Overview
Penrose can be used to proxy another LDAP server. As a proxy, Penrose can expose selected parts of the original LDAP tree and perform DN and attribute transformation. Authentication requests are passed through to the original LDAP server. Penrose can also enforce additional ACLs on top of the original LDAP server's own ACLs.
Configuration
Connection
The connection to the original LDAP server should be defined in connections.xml.
<connections>
<connection name="...">
<adapter-name>LDAP</adapter-name>
<parameter>
<param-name>java.naming.provider.url</param-name>
<param-value>...</param-value>
</parameter>
<parameter>
<param-name>java.naming.security.principal</param-name>
<param-value>...</param-value>
</parameter>
<parameter>
<param-name>java.naming.security.credentials</param-name>
<param-value>...</param-value>
</parameter>
</connection>
</connections>
The adapter name must be LDAP.
Source
The part of the original LDAP tree that will be exposed by the proxy should be defined in sources.xml.
<sources>
<source name="...">
<connection-name>...</connection-name>
<parameter>
<param-name>baseDn</param-name>
<param-value>...</param-value>
</parameter>
<parameter>
<param-name>scope</param-name>
<param-value>...</param-value>
</parameter>
<parameter>
<param-name>filter</param-name>
<param-value>...</param-value>
</parameter>
</source>
</sources>
The connection name must point to the connection defined above.
Directory
The DN and attribute transformation and the ACL should be defined in directory.xml.
<directory>
<entry dn="...">
<entry-class>org.safehaus.penrose.directory.ProxyEntry</entry-class>
<source>
<source-name>...</source-name>
</source>
<parameter>
<param-name>...</param-name>
<param-value>...</param-value>
</parameter>
<aci>
...
</aci>
</entry>
</directory>
The DN of this entry is used to transform the DNs in the original LDAP tree. For instance, if the entry DN is dc=Example,dc=com and the original LDAP tree is dc=my-domain,dc=com, an entry such as ou=Users,dc=my-domain,dc=com in the original tree is renamed to ou=Users,dc=Example,dc=com in the virtual tree.
The source name must point to the source defined above.
The attributes parameter lists the attributes whose values are DNs and therefore also need to be renamed. For example, if the uniqueMember attribute contains a DN value such as uid=test,ou=Users,dc=my-domain,dc=com, that value is transformed into uid=test,ou=Users,dc=Example,dc=com.
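To make the renaming described above concrete, here is an added Python example. It is not Penrose's own code (Penrose is written in Java); the DnMapper class and its method names are assumptions made for this illustration. It rewrites the DN suffix in both directions (original tree to virtual tree for returned entries, virtual tree to original tree for the DNs a client sends, such as a bind DN or search base) and renames the DN-valued attributes listed in the attributes parameter. The comparison is done on parsed RDN components rather than on the raw string, so a DN that merely ends with the same characters (for example a value containing an embedded "dc=my-domain") is not rewritten by mistake, and escaped commas inside values are preserved.

```python
# Added example, not Penrose's own code: suffix rewriting between the original
# LDAP tree and the virtual tree, as the text describes for a ProxyEntry.


def split_dn(dn):
    """Split a DN into its RDN strings at unescaped commas.

    Handles backslash escapes (cn=Smith\\, John) but not multi-valued RDNs
    (a+b=...), which is enough for the suffix comparison shown here.
    """
    rdns = []
    current = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize_rdn(rdn):
    """Canonical form for comparison: attribute type and value lower-cased,
    whitespace around '=' dropped (LDAP attribute types are case-insensitive;
    dc values use a case-ignoring match)."""
    if "=" not in rdn:
        raise ValueError("invalid RDN: %r" % rdn)
    attr, value = rdn.split("=", 1)
    return attr.strip().lower() + "=" + value.strip().lower()


def has_suffix(rdns, suffix_rdns):
    """True if the trailing RDNs of rdns equal suffix_rdns component by component."""
    if len(rdns) < len(suffix_rdns):
        return False
    tail = rdns[len(rdns) - len(suffix_rdns):]
    return [normalize_rdn(r) for r in tail] == [normalize_rdn(r) for r in suffix_rdns]


class DnMapper:
    """Hypothetical helper mirroring a ProxyEntry's DN and attribute renaming."""

    def __init__(self, original_suffix, virtual_suffix, dn_attributes=("uniqueMember",)):
        self.orig = split_dn(original_suffix)      # e.g. dc=my-domain,dc=com
        self.virt = split_dn(virtual_suffix)       # e.g. dc=Example,dc=com
        # names from the "attributes" parameter; attribute types are case-insensitive
        self.dn_attributes = {a.lower() for a in dn_attributes}

    def _rewrite(self, dn, from_suffix, to_suffix):
        rdns = split_dn(dn)
        if not has_suffix(rdns, from_suffix):
            return dn  # DNs outside the proxied subtree are left untouched
        keep = rdns[:len(rdns) - len(from_suffix)]
        return ",".join(keep + to_suffix)

    def to_virtual(self, dn):
        """Original tree -> virtual tree (entries returned to the client)."""
        return self._rewrite(dn, self.orig, self.virt)

    def to_original(self, dn):
        """Virtual tree -> original tree (bind DN, search base sent by the client)."""
        return self._rewrite(dn, self.virt, self.orig)

    def rewrite_entry(self, dn, attrs):
        """Rename the entry DN and every value of the configured DN-valued attributes."""
        new_attrs = {}
        for name, values in attrs.items():
            if name.lower() in self.dn_attributes:
                new_attrs[name] = [self.to_virtual(v) for v in values]
            else:
                new_attrs[name] = list(values)
        return self.to_virtual(dn), new_attrs


if __name__ == "__main__":
    # constructed sample entry, not taken from a real directory
    mapper = DnMapper("dc=my-domain,dc=com", "dc=Example,dc=com")
    entry = ("cn=admins,ou=Groups,dc=my-domain,dc=com",
             {"cn": ["admins"],
              "uniqueMember": ["uid=test,ou=Users,dc=my-domain,dc=com",
                               "uid=ext,dc=other,dc=org"]})
    print(mapper.rewrite_entry(*entry))
    print(mapper.to_original("uid=test,ou=Users,dc=Example,dc=com"))
```

The reverse mapping (to_original) is what lets a client bind as uid=test,ou=Users,dc=Example,dc=com while the proxy forwards the bind to uid=test,ou=Users,dc=my-domain,dc=com on the original server; values that do not sit under the proxied suffix (such as the dc=other,dc=org member above) pass through unchanged.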
See also Access Control.
Example
The following connections.xml defines a connection to an LDAP server on the local machine.
<connections>
<connection name="LDAP">
<adapter-name>LDAP</adapter-name>
<parameter>
<param-name>java.naming.provider.url</param-name>
<param-value>ldap://localhost/</param-value>
</parameter>
<parameter>
<param-name>java.naming.security.principal</param-name>
<param-value>cn=Manager,dc=my-domain,dc=com</param-value>
</parameter>
<parameter>
<param-name>java.naming.security.credentials</param-name>
<param-value>secret</param-value>
</parameter>
</connection>
</connections>
The following sources.xml defines a "users" source which points to the subtree ou=Users,dc=my-domain,dc=com in the original LDAP server.
<sources>
<source name="users">
<connection-name>LDAP</connection-name>
<parameter>
<param-name>baseDn</param-name>
<param-value>ou=Users,dc=my-domain,dc=com</param-value>
</parameter>
</source>
</sources>
The following directory.xml exposes the "users" source as ou=Users,dc=Example,dc=com in Penrose, under a static dc=Example,dc=com root entry that is readable and searchable by everyone.
<directory>
<entry dn="dc=Example,dc=com">
<oc>dcObject</oc>
<oc>organization</oc>
<at name="dc" rdn="true">
<constant>Example</constant>
</at>
<at name="o">
<constant>Example</constant>
</at>
<aci>
<permission>rs</permission>
</aci>
</entry>
<entry dn="ou=Users,dc=Example,dc=com">
<entry-class>org.safehaus.penrose.directory.ProxyEntry</entry-class>
<source>
<source-name>users</source-name>
</source>
</entry>
</directory>
