views: 907
answers: 5

I'm working on a Java web application that integrates with a few other external applications that are deployed along with it. Authentication information must be synchronized across everything and the other applications want to authenticate against LDAP. The application will be deployed in environments where there will be no other LDAP server for everything to use; I have to provide it. My solution so far has been to use Penrose Server as a standalone app, which I set up to examine tables in the main application's database and publish LDAP based on that. It works well, but it would be nice to have something that can be embedded into the main application itself to simplify deployment.

It looks like Penrose can be embedded, but the documentation can be a bit spotty or out-of-date (though it seems to be actively developed). It could be an acceptable solution, but if there is another out there that is known to work well in an embedded configuration I might want to check it out.

I'm also concerned about GPL issues with Penrose. I'm not at liberty to GPL the source code for the application. I don't believe it was an issue running it standalone, but embedding it may be no-no... anybody know for sure? A permissive license would be good in order to avoid these issues.

Requirements:

  1. LDAP v3
  2. Must be able to have the directory contents updated while running, either programmatically or by other means, like syncing with the database as Penrose does
  3. Easy to configure (no additional configuration for the app at deployment time would be ideal)

So far I've briefly looked at ApacheDS and OpenDS which seem to be embeddable.

Does anyone have experience with this kind of thing?

+2  A: 

As this question has been unanswered for quite some time, I'd like to suggest that you also take the commercial license of Penrose into account - it's got a dual license for people just like you, when the GPL implications are prohibitive. I don't know their prices and model, but it might be easier and cheaper to go with a solution that you already know than to get used to another one. You can either pay with your money or with your time...

Also - for the record, not applying in this case: When projects use the GPL and you'd like to embed them in a non-GPL way, it might pay to ask the developers for a more permissive license. Some people publish under GPL without thinking about the implications. You might get them to change the license if this means broader usage of the project. Others specifically want the GPL implications, but it's always good to ask. Penrose has already thought about this and offers a commercial license.

Olaf
A: 

I've just spent a couple of days looking into exposing our internal application user db as an LDAP service. I looked initially at apache-ds; while it seems to be a very powerful directory service, extending it to expose a relational db is mind-numbingly complex.

Have settled on penrose, as it seems to offer a pretty good solution; managed to prototype a solution in about 2 hours.

Gareth Davis
A: 

You should take a look at Apache DS. I just started using it as an embedded server to set up a JUnit test. It's working well so far; the only thing stopping me right now is my limited LDAP knowledge. ApacheDS looks like a decent project and I think it's worth the effort.

cringe
A: 

Hi, I would like to get the commercial version of Penrose LDAP. Can someone let me know the details?

Thanks, Sudhakar

Sudhakar
Perhaps consider asking the people licensing it?
Steven Schlansker
A: 

I've never done it myself, but you can use Spring Security to easily set up an embedded Apache Directory server, with minimal Spring XML config required.

Andrew Swan
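Added example (editor's code, not from any of the posters or from the ApacheDS, Penrose or Spring projects): the answers by cringe and Andrew Swan cover getting an embedded ApacheDS running, either programmatically or through Spring Security's `<ldap-server>` namespace element, which loads an LDIF at startup. What neither shows is the asker's requirement 2, keeping the directory in step with the application's user table while the server is running. The class below does that over plain JNDI, which works against any LDAPv3 server, embedded or not. It assumes the server listens on `ldap://localhost:33389`, that the suffix `dc=example,dc=com` and the container `ou=people` already exist (for example from the startup LDIF), and that the default ApacheDS administrator `uid=admin,ou=system` is used with a password taken from a system property; the user rows are constructed sample data standing in for a database query, and the code needs Java 16 or later for the `record`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Pushes application user records into an already-running LDAP server so the
 * directory stays in step with the application database. Server URL, base DN
 * and admin credentials are assumptions for this example.
 */
public class LdapUserSync {

    // Assumed: embedded server on an unprivileged local port, the default
    // ApacheDS admin DN, and a pre-existing ou=people under dc=example,dc=com.
    static final String URL      = "ldap://localhost:33389";
    static final String PEOPLE   = "ou=people,dc=example,dc=com";
    static final String ADMIN_DN = "uid=admin,ou=system";
    static final String ADMIN_PW = System.getProperty("ldap.adminPassword", "secret");

    /** One row of the application's user table (constructed sample data). */
    record User(String uid, String givenName, String sn, String mail, String password) {}

    public static void main(String[] args) throws Exception {
        List<User> rows = List.of(
            new User("alice", "Alice", "Anders", "alice@example.com", "correct horse"),
            new User("bob",   "Bob",   "Becker", "bob@example.com",   "battery staple"));

        DirContext admin = connect(ADMIN_DN, ADMIN_PW);
        try {
            for (User u : rows) upsert(admin, u);
        } finally {
            admin.close();
        }

        // Verify the way the other applications will actually use the directory:
        // a simple bind as the user, not an admin-side read of the entry.
        connect("uid=alice," + PEOPLE, "correct horse").close();
        System.out.println("alice can bind against the synchronised directory");
    }

    static DirContext connect(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Add the entry if it is missing, otherwise replace its attributes in place. */
    static void upsert(DirContext ctx, User u) throws NamingException {
        String dn = "uid=" + u.uid() + "," + PEOPLE;
        BasicAttributes attrs = new BasicAttributes(true);  // case-insensitive attribute IDs
        attrs.put("givenName", u.givenName());
        attrs.put("sn", u.sn());
        attrs.put("cn", u.givenName() + " " + u.sn());
        attrs.put("mail", u.mail());
        // Store a salted hash in RFC 2307 {SSHA} form; the server checks simple
        // binds against it, so no plaintext password is written to the directory.
        attrs.put("userPassword", ssha(u.password()));
        try {
            ctx.getAttributes(dn, new String[] {"objectClass"});   // throws if absent
            ctx.modifyAttributes(dn, DirContext.REPLACE_ATTRIBUTE, attrs);
        } catch (NameNotFoundException missing) {
            BasicAttribute oc = new BasicAttribute("objectClass");
            oc.add("top"); oc.add("person"); oc.add("organizationalPerson"); oc.add("inetOrgPerson");
            attrs.put(oc);
            attrs.put("uid", u.uid());
            ctx.createSubcontext(dn, attrs);
        }
    }

    /** {SSHA} = base64( SHA-1(password || salt) || salt ), with an 8-byte random salt. */
    static String ssha(String password) {
        try {
            byte[] salt = new byte[8];
            new SecureRandom().nextBytes(salt);
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            sha1.update(salt);
            byte[] digest = sha1.digest();
            byte[] out = new byte[digest.length + salt.length];
            System.arraycopy(digest, 0, out, 0, digest.length);
            System.arraycopy(salt, 0, out, digest.length, salt.length);
            return "{SSHA}" + Base64.getEncoder().encodeToString(out);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two caveats for the asker's situation. First, the example hashes a plaintext password because it has one; a real sync usually only has the database's stored hash, which can be copied into `userPassword` only if it is already in a scheme the server verifies (`{SHA}`, `{SSHA}`, `{MD5}` and the like), otherwise the external applications' binds will fail. Second, simple bind sends the password in the clear, so the `ldap://` URL is acceptable only while the server is embedded in the same JVM or host; anything reaching it over a network should use `ldaps://` or StartTLS.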