Directory Inserts

Directory inserts relate to the connection to directory and directory-like services and mapping the data from those services.

LDAP Insert

The LDAP insert is one of the core inserts. This insert allows MyVD to communicate with any LDAPv3 compliant directory. In addtion to LDAP directories, this isnert supports DSMLv2 and SPML. In order to take advantage of the SPML feautures you must download the OpenSPML toolkit (http://www.openspml.org/) and it's dependencies.

Class Name net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
Scope Add, Modify, Rename, Delete, Compare, Search, Bind, Extended Operations
Configuration Options host The host of the remote server. If this insert is using DSMLV2 or SPML then this is the URL of the end point.
port The port the remote ldap server is listening on. Ignored for DSMLV2 and SPML
remoteBase The base of the remote LDAP server that the insert would start at
minimumConnections The minimum number of connections to keep in the pool
maximumConnections The maximum number of connections to keep in the pool
proxyDN The DN of the user to connect as
proxyPass The password of the remote directory
type One of "ldap","ldaps","dsmlv2" or "spml"
spmlImpl When using SPML, the class name for the com.novell.ldap.spml.SPMLImpl interface
passBindOnly "true" or "false" if the user's credentials should be utilized for only the "bind" process. "false" if the credentials should be used on all operations.
ignoreRefs "true" if referrals should be ignored.

Kerberos Authenticator

The kerberos authenticator can be used to authenticate users via the Kerberos protocol, such as against Active Directory. Note that all configuration is based on the Java JNDI kerberos authentication file. (need to add a link)

Class Name net.sourceforge.myvd.inserts.kerberos.KerberosInterceptor
Scope Bind
Configuration Options None

NTLM Authenticator

The kerberos authenticator can be used to authenticate users via the NTLM protocol, such as against Active Directory or an NT4 Domain Controller.

Class Name net.sourceforge.myvd.inserts.jcifs.NTLMAuthenticator
Scope Bind
Configuration Options host The host of the NTLM server (AD or an NTLM file share)

Dynamic Groups Insert

The Dynamic Groups Insert allows for a Dyanmic Group (groupOfUrls) to act like a static group in the following ways:

  1. All dynamic members can be listed as static members
  2. You can test if a user is a member of the group by testing if the user is a static member

This all allows for applications that are not capable of using dynamic groups while still providing the maintenance benefits of static groups.

Class Name net.sourceforge.myvd.inserts.ldap.Dynamicgroups
Scope Search
Configuration Options dynamicObjectClass The object class for dynamic groups (typically groupOfUrls)
staticObjectClass The object class for static groups (typically groupOfUniqueNames)
urlAttribute The attribute that stores the LDAP url (typically memberUrl)
staticAttribute The attribute that stores static members (typically uniqueMember)

Embedded Groups

The Embedded Groups insert allows for static groups to contain members that are other groups to be tested with a user's DN. For instance:

dn: cn=Child Group,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: Child Group
uniqueMember: cn=Test User,ou=people,dc=domain,dc=com
.
.
.

dn: cn=Parent Group,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: Parent Group
uniqueMember: cn=Child Group,ou=groups,dc=domain,dc=com
.
.
.

The above example would typically require two searches in order to test 'cn=Test User,ou=people,dc=domain,dc=com':

  1. Retrieve the group
  2. Determine which members are groups, and search each group for the user 'cn=Test User,ou=people,dc=domain,dc=com'

The Embedded Groups does this work for you, tracking which members are groups to determine what groups need to be searched. The insert can track which members are groups either by polling the remote directory periodically or (if the directory supports it) by using persistent search to constantly track the addition or removal of groups.

Class Name net.sourceforge.myvd.inserts.ldap.EmbeddedGroups
Scope Search
Configuration Options groupSearchBase The search base in the remote directory to look for groups
staticObjectClass The object class for static groups (typically groupOfUniqueNames)
staticAttribute The attribute that stores static members (typically uniqueMember)
userDN The DN used to connect to the remote directory
userPwd The password used to connect to the remote directory
useSync true or false / True if MyVD should use persistent search to determine group DNs, false if the directory should be polled

Static Bind DN Map

The Static Bind DN Map insert can perform a static mapping from an external DN to a DN for a remote directory. Typically this insert would be used to map from DNs that are specific for an insert's base to a non-specific base. Such as when using Sun/Fedora Directory the root user is typically cn=Directory Manager which has no base, so this insert could map uid=admin,dc=domain,dc=com->cn=Directory Manager.

Class Name net.sourceforge.myvd.inserts.ldap.StaticDNMap
Scope Add,Modify,Delete,Bind,Search,Extended Operation
Configuration Options dnmap Pipe '|' separated list of carrot '^' separated DNs, external to internal (ie uid=admin,dc=domain,dc=com^cn=Directory Manager)