc

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Re: ApacheDS as a front for Google Apps

Posted by Marc Boorshtein <mb...@gmail.com>.
On Wed, Dec 3, 2014 at 2:17 PM, Ned Twigg <ne...@diffplug.com> wrote:

> I have a small company that's moving from cloud services to internal
> services, so we're getting our first-ever LDAP server up to manage these
> accounts.
>
> We're using ApacheDS, but I really wish we could use Google Apps to manage
> our internal authentication requests.  We're an Eclipse/OSGi/Java dev shop,
> so I figure we could probably hack around a little to make a plugin for
> ApacheDS to set it up as a front for our Google Apps domain.
>

Why not use ApacheDS to store the passwords and use SAML2 to authenticate
to Gmail?  Doesn't work for heavy GUI apps or mobile but it does for
webapps.


>
> I've got a couple questions:
> 1) Do you think this is possible?
>

It would be very hard with just ApacheDS.  Most of the authentication in
ApacheDS assumes the password is local.  If you wanted to go down this
route I would suggest using a virtual directory in front of your ApacheDS,
using ApacheDS for data and the virtual directory (as a reverse proxy) to
delegate authentication to Google but pull data from ApacheDS over LDAP.
No one I know of does this OOTB but it should be a pretty easy plugin.
Shameless plug - MyVirtualDirectory (http://myvd.sourceforge.net), of which
I'm the author, could do this pretty easily.  I know the folks at ForgeRock
have virtual capabilities in their directory as well that you could look at.


> 2) If so, any recommendations on where we should start?  Which extension
> points we should learn about?
>
See my previous comment.  Google does have a Java SDK that could perform
the authentication and, if you really want to get fancy, could be used to
reset the password as well.


> 3) Is anybody interested in doing this project under sponsorship from us?
> We're very small, but we do have some revenue, and it'd be worth $500 or so
> to us for it to just be done.  Googling around there are other people who
> have the same request:
>
> https://productforums.google.com/forum/#!topic/apps/6rOyXD5g1aA
>
> http://superuser.com/questions/438629/using-apacheds-for-single-sign-on-for-google-apps
> https://www.jfrog.com/jira/browse/RTFACT-5491
>
>
I don't have the cycles to code it right now, but would be happy to help
out if you want to ping me out-of-band or on the MyVD list.  It sounds like
an interesting idea that would make a good addition to a virtual
directory.  No $$$$ needed.

Thanks
Marc