Posted to dev@directory.apache.org by Kristian Rink <kr...@pm-planc.de> on 2006/06/15 16:22:15 UTC

SQL-to-LDAP backend? (was Re: [OT?] user list)

Hello Ersin, list;

... and at first thanks for the reply.

Ersin Er wrote:

> We do not yet have a users list so any question is fine here.


Okay, here's my "problem": I'm in the process of evaluating several
LDAP-based directory servers in order to get our user management
unified. Most of our user data currently is stored within a relational
database (more exactly, within a database structure created by some
document management system), and until I managed building a wholly new
infrastructure including tools and everything, I'd like to expose those
information (at least read-only) using LDAP.

Recently I looked at OpenLDAP and discovered that there is a solution
named slapd-sql which allows for making arbitrary data out of an SQL
capable relational database available as LDAP objects, given that there
is a meaningful configuration of SQL queries to fetch the actual data
when needed.

For several reasons I dislike OpenLDAP, and since I'm more a Java person
anyhow, I wonder if there's a way to do something similar using Apache
DS? Can I make the server connect to some database, say, using a JDBC
driver, to then "map" an LDAP hierarchy to a relational database? Has
anyone tried something like that before? Any hints on that?


Thanks in advance and bye,
Kris

Re: SQL-to-LDAP backend? (was Re: [OT?] user list)

Posted by Marc Boorshtein <mb...@gmail.com>.
> Yeah, I assume that would do. By now it looks like pam_ldap will have to
> do the job of connecting the Unix-based servers to the LDAP directory to
> fetch user accounts. Maybe it will be extended later to also provide
> group information but right now that's not that much important.
>

That's a whole lot more fun :-)  So at least initially I would think the
penrose product can do everything you need pretty easily.  When you
get into pam_ldap you'll have to decide where you want to store the
unix specific attributes.

> Yes, I'm currently playing around with certain encryption mechanisms the
> DMS provides for the password stored there. Basically, it's really just
> about making a single table (two if talking about groups, too) in a
> relational database accessible via LDAP...

Ok, so from the sound of it you are storing the password in the
database, but it isn't there yet.  One thing I've done before is just
use SSHA to do a 1-way hash of the password when it's stored in the
db.  How are you planning on getting the passwords into the db?

Marc
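
An added example, not part of the thread or any poster's code: it sketches the setup discussed here, a single user table exposed as a flat DIT with passwords stored as {SSHA} values (base64 of SHA-1(password + salt) followed by the salt). The table `dms_users`, its columns, the `ou=users,dc=example,dc=com` suffix and all function names are assumptions, and the rows are constructed sample data.

```python
import base64, hashlib, hmac, os, sqlite3

BASE_DN = "ou=users,dc=example,dc=com"  # assumed suffix for the flat DIT

def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a bind password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:          # malformed base64 in the column
        return False
    if len(raw) <= 20:          # SHA-1 digest is 20 bytes; the rest is salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare

def escape_rdn(value):
    """Backslash-escape , + " \\ < > ; and a leading '#' or space."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out.startswith(("#", " ")) else out

def row_to_entry(login, full_name, pw_hash):
    # One row of the hypothetical dms_users table becomes one LDAP entry.
    return {"dn": "uid=%s,%s" % (escape_rdn(login), BASE_DN),
            "objectClass": ["inetOrgPerson"], "uid": login,
            "cn": full_name, "sn": full_name.split()[-1],
            "userPassword": pw_hash}

def load_entries(conn):
    sql = "SELECT login, full_name, pw_hash FROM dms_users ORDER BY login"
    return [row_to_entry(*row) for row in conn.execute(sql)]

def demo_db():
    """Constructed sample data standing in for the DMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dms_users "
                 "(login TEXT PRIMARY KEY, full_name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO dms_users VALUES (?, ?, ?)", [
        ("kris", "Kris Example", ssha_hash("s3cret-one")),
        ("smith, j", "Jo Smith", ssha_hash("s3cret-two"))])
    return conn
```

Single-round salted SHA-1 is cheap to brute-force offline, so the password column should be readable only by the directory backend.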

Re: SQL-to-LDAP backend? (was Re: [OT?] user list)

Posted by Kristian Rink <kr...@pm-planc.de>.
Hello Marc, all;

Marc Boorshtein wrote:
> if all you care about is users the task should be fairly straight
> forward with a flat DIT with all the users under a single ou or dc or
> something like that. 

Yeah, I assume that would do. By now it looks like pam_ldap will have to
do the job of connecting the Unix-based servers to the LDAP directory to
fetch user accounts. Maybe it will be extended later to also provide
group information but right now that's not that much important.


> Is the password already in the directory?

Yes, I'm currently playing around with certain encryption mechanisms the
DMS provides for the password stored there. Basically, it's really just
about making a single table (two if talking about groups, too) in a
relational database accessible via LDAP...

Cheers & thanks,
Kris


-- 
Kristian Rink   -- Programming/System Administration
planConnect GmbH * Strehlener Str. 12 - 14 * 01069 Dresden
0176 24472771 * krink@pm-planc.de

Re: SQL-to-LDAP backend? (was Re: [OT?] user list)

Posted by Marc Boorshtein <mb...@gmail.com>.
if all you care about is users the task should be fairly straight
forward with a flat DIT with all the users under a single ou or dc or
something like that.  Is the password already in the directory?

On 6/15/06, Kristian Rink <kr...@pm-planc.de> wrote:
>
> Hello Jim, Marc, all;
>
> at first, thanks loads for your hints, much appreciated! :) Right now, I
> am getting my feet wet playing around with Penrose - good thing about it
> as I have seen so far is that it's both Open-Source _and_ easy to handle
> (which is good since I'm not the only one who will have to maintain the
> final solution).
>
> On the other side, I don't think that the DIT will be _that_ complex in
> the end. LDAP is thought to export the users stored inside the DMS
> software since we need to have external services (FTP, HTTP/WebDAV, ...)
> doing authentication against those user information and the DMS itself
> doesn't provide any interface of doing that directly (so I have to
> follow the way of somehow manually messing around with its database).
> So, the directory itself will not really need to have a complex
> structure, all that is required is to make our FTP and HTTP server find
> the user account informations. What sort of approach would I have to
> choose in order to make up a custom backend doing that (forgive me if
> this is asking for something obvious - I'm just slowly getting into the
> depths of apacheds ...).
>
>
> Anyhow, thanks loads for your help!
> Cheers,
> Kris
>
>
>
> Marc Boorshtein wrote:
> > In addition to penrose there are other commercial solutions from
> > Oracle, Radiant Logic and MaxWare.  How complex is your DIT?  If you
> > have just a flat DIT and a fairly good mindset you could probably
> > cobble something together with just apacheds and a custom backend.
> >
> > Marc
>
>

Re: SQL-to-LDAP backend? (was Re: [OT?] user list)

Posted by Kristian Rink <kr...@pm-planc.de>.
Hello Jim, Marc, all;

at first, thanks loads for your hints, much appreciated! :) Right now, I
am getting my feet wet playing around with Penrose - good thing about it
as I have seen so far is that it's both Open-Source _and_ easy to handle
(which is good since I'm not the only one who will have to maintain the
final solution).

On the other side, I don't think that the DIT will be _that_ complex in
the end. LDAP is thought to export the users stored inside the DMS
software since we need to have external services (FTP, HTTP/WebDAV, ...)
doing authentication against those user information and the DMS itself
doesn't provide any interface of doing that directly (so I have to
follow the way of somehow manually messing around with its database).
So, the directory itself will not really need to have a complex
structure, all that is required is to make our FTP and HTTP server find
the user account informations. What sort of approach would I have to
choose in order to make up a custom backend doing that (forgive me if
this is asking for something obvious - I'm just slowly getting into the
depths of apacheds ...).


Anyhow, thanks loads for your help!
Cheers,
Kris



Marc Boorshtein wrote:
> In addition to penrose there are other commercial solutions from
> Oracle, Radiant Logic and MaxWare.  How complex is your DIT?  If you
> have just a flat DIT and a fairly good mindset you could probably
> cobble something together with just apacheds and a custom backend.
> 
> Marc


Re: SQL-to-LDAP backend? (was Re: [OT?] user list)

Posted by Marc Boorshtein <mb...@gmail.com>.
In addition to penrose there are other commercial solutions from
Oracle, Radiant Logic and MaxWare.  How complex is your DIT?  If you
have just a flat DIT and a fairly good mindset you could probably
cobble something together with just apacheds and a custom backend.

Marc

On 6/15/06, Jim Yang <ji...@safehaus.org> wrote:
> Hi Kristian,
>
> Check out http://penrose.safehaus.org. Penrose lets you "map" any
> JDBC source and present it as an LDAP server.
>
> yy
>
> On Jun 15, 2006, at 7:22 AM, Kristian Rink wrote:
>
> >
> > Hello Ersin, list;
> >
> > ... and at first thanks for the reply.
> >
> > Ersin Er wrote:
> >
> >> We do not yet have a users list so any question is fine here.
> >
> >
> > Okay, here's my "problem": I'm in the process of evaluating several
> > LDAP-based directory servers in order to get our user management
> > unified. Most of our user data currently is stored within a relational
> > database (more exactly, within a database structure created by some
> > document management system), and until I managed building a wholly new
> > infrastructure including tools and everything, I'd like to expose those
> > information (at least read-only) using LDAP.
> >
> > Recently I looked at OpenLDAP and discovered that there is a solution
> > named slapd-sql which allows for making arbitrary data out of an SQL
> > capable relational database available as LDAP objects, given that there
> > is a meaningful configuration of SQL queries to fetch the actual data
> > when needed.
> >
> > For several reasons I dislike OpenLDAP, and since I'm more a Java person
> > anyhow, I wonder if there's a way to do something similar using Apache
> > DS? Can I make the server connect to some database, say, using a JDBC
> > driver, to then "map" an LDAP hierarchy to a relational database? Has
> > anyone tried something like that before? Any hints on that?
> >
> >
> > Thanks in advance and bye,
> > Kris
>
>

Re: SQL-to-LDAP backend? (was Re: [OT?] user list)

Posted by Jim Yang <ji...@safehaus.org>.
Hi Kristian,

Check out http://penrose.safehaus.org. Penrose lets you "map" any  
JDBC source and present it as an LDAP server.

yy

On Jun 15, 2006, at 7:22 AM, Kristian Rink wrote:

>
> Hello Ersin, list;
>
> ... and at first thanks for the reply.
>
> Ersin Er wrote:
>
>> We do not yet have a users list so any question is fine here.
>
>
> Okay, here's my "problem": I'm in the process of evaluating several
> LDAP-based directory servers in order to get our user management
> unified. Most of our user data currently is stored within a relational
> database (more exactly, within a database structure created by some
> document management system), and until I managed building a wholly new
> infrastructure including tools and everything, I'd like to expose those
> information (at least read-only) using LDAP.
>
> Recently I looked at OpenLDAP and discovered that there is a solution
> named slapd-sql which allows for making arbitrary data out of an SQL
> capable relational database available as LDAP objects, given that there
> is a meaningful configuration of SQL queries to fetch the actual data
> when needed.
>
> For several reasons I dislike OpenLDAP, and since I'm more a Java person
> anyhow, I wonder if there's a way to do something similar using Apache
> DS? Can I make the server connect to some database, say, using a JDBC
> driver, to then "map" an LDAP hierarchy to a relational database? Has
> anyone tried something like that before? Any hints on that?
>
>
> Thanks in advance and bye,
> Kris


RE: SQL-to-LDAP backend? (was Re: [OT?] user list)

Posted by "Noel J. Bergman" <no...@devtech.com>.
Kristian Rink wrote:

> ... in order to get our user management unified.
> Most of our user data currently is stored within
> a relational database

> I'd like to expose those information (at least
> read-only) using LDAP.

Years and years ago, when Alex and I were first talking about LDAPd, designs
were put in place to handle virtualizing non-local data into the DIT.  At
some point, those should come to fruition within ApacheDS, itself.  Requests
for entries and attributes can be passed downstream.

To represent entire subtrees in the DIT would be rather more work, as you
would have to deal with contexts.

In the meantime, although it would not be quite as transparent, you can
store Java objects in the DIT, and those can be your connector to downstream
data.  By clever use of attributes and generic connectors, you can store the
connector's parameters in the entry as parameters, rather than embedded in
the serialized object.  Lots of options.  Your call.

	--- Noel