Hi!
This is possible; all it needs is an implementation of a new Authenticator.
We already have a DelegatingAuthenticator class that delegates
authentication to a remote LDAP server, so for your need, you have to
implement a similar class delegating authentication to an OAuth2 or
OpenID provider.
Here are the references to the interface and class:
https://nightlies.apache.org/directory/apacheds/2.0.0.AM26/apidocs/org/apache/directory/shared/kerberos/messages/Authenticator.html
and the DelegatingAuthenticator:
https://nightlies.apache.org/directory/apacheds/2.0.0.AM26/apidocs/org/apache/directory/server/core/authn/DelegatingAuthenticator.html
(code:
https://nightlies.apache.org/directory/apacheds/2.0.0.AM26/apidocs/src-html/org/apache/directory/server/core/authn/DelegatingAuthenticator.html#line.45)
In order to have it work, you will need to add some configuration
element, like what has been done for the DelegatingAuthenticator:
dn: ads-authenticatorid=delegatingauthenticator,ou=authenticators,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-authenticatorid: delegatingauthenticator
objectClass: top
objectClass: ads-base
objectClass: ads-authenticator
objectClass: ads-authenticatorImpl
ads-authenticatorClass: org.apache.directory.server.core.authn.DelegatingAuthenticator
ads-baseDn:
ads-enabled: FALSE
(this is in the config.ldif file).
Let me know if you need more direction...
On 02/01/2022 23:30, Eugen Stan wrote:
Hi,
I would like to know if this is doable with Apache DS or an LDAP library.
I would like to build an application that can offer a basic set of
functionality to perform LDAP authentication (and maybe password reset)
and delegate this to an existing auth service (Keycloak, a user and
password database, a simple file, Google Auth, whatever).
The use case is that some applications work with LDAP auth for unified
authentication and don't provide Oauth2 / OpenID connect support.
I would like to deploy Keycloak or another IDM server to manage users
and offer those applications an LDAPS endpoint against which they authenticate.
To my knowledge I would need some sort of **SIMPLE** embedded LDAP
server that lets me map the auth structure to my existing data stored in a
DB or a REST service.
Users will configure the legacy app to use my LDAP auth server.
The auth server will receive auth requests and read data from my real
auth service (Keycloak, plain user + pass file, etc.).
This is kind of the reverse of what people are doing (putting OpenID
Connect on top of LDAP servers).
The use case is pretty small and I think I could get away with a simple
LDAP protocol parsing library.
I would like to avoid any unnecessary complexity: LDAP schemas, etc.
Would this be possible?
What should I try?
Thanks,
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
[email protected] https://www.busit.com/
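As an added example, not code from this thread or from ApacheDS itself, here is a sketch of the Authenticator Emmanuel describes: a subclass of AbstractAuthenticator that delegates a SIMPLE bind to an OpenID Connect provider's token endpoint using the password grant (Keycloak calls it Direct Access Grants). The class name, endpoint URL and client id are assumptions; the class would be registered via ads-authenticatorClass in a config.ldif entry like the one above.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.authn.AbstractAuthenticator;
// Added example (not ApacheDS code): answers a SIMPLE bind by asking an OIDC provider.
public class OidcDelegatingAuthenticator extends AbstractAuthenticator {
    // Assumed Keycloak-style token endpoint. Keep it https: the bind password travels in the body.
    private String tokenEndpoint = "https://idp.example.invalid/realms/demo/protocol/openid-connect/token";
    private String clientId = "ldap-bridge"; // assumed public client with the password grant enabled
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    public OidcDelegatingAuthenticator() { super(AuthenticationLevel.SIMPLE); }
    @Override
    public LdapPrincipal authenticate(BindOperationContext bindContext) throws LdapException {
        Dn bindDn = bindContext.getDn();
        byte[] credentials = bindContext.getCredentials();
        if (bindDn.isEmpty() || credentials == null || credentials.length == 0) {
            throw new LdapAuthenticationException("Anonymous or empty-password bind is not accepted here");
        }
        // Map the leftmost RDN value (uid=alice,ou=users,...) to the IdP username.
        String form = "grant_type=password&client_id=" + enc(clientId)
            + "&username=" + enc(bindDn.getRdn().getValue())
            + "&password=" + enc(new String(credentials, StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create(tokenEndpoint)).timeout(Duration.ofSeconds(10))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        try {
            // 200 means the IdP accepted the password; the token is not needed for a bind and is discarded.
            if (http.send(req, HttpResponse.BodyHandlers.discarding()).statusCode() == 200) {
                return new LdapPrincipal(getDirectoryService().getSchemaManager(), bindDn,
                    AuthenticationLevel.SIMPLE, credentials);
            }
        } catch (IOException | InterruptedException e) {
            // IdP unreachable: fail closed. Log the cause in real code, never the password.
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
        }
        throw new LdapAuthenticationException("Delegated authentication failed for " + bindDn);
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
}
```

A 400 or 401 from the token endpoint (wrong password, disabled user) falls through to the same generic bind failure as a network error, so the LDAP client learns nothing about which it was.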