Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@gmail.com> on 2010/11/19 10:41:40 UTC

Writing a specific Authenticator, and adding some configuration for it

Hi guys,

yesterday, we had an interesting convo with Antoine, about the 
definition of a dedicated Authenticator, and how to configure it.

First, the Authenticator interface can be implemented but it's probably 
a better idea to extend the AbstractAuthenticator, as it brings some 
references to the underlying DirectoryService for free, plus some 
default implementations to init and dispose the Authenticator. One thing 
to take care of is the PasswordPolicy which can be enabled or disabled. 
We have to determine the best way to deal with this service.

Another aspect is the Authenticator configuration: how to inject it and 
have it available when the server is stopped and restarted? The solution 
is probably to extend the existing configuration, which is based on the 
DIT. That means defining a specific Bean, plus the associated OC and AT. 
We have to think about it, and I would suggest we try to write a 
prototype that demonstrates the way to extend the configuration. It has 
to be documented, as the Authenticator is an extension point.

I'm pretty sure it's not such a big deal, but we need time, and we have 
little :) I would suggest we follow closely Antoine's effort and try to 
leverage what he is doing to improve the server *and* the documentation...

Thanks !

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


Re: Writing a specific Authenticator, and adding some configuration for it

Posted by Alex Karasulu <ak...@apache.org>.
On Fri, Nov 19, 2010 at 12:43 PM, Kiran Ayyagari <ka...@apache.org> wrote:

> On Fri, Nov 19, 2010 at 12:37 PM, Alex Karasulu <ak...@apache.org>
> wrote:
> >
> >
> > On Fri, Nov 19, 2010 at 12:29 PM, Kiran Ayyagari <ka...@apache.org>
> > wrote:
> >>
> >> On Fri, Nov 19, 2010 at 12:14 PM, Alex Karasulu <ak...@apache.org>
> >> wrote:
> >> > Hi Emmanuel, Antoine,
> >> >
> >> > On Fri, Nov 19, 2010 at 11:41 AM, Emmanuel Lecharny
> >> > <el...@gmail.com>
> >> > wrote:
> >> >>
> >> >> Hi guys,
> >> >>
> >> >> yesterday, we had an interesting convo with Antoine, about the
> >> >> definition
> >> >> of a dedicated Authenticator, and how to configure it.
> >> >>
> >> >
> >> > Excellent. Thanks for posting to the ML about it.
> >> >
> >> >>
> >> >> First, the Authenticator interface can be implemented but it's
> probably
> >> >> a
> >> >> better idea to extend the AbstractAuthenticator, as it brings some
> >> >> references to the underlying DirectoryService for free, plus some
> >> >> default
> >> >> implementations to init and dispose the Authenticator. One thing to
> >> >> take
> >> >> care of is the PasswordPolicy which can be enabled or disabled. We
> have
> >> >> to
> >> >> determine the best way to deal with this service.
> >> >>
> >> >
> >> > PasswordPolicy AFAICT is something that kicks in when updating or
> >> > creating a
> >> > new password. This mechanism of delegating authentication to some
> >> > external
> >> > authentication service in this case AD does not change the password.
> >> > Hence
> >> > why I'm thinking we don't need to worry about PP.
> >> > Or am I missing something here?
> >> >
> >> PP also comes into picture while performing a bind and compare (of
> >> password) operations
> >> e.g. to determine the number of failed authentication attempts
> >> but all this makes sense only if the user entries are stored in the
> >> local server (ApacheDS in this case).
> >
> > Are we tracking login results (successes/failures) per user in their
> profile
> > (LDAP entry)?
> yes we do and these details are stored in the user entry itself
> > Are we tracking login attempts when the bind principal is non-existent
> and
> > if so where are we doing that?
> we cannot, if we don't have the user entry locally on the server
> > We should also perhaps track the last IP where
> > the login occurred to prevent those trying to dictionary attack via some
> > account but this is not so much related to PP.
> >>
> yeah


We probably need to be logging all this stuff centrally as well as on a per
user basis. Per user basis for PP to correlate with the bind principal but
overall we need to be tracking what's going on when authentication is being
done in all its forms especially now that we're opening the door wider
with this delegation thing.

Opening door wider => More security concerns.

-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and adding some configuration for it

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Nov 19, 2010 at 12:37 PM, Alex Karasulu <ak...@apache.org> wrote:
>
>
> On Fri, Nov 19, 2010 at 12:29 PM, Kiran Ayyagari <ka...@apache.org>
> wrote:
>>
>> On Fri, Nov 19, 2010 at 12:14 PM, Alex Karasulu <ak...@apache.org>
>> wrote:
>> > Hi Emmanuel, Antoine,
>> >
>> > On Fri, Nov 19, 2010 at 11:41 AM, Emmanuel Lecharny
>> > <el...@gmail.com>
>> > wrote:
>> >>
>> >> Hi guys,
>> >>
>> >> yesterday, we had an interesting convo with Antoine, about the
>> >> definition
>> >> of a dedicated Authenticator, and how to configure it.
>> >>
>> >
>> > Excellent. Thanks for posting to the ML about it.
>> >
>> >>
>> >> First, the Authenticator interface can be implemented but it's probably
>> >> a
>> >> better idea to extend the AbstractAuthenticator, as it brings some
>> >> references to the underlying DirectoryService for free, plus some
>> >> default
>> >> implementations to init and dispose the Authenticator. One thing to
>> >> take
>> >> care of is the PasswordPolicy which can be enabled or disabled. We have
>> >> to
>> >> determine the best way to deal with this service.
>> >>
>> >
>> > PasswordPolicy AFAICT is something that kicks in when updating or
>> > creating a
>> > new password. This mechanism of delegating authentication to some
>> > external
>> > authentication service in this case AD does not change the password.
>> > Hence
>> > why I'm thinking we don't need to worry about PP.
>> > Or am I missing something here?
>> >
>> PP also comes into picture while performing a bind and compare (of
>> password) operations
>> e.g. to determine the number of failed authentication attempts
>> but all this makes sense only if the user entries are stored in the
>> local server (ApacheDS in this case).
>
> Are we tracking login results (successes/failures) per user in their profile
> (LDAP entry)?
yes we do and these details are stored in the user entry itself
> Are we tracking login attempts when the bind principal is non-existent and
> if so where are we doing that?
we cannot, if we don't have the user entry locally on the server
> We should also perhaps track the last IP where
> the login occurred to prevent those trying to dictionary attack via some
> account but this is not so much related to PP.
>>
yeah
>> >>
>> >> Another aspect is the Authenticator configuration: how to inject it
>> >> and
>> >> have it available when the server is stopped and restarted? The
>> >> solution is
>> >> probably to extend the existing configuration, which is based on the
>> >> DIT.
>> >> That means defining a specific Bean, plus the associated OC and AT. We
>> >> have
>> >> to think about it, and I would suggest we try to write a prototype that
>> >> demonstrates the way to extend the configuration. It has to be
>> >> documented,
>> >> as the Authenticator is an extension point.
>> >>
>> >
>> > Yes some configuration will be needed to activate and leverage this
>> > Authenticator.
>> > I do understand that there is some limited time and we need a simple
>> > implementation specifically for AD (most users will use this external
>> > authentication service) which is a great starting point. However let me
>> > post
>> > some ideas that I had very early on about this matter that several
>> > prospective clients years ago expressed they needed.
>> > First though before going on I want to mention that this is getting
>> > really
>> > close in nature to what SASL was designed for but I think this mechanism
>> > might be much more flexible. With that let me continue ...
>> > Prescriptive Delegation
>> > ---------------------------------
>> > Not every principal or user in ApacheDS will need to be delegated.
>> > Essentially this comes down to selective delegation. Whether to use
>> > ApacheDS
>> > authentication directly, or delegate and to which external
>> > authentication
>> > mechanism to delegate to is something that users mentioned they would
>> > like
>> > with this capability. There's even a more acute case where sometimes the
>> > binding principal might not even exist in ApacheDS yet you want
>> > delegation
>> > to occur.
>> > The holistic means to solve this problem is by using the administrative
>> > model to specify regions of the DIT you can dice and slice to have fine
>> > grained control over authentication delegation. With the administrative
>> > model you can specify subtree specifications and refinements that will
>> > select specific entries in the DIT. When a bind occurs against selected
>> > areas different delegation mechanisms can be associated with those
>> > selections using subentries associated with them. This prescriptive
>> > specification of selected entries allows you to specify bind principals
>> > and
>> > DIT regions that do not even exist and still enable delegated
>> > authentication. This might be good especially if you don't want to deal
>> > with
>> > recreating entries for all users in AD for example.
>> > Multiple External Authentication Mechanisms
>> > ----------------------------------------------------------------
>> > Now you might not just be delegating to AD but to for example OpenID. So
>> > it
>> > would be nice to be able to allow for any kind of delegated
>> > authentication
>> > to occur. The delegation machinery leveraging the administration model
>> > for
>> > selection can be generic yet the subentries that map the selection to an
>> > external authentication mechanism can use pluggable mechanisms like AD
>> > or
>> > OpenID. Even PAM like behavior can be enabled in a stack.
>> >
>> > LDAP Principal to External Mechanism Mapping
>> > --------------------------------------------------------------------
>> > Whether or not the bind principal exists inside ApacheDS or not, we may
>> > have
>> > to transform or rather map that principal into the namespace of the
>> > external
>> > authentication mechanism. The way this is done will be mechanism
>> > dependent
>> > obviously.
>> > If prescriptive delegation occurs leveraging the administrative model
>> > then
>> > it's possible to have 1:1 mapping between ApacheDS principals to
>> > ActiveDirectory principals without the need to have mirrored entries in
>> > ApacheDS for ActiveDirectory users.
>> > If prescriptive delegation is not used and AD users are mirrored in
>> > ApacheDS
>> > with a 1:1 mapping of distinguishedNames then there's no need for
>> > mapping.
>> > Users will have to set out to design their DIT in this manner to reflect
>> > their AD layout of users. This might be tedious and cause other
>> > problems.
>> > Anyways without the 1:1 mapping even when the external authentication
>> > mechanism is another LDAP server like AD, we're going to have to manage
>> > principal name transformations/mappings.
>> > Just wanted to transfer these thoughts to the group but please don't
>> > presume
>> > I am expecting these approaches to be implemented in the first
>> > incarnation
>> > or at all even. This is knowledge gathered over years from enterprise
>> > user
>> > feedback and we should have them at least in mind.
>> >>
>> >> I'm pretty sure it's not such a big deal, but we need time, and we have
>> >> little :) I would suggest we follow closely Antoine's effort and try to
>> >> leverage what he is doing to improve the server *and* the
>> >> documentation...
>> >>
>> >
>> > +1
>> > --
>> > Alex Karasulu
>> > My Blog :: http://www.jroller.com/akarasulu/
>> > Apache Directory Server :: http://directory.apache.org
>> > Apache MINA :: http://mina.apache.org
>> > To set up a meeting with me: http://tungle.me/AlexKarasulu
>> >
>>
>>
>>
>> --
>> Kiran Ayyagari
>
>
>
> --
> Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
> To set up a meeting with me: http://tungle.me/AlexKarasulu
>



-- 
Kiran Ayyagari

Re: Writing a specific Authenticator, and adding some configuration for it

Posted by Alex Karasulu <ak...@apache.org>.
On Fri, Nov 19, 2010 at 12:29 PM, Kiran Ayyagari <ka...@apache.org> wrote:

> On Fri, Nov 19, 2010 at 12:14 PM, Alex Karasulu <ak...@apache.org>
> wrote:
> > Hi Emmanuel, Antoine,
> >
> > On Fri, Nov 19, 2010 at 11:41 AM, Emmanuel Lecharny <elecharny@gmail.com
> >
> > wrote:
> >>
> >> Hi guys,
> >>
> >> yesterday, we had an interesting convo with Antoine, about the
> definition
> >> of a dedicated Authenticator, and how to configure it.
> >>
> >
> > Excellent. Thanks for posting to the ML about it.
> >
> >>
> >> First, the Authenticator interface can be implemented but it's probably
> a
> >> better idea to extend the AbstractAuthenticator, as it brings some
> >> references to the underlying DirectoryService for free, plus some
> default
> >> implementations to init and dispose the Authenticator. One thing to take
> >> care of is the PasswordPolicy which can be enabled or disabled. We have
> to
> >> determine the best way to deal with this service.
> >>
> >
> > PasswordPolicy AFAICT is something that kicks in when updating or
> creating a
> > new password. This mechanism of delegating authentication to some
> external
> > authentication service in this case AD does not change the password.
> Hence
> > why I'm thinking we don't need to worry about PP.
> > Or am I missing something here?
> >
> PP also comes into picture while performing a bind and compare (of
> password) operations
> e.g. to determine the number of failed authentication attempts
> but all this makes sense only if the user entries are stored in the
> local server (ApacheDS in this case).
>

Are we tracking login results (successes/failures) per user in their profile
(LDAP entry)?

Are we tracking login attempts when the bind principal is non-existent and
if so where are we doing that? We should also perhaps track the last IP where
the login occurred to prevent those trying to dictionary attack via some
account but this is not so much related to PP.

>>
> >> Another aspect is the Authenticator configuration: how to inject it and
> >> have it available when the server is stopped and restarted? The solution
> is
> >> probably to extend the existing configuration, which is based on the
> DIT.
> >> That means defining a specific Bean, plus the associated OC and AT. We
> have
> >> to think about it, and I would suggest we try to write a prototype that
> >> demonstrates the way to extend the configuration. It has to be
> documented,
> >> as the Authenticator is an extension point.
> >>
> >
> > Yes some configuration will be needed to activate and leverage this
> > Authenticator.
> > I do understand that there is some limited time and we need a simple
> > implementation specifically for AD (most users will use this external
> > authentication service) which is a great starting point. However let me
> post
> > some ideas that I had very early on about this matter that several
> > prospective clients years ago expressed they needed.
> > First though before going on I want to mention that this is getting
> really
> > close in nature to what SASL was designed for but I think this mechanism
> > might be much more flexible. With that let me continue ...
> > Prescriptive Delegation
> > ---------------------------------
> > Not every principal or user in ApacheDS will need to be delegated.
> > Essentially this comes down to selective delegation. Whether to use
> ApacheDS
> > authentication directly, or delegate and to which external authentication
> > mechanism to delegate to is something that users mentioned they would
> like
> > with this capability. There's even a more acute case where sometimes the
> > binding principal might not even exist in ApacheDS yet you want
> delegation
> > to occur.
> > The holistic means to solve this problem is by using the administrative
> > model to specify regions of the DIT you can dice and slice to have fine
> > grained control over authentication delegation. With the administrative
> > model you can specify subtree specifications and refinements that will
> > select specific entries in the DIT. When a bind occurs against selected
> > areas different delegation mechanisms can be associated with those
> > selections using subentries associated with them. This prescriptive
> > specification of selected entries allows you to specify bind principals
> and
> > DIT regions that do not even exist and still enable delegated
> > authentication. This might be good especially if you don't want to deal
> with
> > recreating entries for all users in AD for example.
> > Multiple External Authentication Mechanisms
> > ----------------------------------------------------------------
> > Now you might not just be delegating to AD but to for example OpenID. So
> it
> > would be nice to be able to allow for any kind of delegated
> authentication
> > to occur. The delegation machinery leveraging the administration model
> for
> > selection can be generic yet the subentries that map the selection to an
> > external authentication mechanism can use pluggable mechanisms like AD or
> > OpenID. Even PAM like behavior can be enabled in a stack.
> >
> > LDAP Principal to External Mechanism Mapping
> > --------------------------------------------------------------------
> > Whether or not the bind principal exists inside ApacheDS or not, we may
> have
> > to transform or rather map that principal into the namespace of the
> external
> > authentication mechanism. The way this is done will be mechanism
> dependent
> > obviously.
> > If prescriptive delegation occurs leveraging the administrative model
> then
> > it's possible to have 1:1 mapping between ApacheDS principals to
> > ActiveDirectory principals without the need to have mirrored entries in
> > ApacheDS for ActiveDirectory users.
> > If prescriptive delegation is not used and AD users are mirrored in
> ApacheDS
> > with a 1:1 mapping of distinguishedNames then there's no need for
> mapping.
> > Users will have to set out to design their DIT in this manner to reflect
> > their AD layout of users. This might be tedious and cause other problems.
> > Anyways without the 1:1 mapping even when the external authentication
> > mechanism is another LDAP server like AD, we're going to have to manage
> > principal name transformations/mappings.
> > Just wanted to transfer these thoughts to the group but please don't
> presume
> > I am expecting these approaches to be implemented in the first
> incarnation
> > or at all even. This is knowledge gathered over years from enterprise
> user
> > feedback and we should have them at least in mind.
> >>
> >> I'm pretty sure it's not such a big deal, but we need time, and we have
> >> little :) I would suggest we follow closely Antoine's effort and try to
> >> leverage what he is doing to improve the server *and* the
> documentation...
> >>
> >
> > +1
> > --
> > Alex Karasulu
> > My Blog :: http://www.jroller.com/akarasulu/
> > Apache Directory Server :: http://directory.apache.org
> > Apache MINA :: http://mina.apache.org
> > To set up a meeting with me: http://tungle.me/AlexKarasulu
> >
>
>
>
> --
> Kiran Ayyagari
>



-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and adding some configuration for it

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Nov 19, 2010 at 12:14 PM, Alex Karasulu <ak...@apache.org> wrote:
> Hi Emmanuel, Antoine,
>
> On Fri, Nov 19, 2010 at 11:41 AM, Emmanuel Lecharny <el...@gmail.com>
> wrote:
>>
>> Hi guys,
>>
>> yesterday, we had an interesting convo with Antoine, about the definition
>> of a dedicated Authenticator, and how to configure it.
>>
>
> Excellent. Thanks for posting to the ML about it.
>
>>
>> First, the Authenticator interface can be implemented but it's probably a
>> better idea to extend the AbstractAuthenticator, as it brings some
>> references to the underlying DirectoryService for free, plus some default
>> implementations to init and dispose the Authenticator. One thing to take
>> care of is the PasswordPolicy which can be enabled or disabled. We have to
>> determine the best way to deal with this service.
>>
>
> PasswordPolicy AFAICT is something that kicks in when updating or creating a
> new password. This mechanism of delegating authentication to some external
> authentication service in this case AD does not change the password. Hence
> why I'm thinking we don't need to worry about PP.
> Or am I missing something here?
>
PP also comes into picture while performing a bind and compare (of
password) operations
e.g. to determine the number of failed authentication attempts
but all this makes sense only if the user entries are stored in the
local server (ApacheDS in this case).
>>
>> Another aspect is the Authenticator configuration: how to inject it and
>> have it available when the server is stopped and restarted? The solution is
>> probably to extend the existing configuration, which is based on the DIT.
>> That means defining a specific Bean, plus the associated OC and AT. We have
>> to think about it, and I would suggest we try to write a prototype that
>> demonstrates the way to extend the configuration. It has to be documented,
>> as the Authenticator is an extension point.
>>
>
> Yes some configuration will be needed to activate and leverage this
> Authenticator.
> I do understand that there is some limited time and we need a simple
> implementation specifically for AD (most users will use this external
> authentication service) which is a great starting point. However let me post
> some ideas that I had very early on about this matter that several
> prospective clients years ago expressed they needed.
> First though before going on I want to mention that this is getting really
> close in nature to what SASL was designed for but I think this mechanism
> might be much more flexible. With that let me continue ...
> Prescriptive Delegation
> ---------------------------------
> Not every principal or user in ApacheDS will need to be delegated.
> Essentially this comes down to selective delegation. Whether to use ApacheDS
> authentication directly, or delegate and to which external authentication
> mechanism to delegate to is something that users mentioned they would like
> with this capability. There's even a more acute case where sometimes the
> binding principal might not even exist in ApacheDS yet you want delegation
> to occur.
> The holistic means to solve this problem is by using the administrative
> model to specify regions of the DIT you can dice and slice to have fine
> grained control over authentication delegation. With the administrative
> model you can specify subtree specifications and refinements that will
> select specific entries in the DIT. When a bind occurs against selected
> areas different delegation mechanisms can be associated with those
> selections using subentries associated with them. This prescriptive
> specification of selected entries allows you to specify bind principals and
> DIT regions that do not even exist and still enable delegated
> authentication. This might be good especially if you don't want to deal with
> recreating entries for all users in AD for example.
> Multiple External Authentication Mechanisms
> ----------------------------------------------------------------
> Now you might not just be delegating to AD but to for example OpenID. So it
> would be nice to be able to allow for any kind of delegated authentication
> to occur. The delegation machinery leveraging the administration model for
> selection can be generic yet the subentries that map the selection to an
> external authentication mechanism can use pluggable mechanisms like AD or
> OpenID. Even PAM like behavior can be enabled in a stack.
>
> LDAP Principal to External Mechanism Mapping
> --------------------------------------------------------------------
> Whether or not the bind principal exists inside ApacheDS or not, we may have
> to transform or rather map that principal into the namespace of the external
> authentication mechanism. The way this is done will be mechanism dependent
> obviously.
> If prescriptive delegation occurs leveraging the administrative model then
> it's possible to have 1:1 mapping between ApacheDS principals to
> ActiveDirectory principals without the need to have mirrored entries in
> ApacheDS for ActiveDirectory users.
> If prescriptive delegation is not used and AD users are mirrored in ApacheDS
> with a 1:1 mapping of distinguishedNames then there's no need for mapping.
> Users will have to set out to design their DIT in this manner to reflect
> their AD layout of users. This might be tedious and cause other problems.
> Anyways without the 1:1 mapping even when the external authentication
> mechanism is another LDAP server like AD, we're going to have to manage
> principal name transformations/mappings.
> Just wanted to transfer these thoughts to the group but please don't presume
> I am expecting these approaches to be implemented in the first incarnation
> or at all even. This is knowledge gathered over years from enterprise user
> feedback and we should have them at least in mind.
>>
>> I'm pretty sure it's not such a big deal, but we need time, and we have
>> little :) I would suggest we follow closely Antoine's effort and try to
>> leverage what he is doing to improve the server *and* the documentation...
>>
>
> +1
> --
> Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
> To set up a meeting with me: http://tungle.me/AlexKarasulu
>



-- 
Kiran Ayyagari

Re: Writing a specific Authenticator, and adding some configuration for it

Posted by Alex Karasulu <ak...@apache.org>.
Hi Emmanuel, Antoine,

On Fri, Nov 19, 2010 at 11:41 AM, Emmanuel Lecharny <el...@gmail.com> wrote:

> Hi guys,
>
> yesterday, we had an interesting convo with Antoine, about the definition
> of a dedicated Authenticator, and how to configure it.
>
>
Excellent. Thanks for posting to the ML about it.


> First, the Authenticator interface can be implemented but it's probably a
> better idea to extend the AbstractAuthenticator, as it brings some
> references to the underlying DirectoryService for free, plus some default
> implementations to init and dispose the Authenticator. One thing to take
> care of is the PasswordPolicy which can be enabled or disabled. We have to
> determine the best way to deal with this service.
>
>
PasswordPolicy AFAICT is something that kicks in when updating or creating a
new password. This mechanism of delegating authentication to some external
authentication service in this case AD does not change the password. Hence
why I'm thinking we don't need to worry about PP.

Or am I missing something here?


> Another aspect is the Authenticator configuration: how to inject it and
> have it available when the server is stopped and restarted? The solution is
> probably to extend the existing configuration, which is based on the DIT.
> That means defining a specific Bean, plus the associated OC and AT. We have
> to think about it, and I would suggest we try to write a prototype that
> demonstrates the way to extend the configuration. It has to be documented,
> as the Authenticator is an extension point.
>
>
Yes some configuration will be needed to activate and leverage this
Authenticator.

I do understand that there is some limited time and we need a simple
implementation specifically for AD (most users will use this external
authentication service) which is a great starting point. However let me post
some ideas that I had very early on about this matter that several
prospective clients years ago expressed they needed.

First though before going on I want to mention that this is getting really
close in nature to what SASL was designed for but I think this mechanism
might be much more flexible. With that let me continue ...

Prescriptive Delegation
---------------------------------

Not every principal or user in ApacheDS will need to be delegated.
Essentially this comes down to selective delegation. Whether to use ApacheDS
authentication directly, or delegate and to which external authentication
mechanism to delegate to is something that users mentioned they would like
with this capability. There's even a more acute case where sometimes the
binding principal might not even exist in ApacheDS yet you want delegation
to occur.

The holistic means to solve this problem is by using the administrative
model to specify regions of the DIT you can dice and slice to have fine
grained control over authentication delegation. With the administrative
model you can specify subtree specifications and refinements that will
select specific entries in the DIT. When a bind occurs against selected
areas different delegation mechanisms can be associated with those
selections using subentries associated with them. This prescriptive
specification of selected entries allows you to specify bind principals and
DIT regions that do not even exist and still enable delegated
authentication. This might be good especially if you don't want to deal with
recreating entries for all users in AD for example.

Multiple External Authentication Mechanisms
----------------------------------------------------------------

Now you might not just be delegating to AD but to for example OpenID. So it
would be nice to be able to allow for any kind of delegated authentication
to occur. The delegation machinery leveraging the administration model for
selection can be generic yet the subentries that map the selection to an
external authentication mechanism can use pluggable mechanisms like AD or
OpenID. Even PAM like behavior can be enabled in a stack.


LDAP Principal to External Mechanism Mapping
--------------------------------------------------------------------

Whether or not the bind principal exists inside ApacheDS or not, we may have
to transform or rather map that principal into the namespace of the external
authentication mechanism. The way this is done will be mechanism dependent
obviously.

If prescriptive delegation occurs leveraging the administrative model then
it's possible to have 1:1 mapping between ApacheDS principals to
ActiveDirectory principals without the need to have mirrored entries in
ApacheDS for ActiveDirectory users.

If prescriptive delegation is not used and AD users are mirrored in ApacheDS
with a 1:1 mapping of distinguishedNames then there's no need for mapping.
Users will have to set out to design their DIT in this manner to reflect
their AD layout of users. This might be tedious and cause other problems.

Anyways without the 1:1 mapping even when the external authentication
mechanism is another LDAP server like AD, we're going to have to manage
principal name transformations/mappings.

Just wanted to transfer these thoughts to the group but please don't presume
I am expecting these approaches to be implemented in the first incarnation
or at all even. This is knowledge gathered over years from enterprise user
feedback and we should have them at least in mind.

> I'm pretty sure it's not such a big deal, but we need time, and we have
> little :) I would suggest we follow closely Antoine's effort and try to
> leverage what he is doing to improve the server *and* the documentation...
>
>
+1

-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Alex Karasulu <ak...@apache.org>.
On Mon, Dec 6, 2010 at 9:32 PM, Antoine Levy-Lambert <an...@gmx.de> wrote:

>  Hello Alex,
>
> nothing hangs
>
> [INFO]
> ------------------------------------------------------------------------
> [INFO]
> ------------------------------------------------------------------------
> [INFO] BUILD SUCCESSFUL
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Total time: 18 minutes 41 seconds
> [INFO] Finished at: Mon Dec 06 14:17:26 EST 2010
> [INFO] Final Memory: 122M/370M
> [INFO]
> ------------------------------------------------------------------------
>
>
Woooooh ~19 minutes.


>
> All tests pass.
>
> Maybe it is something specific to linux which makes
> org.apache.directory.server.core.partition.SingleFileLdifPartitionTest hang.
>
> On my PC this test runs in 55 seconds.
>
>
OK that's good news - glad it's my problem here. Will run again on Linux and
Mac being a little more patient this time. Let me get back to you after
doing that and reviewing the code some more.

Thanks again,
-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Antoine Levy-Lambert <an...@gmx.de>.
Hello Alex,

nothing hangs

[INFO] 
------------------------------------------------------------------------
[INFO] 
------------------------------------------------------------------------
[INFO] BUILD SUCCESSFUL
[INFO] 
------------------------------------------------------------------------
[INFO] Total time: 18 minutes 41 seconds
[INFO] Finished at: Mon Dec 06 14:17:26 EST 2010
[INFO] Final Memory: 122M/370M
[INFO] 
------------------------------------------------------------------------


All tests pass.

Maybe it is something specific to linux which makes 
org.apache.directory.server.core.partition.SingleFileLdifPartitionTest hang.

On my PC this test runs in 55 seconds.

Regards,

Antoine


On 12/6/2010 11:12 AM, Alex Karasulu wrote:
> Thanks Antoine.
>
>>
>>     http://svn.apache.org/viewvc?view=revision&revision=1042669
>     Thanks
>>
>>     But this worried me a little that you might not have checked in
>>     this fix since it's rather simple. Maybe you did not have a
>>     chance to run all the test cases and integration tests
>>     (org.apache.directory.server.core.suites.StockCoreISuite).
>     I ran StockServerISuite, but not StockCoreISuite. Will do it.
>
>>
>>     After this fix though other tests started to fail down stream.
>>     One of the integration tests just seems to hang for example:
>>
>>         
>>      org.apache.directory.server.core.partition.SingleFileLdifPartitionTest
>     I will look into that.
>
>>
>>
>>     Wondering if you successfully ran the integration tests on your
>>     machine or if this is something due to my very own environment.
>>     Note that this was not the case when I created the branch. I ran
>>     all tests to make sure you had a clean setup. However this test
>>     was done on a mac and now I'm on a Linux box so it can still be
>>     me. But regardless the tests with failed schema entity counts
>>     should have failed for you when you ran the tests.
>     No, it is not due to your environment. Because some of the tests
>     were failing for me in the previous days I did not run all the
>     tests. I will do it.
>
>>
>>     BTW my environment:
>>
>>     akarasulu@stein:~$ mvn -version
>>     Apache Maven 3.0.1 (r1038046; 2010-11-23 12:58:32+0200)
>>     Java version: 1.6.0_22
>>     Java home: /usr/lib/jvm/java-6-sun-1.6.0.22/jre
>>     Default locale: en_US, platform encoding: UTF-8
>>     OS name: "linux" version: "2.6.35-23-generic" arch: "amd64"
>>     Family: "unix"
>>
>>
>     Regards,
>
>     Antoine
>
> I guess you added some more schema entities and some tests which count 
> schema entities like OCs and ATs bombed. Not a big deal and I fixed 
> there here in this commit:
>
>
>
> -- 
> Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
> To set up a meeting with me: http://tungle.me/AlexKarasulu


Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Alex Karasulu <ak...@apache.org>.
Thanks Antoine.

On Mon, Dec 6, 2010 at 6:03 PM, Antoine Levy-Lambert <an...@gmx.de> wrote:

>  Hello Alex,
>
>
> On 12/6/2010 10:26 AM, Alex Karasulu wrote:
>
>
>
> On Mon, Dec 6, 2010 at 3:54 PM, Antoine Levy-Lambert <an...@gmx.de>wrote:
>
>>  On 12/5/2010 12:03 AM, Alex Karasulu wrote:
>>
>> Antoine,
>>
>> On Fri, Dec 3, 2010 at 12:42 AM, Alex Karasulu <ak...@apache.org>wrote:
>>
>>>  On Thu, Dec 2, 2010 at 4:31 PM, Antoine Levy-Lambert <an...@gmx.de>wrote:
>>>
>>>>  At this stage I would like to merge the branch antoine back to trunk.
>>>>
>>>>
>>>  OK I'll try to take a look at this tomorrow.
>>>
>>>
>>
>>  OK I tried to build your branch but there were some failures in some
>> tests. Have you committed everything into your branch and tried building
>> without -DskipTests=true ?
>>
>>  Hello Alex,
>>
>> yes, I committed everything in my branch. No, I did not rebuild everything
>> with -DskipTests=true. Which tests were failing ? Is the breakage caused by
>> my changes ?
>>
>
>  I guess you added some more schema entities and some tests which count
> schema entities like OCs and ATs bombed. Not a big deal and I fixed there
> here in this commit:
>
>      http://svn.apache.org/viewvc?view=revision&revision=1042669
>
> Thanks
>
>
>  But this worried me a little that you might not have checked in this fix
> since it's rather simple. Maybe you did not have a chance to run all the
> test cases and integration tests
> (org.apache.directory.server.core.suites.StockCoreISuite).
>
> I ran StockServerISuite, but not StockCoreISuite. Will do it.
>
>
>  After this fix though other tests started to fail down stream. One of the
> integration tests just seems to hang for example:
>
>
>  org.apache.directory.server.core.partition.SingleFileLdifPartitionTest
>
> I will look into that.
>
>
>
>  Wondering if you successfully ran the integration tests on your machine
> or if this is something due to my very own environment. Note that this was
> not the case when I created the branch. I ran all tests to make sure you had
> a clean setup. However this test was done on a mac and now I'm on a Linux
> box so it can still be me. But regardless the tests with failed schema
> entity counts should have failed for you when you ran the tests.
>
> No, it is not due to your environment. Because some of the tests were
> failing for me in the previous days I did not run all the tests. I will do
> it.
>
>
>  BTW my environment:
>
>  akarasulu@stein:~$ mvn -version
> Apache Maven 3.0.1 (r1038046; 2010-11-23 12:58:32+0200)
> Java version: 1.6.0_22
> Java home: /usr/lib/jvm/java-6-sun-1.6.0.22/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "linux" version: "2.6.35-23-generic" arch: "amd64" Family: "unix"
>
>  Best,
>  --
>  Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
> To set up a meeting with me: http://tungle.me/AlexKarasulu
>
> Regards,
>
> Antoine
>



-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Antoine Levy-Lambert <an...@gmx.de>.
Hello Alex,

On 12/6/2010 10:26 AM, Alex Karasulu wrote:
>
>
> On Mon, Dec 6, 2010 at 3:54 PM, Antoine Levy-Lambert <antoine@gmx.de> wrote:
>
>     On 12/5/2010 12:03 AM, Alex Karasulu wrote:
>>     Antoine,
>>
>>     On Fri, Dec 3, 2010 at 12:42 AM, Alex Karasulu
>>     <akarasulu@apache.org> wrote:
>>
>>         On Thu, Dec 2, 2010 at 4:31 PM, Antoine Levy-Lambert
>>         <antoine@gmx.de> wrote:
>>
>>             At this stage I would like to merge the branch antoine
>>             back to trunk.
>>
>>
>>         OK I'll try to take a look at this tomorrow.
>>
>>
>>     OK I tried to build your branch but there were some failures in
>>     some tests. Have you committed everything into your branch and
>>     tried building without -DskipTests=true ?
>     Hello Alex,
>
>     yes, I committed everything in my branch. No, I did not rebuild
>     everything with -DskipTests=true. Which tests were failing ? Is
>     the breakage caused by my changes ?
>
>
> I guess you added some more schema entities and some tests which count 
> schema entities like OCs and ATs bombed. Not a big deal and I fixed 
> there here in this commit:
>
> http://svn.apache.org/viewvc?view=revision&revision=1042669
Thanks
>
> But this worried me a little that you might not have checked in this 
> fix since it's rather simple. Maybe you did not have a chance to run 
> all the test cases and integration tests
> (org.apache.directory.server.core.suites.StockCoreISuite).
I ran StockServerISuite, but not StockCoreISuite. Will do it.
>
> After this fix though other tests started to fail down stream. One of 
> the integration tests just seems to hang for example:
>
>      
>  org.apache.directory.server.core.partition.SingleFileLdifPartitionTest
I will look into that.
>
>
> Wondering if you successfully ran the integration tests on your 
> machine or if this is something due to my very own environment. Note 
> that this was not the case when I created the branch. I ran all tests 
> to make sure you had a clean setup. However this test was done on a 
> mac and now I'm on a Linux box so it can still be me. But regardless 
> the tests with failed schema entity counts should have failed for you 
> when you ran the tests.
No, it is not due to your environment. Because some of the tests were 
failing for me in the previous days I did not run all the tests. I will 
do it.
>
> BTW my environment:
>
> akarasulu@stein:~$ mvn -version
> Apache Maven 3.0.1 (r1038046; 2010-11-23 12:58:32+0200)
> Java version: 1.6.0_22
> Java home: /usr/lib/jvm/java-6-sun-1.6.0.22/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "linux" version: "2.6.35-23-generic" arch: "amd64" Family: "unix"
>
> Best,
> -- 
> Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
> To set up a meeting with me: http://tungle.me/AlexKarasulu
Regards,

Antoine

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Alex Karasulu <ak...@apache.org>.
On Mon, Dec 6, 2010 at 3:54 PM, Antoine Levy-Lambert <an...@gmx.de> wrote:

>  On 12/5/2010 12:03 AM, Alex Karasulu wrote:
>
> Antoine,
>
> On Fri, Dec 3, 2010 at 12:42 AM, Alex Karasulu <ak...@apache.org>wrote:
>
>>  On Thu, Dec 2, 2010 at 4:31 PM, Antoine Levy-Lambert <an...@gmx.de>wrote:
>>
>>>  At this stage I would like to merge the branch antoine back to trunk.
>>>
>>>
>>  OK I'll try to take a look at this tomorrow.
>>
>>
>
>  OK I tried to build your branch but there were some failures in some tests.
> Have you committed everything into your branch and tried building without
> -DskipTests=true ?
>
> Hello Alex,
>
> yes, I committed everything in my branch. No, I did not rebuild everything
> with -DskipTests=true. Which tests were failing ? Is the breakage caused by
> my changes ?
>

I guess you added some more schema entities and some tests which count
schema entities like OCs and ATs bombed. Not a big deal and I fixed there
here in this commit:

    http://svn.apache.org/viewvc?view=revision&revision=1042669

But this worried me a little that you might not have checked in this fix
since it's rather simple. Maybe you did not have a chance to run all the
test cases and integration tests
(org.apache.directory.server.core.suites.StockCoreISuite).

After this fix though other tests started to fail down stream. One of the
integration tests just seems to hang for example:

      org.apache.directory.server.core.partition.SingleFileLdifPartitionTest


Wondering if you successfully ran the integration tests on your machine or
if this is something due to my very own environment. Note that this was not
the case when I created the branch. I ran all tests to make sure you had a
clean setup. However this test was done on a mac and now I'm on a Linux box
so it can still be me. But regardless the tests with failed schema entity
counts should have failed for you when you ran the tests.

BTW my environment:

akarasulu@stein:~$ mvn -version
Apache Maven 3.0.1 (r1038046; 2010-11-23 12:58:32+0200)
Java version: 1.6.0_22
Java home: /usr/lib/jvm/java-6-sun-1.6.0.22/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux" version: "2.6.35-23-generic" arch: "amd64" Family: "unix"

Best,
-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Antoine Levy-Lambert <an...@gmx.de>.
On 12/5/2010 12:03 AM, Alex Karasulu wrote:
> Antoine,
>
> On Fri, Dec 3, 2010 at 12:42 AM, Alex Karasulu <akarasulu@apache.org> wrote:
>
>     On Thu, Dec 2, 2010 at 4:31 PM, Antoine Levy-Lambert
>     <antoine@gmx.de> wrote:
>
>         At this stage I would like to merge the branch antoine back to
>         trunk.
>
>
>     OK I'll try to take a look at this tomorrow.
>
>
> OK I tried to build your branch but there were some failures in some 
> tests. Have you committed everything into your branch and tried 
> building without -DskipTests=true ?
Hello Alex,

yes, I committed everything in my branch. No, I did not rebuild 
everything with -DskipTests=true. Which tests were failing ? Is the 
breakage caused by my changes ?
Regards,

Antoine
> Best,
> -- 
> Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
> To set up a meeting with me: http://tungle.me/AlexKarasulu


Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Alex Karasulu <ak...@apache.org>.
Antoine,

On Fri, Dec 3, 2010 at 12:42 AM, Alex Karasulu <ak...@apache.org> wrote:

> On Thu, Dec 2, 2010 at 4:31 PM, Antoine Levy-Lambert <an...@gmx.de>wrote:
>
>>  At this stage I would like to merge the branch antoine back to trunk.
>>
>>
> OK I'll try to take a look at this tomorrow.
>
>

OK I tried to build your branch but there were some failures in some tests.
Have you committed everything into your branch and tried building without
-DskipTests=true ?

Best,
-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Alex Karasulu <ak...@apache.org>.
On Thu, Dec 2, 2010 at 4:31 PM, Antoine Levy-Lambert <an...@gmx.de> wrote:

>  At this stage I would like to merge the branch antoine back to trunk.
>
>
OK I'll try to take a look at this tomorrow.


> In the branch I created a DelegatingAuthenticator class and made changes so
> that all the authenticators can be configured in the DIT.
>
>
Cool!


> Because of this as seelmann noticed I created some new OIDs.
>
>
Right figured you'd have to do that.


> I also created a test suite for the DelegatingAuthenticator and did a small
> change to the framework test runner to be able to have a method level LDAP
> server.
>
>
Hmmm I guess this means you start an LDAP server for a specific test method
instead of for the test case class?


> Let me know if this is good enough ? Because of the new OIDs and other
> artefacts which can change fast on the trunk I am eager to get this in soon.
>
>
I'll review tomorrow and get in touch with you on IRC.

Thanks,
-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Emmanuel Lecharny <el...@gmail.com>.
On 12/2/10 3:31 PM, Antoine Levy-Lambert wrote:
> At this stage I would like to merge the branch antoine back to trunk.

Great ! Let us review this for a couple of days, and we will come back to you.

Don't be scared, we are currently working in a branch, so trunk is 
unlikely to change in the mean time.

great job !


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Antoine Levy-Lambert <an...@gmx.de>.
At this stage I would like to merge the branch antoine back to trunk.

In the branch I created a DelegatingAuthenticator class and made changes
so that all the authenticators can be configured in the DIT.

Because of this as seelmann noticed I created some new OIDs.

I also created a test suite for the DelegatingAuthenticator and did a
small change to the framework test runner to be able to have a method
level LDAP server.

Let me know if this is good enough ? Because of the new OIDs and other
artefacts which can change fast on the trunk I am eager to get this in soon.

Regards,

Antoine

On 11/23/10 3:51 PM, Antoine Levy-Lambert wrote:
> On 11/23/10 3:33 PM, Alex Karasulu wrote:
>>
>>
>>
>> OK I added you and created a branch for you to work in here:
>>
>> https://svn.apache.org/repos/asf/directory/apacheds/branches/antoine-with-dependencies/
>>
>> Give it a try. 
>>
>> Regards,
>> Alex 
> Thanks,
>
> Antoine


Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Antoine Levy-Lambert <an...@gmx.de>.
On 11/23/10 3:33 PM, Alex Karasulu wrote:
> On Tue, Nov 23, 2010 at 9:56 PM, Antoine Levy-Lambert <antoine@gmx.de> wrote:
>
>     On 11/23/10 2:31 PM, Alex Karasulu wrote:
>>
>>     On Tue, Nov 23, 2010 at 8:54 PM, Antoine Levy-Lambert
>>     <antoine@gmx.de> wrote:
>>
>>         On 11/19/10 10:41 AM, Alex Karasulu wrote:
>>>
>>>
>>>         Antoine is an Apache Member from what I know so granting him
>>>         access to work in SVN is not a problem. He can work in his
>>>         own branch if he likes. I don't even think we have to
>>>         conduct a vote. Apache Members own all the code anyway.
>>>
>>>         If no one has any objections we can just add him to the
>>>         asf-authorization file. No need for getting some bitbucket
>>>         account.
>>>
>>>
>>         Hello Alex,
>>
>>         yes, I would like to be added to the asf-authorization. I
>>         would like to start checking in my LDIF for the new attribute
>>         types and object class for the delegating authentication,
>>         plus the bean and the implementation. I am still developing
>>         but I see that it is pretty dynamic here :-).
>>
>>
>>     I'm going to create a branch for you to work on
>>     called antoine and update you with the URL but until then just
>>     let me know what your Apache user handle is.
>     my Apache user is "antoine"
>
>
> OK I added you and created a branch for you to work in here:
>
> https://svn.apache.org/repos/asf/directory/apacheds/branches/antoine-with-dependencies/
>
> Give it a try. 
>
> Regards,
> Alex 
Thanks,

Antoine

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Alex Karasulu <ak...@apache.org>.
On Tue, Nov 23, 2010 at 9:56 PM, Antoine Levy-Lambert <an...@gmx.de>wrote:

>  On 11/23/10 2:31 PM, Alex Karasulu wrote:
>
>
> On Tue, Nov 23, 2010 at 8:54 PM, Antoine Levy-Lambert <an...@gmx.de>wrote:
>
>>  On 11/19/10 10:41 AM, Alex Karasulu wrote:
>>
>>
>>
>>  Antoine is an Apache Member from what I know so granting him access to
>> work in SVN is not a problem. He can work in his own branch if he likes. I
>> don't even think we have to conduct a vote. Apache Members own all the code
>> anyway.
>>
>>  If no one has any objections we can just add him to the asf-authorization
>> file. No need for getting some bitbucket account.
>>
>>
>>   Hello Alex,
>>
>> yes, I would like to be added to the asf-authorization. I would like to
>> start checking in my LDIF for the new attribute types and object class for
>> the delegating authentication, plus the bean and the implementation. I am
>> still developing but I see that it is pretty dynamic here :-).
>>
>>
>  I'm going to create a branch for you to work on called antoine and update
> you with the URL but until then just let me know what your Apache user
> handle is.
>
> my Apache user is "antoine"
>
>
OK I added you and created a branch for you to work in here:

https://svn.apache.org/repos/asf/directory/apacheds/branches/antoine-with-dependencies/

Give it a try.

Regards,
Alex

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Antoine Levy-Lambert <an...@gmx.de>.
On 11/23/10 2:31 PM, Alex Karasulu wrote:
>
> On Tue, Nov 23, 2010 at 8:54 PM, Antoine Levy-Lambert <antoine@gmx.de> wrote:
>
>     On 11/19/10 10:41 AM, Alex Karasulu wrote:
>>
>>
>>     Antoine is an Apache Member from what I know so granting him
>>     access to work in SVN is not a problem. He can work in his own
>>     branch if he likes. I don't even think we have to conduct a vote.
>>     Apache Members own all the code anyway.
>>
>>     If no one has any objections we can just add him to the
>>     asf-authorization file. No need for getting some bitbucket account.
>>
>>
>     Hello Alex,
>
>     yes, I would like to be added to the asf-authorization. I would
>     like to start checking in my LDIF for the new attribute types and
>     object class for the delegating authentication, plus the bean and
>     the implementation. I am still developing but I see that it is
>     pretty dynamic here :-).
>
>
> I'm going to create a branch for you to work on called antoine and
> update you with the URL but until then just let me know what your
> Apache user handle is.
my Apache user is "antoine"

Regards,

Antoine
>
> Regards,
> -- 
> Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
> To set up a meeting with me: http://tungle.me/AlexKarasulu


Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Alex Karasulu <ak...@apache.org>.
On Tue, Nov 23, 2010 at 8:54 PM, Antoine Levy-Lambert <an...@gmx.de>wrote:

>  On 11/19/10 10:41 AM, Alex Karasulu wrote:
>
>
>
>  Antoine is an Apache Member from what I know so granting him access to
> work in SVN is not a problem. He can work in his own branch if he likes. I
> don't even think we have to conduct a vote. Apache Members own all the code
> anyway.
>
>  If no one has any objections we can just add him to the asf-authorization
> file. No need for getting some bitbucket account.
>
>
>   Hello Alex,
>
> yes, I would like to be added to the asf-authorization. I would like to
> start checking in my LDIF for the new attribute types and object class for
> the delegating authentication, plus the bean and the implementation. I am
> still developing but I see that it is pretty dynamic here :-).
>
>
I'm going to create a branch for you to work on called antoine and update
you with the URL but until then just let me know what your Apache user
handle is.

Regards,
-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Antoine Levy-Lambert <an...@gmx.de>.
On 11/19/10 10:41 AM, Alex Karasulu wrote:
>
>
> Antoine is an Apache Member from what I know so granting him access to
> work in SVN is not a problem. He can work in his own branch if he
> likes. I don't even think we have to conduct a vote. Apache Members
> own all the code anyway.
>
> If no one has any objections we can just add him to the asf-authorization
> file. No need for getting some bitbucket account.
>
>
Hello Alex,

yes, I would like to be added to the asf-authorization. I would like to
start checking in my LDIF for the new attribute types and object class
for the delegating authentication, plus the bean and the implementation.
I am still developing but I see that it is pretty dynamic here :-).

Regards,

Antoine

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Alex Karasulu <ak...@apache.org>.
On Fri, Nov 19, 2010 at 5:32 PM, Kiran Ayyagari <ka...@apache.org>wrote:

> On Fri, Nov 19, 2010 at 5:01 PM, Emmanuel Lecharny <el...@gmail.com>
> wrote:
> > On 11/19/10 3:46 PM, Antoine Levy-Lambert wrote:
> >>
> >> I need to configure at least the host and the port to which the
> delegation
> >> happens. The class name of the new authenticator will be
> >> org.apache.directory.server.core.authn.DelegatingAuthenticator. My DN
> where I
> >> work is CN=Antoine Lambert, OU=132, OU=Users, OU=NYCSite, DC=nyc,DC=com.
> >> Maybe the DelegatingAuthenticator could work optionally with DN
> patterns.
> >
> > Right now, I would suggest to hard-code it, make the authent work and
> then
> > start to think about config. Dirty, but this is a good way to get things
> > done :)
> absolutely.
>
>  Antoine,
>
>    May be you can setup a private project on bitbucket (or a public
> one) which will allow us
>    to take a look and collaborate in the real time (instead of the
> patches based workflow on JIRA)
>    till it gets ready to be included in the ApacheDS trunk.
>
>
Antoine is an Apache Member from what I know so granting him access to work
in SVN is not a problem. He can work in his own branch if he likes. I don't
even think we have to conduct a vote. Apache Members own all the code
anyway.

If no one has any objections we can just add him to the asf-authorization file.
No need for getting some bitbucket account.

Regards,
-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Nov 19, 2010 at 5:01 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
> On 11/19/10 3:46 PM, Antoine Levy-Lambert wrote:
>>
>> I need to configure at least the host and the port to which the delegation
>> happens. The class name of the new authenticator will be
>> org.apache.directory.server.core.authn.DelegatingAuthenticator. My DN where I
>> work is CN=Antoine Lambert, OU=132, OU=Users, OU=NYCSite, DC=nyc,DC=com.
>> Maybe the DelegatingAuthenticator could work optionally with DN patterns.
>
> Right now, I would suggest to hard-code it, make the authent work and then
> start to think about config. Dirty, but this is a good way to get things
> done :)
absolutely.

 Antoine,

    May be you can setup a private project on bitbucket (or a public
one) which will allow us
    to take a look and collaborate in the real time (instead of the
patches based workflow on JIRA)
    till it gets ready to be included in the ApacheDS trunk.

-- 
Kiran Ayyagari

Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Emmanuel Lecharny <el...@gmail.com>.
On 11/19/10 3:46 PM, Antoine Levy-Lambert wrote:
> I need to configure at least the host and the port to which the 
> delegation happens. The class name of the new authenticator will be 
> org.apache.directory.server.core.authn.DelegatingAuthenticator. My DN 
> where I work is CN=Antoine Lambert, OU=132, OU=Users, OU=NYCSite, 
> DC=nyc,DC=com.
> Maybe the DelegatingAuthenticator could work optionally with DN patterns.

Right now, I would suggest to hard-code it, make the authent work and 
then start to think about config. Dirty, but this is a good way to get 
things done :)

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


Re: Writing a specific Authenticator, and add some configuration for iy

Posted by Antoine Levy-Lambert <an...@gmx.de>.
  On 11/19/2010 4:41 AM, Emmanuel Lecharny wrote:
> Hi guys,
>
> yesterday, we had an interesting convo with Antoine, about the 
> definition of a dedicated Authenticator, and how to configure it.
>
> First, the Authenticator interface can be implemented but it's 
> probably a better idea to extend the AbstractAuthenticator, as it 
> brings some references to the underlying DirectoryService for free, 
> plus some default implementations to init and dispose the 
> Authenticator. One thing to take care of is the PasswordPolicy which 
> can be enabled or disabled. We have to determine the best way to 
> deal with this service.
Thanks, will extend AbstractAuthenticator then.
>
> Another aspect is the Authenticator configuration : how to inject it 
> and have it available when the server is stopped and restarted? The 
> solution is probably to extend the existing configuration, which is 
> based on the DIT. That means defining a specific Bean, plus the 
> associated OC and AT. We have to think about it, and I would suggest 
> we try to write a prototype that demonstrates the way to extend the 
> configuration. It has to be documented, as the Authenticator is an 
> extension point.
I need to configure at least the host and the port to which the 
delegation happens. The class name of the new authenticator will be 
org.apache.directory.server.core.authn.DelegatingAuthenticator. My DN 
where I work is CN=Antoine Lambert, OU=132, OU=Users, OU=NYCSite, 
DC=nyc,DC=com.
Maybe the DelegatingAuthenticator could work optionally with DN patterns.
>
> I'm pretty sure it's not such a big deal, but we need time, and we 
> have little :) I would suggest we follow closely Antoine's effort and 
> try to leverage what he is doing to improve the server *and* the 
> documentation...
>
> Thanks !
>
Thanks too,

Antoine
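
The delegation model Alex sketches earlier in the thread (a DIT region selecting
an external mechanism, a mechanism-specific mapping of the bind principal, and a
PAM-like stack of mechanisms) and the host/port plus DN-pattern configuration
Antoine asks for above can be exercised stand-alone. The Python below is an added
example written for this page; it is not code from ApacheDS or from Antoine's
branch. The rules, backends, domains, DNs and passwords are assumptions, and a
small in-memory class stands in for the simple bind a real DelegatingAuthenticator
would perform against the configured host and port.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def parse_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """(type, value) RDNs, types lower-cased, values trimmed. Simplified on purpose
    (no escaped commas, no multi-valued RDNs); real code uses the server's parser."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return tuple(rdns)

def norm(dn: str) -> str:
    """Canonical lower-case string form used for comparisons and lookups."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))

def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies in the subtree below it."""
    d, b = parse_dn(norm(dn)), parse_dn(norm(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check(stored: Optional[str], password: str) -> bool:
    # Unknown principal and wrong password give the same answer (no enumeration).
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

class ExternalDirectory:
    """Stand-in for an external mechanism (AD, another LDAP server, ...) that a real
    authenticator reaches by simple bind over TLS to a configured host and port."""

    def __init__(self, name: str, creds: Dict[str, str]):
        self.name, self._creds = name, creds  # creds: constructed test data

    def simple_bind(self, principal: str, password: str) -> bool:
        return check(self._creds.get(principal), password)

@dataclass
class DelegationRule:
    """Subentry-like rule: binds under base_dn go to backend, after the bind DN
    is mapped into that backend's principal namespace."""
    base_dn: str
    backend: ExternalDirectory
    map_principal: Callable[[str], Optional[str]]

def upn_mapper(domain: str) -> Callable[[str], Optional[str]]:
    """uid=<name>,... -> <name>@<domain>; any other leaf RDN is unmappable."""
    def mapper(dn: str) -> Optional[str]:
        attr, value = parse_dn(dn)[0]
        return f"{value}@{domain}" if attr == "uid" else None
    return mapper

class DelegatingAuthenticator:
    """Applicable rules are tried in order, like a PAM stack of 'sufficient' modules:
    the first backend that accepts wins. A DN outside every region is checked locally."""

    def __init__(self, rules: List[DelegationRule], local: Dict[str, str]):
        self.rules = rules
        self._local = {norm(k): v for k, v in local.items()}

    def authenticate(self, bind_dn: str, password: str) -> Optional[str]:
        """Return 'backend:principal' on success, None on failure."""
        if not password:
            # RFC 4513 'unauthenticated bind': a DN plus an empty password is accepted
            # by many servers (AD included) as a successful *anonymous* bind. Forwarding
            # it would log anyone in, so refuse it before any delegation happens.
            return None
        applicable = [r for r in self.rules if is_under(bind_dn, r.base_dn)]
        if not applicable:
            ok = check(self._local.get(norm(bind_dn)), password)
            return f"local:{norm(bind_dn)}" if ok else None
        for rule in applicable:
            principal = rule.map_principal(bind_dn)
            if principal is None:
                continue  # this rule cannot express the DN; try the next one
            if rule.backend.simple_bind(principal, password):
                return f"{rule.backend.name}:{principal}"
        return None

# Constructed sample deployment; names, domains and passwords are made up.
AD_NYC = ExternalDirectory("ad-nyc", {
    "alambert@nyc.com": "nyc-pass",
    # Mirrored layout: ApacheDS DN == AD DN, so the identity mapping (norm) suffices.
    "cn=antoine lambert,ou=132,ou=users,ou=nycsite,dc=nyc,dc=com": "mirror-pass",
})
AD_LDN = ExternalDirectory("ad-ldn", {"alambert@ldn.com": "ldn-pass"})

AUTHN = DelegatingAuthenticator(
    rules=[
        DelegationRule("ou=users,dc=example,dc=com", AD_NYC, upn_mapper("nyc.com")),
        DelegationRule("ou=users,dc=example,dc=com", AD_LDN, upn_mapper("ldn.com")),
        DelegationRule("dc=nyc,dc=com", AD_NYC, norm),  # mirrored AD subtree
    ],
    local={"uid=admin,ou=system": "local-pass"},
)
```

Two points the thread does not spell out but a deployment has to get right: the
user's password is forwarded verbatim to the external server, so the delegated
bind must go over TLS; and an empty password must be refused before delegation,
because a simple bind with a DN and a zero-length password is the RFC 4513
unauthenticated bind, which AD and other servers accept as an anonymous (that is,
successful) bind. Rule order also matters where regions overlap: the first backend
that accepts the credentials wins, exactly as with a stack of PAM 'sufficient'
modules, so the most authoritative mechanism for a region should be listed first.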