Posted to dev@directory.apache.org by "Norbert Reilly (JIRA)" <di...@incubator.apache.org> on 2005/09/20 08:00:31 UTC

[jira] Created: (DIREVE-265) delegating binds to custom partitions

delegating binds to custom partitions
-------------------------------------

         Key: DIREVE-265
         URL: http://issues.apache.org/jira/browse/DIREVE-265
     Project: Directory Server
        Type: New Feature
  Components: server main  
 Environment: jdk1.4.2
    Reporter: Norbert Reilly
 Assigned to: Alex Karasulu 


I have created a patch which permits SimpleAuthenticator to optionally delegate bind calls to the custom partition matching the DN provided to a bind call. This seems like the right general approach to take, but there were some points I wasn't completely certain about (being a noob):
    1) I pass the credentials in as an Object (rather than byte[]) to allow for future flexibility when SASL support is added to DS.
    2) The bind() call returns an InitialContext which SimpleAuthenticator immediately closes, rather than say returning a boolean. This seems sensible though.
    3) Given the new bind() call is only optionally implemented by a ContextPartition, the default base classes return null when it is called. A NotImplementedException type approach would work just as well, but I am unsure how the relative pros and cons are perceived by the core DS developers (runtime cost versus cleanliness).

I also realise that the bind call is only one of a number of delegations that will eventually need to be supported to custom partitions, but hope that this patch isn't heading in the wrong direction and thus compromising any future work that may be required.

If the patch is deemed useful, but further work is required due to any/all of the reasons above (or some I haven't considered) then let me know.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Re: [jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by Trustin Lee <tr...@gmail.com>.
So all LDAP operations are required to Interceptors and ContextPartitions to
make ApacheDS fully function as an LDAP proxy server, right? WDYT, other
guys? It looks like a good reason.

Trustin

2005/9/22, Norbet Reilly <nr...@gmail.com>:
>
> Hi Trustin,
>  My interest in creating the patch is a custom partition that proxies to
> an external LDAP server. Hence I want to use the proxied server's
> authentication if the DN presented to the bind() matches the proxy
> partition's suffix and otherwise authenticate against ApacheDS's user store.
>
>  Note that the custom proxy partition additionally has some credentials
> stored locally, which it uses to discover the remote LDAP schema and add
> matching entries to the GlobalRegistries at server start-up time. Hence the
> intention behind the patch is to allow access to the remote proxy partition
> without having to duplicate all of its users inside ApacheDS.
>  Having said that, the only reason that I touched the interceptor code was
> by necessity as ContextPartition was impacted by the addition of the bind()
> method (and wanted to dispatch to it using the ContextPartitionNexus). I'm
> not that familiar with the code yet, so please let me know if I changed more
> than I needed to.
>  As I've mentioned to Alex in a previous posting, I'd imagine that
> ultimately the core server might delegate a number of services to custom
> partitions (authentication, schema (rather than a single top-level static
> schema have one under each partition that has its own) etc). Hence although
> I know this patch is only a small isolated step in that direction, it may be
> useful to anyone else implementing a proxying custom partition.
>  Thanks
>



--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: [jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by Norbet Reilly <nr...@gmail.com>.
Hi Trustin,
 My interest in creating the patch is a custom partition that proxies to an
external LDAP server. Hence I want to use the proxied server's
authentication if the DN presented to the bind() matches the proxy
partition's suffix and otherwise authenticate against ApacheDS's user store.
 Note that the custom proxy partition additionally has some credentials
stored locally, which it uses to discover the remote LDAP schema and add
matching entries to the GlobalRegistries at server start-up time. Hence the
intention behind the patch is to allow access to the remote proxy partition
without having to duplicate all of its users inside ApacheDS.
 Having said that, the only reason that I touched the interceptor code was
by necessity as ContextPartition was impacted by the addition of the bind()
method (and wanted to dispatch to it using the ContextPartitionNexus). I'm
not that familiar with the code yet, so please let me know if I changed more
than I needed to.
 As I've mentioned to Alex in a previous posting, I'd imagine that
ultimately the core server might delegate a number of services to custom
partitions (authentication, schema (rather than a single top-level static
schema have one under each partition that has its own) etc). Hence although
I know this patch is only a small isolated step in that direction, it may be
useful to anyone else implementing a proxying custom partition.
 Thanks
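
Added example (not part of the thread, and not the code in delegate_bind.patch): a Java 17 sketch of the routing rule described above, where a bind is delegated to the partition whose suffix matches the DN and is otherwise checked against the local user store. The Partition interface, the record types and the sample DNs and passwords are hypothetical; the ProxyPartition map stands in for the remote LDAP server, and "unsupported" is signalled by an exception rather than null so that a remote rejection cannot be mistaken for it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.OperationNotSupportedException;
import javax.naming.ldap.LdapName;

/** Hypothetical bind router; none of these types are ApacheDS classes. */
public record BindRouter(List<Partition> partitions, Map<LdapName, byte[]> localUsers) {

    /** Hypothetical partition contract; not the ApacheDS ContextPartition interface. */
    interface Partition {
        LdapName suffix();

        /** Storage-only partitions inherit this: "unsupported" is an exception, not a null return. */
        default void bind(LdapName dn, byte[] password) throws NamingException {
            throw new OperationNotSupportedException("bind not delegated for " + suffix());
        }
    }

    record StoragePartition(LdapName suffix) implements Partition { }

    /** Stand-in for a proxy partition; the map replaces the remote server so this runs offline. */
    record ProxyPartition(LdapName suffix, Map<LdapName, byte[]> remoteUsers) implements Partition {
        @Override
        public void bind(LdapName dn, byte[] password) throws NamingException {
            byte[] expected = remoteUsers.get(dn);
            if (expected == null || !MessageDigest.isEqual(expected, password)) {
                throw new AuthenticationException("remote bind rejected");
            }
        }
    }

    /** Returns the backend that accepted the bind; throws NamingException if it is refused. */
    String authenticate(String dnText, byte[] password) throws NamingException {
        LdapName dn = new LdapName(dnText); // InvalidNameException on a malformed DN
        if (dn.isEmpty() || password == null || password.length == 0) {
            // An empty password makes a simple bind unauthenticated (RFC 4513, 5.1.2); do not
            // forward it, or a remote "success" could be read as proof of identity.
            throw new AuthenticationException("empty DN or password");
        }
        Partition owner = null;
        for (Partition p : partitions) { // the longest matching suffix owns the DN
            if (dn.startsWith(p.suffix())
                    && (owner == null || p.suffix().size() > owner.suffix().size())) {
                owner = p;
            }
        }
        if (owner != null) {
            try {
                owner.bind(dn, password);
                return "partition:" + owner.suffix();
            } catch (OperationNotSupportedException e) {
                // Only "not implemented" falls through to the local store. A rejection
                // (AuthenticationException) propagates and is never retried locally.
            }
        }
        byte[] expected = localUsers.get(dn);
        if (expected == null || !MessageDigest.isEqual(expected, password)) {
            throw new AuthenticationException("local bind rejected");
        }
        return "local";
    }

    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) throws NamingException {
        // Constructed sample data: a storage suffix, a proxied suffix, and a stale local copy of ann.
        LdapName ann = new LdapName("uid=ann,ou=remote,dc=example,dc=com");
        BindRouter auth = new BindRouter(
            List.of(new StoragePartition(new LdapName("dc=example,dc=com")),
                    new ProxyPartition(new LdapName("ou=remote,dc=example,dc=com"),
                                       Map.of(ann, bytes("r3mote")))),
            Map.of(new LdapName("uid=bob,dc=example,dc=com"), bytes("l0cal"), ann, bytes("stale")));
        System.out.println(auth.authenticate(ann.toString(), bytes("r3mote")));
        System.out.println(auth.authenticate("uid=bob,dc=example,dc=com", bytes("l0cal")));
        try {
            auth.authenticate(ann.toString(), bytes("stale")); // matches only the stale local copy
        } catch (AuthenticationException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The third call is the case that the null-versus-exception question in the issue bears on: the proxied suffix owns the DN and rejects the password, so the stale local entry is never consulted.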

Re: [jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by Norbet Reilly <nr...@gmail.com>.
I have attached all of my DS changes (includes the patch submitted to
DIREVE-265) motivated by writing my proxy, and additionally the
dynamic schema conversion code. The latter may need a bit of sprucing
up for prime time, as the job itself is a bit hacky (given the
somewhat loose nature of LDAP schema).

Re: [jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by Alex Karasulu <ao...@bellsouth.net>.
Norbet Reilly wrote:

>If it helps in your thinking on the issue...
>
>I think in the long term proxies will have a big impact on the
>ApacheDS stack. A proxy would prefer that most of the services
>(normalization, exception, etc) configured in server.xml be
>inactivated (as they would duplicate functions already being performed
>by the remote server accessed by the proxy), or best optionally
>activated for some proxies to make up for functions lacking on the
>remote server.
>  
>
Very good points here Norbet.  I agree.

>Also most of the sub-tree type operations would be delegated for the
>proxy's entire sub-tree to the remote server. And finally schema
>retrieval would need to be delegated as well.
>  
>
Ok I see that.

>Because most of this stuff is not there at the moment I made the
>following implemental choices from my proxy:
>    1. implement delegation of binds as described in the patch
>attached to this issue. I thought this change was less hacky than 2.
>and of value by itself.
>    2. implement logic to dynamically discover the remote server's
>schema and add it to the ApacheDS GlobalRegistries (which required
>some changes to GlobalRegistries.java as in some places only the
>BootStrapRegistries information was used, and hence my additions were
>ignored). I can share the full patch (including a dynamic equivalent
>to the current Maven schema plugin) if anyone is interested.
>
>  
>
Sure that sounds great ... re: dynamic equivalent.

>I think this subset of functionality is a useful starting point for
>many proxy implementors, but fully understand if you feel that such a
>partial solution should not be integrated into the core server (in
>which case I'll maintain my diffs until such time as they are replaced
>by a more comprehensive solution)
>
Let me look at your patch again.  Stuff goes in the noggin but does not 
stay for long so I wanna review it again and see what we can do for 
folks like yourself interested in proxying partitions.  I just want to 
make sure we do you right while keeping the core simple.  Please bear 
with us too; it's a hectic time to get this release out.

Alex


Re: [jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by Norbet Reilly <nr...@gmail.com>.
If it helps in your thinking on the issue...

I think in the long term proxies will have a big impact on the
ApacheDS stack. A proxy would prefer that most of the services
(normalization, exception, etc) configured in server.xml be
inactivated (as they would duplicate functions already being performed
by the remote server accessed by the proxy), or best optionally
activated for some proxies to make up for functions lacking on the
remote server.

Also most of the sub-tree type operations would be delegated for the
proxy's entire sub-tree to the remote server. And finally schema
retrieval would need to be delegated as well.

Because most of this stuff is not there at the moment I made the
following implemental choices from my proxy:
    1. implement delegation of binds as described in the patch
attached to this issue. I thought this change was less hacky than 2.
and of value by itself.
    2. implement logic to dynamically discover the remote server's
schema and add it to the ApacheDS GlobalRegistries (which required
some changes to GlobalRegistries.java as in some places only the
BootStrapRegistries information was used, and hence my additions were
ignored). I can share the full patch (including a dynamic equivalent
to the current Maven schema plugin) if anyone is interested.

I think this subset of functionality is a useful starting point for
many proxy implementors, but fully understand if you feel that such a
partial solution should not be integrated into the core server (in
which case I'll maintain my diffs until such time as they are replaced
by a more comprehensive solution).

Thanks

[jira] Updated: (DIREVE-265) delegating binds to custom partitions

Posted by "Norbert Reilly (JIRA)" <di...@incubator.apache.org>.
     [ http://issues.apache.org/jira/browse/DIREVE-265?page=all ]

Norbert Reilly updated DIREVE-265:
----------------------------------

    Attachment: delegate_bind.patch

> delegating binds to custom partitions
> -------------------------------------
>
>          Key: DIREVE-265
>          URL: http://issues.apache.org/jira/browse/DIREVE-265
>      Project: Directory Server
>         Type: New Feature
>   Components: server main
>  Environment: jdk1.4.2
>     Reporter: Norbert Reilly
>     Assignee: Alex Karasulu
>  Attachments: delegate_bind.patch


[jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by "Trustin Lee (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIREVE-265?page=comments#action_12355723 ] 

Trustin Lee commented on DIREVE-265:
------------------------------------

In the long run, we'll have to change the interceptor interface to filter all LDAP operations.  It will help users implement an LDAP proxy very easily.  WDYT?

> delegating binds to custom partitions
> -------------------------------------
>
>          Key: DIREVE-265
>          URL: http://issues.apache.org/jira/browse/DIREVE-265
>      Project: Directory Server
>         Type: New Feature
>   Components: server main
>  Environment: jdk1.4.2
>     Reporter: Norbert Reilly
>     Assignee: Alex Karasulu
>  Attachments: delegate_bind.patch


[jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by "Trustin Lee (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIREVE-265?page=comments#action_12330156 ] 

Trustin Lee commented on DIREVE-265:
------------------------------------

Thank you for your patch first of all, Norbert.  But can I know the use case of this patch?  BIND operation is used only for authentication and AuthenticationService performs it already.  Is there any reason to delegate bind operation to interceptors and context partitions?  Any ideas are appreciated.

> delegating binds to custom partitions
> -------------------------------------
>
>          Key: DIREVE-265
>          URL: http://issues.apache.org/jira/browse/DIREVE-265
>      Project: Directory Server
>         Type: New Feature
>   Components: server main
>  Environment: jdk1.4.2
>     Reporter: Norbert Reilly
>     Assignee: Alex Karasulu
>  Attachments: delegate_bind.patch


[jira] Resolved: (DIRSERVER-435) delegating binds to custom partitions

Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/DIRSERVER-435?page=all ]
     
Alex Karasulu resolved DIRSERVER-435:
-------------------------------------

    Fix Version: 1.0-RC1
     Resolution: Fixed

Unbind and bind operations have been added to partitions and pipelined.  They are now called when there are no authenticators registered to handle the authmeth.

> delegating binds to custom partitions
> -------------------------------------
>
>          Key: DIRSERVER-435
>          URL: http://issues.apache.org/jira/browse/DIRSERVER-435
>      Project: Directory ApacheDS
>         Type: New Feature
>  Environment: jdk1.4.2
>     Reporter: Norbert Reilly
>     Assignee: Alex Karasulu
>      Fix For: 1.0-RC1
>  Attachments: delegate_bind.patch


[jira] Closed: (DIRSERVER-435) delegating binds to custom partitions

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny closed DIRSERVER-435.
---------------------------------------


Closing all issues created in 2005 and before which are marked resolved

> delegating binds to custom partitions
> -------------------------------------
>
>                 Key: DIRSERVER-435
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-435
>             Project: Directory ApacheDS
>          Issue Type: New Feature
>         Environment: jdk1.4.2
>            Reporter: Norval Hope
>         Assigned To: Alex Karasulu
>             Fix For: 1.0-RC1
>
>         Attachments: delegate_bind.patch


[jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by "Alex Karasulu (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIREVE-265?page=comments#action_12355709 ] 

Alex Karasulu commented on DIREVE-265:
--------------------------------------

What's the status of this?

> delegating binds to custom partitions
> -------------------------------------
>
>          Key: DIREVE-265
>          URL: http://issues.apache.org/jira/browse/DIREVE-265
>      Project: Directory Server
>         Type: New Feature
>   Components: server main
>  Environment: jdk1.4.2
>     Reporter: Norbert Reilly
>     Assignee: Alex Karasulu
>  Attachments: delegate_bind.patch


[jira] Commented: (DIREVE-265) delegating binds to custom partitions

Posted by "Alex Karasulu (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIREVE-265?page=comments#action_12355866 ] 

Alex Karasulu commented on DIREVE-265:
--------------------------------------

You mean just adding bind() to what we have?  I guess that's the only missing operation.  However I think this is a wrong turn in our architectural vision.

First, because partitions are for storage.  Using them for proxying is tangential to our aims.

A proxy can be implemented in other ways via views.  Using a partition to do so is effective but a hack.  When we implement views, proxies can easily be written.

Still there may be some benefit to intercepting a bind operation.  Let me think more about this.  Bind interception might be good for views too.  Thanks T.


> delegating binds to custom partitions
> -------------------------------------
>
>          Key: DIREVE-265
>          URL: http://issues.apache.org/jira/browse/DIREVE-265
>      Project: Directory Server
>         Type: New Feature
>   Components: server main
>  Environment: jdk1.4.2
>     Reporter: Norbert Reilly
>     Assignee: Alex Karasulu
>  Attachments: delegate_bind.patch