directory-dev mailing list archives

From Emmanuel Lécharny <>
Subject Re: ApacheDS as LDAP proxy / custom interceptors
Date Wed, 06 May 2020 06:23:32 GMT
Hi !

On 05/05/2020 08:31, Christopher Cudennec wrote:
> Hello everyone!
> Since this is my first post on this list, I want to say thank you for 
> your great project!
> We want to use ApacheDS as a proxy to another LDAP server and try to 
> adapt the examples for writing custom interceptors. Can you help us 
> with the following questions?
> (1) Is there a preferred way of registering the new interceptor?
> There seems to be some kind of lifecycle management, someone needs to 
> call the “init” method of the interceptor.
This is done by the DefaultDirectoryServer.initInterceptors() method 
which is called when the DS is initialized.

Of course, your interceptor must be in the list of interceptors. We set 
a list of default interceptors in setDefaultInterceptorConfigurations() 
(if no list is defined), or the addLast() method is called for each 
interceptor defined in the config, in the order they are defined.

> When adding the new interceptor to the directory service’s 
> interceptors list by “setInterceptors” the init method is not invoked.
Yes. The interceptors must have been defined before the DS is started. 
If you add interceptors after the DS is initialized, then you must call 
the interceptor init() function explicitly.

> We also tried “addAfter” but that method does something slightly 
> different. I think it would be nice to have one main entry point for 
> adding new interceptors.
> BTW: “addAfter” of “DefaultDirectoryService” contains a bug. It adds 
> the new interceptor /before/ and not after another interceptor.
Can you file a JIRA for that?
> (2) Why does AuthenticationInterceptor not pass “bind” to the next 
> interceptor?
Because once the authentication is done, there is no reason to do 
anything else. But we can change that, because in the end, it does not 
matter if no other interceptors are handling the bind event.
> Is there a minimum set of interceptors that are absolutely needed for 
> the LDAP server to work correctly? As AuthenticationInterceptor also 
> deals with creating a session I would like to reuse the code. But when 
> I add my proxy interceptor after AuthenticationInterceptor it will not 
> be invoked for “bind”.

The default list is enough:

         list.add( new NormalizationInterceptor() );
         list.add( new AuthenticationInterceptor() );
         list.add( new ReferralInterceptor() ); // can be disabled if you don't have any referral
         list.add( new AciAuthorizationInterceptor() ); // can be
         list.add( new DefaultAuthorizationInterceptor() );
         list.add( new AdministrativePointInterceptor() );
         list.add( new ExceptionInterceptor() );
         list.add( new SchemaInterceptor() );
         list.add( new OperationalAttributeInterceptor() );
         list.add( new CollectiveAttributeInterceptor() ); // can be disabled if you don't have collective attributes
         list.add( new SubentryInterceptor() );
         list.add( new EventInterceptor() ); // can be disabled if you don't have any listener
         list.add( new TriggerInterceptor() ); // can be disabled
         list.add( new ChangeLogInterceptor() ); // can be disabled
         list.add( new JournalInterceptor() ); // can be disabled

> (3) What class of ApacheDS is responsible for creating the messageId 
> and at which point is it created?
The messageID is created by the client, not the server.
> (4) Can we also use Github for contributions?


> We already have Github accounts so that would be much easier for us. 😊
> Thank you very much and best regards,
> Christopher
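
Added example, not part of the original message and not ApacheDS project code: one way to register a custom interceptor so that it sees "bind" (placed before AuthenticationInterceptor) and is initialized whether or not the DS has already started. It assumes the ApacheDS 2.0 package layout and slf4j on the classpath; the class name ProxyBindInterceptor, the interceptor name and the audit logging are hypothetical.

```java
import java.util.List;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.Interceptor;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.authn.AuthenticationInterceptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical interceptor: class name, interceptor name and logging are assumptions.
public class ProxyBindInterceptor extends BaseInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(ProxyBindInterceptor.class);

    public ProxyBindInterceptor() {
        super("proxyBindInterceptor");
    }

    @Override
    public void bind(BindOperationContext bindContext) throws LdapException {
        // Reached only when this interceptor precedes AuthenticationInterceptor,
        // which does not pass bind to the next interceptor. The request is still
        // unauthenticated here, so record the DN only, never the credentials.
        LOG.info("bind requested for {}", bindContext.getDn());
        next(bindContext); // AuthenticationInterceptor authenticates and creates the session
    }

    // Insert the interceptor directly before AuthenticationInterceptor.
    public static void register(DirectoryService service) throws LdapException {
        List<Interceptor> chain = service.getInterceptors();
        int authIndex = -1;
        for (int i = 0; i < chain.size(); i++) {
            if (chain.get(i) instanceof AuthenticationInterceptor) {
                authIndex = i;
                break;
            }
        }
        if (authIndex < 0) {
            // Fail closed rather than run a chain without authentication.
            throw new IllegalStateException("AuthenticationInterceptor not in chain");
        }
        Interceptor proxy = new ProxyBindInterceptor();
        chain.add(authIndex, proxy);
        service.setInterceptors(chain);
        if (service.isStarted()) {
            // setInterceptors() does not invoke init(); do it explicitly after startup.
            proxy.init(service);
        }
    }
}
```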
