Penrose allows you to associate each part of the virtual directory tree with a particular adapter. For example, an LDAP Proxy Adapter might be configured so that users in "cn=Users, dc=penrose, dc=safehaus, dc=org" are represented as "ou=People,o=safehaus.org". From this point on, the virtual directory will select this adapter whenever an LDAP operation involves "ou=People, o=safehaus.org" or any of its children.
But what if the situation is more complex? What if we need to represent multiple groups of people under the same branch? As an example, consider mapping an OpenLDAP directory whose people entries are under "ou=People,o=Safehaus Penrose" to the same "ou=People, o=safehaus.org" node. Now there are two adapters responsible for the same namespace or directory tree. The Penrose Router system provides several other mechanisms to solve this problem:
- DN Pattern Matching: if the user entries from one adapter have an RDN of uid=jdoe vs. cn=jdoe from the other adapter, then Penrose can distinguish different users by performing a regular expression pattern match. This same technique can also be applied when breaking up extremely large directories (e.g. greater than 50 million entries) into sub-sets, each containing only a portion of the directory. One way might be to break by ranges: UIDs beginning with a-j go to one directory, k-r to another directory, and s-z to the final directory portion.
- Query Filter Matching: each adapter is able to indicate which queries are acceptable or unacceptable. For example, if one directory holds users with emails such as jdoe@penrose.safehaus.org, and another holds users with emails such as jdoe@triplesec.safehaus.org, then filter matching can be used. For the first adapter, the routing filter might say only queries where (mail=*@penrose.safehaus.org) are acceptable. This means that the email address of any query against the mail attribute must end in "@penrose.safehaus.org".
- Attribute Retrieve/Store Restriction: the router can determine whether a particular adapter can be used based on the attributes it is allowed to retrieve or store.
- Views: depending on the client, the Penrose router can select a sub-set of adapters which are available for a particular LDAP client.
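
The DN pattern and query filter routing described above can be sketched as follows. This is an added example, not Penrose code or configuration: the adapter names and the functions normalize_dn, route_by_dn and route_by_mail_filter are hypothetical, and combining the cn/uid split with the uid range split in one table is a constructed scenario. It normalizes the DN before matching and returns no adapter when nothing matches, so an unexpected entry is never routed by default.

```python
import re

# Hypothetical adapter names; the patterns follow the page's examples.
BASE = "ou=people,o=safehaus.org"

# (adapter, RDN pattern), tried in order.
DN_ROUTES = [
    ("openldap-cn", re.compile(r"cn=[^,]+")),
    ("shard-a-j", re.compile(r"uid=[a-j][^,]*")),
    ("shard-k-r", re.compile(r"uid=[k-r][^,]*")),
    ("shard-s-z", re.compile(r"uid=[s-z][^,]*")),
]

# adapter -> mail suffix that its routing filter accepts
FILTER_ROUTES = {
    "penrose-users": "@penrose.safehaus.org",
    "triplesec-users": "@triplesec.safehaus.org",
}


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators.

    Simplified: escaped commas inside attribute values are not handled.
    """
    return ",".join(part.strip() for part in dn.lower().split(","))


def route_by_dn(dn):
    """Return the adapter for an entry directly under BASE, or None."""
    rdn, _, parent = normalize_dn(dn).partition(",")
    if parent != BASE:
        return None  # outside the routed branch
    for adapter, pattern in DN_ROUTES:
        if pattern.fullmatch(rdn):
            return adapter
    return None  # e.g. a uid starting with a digit: no shard owns it


def route_by_mail_filter(ldap_filter):
    """Return adapters accepting a simple exact-match (mail=...) filter."""
    m = re.fullmatch(r"\(mail=([^()*]+)\)", ldap_filter.strip(), re.IGNORECASE)
    if not m:
        return []  # wildcard or compound filter: no adapter accepts it
    value = m.group(1).lower()
    return [a for a, suffix in FILTER_ROUTES.items() if value.endswith(suffix)]
```

The suffix test is anchored at the end of the value, so an address such as jdoe@penrose.safehaus.org.example.test is not accepted by the penrose adapter.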