Proxy Mapping

Introduction

Penrose can be configured to work as a proxy to another LDAP server. This way Penrose can control access to the LDAP server.

For instance, suppose you have the following proxy mapping:

  Penrose:  ou=Users,dc=Proxy,dc=Example,dc=com
  OpenLDAP: ou=Users,dc=MyCompany,dc=com

This means when you perform an LDAP operation on Penrose's ou=Users,dc=Proxy,dc=Example,dc=com subtree, Penrose will perform the same operation on OpenLDAP's ou=Users,dc=MyCompany,dc=com subtree.

The only requirement is that the RDN of the proxy subtree and the RDN of the target subtree must be the same (e.g. ou=Users).

Every entry in the proxy subtree corresponds to an equivalent entry in the target subtree, for instance:

  Penrose:  uid=admin,ou=Users,dc=Proxy,dc=Example,dc=com
  OpenLDAP: uid=admin,ou=Users,dc=MyCompany,dc=com

Authentication

There are 3 different authentication modes that you can select for each proxy mapping:

  • default
  • full
  • disabled

In the default mode, Penrose allows pass-through authentication (PTA), meaning that when you bind to Penrose as a user in the proxy subtree, Penrose binds as the equivalent user on the target server. All other operations (e.g. search, modify) are executed using the proxy account specified in connections.xml.

In the full mode, pass-through authentication is also performed. However, in this mode the same credentials you supplied during bind continue to be used for the subsequent operations.

In the disabled mode, all bind operations against the target server are rejected. Any other operations will be executed using the proxy account specified in connections.xml.
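The DN rewriting described in the Introduction and the three authentication modes above, modelled as an added Python example (this is not Penrose code; the DNs, the proxy account and the passwords are constructed sample values, and the session handling is a simplification of what a real proxy does):

```python
"""Toy model of Penrose proxy mapping (added example, not Penrose code).

Shows (1) how an entry DN under the proxy subtree is rewritten to the target
subtree and why both subtrees must share the same RDN, and (2) which
credentials reach the target server in the default, full and disabled modes.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample proxy account (what connections.xml would carry).
PROXY_ACCOUNT = ("cn=Manager,dc=MyCompany,dc=com", "PLACEHOLDER_PASSWORD")

MODES = ("default", "full", "disabled")


def split_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into normalised RDN components.

    Sufficient for the simple DNs used here; a real LDAP DN parser must also
    handle escaped commas and multi-valued RDNs.
    """
    return tuple(part.strip().lower() for part in dn.split(","))


def rdn_matches(proxy_base: str, target_base: str) -> bool:
    """The documented requirement: proxy and target subtree share one RDN."""
    return split_dn(proxy_base)[0] == split_dn(target_base)[0]


@dataclass(frozen=True)
class ProxyMapping:
    proxy_base: str                  # e.g. ou=Users,dc=Proxy,dc=Example,dc=com
    target_base: str                 # e.g. ou=Users,dc=MyCompany,dc=com
    authentication: str = "default"  # default | full | disabled

    def __post_init__(self):
        if not rdn_matches(self.proxy_base, self.target_base):
            raise ValueError("RDN of proxy and target subtree must match")
        if self.authentication not in MODES:
            raise ValueError(f"unknown authentication mode {self.authentication!r}")

    def to_target(self, proxy_dn: str) -> str:
        """Rewrite a DN under the proxy subtree into the equivalent target DN."""
        parts, base = split_dn(proxy_dn), split_dn(self.proxy_base)
        if parts[-len(base):] != base:
            raise ValueError(f"{proxy_dn} is not under {self.proxy_base}")
        # Keep the entry-specific prefix (e.g. uid=admin) and swap the base.
        prefix = [p.strip() for p in proxy_dn.split(",")[: len(parts) - len(base)]]
        return ",".join([*prefix, self.target_base])


@dataclass
class Session:
    bound_as: Optional[str] = None    # target DN the client authenticated as
    password: Optional[str] = None    # only retained in full mode


def route_bind(mapping: ProxyMapping, session: Session,
               proxy_dn: str, password: str) -> Optional[Tuple[str, str]]:
    """Return the (dn, password) forwarded to the target for a client bind,
    or None when the mapping's mode rejects binds (disabled mode)."""
    if mapping.authentication == "disabled":
        return None
    target_dn = mapping.to_target(proxy_dn)
    session.bound_as = target_dn
    # Full mode keeps the client's own credentials for later operations;
    # default mode does not need them again, so they are not retained.
    session.password = password if mapping.authentication == "full" else None
    return (target_dn, password)


def credentials_for_operation(mapping: ProxyMapping, session: Session) -> Tuple[str, str]:
    """Credentials used on the target for search, modify, etc."""
    if mapping.authentication == "full" and session.bound_as and session.password is not None:
        return (session.bound_as, session.password)
    return PROXY_ACCOUNT


if __name__ == "__main__":
    for mode in MODES:
        m = ProxyMapping("ou=Users,dc=Proxy,dc=Example,dc=com",
                         "ou=Users,dc=MyCompany,dc=com", mode)
        s = Session()
        print(mode, "bind ->", route_bind(m, s, "uid=admin,ou=Users,dc=Proxy,dc=Example,dc=com", "pw"),
              "search as ->", credentials_for_operation(m, s)[0])
```

Running the block prints, for each mode, the identity forwarded on bind and the identity used for a subsequent search, which makes the difference between default and full mode (proxy account versus the client's own DN) directly visible.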

Configuration

In the connections.xml you need to define the connection properties of the target server:

<connections>

  <connection name="OpenLDAP">
    <adapter-name>JNDI</adapter-name>
    <parameter>
      <param-name>java.naming.factory.initial</param-name>
      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
    </parameter>
    <parameter>
      <param-name>java.naming.provider.url</param-name>
      <param-value>...</param-value>
    </parameter>
    <parameter>
      <param-name>java.naming.security.principal</param-name>
      <param-value>...</param-value>
    </parameter>
    <parameter>
      <param-name>java.naming.security.credentials</param-name>
      <param-value>...</param-value>
    </parameter>
  </connection>

</connections>

In the java.naming.provider.url parameter you need to specify the URL of the target server, e.g. ldap://localhost/.

In the java.naming.security.principal and java.naming.security.credentials parameters you can optionally specify the DN and password of the proxy account, e.g. cn=Manager,dc=MyCompany,dc=com as the principal.

In sources.xml you need to define a source which describes the subtree in the target server that you want to proxy:

<sources>

  <source name="users">
    <connection-name>OpenLDAP</connection-name>
    <parameter>
      <param-name>baseDn</param-name>
      <param-value>...</param-value>
    </parameter>
    <parameter>
      <param-name>authentication</param-name>
      <param-value>...</param-value>
    </parameter>
  </source>

</sources>

In the baseDn parameter you need to specify the target DN, e.g. ou=Users,dc=MyCompany,dc=com.

In the authentication parameter you can optionally specify the authentication mode, e.g. full.

In the mapping.xml you need to specify the proxy subtree:

<mapping>

  <entry dn="ou=Users,dc=Proxy,dc=Example,dc=com">
    <source name="users" proxy="true">
      <source-name>users</source-name>
    </source>
  </entry>

</mapping>
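The three files above must agree with each other: the source's connection-name must exist in connections.xml, the mapping entry's source-name must exist in sources.xml, the authentication value must be one of the three modes, and the RDN of the mapping entry must equal the RDN of the source's baseDn. The following added Python script checks those rules over inline copies of the configuration (example code, not part of Penrose; the three XML documents are constructed from the layout shown above, the password is a placeholder, and the rule that the entry DN and baseDn share an RDN is taken from the Introduction):

```python
"""Consistency check for a Penrose proxy partition's connections.xml,
sources.xml and mapping.xml (added example, not Penrose code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample configuration following the layout in the text.
CONNECTIONS_XML = """<connections>
  <connection name="OpenLDAP">
    <adapter-name>JNDI</adapter-name>
    <parameter><param-name>java.naming.factory.initial</param-name>
      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value></parameter>
    <parameter><param-name>java.naming.provider.url</param-name>
      <param-value>ldap://localhost/</param-value></parameter>
    <parameter><param-name>java.naming.security.principal</param-name>
      <param-value>cn=Manager,dc=MyCompany,dc=com</param-value></parameter>
    <parameter><param-name>java.naming.security.credentials</param-name>
      <param-value>PLACEHOLDER_PASSWORD</param-value></parameter>
  </connection>
</connections>"""

SOURCES_XML = """<sources>
  <source name="users">
    <connection-name>OpenLDAP</connection-name>
    <parameter><param-name>baseDn</param-name>
      <param-value>ou=Users,dc=MyCompany,dc=com</param-value></parameter>
    <parameter><param-name>authentication</param-name>
      <param-value>full</param-value></parameter>
  </source>
</sources>"""

MAPPING_XML = """<mapping>
  <entry dn="ou=Users,dc=Proxy,dc=Example,dc=com">
    <source name="users" proxy="true">
      <source-name>users</source-name>
    </source>
  </entry>
</mapping>"""

MODES = ("default", "full", "disabled")


def params(element):
    """Collect <parameter> children into a {param-name: param-value} dict."""
    return {(p.findtext("param-name") or "").strip(): (p.findtext("param-value") or "").strip()
            for p in element.findall("parameter")}


def rdn(dn):
    """First RDN of a DN, normalised (simple DNs only, no escaping handled)."""
    return dn.split(",")[0].strip().lower()


def validate(connections_xml, sources_xml, mapping_xml):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    connections = {c.get("name"): params(c)
                   for c in ET.fromstring(connections_xml).findall("connection")}
    sources = {}
    for s in ET.fromstring(sources_xml).findall("source"):
        name, conn, p = s.get("name"), (s.findtext("connection-name") or "").strip(), params(s)
        sources[name] = p
        if conn not in connections:
            problems.append(f"source {name}: unknown connection {conn!r}")
        else:
            url = connections[conn].get("java.naming.provider.url", "")
            if urlparse(url).scheme not in ("ldap", "ldaps"):
                problems.append(f"connection {conn}: provider url {url!r} is not an LDAP URL")
        if p.get("authentication", "default") not in MODES:
            problems.append(f"source {name}: unknown authentication mode {p['authentication']!r}")
        if "baseDn" not in p:
            problems.append(f"source {name}: baseDn parameter missing")
    for entry in ET.fromstring(mapping_xml).findall("entry"):
        dn = entry.get("dn", "")
        for src in entry.findall("source"):
            ref = (src.findtext("source-name") or src.get("name") or "").strip()
            if ref not in sources:
                problems.append(f"entry {dn}: unknown source {ref!r}")
                continue
            base = sources[ref].get("baseDn", "")
            if base and rdn(dn) != rdn(base):
                problems.append(f"entry {dn}: RDN differs from target baseDn {base}")
    return problems


if __name__ == "__main__":
    for problem in validate(CONNECTIONS_XML, SOURCES_XML, MAPPING_XML) or ["configuration is consistent"]:
        print(problem)
```

To run it against a real partition, replace the three string constants with the contents of the files under the partition directory; the mapping rule it enforces is the same one stated in the Introduction, so a non-empty result points at the file and element to fix.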

Example

A sample proxy configuration is available in the PENROSE_SERVER_HOME/samples/proxy directory.

Create a new partition by copying the files in PENROSE_SERVER_HOME/samples/proxy/partition into PENROSE_SERVER_HOME/partitions/proxy. You might need to adjust the configuration in connections.xml.

Then edit PENROSE_SERVER_HOME/conf/server.xml:

<server>
  <partition name="proxy" path="partitions/proxy"/>
</server>

Restart Penrose, then point your LDAP browser to dc=Proxy,dc=Example,dc=com.
