Posted to dev@directory.apache.org by Adison Wongkar <ad...@vergenet.com> on 2005/02/07 06:08:50 UTC

Virtual Directory (or LDAP Proxy)

Hi everyone,
 
I just joined this mailing list. I'm Adison Wongkar from Verge Archemedia in
Austin, TX. Me and a co-worker from the same company (Endi Dewata) have been
working on a Virtual Directory piece of software. Currently we have
developed it as a backend to OpenLDAP (writing back-java on our own). We
have an interest to see if we could integrate our java code into the
ApacheDS project. Perhaps as a backend to ApacheDS. I want to see if there's
any interest from you all in having a virtual directory module for ApacheDS.
 
Btw, I just checked out and played with the ApacheDS. Great work! Just by
looking at the website, I got the impression that the project has just
started. But when I played and looked at the code, I am quite thrilled.
 
Regards,
Adison
 

Re: Virtual Directory (or LDAP Proxy)

Posted by Alex Karasulu <ao...@bellsouth.net>.
Adison Wongkar wrote:

>Hi Alex,
>
>>Well a combination of approaches can be used. You can wrap backends 
>>around disparate data sources to access them in a standard manner.
>>
>>I think you may need to do both but time will tell. With other LDAP 
>>servers you never had a choice: a backend was the only option. With
>>ApacheDS you have an added degree of freedom that may allow you to do
>>even more.
>
>We're thinking at least initially we would implement the virtual directory
>component as a backend. Ie. implementing the
>org.apache.ldap.server.BackingStore or
>org.apache.ldap.server.ContextPartition 's methods
>(add/delete/modify/search/lookup etc.). 
>
Hmmmm you could certainly do that but I recommend against this 
approach.  It's probably the easiest thing to do for you though.  
However we would like to parameterize the virtual directory 
specification as part of view management. 

>The virtual directory component:
>- has mapping configuration (in XML) 
>- has working join & cache db (in memory or persistent)
>- currently has adapters to databases and directories (we call these our
>data sources)
>- can map & combine attributes from the data sources
>
>Feel free to let me know what you think of this.
>
Is this related to the stuff y'all are doing at http://openvd.org?

>NB: I also like the interceptor chain piece of the architecture. Perhaps we
>can do something like ACL rules mapping, instead of just DIT & attributes
>mapping. 
>
Could you explain this?  I'm interested.  I suspect by ACL you are 
referring to Access Control Lists.  One thing we can definitely use is an 
authorization mechanism in the server.  Please tell me more. 

Alex


RE: Virtual Directory (or LDAP Proxy)

Posted by Adison Wongkar <ad...@vergenet.com>.
Hi Alex,

> Well a combination of approaches can be used. You can wrap backends 
> around disparate data sources to access them in a standard manner.
> 
> I think you may need to do both but time will tell. With other LDAP 
> servers you never had a choice: a backend was the only option. With
> ApacheDS you have an added degree of freedom that may allow you to do
> even more.
> 

We're thinking at least initially we would implement the virtual directory
component as a backend. Ie. implementing the
org.apache.ldap.server.BackingStore or
org.apache.ldap.server.ContextPartition 's methods
(add/delete/modify/search/lookup etc.). 

The virtual directory component:
- has mapping configuration (in XML) 
- has working join & cache db (in memory or persistent)
- currently has adapters to databases and directories (we call these our
data sources)
- can map & combine attributes from the data sources

Feel free to let me know what you think of this.

NB: I also like the interceptor chain piece of the architecture. Perhaps we
can do something like ACL rules mapping, instead of just DIT & attributes
mapping. 


Cheers,
Adison


Re: Virtual Directory (or LDAP Proxy)

Posted by Alex Karasulu <ao...@bellsouth.net>.
Adison Wongkar wrote:

>Hi Alex,
>
>I see you have the "interceptor chain". I've actually been wondering whether
>it would be most efficient to implement the virtual directory as "backend"
>or as "interceptor".
>
Well a combination of approaches can be used. You can wrap backends 
around disparate data sources to access them in a standard manner.

>Currently our implementation works as a backend (we originally designed it
>as a backend for openldap). So we have our own join & caching engine. This
>component has adapters that can talk with databases (via jdbc) and ldaps
>(via jndi) and somehow process them according to the mapping rules into a
>join/cache database. LDAP operations (search/add/modify/delete, etc.) are
>applied to this cache as well as the original data sources. This join/cache
>database can be in-memory db (such as hsql) or persistent db.
>
OK

>Most of ldap servers (including ApacheDS) have a notion of backend. So, I
>would imagine our implementation would be more portable if implemented as
>backend. 
>
I think you may need to do both but time will tell. With other LDAP 
servers you never had a choice: a backend was the only option. With 
ApacheDS you have an added degree of freedom that may allow you to do 
even more.

None of these backends are compatible so you don't gain much by keeping 
it as just a backend.

>However, I'd like to see if implementing virtual directory
>component as interceptor would be the optimal way to do it. I'll learn more
>to find out. Any pointers would be appreciated.
>
>I see you've been involved with the RFC 3672. It's really cool to have LDAP
>view. Do you know how close it is to being ratified?
>
No actually I have not been involved with 3672 at all. I've been playing 
with the idea of submitting a new draft for defining views in a standard 
manner.

>Regards,
>Adison
>
>-----Original Message-----
>From: Alex Karasulu [mailto:aok123@bellsouth.net] 
>Sent: Monday, February 07, 2005 12:30 AM
>To: Apache Directory Developers List
>Subject: Re: Virtual Directory (or LDAP Proxy)
>
>Adison Wongkar wrote:
>
>>Hi everyone,
>> 
>>I just joined this mailing list. I'm Adison Wongkar from Verge 
>>Archemedia in Austin, TX. Me and a co-worker from the same company 
>>(Endi Dewata) have been working on a Virtual Directory piece of 
>>software. Currently we have developed it as a backend to OpenLDAP 
>>(writing back-java on our own). We have an interest to see if we could 
>>integrate our java code into the ApacheDS project. Perhaps as a 
>>backend to ApacheDS. I want to see if there's any interest from you 
>>all in having a virtual directory module for ApacheDS.
>
>Absolutely this is a very exciting niche in directory services. 
>
>We were considering LDAP Views (analogous to SQL views in RDBMs world) 
>for doing just this.  The view is essentially the fundamental mechanism 
>for enabling a directory as a virtual directory.  Obviously the view is 
>a hook into a complex subsystem of the directory server: the virtual 
>directory part.  The server detects a request and delegates that request 
>based on some subtree specification (see here in section 2.1 
>http://www.rfc-archive.org/getrfc.php?rfc=3672) to this subsystem.  The 
>subsystem can do what it wants to compose and return the response.  This 
>includes any combination of the operations below and more ...
>
>o assemble one or more entries into a super entry
>o transform while assembling
>o remap attributes between two schemas
>o pull data from disparate (non jndi/ldap) resources to assemble the entry
>o ...
>
>This list really is just limited by our imagination isn't it :)?  Also 
>note that the interceptor subsystem of the server comes in very handy 
>here.  It can be used to trap a request, analyze it to see if it falls 
>into a subtree that is associated with a virtual area and delegate the 
>response to the virtual directory subsystem.  This is really cool stuff 
>- probably because it's slick and not so easy to do - challenging.
>
>I think you'll find many people that would be interested in pursuing 
>this with you.  I'm very interested myself so count me in.  Another 
>fellow named Mark Swanson is also interested in this for his schedule 
>world application and his calendar server here:
>
>http://scheduleworld.com
>
>Also if you would like, you're welcome to work on a draft spec for 
>formalizing LDAP views.  I've started work on a draft for submission to 
>the ietf to try to standardize views within LDAP.  If we implement this 
>then virtual directories can be specified very easily.
>
>>Btw, I just checked out and played with the ApacheDS. Great work! Just 
>>by looking at the website, I got the impression that the project has 
>>just started. But when I played and looked at the code, I am quite 
>>thrilled.
>
>That's really nice to hear.  We've been doing this for the past 30 or so 
>months. However we've only been in the Apache Incubator for 16 months. 
>
>Cheers,
>Alex


RE: Virtual Directory (or LDAP Proxy)

Posted by Adison Wongkar <ad...@vergenet.com>.
Hi Mark and Enrique,

Thanks for the show of interest. I'm sure we could work out something on the
virtual directory. Looking forward to working with you all.

Adison 

> -----Original Message-----
> From: Enrique Rodriguez [mailto:erodriguez@apache.org] 
> Sent: Monday, February 07, 2005 1:55 PM
> To: Apache Directory Developers List
> Subject: Re: Virtual Directory (or LDAP Proxy)
> 
> I would like to see this, too.
> 
> -enrique
> 
> 
> Mark Swanson wrote:
> > As Alex mentioned, I'm interested in what you are talking about. I am 
> > available for debugging/testing/discussing whatever you come up with on 
> > this topic.
> > 
> > Cheers.
> > 


Re: Virtual Directory (or LDAP Proxy)

Posted by Enrique Rodriguez <er...@apache.org>.
I would like to see this, too.

-enrique


Mark Swanson wrote:
> As Alex mentioned, I'm interested in what you are talking about. I am 
> available for debugging/testing/discussing whatever you come up with on 
> this topic.
> 
> Cheers.
> 

Re: Virtual Directory (or LDAP Proxy)

Posted by Mark Swanson <ma...@ScheduleWorld.com>.
As Alex mentioned, I'm interested in what you are talking about. I am 
available for debugging/testing/discussing whatever you come up with on 
this topic.

Cheers.

-- 
Free replacement for Exchange and Outlook (Contacts and Calendar)
http://www.ScheduleWorld.com/
WAP: http://www.ScheduleWorld.com/sw/WAPToday?id=4000&tz=EST
WebDAV: http://www.ScheduleWorld.com/sw/webDAVDir/4000.ics
VFREEBUSY: http://www.ScheduleWorld.com/sw/freebusy/4000.ifb

RE: Virtual Directory (or LDAP Proxy)

Posted by Adison Wongkar <ad...@vergenet.com>.
Hi Alex,

I see you have the "interceptor chain". I've actually been wondering whether
it would be most efficient to implement the virtual directory as "backend"
or as "interceptor".

Currently our implementation works as a backend (we originally designed it
as a backend for openldap). So we have our own join & caching engine. This
component has adapters that can talk with databases (via jdbc) and ldaps
(via jndi) and somehow process them according to the mapping rules into a
join/cache database. LDAP operations (search/add/modify/delete, etc.) are
applied to this cache as well as the original data sources. This join/cache
database can be in-memory db (such as hsql) or persistent db.

Most of ldap servers (including ApacheDS) have a notion of backend. So, I
would imagine our implementation would be more portable if implemented as
backend. However, I'd like to see if implementing virtual directory
component as interceptor would be the optimal way to do it. I'll learn more
to find out. Any pointers would be appreciated.

I see you've been involved with the RFC 3672. It's really cool to have LDAP
view. Do you know how close it is to being ratified?

Regards,
Adison

-----Original Message-----
From: Alex Karasulu [mailto:aok123@bellsouth.net] 
Sent: Monday, February 07, 2005 12:30 AM
To: Apache Directory Developers List
Subject: Re: Virtual Directory (or LDAP Proxy)

Adison Wongkar wrote:

> Hi everyone,
>  
> I just joined this mailing list. I'm Adison Wongkar from Verge 
> Archemedia in Austin, TX. Me and a co-worker from the same company 
> (Endi Dewata) have been working on a Virtual Directory piece of 
> software. Currently we have developed it as a backend to OpenLDAP 
> (writing back-java on our own). We have an interest to see if we could 
> integrate our java code into the ApacheDS project. Perhaps as a 
> backend to ApacheDS. I want to see if there's any interest from you 
> all in having a virtual directory module for ApacheDS.

Absolutely this is a very exciting niche in directory services. 

We were considering LDAP Views (analogous to SQL views in RDBMs world) 
for doing just this.  The view is essentially the fundamental mechanism 
for enabling a directory as a virtual directory.  Obviously the view is 
a hook into a complex subsystem of the directory server: the virtual 
directory part.  The server detects a request and delegates that request 
based on some subtree specification (see here in section 2.1 
http://www.rfc-archive.org/getrfc.php?rfc=3672) to this subsystem.  The 
subsystem can do what it wants to compose and return the response.  This 
includes any combination of the operations below and more ...

o assemble one or more entries into a super entry
o transform while assembling
o remap attributes between two schemas
o pull data from disparate (non jndi/ldap) resources to assemble the entry
o ...

This list really is just limited by our imagination isn't it :)?  Also 
note that the interceptor subsystem of the server comes in very handy 
here.  It can be used to trap a request, analyze it to see if it falls 
into a subtree that is associated with a virtual area and delegate the 
response to the virtual directory subsystem.  This is really cool stuff 
- probably because it's slick and not so easy to do - challenging.

I think you'll find many people that would be interested in pursuing 
this with you.  I'm very interested myself so count me in.  Another 
fellow named Mark Swanson is also interested in this for his schedule 
world application and his calendar server here:

http://scheduleworld.com

Also if you would like, you're welcome to work on a draft spec for 
formalizing LDAP views.  I've started work on a draft for submission to 
the ietf to try to standardize views within LDAP.  If we implement this 
then virtual directories can be specified very easily.

> Btw, I just checked out and played with the ApacheDS. Great work! Just 
> by looking at the website, I got the impression that the project has 
> just started. But when I played and looked at the code, I am quite 
> thrilled.

That's really nice to hear.  We've been doing this for the past 30 or so 
months. However we've only been in the Apache Incubator for 16 months. 

Cheers,
Alex


Re: Virtual Directory (or LDAP Proxy)

Posted by Alex Karasulu <ao...@bellsouth.net>.
Adison Wongkar wrote:

> Hi everyone,
>  
> I just joined this mailing list. I'm Adison Wongkar from Verge 
> Archemedia in Austin, TX. Me and a co-worker from the same company 
> (Endi Dewata) have been working on a Virtual Directory piece of 
> software. Currently we have developed it as a backend to OpenLDAP 
> (writing back-java on our own). We have an interest to see if we could 
> integrate our java code into the ApacheDS project. Perhaps as a 
> backend to ApacheDS. I want to see if there's any interest from you 
> all in having a virtual directory module for ApacheDS.

Absolutely this is a very exciting niche in directory services. 

We were considering LDAP Views (analogous to SQL views in RDBMs world) 
for doing just this.  The view is essentially the fundamental mechanism 
for enabling a directory as a virtual directory.  Obviously the view is 
a hook into a complex subsystem of the directory server: the virtual 
directory part.  The server detects a request and delegates that request 
based on some subtree specification (see here in section 2.1 
http://www.rfc-archive.org/getrfc.php?rfc=3672) to this subsystem.  The 
subsystem can do what it wants to compose and return the response.  This 
includes any combination of the operations below and more ...

o assemble one or more entries into a super entry
o transform while assembling
o remap attributes between two schemas
o pull data from disparate (non jndi/ldap) resources to assemble the entry
o ...

This list really is just limited by our imagination isn't it :)?  Also 
note that the interceptor subsystem of the server comes in very handy 
here.  It can be used to trap a request, analyze it to see if it falls 
into a subtree that is associated with a virtual area and delegate the 
response to the virtual directory subsystem.  This is really cool stuff 
- probably because it's slick and not so easy to do - challenging.

I think you'll find many people that would be interested in pursuing 
this with you.  I'm very interested myself so count me in.  Another 
fellow named Mark Swanson is also interested in this for his schedule 
world application and his calendar server here:

http://scheduleworld.com

Also if you would like, you're welcome to work on a draft spec for 
formalizing LDAP views.  I've started work on a draft for submission to 
the ietf to try to standardize views within LDAP.  If we implement this 
then virtual directories can be specified very easily.

> Btw, I just checked out and played with the ApacheDS. Great work! Just 
> by looking at the website, I got the impression that the project has 
> just started. But when I played and looked at the code, I am quite 
> thrilled.

That's really nice to hear.  We've been doing this for the past 30 or so 
months. However we've only been in the Apache Incubator for 16 months. 

Cheers,
Alex
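
The routing step described in the message above (trap a request, check whether its DN falls inside a subtree tied to a virtual area, then assemble and remap an entry), as an added example that is not from the thread or from ApacheDS. VirtualAreaRouter, VirtualArea, and all DNs and attribute names are hypothetical; only javax.naming.ldap.LdapName is a real JDK class.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Added sketch (Java 16+). VirtualAreaRouter and VirtualArea are hypothetical
// names, not ApacheDS classes; all DNs and attribute values are constructed.
public class VirtualAreaRouter {
    // A virtual area: subtree base DN plus a source-to-view attribute rename map.
    record VirtualArea(LdapName base, Map<String, String> attrMap) {}
    private final List<VirtualArea> areas = new ArrayList<>();

    void register(String baseDn, Map<String, String> attrMap) throws InvalidNameException {
        areas.add(new VirtualArea(new LdapName(baseDn), attrMap));
    }

    // The interceptor's decision: most specific area containing dn, or null to
    // let the request continue down the chain to the normal backends.
    VirtualArea match(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        VirtualArea best = null;
        for (VirtualArea a : areas) {
            // RDN-wise, case-insensitive comparison; a string endsWith() would
            // wrongly accept "cn=a,xou=people,..." and reject "OU=People,...".
            if (name.startsWith(a.base())
                    && (best == null || a.base().size() > best.base().size())) {
                best = a;
            }
        }
        return best;
    }

    // Assemble several source records into one "super entry", remapping
    // attribute names to the view schema and merging values without duplicates.
    static Map<String, Set<String>> assemble(VirtualArea area,
                                             List<Map<String, List<String>>> sources) {
        Map<String, Set<String>> entry = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Map<String, List<String>> src : sources) {
            src.forEach((attr, values) -> entry
                .computeIfAbsent(area.attrMap().getOrDefault(attr, attr), k -> new LinkedHashSet<>())
                .addAll(values));
        }
        return entry;
    }

    public static void main(String[] args) throws InvalidNameException {
        VirtualAreaRouter r = new VirtualAreaRouter();
        r.register("ou=people,dc=example,dc=com", Map.of("EMAIL", "mail", "FULL_NAME", "cn"));
        System.out.println(r.match("cn=a,OU=People, dc=example,dc=com") != null);  // inside the area
        System.out.println(r.match("cn=a,xou=people,dc=example,dc=com") != null);  // outside the area
        VirtualArea area = r.match("uid=jdoe,ou=people,dc=example,dc=com");
        System.out.println(assemble(area, List.of(
            Map.of("FULL_NAME", List.of("J Doe"), "EMAIL", List.of("jdoe@example.com")),  // JDBC-style row
            Map.of("mail", List.of("jdoe@example.com"), "telephoneNumber", List.of("555-0100")))));  // LDAP-style entry
    }
}
```

Matching on parsed RDNs rather than on the DN string matters once access rules are attached to a virtual area, because a request routed to the wrong subsystem is also evaluated under the wrong rules.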