Posted to users@directory.apache.org by "Zhang, Wayne" <wz...@visa.com> on 2012/12/10 19:56:19 UTC

Any doc about how to use ApacheDS as a proxy

I would like to use ApacheDS as a proxy so that I can intercept lookup and make some changes. Then I would like to forward it to another LDAP server. How can I configure it that way? I could not find any hints on separating the frontend from the backend and use another LDAP server as the backend.

Thanks.

Wayne

Re: Any doc about how to use ApacheDS as a proxy

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 12/10/12 11:02 PM, Zhang, Wayne wrote:
> Thank you.
>
> About the version, we might need to stay with 1.5.8 since it is sometime just mentality. But not me, it is my above. We need to take very stable one rather than "largely stable".

The numbering scheme we have used in the past is totally broken.

Let me give you some insights about why 1.5.x is not more stable than
ApacheDS 2.0.


First of all, you have to know that when the project was started, we were
depending on Java 1.4. It was back in 2003. Since then, many Java
versions were released. At some point back in 2007, we decided that we
should move to Java 5, as Java 4 was hitting EOL. We discussed the
numbering scheme, and decided to go for 1.5, which meant it was only
supporting Java 5 (as Tomcat 5.5 was released, the second '5' was
supposed to mean Tomcat 5 for Java 5).

A bad, bad move, if you want my opinion (and I know what I'm talking about, I
was the one who suggested to use this numbering scheme ...)

So we released 1.5.0 in 2007, expecting it to be an intermediary version
before 2.0.

We released a few more versions since then, from 1.5.1 to 1.5.7, and at
some point, it became obvious that we were targeting a 2.0, stable. In
our words, 'Stable' does not mean bug free, but API stable. 1.5.7 was
never considered as 'stable', as we were deeply changing the API from
version to version.

This was obviously not the message the numbering scheme was conveying,
so we decided that we should release Milestones instead. This is the
reason we switched from 1.5.7 to 2.0.0-M1, with no version in the middle.
As of end of 2012, 2.0.0-M8 is certainly the best possible version.
Whatever previous version you want to use is orders of magnitude worse.
More important: there will never ever be something like 1.5.8. Ever. So
by sticking to 1.5.7, you are already 8 versions behind...

I guess you have to tell your manager or customer about those facts.

We are currently doing our best to get a 2.0.0-RC1 out, and we are close
to doing it. The documentation is totally lacking, too, and we are also
working at the same time to get it updated. It will take a few weeks.

I strongly suggest you follow Kiran's advice here. If you need help, we
can provide some...

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: Any doc about how to use ApacheDS as a proxy

Posted by "Zhang, Wayne" <wz...@visa.com>.
I am following your advice to use 2.0M8. But it seems that you do not have one for Solaris platform. Is that really the case?

I will have to get all the source and build it on Solaris? Has anyone done that before? I know it is in Java but sometime, depending on the internal, we still need to do some porting before it can be fully compatible with a new platform, right?

Thanks.

Wayne

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Tuesday, December 11, 2012 1:27 AM
To: users@directory.apache.org
Subject: Re: Any doc about how to use ApacheDS as a proxy

On Tue, Dec 11, 2012 at 3:32 AM, Zhang, Wayne <wz...@visa.com> wrote:

> Thank you.
>
> About the version, we might need to stay with 1.5.8 since it is
> sometime just mentality. But not me, it is my above. We need to take
> very stable one rather than "largely stable".

AFAIU you are not going to store any data in the ApacheDS so it actually
doesn't matter much about the version you use.
and using the new version actually makes it easier to implement your proxy interceptor with the client API [1]

> So, for 1.5.8, do you think you can give me any hints of example code
> or document to show me how to configure it so that the backend is a
> 3rd party LDAP server rather than ApacheDS?

the only way is to write a custom interceptor to delegate all the
operations to be performed on the other server.
You can use the client API to connect to the other server from the new interceptor

> I guess the trick might be the
> "<directoryService>#directoryService</directoryService>" configured
> for a "ldapServer" in the server.xml. It looks like that is the
> "backend". But I cannot find any guide on how to configure a
> "directoryService" for a 3rd party LDAP server.

no, this is an essential part of the server and as mentioned above you
need to write a custom interceptor

[1] http://directory.apache.org/api/java-api.html

> Any hints?
>
> Thanks.
>
> Wayne
>
> -----Original Message-----
> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On 
> Behalf Of Kiran Ayyagari
> Sent: Monday, December 10, 2012 1:49 PM
> To: users@directory.apache.org
> Subject: Re: Any doc about how to use ApacheDS as a proxy
>
> On Tue, Dec 11, 2012 at 3:13 AM, Zhang, Wayne <wz...@visa.com> wrote:
>
> > I really appreciate your response.
>
> you are welcome, anytime
>
> > I did add a new interceptor and I was able to intercept (actually "bind"
> > was the one fitting my need since I need the passwd) it. I could get
> > all the information and change information.
> >
> > But what I need is to make it flow through and eventually goes to
> > another LDAP server for the final processing.
> >
> > I am using 1.5.8 version and could not see the
> > "DelegatingAuthenticator.java" you mentioned. It seems that is in 2.0.
> > But I want to use a stable version and did not go 2.0. Will this
> > still be doable in 1.5.8?
>
> yes, it is still doable, however I would suggest you use the latest
> version, note that things are largely stabilized in 2.0 so not much
> disruption and the latest is much much better than earlier versions.
> Feel free to ping us anytime. And otoh, with Studio's new capabilities
> configuring the 2.0 server is going to be very very smooth.
>
> In either case just contact us if you need anything with version >= 
> 1.5.7
>
> > Thanks.
> >
> > Wayne
> >
> >
> > -----Original Message-----
> > From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On 
> > Behalf Of Kiran Ayyagari
> > Sent: Monday, December 10, 2012 1:17 PM
> > To: users@directory.apache.org
> > Subject: Re: Any doc about how to use ApacheDS as a proxy
> >
> > you can add a new interceptor
> > take a look at the existing interceptors and the 
> > DelegatingAuthenticator.java class in apacheds/interceptors/authn 
> > module to see how to perform delegated authentication
> >
> > On Tue, Dec 11, 2012 at 12:26 AM, Zhang, Wayne <wz...@visa.com> wrote:
> >
> > > I would like to use ApacheDS as a proxy so that I can intercept 
> > > lookup and make some changes. Then I would like to forward it to 
> > > another LDAP
> > server.
> > > How can I configure it that way? I could not find any hints on 
> > > separating the frontend from the backend and use another LDAP 
> > > server as
> > the backend.
> > >
> > > Thanks.
> > >
> > > Wayne
> > >
> >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>



--
Kiran Ayyagari
http://keydap.com

Re: Any doc about how to use ApacheDS as a proxy

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Dec 11, 2012 at 3:32 AM, Zhang, Wayne <wz...@visa.com> wrote:

> Thank you.
>
> About the version, we might need to stay with 1.5.8 since it is sometime
> just mentality. But not me, it is my above. We need to take very stable one
> rather than "largely stable".

AFAIU you are not going to store any data in the ApacheDS so it actually
doesn't matter much about the version you use.
and using the new version actually makes it easier to implement your proxy
interceptor with the client API [1]

> So, for 1.5.8, do you think you can give me any hints of example code or
> document to show me how to configure it so that the backend is a 3rd party
> LDAP server rather than ApacheDS?

the only way is to write a custom interceptor to delegate all the
operations to be performed on the other server.
You can use the client API to connect to the other server from the new
interceptor

> I guess the trick might be the
> "<directoryService>#directoryService</directoryService>" configured for a
> "ldapServer" in the server.xml. It looks like that is the "backend". But I
> cannot find any guide on how to configure a "directoryService" for a 3rd
> party LDAP server.

no, this is an essential part of the server and as mentioned above you
need to write a custom interceptor

[1] http://directory.apache.org/api/java-api.html

> Any hints?
>
> Thanks.
>
> Wayne



-- 
Kiran Ayyagari
http://keydap.com
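
The delegation step described in the message above, as an added example (not code from this thread or from the ApacheDS project): a helper that a custom interceptor or authenticator could call to forward a simple bind to the backend server through the Apache Directory LDAP client API. The class name, method name and constructor parameters are hypothetical, and the `org.apache.directory.api` package names are those of the 1.0 and later client API; older milestone builds may use different package names.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/** Hypothetical helper: forwards a simple bind to the backend LDAP server. */
public final class BackendBindDelegate {

    private final LdapConnectionConfig config = new LdapConnectionConfig();

    public BackendBindDelegate(String host, int ldapsPort) throws GeneralSecurityException {
        config.setLdapHost(host);
        config.setLdapPort(ldapsPort);
        // The proxy relays clear-text passwords, so the hop to the backend uses LDAPS.
        config.setUseSsl(true);
        // Validate the backend certificate against the JVM trust store, set
        // explicitly instead of relying on whatever the library defaults to.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        config.setTrustManagers(tmf.getTrustManagers());
    }

    /**
     * Returns true only if the backend accepted dn/password.
     * The caller's password array is zeroed before returning.
     */
    public boolean delegateBind(String dn, byte[] password) throws LdapException {
        try {
            // RFC 4513 treats a simple bind with a DN and an empty password as an
            // unauthenticated bind, which a server may answer with success.
            // Never forward one: it must not count as a verified login.
            if (dn == null || dn.trim().isEmpty() || password == null || password.length == 0) {
                return false;
            }
            LdapNetworkConnection backend = new LdapNetworkConnection(config);
            try {
                // The String copy cannot be wiped; keep its scope as small as possible.
                backend.bind(dn, new String(password, StandardCharsets.UTF_8));
                return true;
            } catch (LdapAuthenticationException badCredentials) {
                return false; // invalid credentials: reject, and log the DN only
            } finally {
                try {
                    backend.close();
                } catch (IOException ignored) {
                    // nothing useful to do; the bind outcome is already decided
                }
            }
        } finally {
            if (password != null) {
                Arrays.fill(password, (byte) 0);
            }
        }
    }
}
```

Any other `LdapException` (backend unreachable, TLS failure) propagates to the caller, so an outage is not mistaken for a wrong password.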

RE: Any doc about how to use ApacheDS as a proxy

Posted by "Zhang, Wayne" <wz...@visa.com>.
Thank you.

About the version, we might need to stay with 1.5.8 since it is sometime just mentality. But not me, it is my above. We need to take very stable one rather than "largely stable". 

So, for 1.5.8, do you think you can give me any hints of example code or document to show me how to configure it so that the backend is a 3rd party LDAP server rather than ApacheDS?

I guess the trick might be the "<directoryService>#directoryService</directoryService>" configured for a "ldapServer" in the server.xml. It looks like that is the "backend". But I cannot find any guide on how to configure a "directoryService" for a 3rd party LDAP server.

Any hints?

Thanks.

Wayne


Re: Any doc about how to use ApacheDS as a proxy

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Dec 11, 2012 at 3:13 AM, Zhang, Wayne <wz...@visa.com> wrote:

> I really appreciate your response.

you are welcome, anytime

> I did add a new interceptor and I was able to intercept (actually "bind"
> was the one fitting my need since I need the passwd) it. I could get all
> the information and change information.
>
> But what I need is to make it flow through and eventually goes to another
> LDAP server for the final processing.
>
> I am using 1.5.8 version and could not see the
> "DelegatingAuthenticator.java" you mentioned. It seems that is in 2.0. But I
> want to use a stable version and did not go 2.0. Will this still be doable
> in 1.5.8?

yes, it is still doable, however I would suggest you use the latest
version, note that things are largely stabilized in 2.0
so not much disruption and the latest is much much better than earlier
versions. Feel free to ping us anytime.
And otoh, with Studio's new capabilities configuring the 2.0 server is
going to be very very smooth.

In either case just contact us if you need anything with version >= 1.5.7

> Thanks.
>
> Wayne



-- 
Kiran Ayyagari
http://keydap.com

RE: Any doc about how to use ApacheDS as a proxy

Posted by "Zhang, Wayne" <wz...@visa.com>.
Actually, the backend will be OpenLDAP.

We like to embed this "proxy" into our java application. We need to intercept what is received by the proxy and make some manipulation with the data and then let it through.

ApacheDS happens to be embeddable, in java, and also allows to intercept. Based on what it claims, it can be separated into frontend and backend. We only need the frontend. So, it happens to meet all what we need. I have made all other parts work but separation of the frontend.

So, I am trying to replace the backend with our existing LDAP server. I thought about referral. But no doc or example is found so far for the separation and setting up the referral.

Thanks.

Wayne


-----Original Message-----
From: Nick Duan [mailto:nduan@dtechspace.com] 
Sent: Monday, December 10, 2012 2:42 PM
To: users@directory.apache.org
Subject: RE: Any doc about how to use ApacheDS as a proxy

If you are not tied to Apache DS, you may want to consider OpenLDAP.  It has
the proxy function built in.   Is there specific reason/business case for
using ApacheDS as LDAP proxy?

ND

-----Original Message-----
From: Zhang, Wayne [mailto:wzhang@visa.com]
Sent: Monday, December 10, 2012 4:43 PM
To: users@directory.apache.org
Subject: RE: Any doc about how to use ApacheDS as a proxy

I really appreciate your response. 

I did add a new interceptor and I was able to intercept (actually "bind" was the one fitting my need since I need the passwd) it. I could get all the information and change information. 

But what I need is to make it flow through and eventually goes to another LDAP server for the final processing. 

I am using 1.5.8 version and could not see the "DelegatingAuthenticator.java" you mentioned. It seems that is in 2.0. But I want to use a stable version and did not go 2.0. Will this still be doable in 1.5.8?

Thanks.

Wayne




RE: Any doc about how to use ApacheDS as a proxy

Posted by Nick Duan <nd...@dtechspace.com>.
If you are not tied to Apache DS, you may want to consider OpenLDAP.  It has
the proxy function built in.   Is there specific reason/business case for
using ApacheDS as LDAP proxy?

ND



RE: Any doc about how to use ApacheDS as a proxy

Posted by "Zhang, Wayne" <wz...@visa.com>.
I really appreciate your response. 

I did add a new interceptor and I was able to intercept (actually "bind" was the one fitting my need since I need the passwd) it. I could get all the information and change information. 

But what I need is to make it flow through and eventually goes to another LDAP server for the final processing. 

I am using 1.5.8 version and could not see the "DelegatingAuthenticator.java" you mentioned. It seems that is in 2.0. But I want to use a stable version and did not go 2.0. Will this still be doable in 1.5.8?

Thanks.

Wayne



Re: Any doc about how to use ApacheDS as a proxy

Posted by Kiran Ayyagari <ka...@apache.org>.
you can add a new interceptor
take a look at the existing interceptors and the
DelegatingAuthenticator.java class in apacheds/interceptors/authn module
to see how to perform delegated authentication

On Tue, Dec 11, 2012 at 12:26 AM, Zhang, Wayne <wz...@visa.com> wrote:

> I would like to use ApacheDS as a proxy so that I can intercept lookup and
> make some changes. Then I would like to forward it to another LDAP server.
> How can I configure it that way? I could not find any hints on separating
> the frontend from the backend and use another LDAP server as the backend.
>
> Thanks.
>
> Wayne
>



-- 
Kiran Ayyagari
http://keydap.com