|
Home > Archive > Apache Directory Project > October 2005 > [jira] Commented: (DIREVE-265) delegating binds to custom partitions
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
[jira] Commented: (DIREVE-265) delegating binds to custom partitions
|
|
| Alex Karasulu (JIRA) 2005-10-25, 5:45 pm |
| [ http://issues.apache.org/jira/brows...action_12355866 ]
Alex Karasulu commented on DIREVE-265:
--------------------------------------
You mean just adding bind() to what we have? I guess that's the only missing operation. However I think this is a wrong turn in our architectural vision.
First because a partitions are for storage. Using them for proxying is tangential to our aims.
A proxy can be implemented in other ways via views. Using a partition to do is effective but a hack. When we implement views proxies can easily be written.
Still there may be some benefit to intercepting a bind operation. Let me think more about this. Bind interception might be good for views too. Thanks T.
> delegating binds to custom partitions
> -------------------------------------
>
> Key: DIREVE-265
> URL: http://issues.apache.org/jira/browse/DIREVE-265
> Project: Directory Server
> Type: New Feature
> Components: server main
> Environment: jdk1.4.2
> Reporter: Norbert Reilly
> Assignee: Alex Karasulu
> Attachments: delegate_bind.patch
>
> I have created a patch which permits SimpleAuthenticator to optionally delegate bind calls to the custom partition matching the DN provided to a bind call. This seems like the right general approach to take, but there were some points I wasn't completel
y certain about (being a noob):
> 1) I pass the credentials in as a Object (rather then byte[]) to allow for future flexibility when SASL support is added to DS.
> 2) The bind() call returns an InitialContext which SimpleAuthenticator immediately closes, rather then say returning a boolean. This seems sensible though.
> 3) Given the new bind() call is only optionally implemented by a ContextPartition, the default bases classes return null when it is called. A NotImplementedException type approach would work just as well, but I am unsure how the relative pros and co
ns are preceived by the core DS developers (runtime cost versus cleanliness).
> I also realise that the bind call is only one of a number of delegations that will eventually need to be supported to custom partitions, but hope that this patch isn't heading in the wrong direction and thus compromising any future work that may be requ
ired.
> If the patch is deemed useful, but further work is required due to any/all of the reasons above (or some I haven't considered) then let me know.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secur...nistrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
| |
| Norbet Reilly 2005-10-26, 2:45 am |
| If it helps in your thinking on the issue...
I think in the long term proxies will have a big impact on the
ApacheDS stack. A proxy would prefer that most of the services
(normalization, exception, etc) configured in server.xml be
inactivated (as they would duplicate functions already being performed
by the remote server accessed by the proxy), or best optionally
activated for some proxies to make up for functions lacking on the
remote server.
Also most of the sub-tree type operations would be delegated for the
proxy's entire sub-tree to the remote server. And finally schema
retrieval would need to be delegated as well.
Because most of this stuff is not there at the moment I made the
following implemental choices from my proxy:
1. implement delegation of binds as described in the patch
attached to this issue. I thought this change was less hacky then 2.
and of value by itself.
2. implement logic to dynamically discover the remote server's
schema and add it to the ApacheDS GlobalRegistries (which required
some changes to GlobalRegistries.java as in some places only the
BootStrapRegistries information was used, and hence my additions were
ignored). I can share the full patch (including a dynamic equivalent
to the current Maven schema plugin) if anyone is interested.
I think this subset of functionality is a useful starting point for
many proxy implementors, but fully understand if you feel that such a
partial solution should not be integrated into the core server (in
which case I'll maintain my diffs until such time as they are replaced
by a more comprehensive solution).
Thanks
| |
| Alex Karasulu 2005-10-26, 7:45 am |
| Norbet Reilly wrote:
>If it helps in your thinking on the issue...
>
>I think in the long term proxies will have a big impact on the
>ApacheDS stack. A proxy would prefer that most of the services
>(normalization, exception, etc) configured in server.xml be
>inactivated (as they would duplicate functions already being performed
>by the remote server accessed by the proxy), or best optionally
>activated for some proxies to make up for functions lacking on the
>remote server.
>
>
Very good points here Norbet. I agree.
>Also most of the sub-tree type operations would be delegated for the
>proxy's entire sub-tree to the remote server. And finally schema
>retrieval would need to be delegated as well.
>
>
Ok I see that.
>Because most of this stuff is not there at the moment I made the
>following implemental choices from my proxy:
> 1. implement delegation of binds as described in the patch
>attached to this issue. I thought this change was less hacky then 2.
>and of value by itself.
> 2. implement logic to dynamically discover the remote server's
>schema and add it to the ApacheDS GlobalRegistries (which required
>some changes to GlobalRegistries.java as in some places only the
>BootStrapRegistries information was used, and hence my additions were
>ignored). I can share the full patch (including a dynamic equivalent
>to the current Maven schema plugin) if anyone is interested.
>
>
>
Sure that sounds great ... re: dynamic equivalent.
>I think this subset of functionality is a useful starting point for
>many proxy implementors, but fully understand if you feel that such a
>partial solution should not be integrated into the core server (in
>which case I'll maintain my diffs until such time as they are replaced
>by a more comprehensive solution)
>
Let me look at your patch again. Stuff goes in the nogin but does not
stay for long so I wanna review it again and see what we can you for
folks like yourself interested in proxing partitions. I just want to
make sure we do you right while keeping the core simple. Please bear
with us too its a hectic time to get this release out.
Alex
| |
| Norbet Reilly 2005-10-27, 2:45 am |
| I have attached all of my DS changes (includes the patch submitted to
DIREVE-265) motivated by writing my proxy, and additionally the
dynamic schema conversion code. The latter may need a bit of sprucing
up for prime time, as the job itself is a bit hacky (given the
somewhat loose nature of LDAP schema).
|
|
|
|
|