directory-dev mailing list archives

From "Adison Wongkar" <>
Subject RE: Virtual Directory (or LDAP Proxy)
Date Mon, 07 Feb 2005 06:54:32 GMT
Hi Alex,

I see you have the "interceptor chain". I've actually been wondering whether
it would be most efficient to implement the virtual directory as "backend"
or as "interceptor".

Currently our implementation works as a backend (we originally designed it
as a backend for openldap). So we have our own join & caching engine. This
component has adapters that can talk with databases (via jdbc) and ldaps
(via jndi) and somehow process them according to the mapping rules into a
join/cache database. LDAP operations (search/add/modify/delete, etc.) are
applied to this cache as well as the original data sources. This join/cache
database can be an in-memory db (such as hsql) or a persistent db.

Most LDAP servers (including ApacheDS) have a notion of a backend. So, I
would imagine our implementation would be more portable if implemented as
a backend. However, I'd like to see if implementing the virtual directory
component as an interceptor would be the optimal way to do it. I'll learn more
to find out. Any pointers would be appreciated.

I see you've been involved with the RFC 3672. It's really cool to have LDAP
view. Do you know how close it is to being ratified?


-----Original Message-----
From: Alex Karasulu [] 
Sent: Monday, February 07, 2005 12:30 AM
To: Apache Directory Developers List
Subject: Re: Virtual Directory (or LDAP Proxy)

Adison Wongkar wrote:

> Hi everyone,
> I just joined this mailing list. I'm Adison Wongkar from Verge 
> Archemedia in Austin, TX. Me and a co-worker from the same company 
> (Endi Dewata) have been working on a Virtual Directory piece of 
> software. Currently we have developed it as a backend to OpenLDAP 
> (writing back-java on our own). We have an interest to see if we could 
> integrate our java code into the ApacheDS project. Perhaps as a 
> backend to ApacheDS. I want to see if there's any interest from you 
> all in having a virtual directory module for ApacheDS.

Absolutely this is a very exciting niche in directory services. 

We were considering LDAP Views (analogous to SQL views in the RDBMS world) 
for doing just this.  The view is essentially the fundamental mechanism 
for enabling a directory as a virtual directory.  Obviously the view is 
a hook into a complex subsystem of the directory server: the virtual 
directory part.  The server detects a request and delegates that request 
based on some subtree specification (see here in section 2.1) to this subsystem.  The 
subsystem can do what it wants to compose and return the response.  This 
includes any combination of the operations below and more ...

o assemble one or more entries into a super entry
o transform while assembling
o remap attributes between two schemas
o pull data from disparate (non jndi/ldap) resources to assemble the entry
o ...

This list really is just limited by our imagination isn't it :)?  Also 
note that the interceptor subsystem of the server comes in very handy 
here.  It can be used to trap a request, analyze it to see if it falls 
into a subtree that is associated with a virtual area and delegate the 
response to the virtual directory subsystem.  This is really cool stuff 
- probably because it's slick and not so easy to do - challenging.

I think you'll find many people that would be interested in pursuing 
this with you.  I'm very interested myself so count me in.  Another 
fellow named Mark Swanson is also interested in this for his schedule 
world application and his calendar server here:

Also if you would like, you're welcome to work on a draft spec for 
formalizing LDAP views.  I've started work on a draft for submission to 
the ietf to try to standardize views within LDAP.  If we implement this 
then virtual directories can be specified very easily.

> Btw, I just checked out and played with the ApacheDS. Great work! Just 
> by looking at the website, I got the impression that the project has 
> just started. But when I played and looked at the code, I am quite 
> thrilled.

That's really nice to hear.  We've been doing this for the past 30 or so 
months. However we've only been in the Apache Incubator for 16 months. 

