Proxy Mapping
Introduction
Penrose can be configured to work as a proxy in front of another LDAP server. Clients bind to and query Penrose, and Penrose forwards the operations to the target server, which lets Penrose mediate access to that server.

Basic Proxy
Suppose you have the following directory and you want to create a proxy that exposes only certain parts of the directory (e.g. ou=Users):
dc=my-domain,dc=com
  ou=Users
    uid=admin
    ...
  ou=Groups
    cn=Administrators
    ...
In Penrose you can configure the following mapping:
dc=Example,dc=com
  ou=Users (proxy of ou=Users,dc=my-domain,dc=com)
This means when you perform an LDAP operation on Penrose's ou=Users,dc=Example,dc=com subtree, the same operation will be performed on the original ou=Users,dc=my-domain,dc=com subtree.
Penrose performs two additional translations on every proxied operation:
- The DN in the LDAP request will be translated into the original name space.
- The DNs of the search results will be renamed into the proxy name space.
For example, a search based on ou=Users,dc=Example,dc=com will be translated into a search on ou=Users,dc=my-domain,dc=com. Then the search result uid=admin,ou=Users,dc=my-domain,dc=com will be translated into uid=admin,ou=Users,dc=Example,dc=com.
Aggregating Multiple Proxies
Suppose you want to combine the ou=Users subtrees from the following directories:
Server1:
dc=domain1,dc=com
  ou=Users
  ou=Groups
Server2:
dc=domain2,dc=com
  ou=Users
  ou=Groups
You can create the following tree in Penrose:
dc=Example,dc=com
  ou=domain1
    ou=Users (proxy of ou=Users,dc=domain1,dc=com on Server1)
  ou=domain2
    ou=Users (proxy of ou=Users,dc=domain2,dc=com on Server2)
With this configuration, when you search Penrose using dc=Example,dc=com as the base of the search, Penrose will automatically search both directories and return the results as if they were coming from one directory server.
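The DN translation described under Basic Proxy and the fan-out described for the aggregated tree can be modelled in a few functions. The following Python module is an added illustration and is not Penrose's own code; the mapping table, the connection names server1 and server2, and the function names are assumptions constructed from the example above. It matches DNs on whole RDNs and case-insensitively, as LDAP DN comparison requires, so a plain string suffix test is deliberately avoided:

```python
"""DN translation performed by a proxy mapping (added illustration; not Penrose code).

Penrose rewrites the DN of an incoming request from the proxy name space
into the target server's name space and renames result DNs back again.
The functions below model that rewriting for the aggregated layout above
(dc=Example,dc=com with ou=domain1 and ou=domain2 subtrees). The mapping
table, the connection names and the behaviour are assumptions constructed
from the document's example, not taken from the Penrose implementation.
"""
from typing import List, Optional, Tuple

# (proxy DN exposed by Penrose, original DN on the target server, connection name)
PROXY_MAPPINGS = [
    ("ou=Users,ou=domain1,dc=Example,dc=com", "ou=Users,dc=domain1,dc=com", "server1"),
    ("ou=Users,ou=domain2,dc=Example,dc=com", "ou=Users,dc=domain2,dc=com", "server2"),
]


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs on unescaped commas; an escaped comma inside a value is kept."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]          # keep the escape and the escaped char together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf.strip())
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf.strip())
    return [r for r in rdns if r]


def normalize(dn: str) -> List[str]:
    """Case-fold each RDN so dc=Example and DC=example compare equal."""
    return [r.lower() for r in split_rdns(dn)]


def is_under(dn: str, base: str) -> bool:
    """True when dn equals base or lies below it, compared RDN by RDN
    (so ou=Users2,... is not under ou=Users,... as a plain suffix test would claim)."""
    d, b = normalize(dn), normalize(base)
    return len(d) >= len(b) and d[-len(b):] == b


def rewrite_dn(dn: str, from_base: str, to_base: str) -> Optional[str]:
    """Swap the from_base suffix of dn for to_base, keeping the leading RDNs verbatim."""
    if not is_under(dn, from_base):
        return None
    rdns = split_rdns(dn)
    keep = rdns[: len(rdns) - len(split_rdns(from_base))]
    return ",".join(keep + split_rdns(to_base))


def to_target(proxy_dn: str) -> Optional[Tuple[str, str]]:
    """Translate a request DN: returns (connection, DN in the target name space).
    The most specific proxy base (most RDNs) wins when mappings nest."""
    for proxy_base, target_base, conn in sorted(
        PROXY_MAPPINGS, key=lambda m: -len(split_rdns(m[0]))
    ):
        translated = rewrite_dn(proxy_dn, proxy_base, target_base)
        if translated is not None:
            return conn, translated
    return None                          # not inside any proxied subtree


def to_proxy(conn: str, target_dn: str) -> Optional[str]:
    """Rename a result DN from the named target server back into the proxy name space."""
    for proxy_base, target_base, mapping_conn in PROXY_MAPPINGS:
        if mapping_conn == conn:
            translated = rewrite_dn(target_dn, target_base, proxy_base)
            if translated is not None:
                return translated
    return None


def search_targets(base_dn: str) -> List[Tuple[str, str]]:
    """Which (connection, target base DN) pairs a subtree search must fan out to.
    A search base above the proxy subtrees, such as dc=Example,dc=com, hits every
    mapping; a base inside one subtree is translated and hits only that mapping."""
    hits = []
    for proxy_base, target_base, conn in PROXY_MAPPINGS:
        if is_under(base_dn, proxy_base):
            hits.append((conn, rewrite_dn(base_dn, proxy_base, target_base)))
        elif is_under(proxy_base, base_dn):
            hits.append((conn, target_base))
    return hits


if __name__ == "__main__":
    print(to_target("uid=admin,ou=Users,ou=domain1,dc=Example,dc=com"))
    print(to_proxy("server2", "uid=bob,ou=Users,dc=domain2,dc=com"))
    print(search_targets("dc=Example,dc=com"))
```

The RDN-by-RDN comparison is the part worth copying: a proxy that rewrites DNs with a substring match would let a request for ou=Users2,ou=domain1,dc=Example,dc=com reach the target server as though it were inside the proxied subtree.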
Authentication
There are 3 different authentication modes that you can select for each proxy mapping:
- default
- full
- disabled
In the default mode, Penrose performs pass-through authentication (PTA): you bind to Penrose as a user in the proxy subtree, and Penrose binds to the target server as the equivalent user, with the bind DN translated into the target name space. All other operations (e.g. search, modify) are executed using the proxy account specified in connections.xml, so the target server authorizes them with the proxy account's privileges rather than the bound user's; any access control on the target server applies to the proxy account, not to the user.
In the full mode, pass-through authentication works the same way, but the credentials supplied during bind are also used for the subsequent operations, so the target server authorizes each operation as the bound user.
In the disabled mode, bind operations are not passed through and are rejected, so users in the proxy subtree cannot authenticate via Penrose. Any other operations are executed using the proxy account specified in connections.xml.
Configuration
In the connections.xml you need to define the connection properties of the target server:
<connections>
<connection name="Proxy">
<adapter-name>JNDI</adapter-name>
<parameter>
<param-name>java.naming.factory.initial</param-name>
<param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
</parameter>
<parameter>
<param-name>java.naming.provider.url</param-name>
<param-value>...</param-value>
</parameter>
<parameter>
<param-name>java.naming.security.principal</param-name>
<param-value>...</param-value>
</parameter>
<parameter>
<param-name>java.naming.security.credentials</param-name>
<param-value>...</param-value>
</parameter>
</connection>
</connections>
In the java.naming.provider.url parameter you need to specify the URL of the target server, e.g. ldap://localhost/.
In java.naming.security.principal and java.naming.security.credentials you can optionally specify the DN and password of the proxy account, e.g. cn=Manager,dc=my-domain,dc=com. If they are omitted, Penrose connects to the target server anonymously. Note that the password is stored in cleartext in connections.xml, so restrict read access to that file.
In sources.xml you need to define a source which describes the subtree in the target server that you want to proxy:
<sources>
<source name="users">
<connection-name>Proxy</connection-name>
<parameter>
<param-name>baseDn</param-name>
<param-value>...</param-value>
</parameter>
<parameter>
<param-name>authentication</param-name>
<param-value>...</param-value>
</parameter>
</source>
</sources>
In the baseDn parameter you need to specify the DN of the original subtree, e.g. ou=Users,dc=my-domain,dc=com.
In the authentication parameter you can optionally specify the authentication mode, e.g. full.
In the mapping.xml you need to specify the proxy subtree:
<mapping>
  <entry dn="...">
    <source name="users">
      <source-name>users</source-name>
    </source>
    <handler>PROXY</handler>
  </entry>
</mapping>
In the dn="..." you can specify the proxy DN, e.g. ou=Users,dc=Example,dc=com.
Example
A sample proxy configuration is available in PENROSE_SERVER_HOME/samples/proxy directory.
Create a new partition by copying the files in PENROSE_SERVER_HOME/samples/proxy/partition into PENROSE_SERVER_HOME/partitions/proxy. You might need to adjust the configuration in connections.xml.
Then edit PENROSE_SERVER_HOME/conf/server.xml:
<server>
  <partition name="proxy" path="partitions/proxy"/>
</server>
Restart Penrose, then point your LDAP browser to dc=Proxy,dc=Example,dc=com.