Posted to dev@directory.apache.org by Alex Karasulu <ak...@apache.org> on 2007/09/21 03:02:08 UTC

[ApacheDS] Delegated authenticator ideas

Hi all,

I started working on the concept of a delegated authenticator.  The concept is simple: if a principal matches certain criteria, the bind operation delegates authenticating the user to some external system.

At first I wanted this feature to delegate authentication to AD.  ApacheDS, while used for many applications, often needs to point to AD as the primary credential store.  You just can't expect companies to drop AD for us just yet :).  So the aim driving this is to delegate authentication to AD.

In doing this I realized that I could just make it work with any LDAP server since the mechanism would essentially be the same.  The solution could however be generalized even farther by enabling delegated authentication to any external system, but at this point I don't think I'm going to bother with this.

Now I am thinking how to enable delegation to multiple LDAP servers and how to map users to these servers.  Then how do you map users in ApacheDS to another principalDn in the external server?

Any thoughts on this?

Alex

Re: [ApacheDS] Delegated authenticator ideas

Posted by Alex Karasulu <ak...@apache.org>.
Here's what I'm thinking about doing to start enabling this feature:

Define a class to encapsulate the connection settings (minus principal and credentials) for various external servers.

Define a principal mapper interface that has a method that looks something like this:
    LdapDN map( LdapDN principalDn, Attributes entry, LdapServer target );

Add a subtree selector construct to the server which was in my previous emails.  This way we can construct dynamic groups based on subtree specifications.  Extend this to represent a mapping for delegating authentication to external servers.

Specify a means to configure mappers in the delegated authenticator.  Have the delegated authenticator look up the external servers to try for a specific principal and use that with the associated mapper[s] to determine the principal DN to use.

One of my motives for doing it like this is to decouple the mapping technique from the external server and the grouping of users which triggers the delegated authentication.

Thoughts?

Alex


On 9/21/07, Alex Karasulu <ak...@apache.org> wrote:
>
> Thanks for the feedback.
>
> Alex
>
> On 9/20/07, Marc Boorshtein <mb...@gmail.com> wrote:
> >
> > > Now I am thinking how to enable delegation to multiple LDAP servers and how
> > > to map users to these servers.  Then how do you map users in ApacheDS to
> > > another principalDn in the external server?
> > >
> >
> > MyVirtualDirectory handles this as part of the joiner system.  When a
> > user binds to the virtual directory the joiner system loads the entry
> > and determines all of the 'DN's the user is joined with and attempts a
> > bind on each one.  If any succeed the overall bind succeeds.  If all
> > the attempts fail the overall bind fails.
> >
> > For instance a user binds with the DN
> >
> > uid=tuser,ou=users,dc=domain,dc=com
> >
> > This user maps to the remote directory entry
> >
> > uid=tuser,ou=users,c=mycompany,c=us
> >
> > and is joined to the AD entry
> >
> > cn=Test User,cn=Users,dc=domain,dc=com
> >
> > The joiner will attempt an internal bind for both
> >
> > uid=tuser,ou=users,c=mycompany,c=us
> > cn=Test User,cn=Users,dc=domain,dc=com
> >
> > internally returning success if either succeeds.
> >
> > I don't know if you want to implement a full joiner subsystem but
> > there's one way to implement it.
> >
> > Marc
> >
>
>

Re: [ApacheDS] Delegated authenticator ideas

Posted by Alex Karasulu <ak...@apache.org>.
Thanks for the feedback.

Alex

On 9/20/07, Marc Boorshtein <mb...@gmail.com> wrote:
>
> > Now I am thinking how to enable delegation to multiple LDAP servers and how
> > to map users to these servers.  Then how do you map users in ApacheDS to
> > another principalDn in the external server?
> >
>
> MyVirtualDirectory handles this as part of the joiner system.  When a
> user binds to the virtual directory the joiner system loads the entry
> and determines all of the 'DN's the user is joined with and attempts a
> bind on each one.  If any succeed the overall bind succeeds.  If all
> the attempts fail the overall bind fails.
>
> For instance a user binds with the DN
>
> uid=tuser,ou=users,dc=domain,dc=com
>
> This user maps to the remote directory entry
>
> uid=tuser,ou=users,c=mycompany,c=us
>
> and is joined to the AD entry
>
> cn=Test User,cn=Users,dc=domain,dc=com
>
> The joiner will attempt an internal bind for both
>
> uid=tuser,ou=users,c=mycompany,c=us
> cn=Test User,cn=Users,dc=domain,dc=com
>
> internally returning success if either succeeds.
>
> I don't know if you want to implement a full joiner subsystem but
> there's one way to implement it.
>
> Marc
>

Re: [ApacheDS] Delegated authenticator ideas

Posted by Marc Boorshtein <mb...@gmail.com>.
> Now I am thinking how to enable delegation to multiple LDAP servers and how
> to map users to these servers.  Then how do you map users in ApacheDS to
> another principalDn in the external server?
>

MyVirtualDirectory handles this as part of the joiner system.  When a
user binds to the virtual directory the joiner system loads the entry
and determines all of the 'DN's the user is joined with and attempts a
bind on each one.  If any succeed the overall bind succeeds.  If all
the attempts fail the overall bind fails.

For instance a user binds with the DN

uid=tuser,ou=users,dc=domain,dc=com

This user maps to the remote directory entry

uid=tuser,ou=users,c=mycompany,c=us

and is joined to the AD entry

cn=Test User,cn=Users,dc=domain,dc=com

The joiner will attempt an internal bind for both

uid=tuser,ou=users,c=mycompany,c=us
cn=Test User,cn=Users,dc=domain,dc=com

internally returning success if either succeeds.

I don't know if you want to implement a full joiner subsystem but
there's one way to implement it.

Marc
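A toy model of the design discussed in this thread (Alex's connection-settings class, mapper interface and subtree selector, combined with Marc's joiner rule that the bind succeeds if any joined DN binds), added here as an example and not code from ApacheDS or MyVirtualDirectory; the server names, passwords, rule layout and the `rdn_mapper`/`cn_mapper` helpers are constructed, and only the DNs quoted in Marc's post are taken from the thread.

```python
# Added example, not ApacheDS code: toy model of the thread's design
# (subtree selector -> external servers -> mapper -> bind), joiner semantics.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class LdapServer:
    name: str   # connection settings for one external server, minus credentials
    base: str   # suffix the mapped DN is rooted under

# Mirrors the thread's LdapDN map(LdapDN principalDn, Attributes entry, LdapServer target)
Mapper = Callable[[str, Dict[str, str], LdapServer], str]

def rdn_mapper(principal_dn: str, entry: Dict[str, str], target: LdapServer) -> str:
    """Keep the leading RDN and re-root it under the target's base (hypothetical)."""
    return principal_dn.split(",", 1)[0] + "," + target.base

def cn_mapper(principal_dn: str, entry: Dict[str, str], target: LdapServer) -> str:
    """Build an AD-style DN from the local entry's cn attribute (hypothetical)."""
    return "cn=" + entry["cn"] + ",cn=Users," + target.base

CORP = LdapServer("corp-ldap", "ou=users,c=mycompany,c=us")
AD = LdapServer("ad", "dc=domain,dc=com")

# Constructed external credential stores: server name -> {dn: password}
EXTERNAL = {
    CORP.name: {"uid=tuser,ou=users,c=mycompany,c=us": "corp-pw"},
    AD.name: {"cn=Test User,cn=Users,dc=domain,dc=com": "ad-pw"},
}

def remote_bind(server: LdapServer, dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against the external server."""
    return EXTERNAL.get(server.name, {}).get(dn) == password

# Subtree selector: principals under the base DN are delegated to these
# (server, mapper) pairs, tried in order.
RULES: List[Tuple[str, List[Tuple[LdapServer, Mapper]]]] = [
    ("ou=users,dc=domain,dc=com", [(CORP, rdn_mapper), (AD, cn_mapper)]),
]

def delegated_bind(principal_dn: str, entry: Dict[str, str], password: str) -> bool:
    """Succeed on the first mapped DN that binds; fail closed otherwise."""
    if not password:  # an empty password would be an LDAP unauthenticated bind
        return False
    for base, targets in RULES:
        if not principal_dn.lower().endswith("," + base.lower()):
            continue
        for server, mapper in targets:
            try:
                if remote_bind(server, mapper(principal_dn, entry, server), password):
                    return True
            except Exception:  # mapper error or unreachable server: failed attempt
                continue
    return False
```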