[ApacheDS] Internal directory operations

[Martin Alderson <Ma...@salfordsoftware.co.uk>]

Hi all,

I'm looking for some advice on how to interact with an embedded ApacheDS server from a Quartz scheduled job.  This job will periodically add/modify an entry.

I had been using something like DirectoryService.getInstance().getConfiguration().getPartitionNexus().modify(...) but I need this operation to go through the interceptor chain.

I think I need to get a JNDI context using (new InitialDirContext(env)) where env contains some credentials.  I guess I need the credentials of the admin user for this.  Is there any way for the server to know the operation is coming from the same process so it can automatically use the admin users credentials as stored in the directory?  If not how should I get the admin credentials?

Thinking about it, I guess this is tied in to having the admin user credentials specified in the configuration file which also seems bad to me.  Couldn't this be scrapped and have a way to authenticate as the admin user automatically from within the same process?

Thanks for any comments,

Martin

Re: [ApacheDS] Internal directory operations

[Alex Karasulu <ak...@apache.org>]

Hi Martin,

Sorry for not getting to this sooner...

On 7/23/07, Martin Alderson <Ma...@salfordsoftware.co.uk> wrote:
>
> Hi all,
>
> I'm looking for some advice on how to interact with an embedded ApacheDS
> server from a Quartz scheduled job.  This job will periodically add/modify
> an entry.
>
> I had been using something like DirectoryService.getInstance().getConfiguration().getPartitionNexus().modify(...)
> but I need this operation to go through the interceptor chain.


Aye.  The best way to interact would be to actually get a JNDI context from
inside the job
using the JNDI InitialContextFactory for the server's CoreContextFactory.
It's the proxy
objects that pipe calls in from the JNDI contexts into the InterceptorChain.

I think I need to get a JNDI context using (new InitialDirContext(env))
> where env contains some credentials.  I guess I need the credentials of the
> admin user for this.  Is there any way for the server to know the operation
> is coming from the same process so it can automatically use the admin users
> credentials as stored in the directory?  If not how should I get the admin
> credentials?


Good question.  I don't think there is a way that the moment.  There has
been some past
discussions about this but nothing conclusive.  Other services have the
admin credentials
provided in their configuration which is bad bad and more bad.  We need to
figure something
out here.  I'd be glad to help out on it but these next few days are going
to be really hard
for me.

Thinking about it, I guess this is tied in to having the admin user
> credentials specified in the configuration file which also seems bad to
> me.


Heh thinking the same here.

Couldn't this be scrapped and have a way to authenticate as the admin user
> automatically from within the same process?


Yeah this is something we need to do. I have not figured out any good means
to do
this at the present moment.  I guess if we had the security manager stuff in
place we could
find a way to determine if certain code can just run as admin.  The problem
is that any
user can add a SP and execute it to gain admin access without using a
security manager.

We have to figure something out here.  Sorry for not having a clear solution
in mind.

Alex