Entries Tagged 'Penrose'
August 8th, 2006 — Penrose, Use Case
Here is a high-level overview of Pass-through Authentication.
Stephen Lombardo from Identicentric wrote:
“+1 for virtual directory pass-through authentication.
It’s definitely technically feasible and works very well to drive consolidation of authentication services. From past experience it’s one of the most powerful benefits of virtual directory technology. In fact, this feature was key to the value proposition and purchasing decision for several of the prominent deployments I’ve worked on.”
UPDATED: We added wizards in Penrose Studio that automatically configure the Penrose server to pass authentication requests back to Active Directory.
UPDATED: We currently support three different modes of PTA, namely:
- Default mode: Penrose initially binds to the target directory to check the credentials, then switches to a proxy account for all further operations on the connection. This is by far the most common scenario.
- Full mode: Penrose binds to the target directory to check the credentials and then holds the connection open to process all directory operations for that connection. In this mode, the credentials you supplied during the bind continue to be used for the subsequent operations. This mode is the most valuable in a security-conscious directory environment that makes heavy use of ACLs; in that kind of environment, default mode might be undesirable.
- Disabled mode: Penrose doesn’t allow pass-through at all. It always operates on the back-end directory with a proxy account. All bind operations against the target server are rejected, and any other operations are executed using the proxy account specified in its XML config.
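A minimal model of the three modes, added here as an illustration (it is not Penrose code or configuration); the DNs, the ACL and the class names are constructed for the example. It shows which identity the back-end directory evaluates its ACLs against in each mode.

```python
# Added illustration: a toy model of the three pass-through modes, not Penrose code.
from dataclasses import dataclass, field

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed sample DNs
PROXY = "cn=proxy,dc=example,dc=com"

class BindRejected(Exception):
    pass

@dataclass
class Backend:
    """Stand-in for the target directory; it only ever sees the DN it is given."""
    passwords: dict
    acl: dict                                  # attribute -> DNs allowed to read it
    audit: list = field(default_factory=list)  # (dn, attribute) per read

    def bind(self, dn, password):
        return dn in self.passwords and self.passwords[dn] == password

    def read(self, as_dn, attr):
        self.audit.append((as_dn, attr))
        return as_dn in self.acl.get(attr, set())

@dataclass
class VirtualDirectory:
    backend: Backend
    mode: str                # "default", "full" or "disabled"
    proxy_dn: str
    user_dn: str = None      # set only when full mode keeps the user's identity

    def bind(self, dn, password):
        if self.mode == "disabled":
            raise BindRejected("pass-through is disabled")
        if not self.backend.bind(dn, password):
            raise BindRejected("invalid credentials")
        # Full mode keeps operating as the user; default mode switches to the proxy.
        self.user_dn = dn if self.mode == "full" else None

    def read(self, attr):
        # Assumption of this model: a connection with no kept user identity
        # operates as the proxy (the page states this for disabled mode).
        return self.backend.read(self.user_dn or self.proxy_dn, attr)

def run(mode, password="s3cret"):
    """Return (bind accepted, 'salary' readable, DN the backend evaluated)."""
    backend = Backend({ALICE: "s3cret"}, {"mail": {ALICE, PROXY}, "salary": {PROXY}})
    vd = VirtualDirectory(backend, mode, PROXY)
    try:
        vd.bind(ALICE, password)
        bound = True
    except BindRejected:
        bound = False
    return bound, vd.read("salary"), backend.audit[-1][0]
```

In default mode the back end's ACLs and audit trail see only the proxy account, so per-user restrictions defined at the target directory are not applied; full mode is the one that preserves them.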
June 12th, 2006 — News, Penrose
Good news! We’ve launched our final release version of Penrose Virtual Directory Server. This release is a direct result of the awesome support from the Safehaus and Apache Directory communities… so thanks again to all of our 50+ beta testers. Download Penrose 1.0 now.
May 9th, 2006 — Penrose, Use Case
One of the goals of federation is to provide global single sign-on for end users. Identities from multiple organizations must be shared. As a consequence, federation projects must now work together with other companies while dealing with internal federation issues (involving the integration of internal identities). A Virtual Directory Server solves these common barriers when it:
Acts as an Authentication Server:
In federation, a user can sign on to a trusted server to get a security token (identifier). This authentication server has to aggregate multiple identities from possibly many external sources.
Acts as an Attribute Server:
Federation involves associating your various accounts from site to site. A small identifier containing a minimal set of information about you maintains the associations. Exposing only this minimal attribute requires an attribute server that lets sites obtain more information about the user based on the token held by the attribute. The challenge of building an attribute server lies in searching all attributes from external databases and directories quickly. Virtual directories dynamically access and store entries within a cache engine to aggregate user attributes from various places.
Acts as an Authentication Authority Server:
A virtual directory can bring in various policies from different data sources.
UPDATED 5/9/06: We just announced a partnership with Ping Identity. PingFederate can use identity information within Penrose through its LDAP attribute selection and mapping feature.
April 27th, 2006 — Penrose, Tool, Use Case
Aside from manageability and robustness, companies buy an LDAP server for its performance. A directory server is traditionally used as a centralized lookup service or an identity backbone. With the recent release, we are now marrying the performance of a commercial LDAP server with the versatility of a virtual directory by way of the persistent cache feature. The basic concept of persistent cache is quite simple: because cached entries are stored in a disk-based mechanism, they survive a sudden loss of power (recycle). Since we can store those entries on any LDAP or database server, the cache also gains unlimited storage capacity.
(Illustration diagrams)


UPDATED: Complete documentation and the etrust module JAR file are now online.
April 20th, 2006 — News, Penrose, Use Case
Penrose can leverage Sun Java Directory Server to store its persistent cache. Here is the HOW-TO.
March 22nd, 2006 — News, Penrose, Use Case
Penrose supports Multi-target Writeback, where a single LDAP operation against the Penrose server is translated into many write operations to the back-end stores (multi-target). If all back-end stores are XA-aware, Penrose can execute an XA write-back (for example, System 1 and System 2 must both update, or the entire transaction rolls back). This feature is quite useful for provisioning multiple accounts.
March 3rd, 2006 — News, Penrose
You can now run Penrose inside JBoss. While we’re on this topic, I want to discuss licensing compatibility. As you know, GPL and LGPL licensed software don’t mix. In Penrose’s case, we made an exception for LGPL-based software, including JBoss.
See our FAQ:
Can my BSD/LGPL licensed software include Penrose without violating your GPL license?
Yes, you CAN. We created a FLOSS exception to address this concern. JBoss (LGPL License) can embed Penrose without worrying about license compatibility.
However, it would be illegal for a commercial vendor to re-distribute/re-sell JBoss with Penrose inside.
December 23rd, 2005 — Penrose, Tool
It is easy to create a mapping from a database column to an LDAP entry, and conversely from an LDAP entry to a database column, using the Penrose Studio point-and-click mapping UI. The process can be broken down into three steps:
1. Connect your desired data source; this could be a directory or a database.
2. Create a virtual schema for your desired LDAP views.
3. Publish and deploy your virtual schema into the Penrose server.
Penrose Studio is based on Eclipse RCP PDE (Plugin Development Environment).
December 13th, 2005 — News, Penrose
We just released Penrose 0.9.8, which now supports a persistent cache mechanism. Persistent cache allows faster recovery from hardware failure by storing all the cached entries in a persistent store. A persistent store can be a database or an LDAP server. We tested our persistent cache implementation against both OpenLDAP and Sun One DS.
October 5th, 2005 — News, Penrose
Dave Kearns wrote an article about the Penrose Project and Safehaus. For individuals who have an existing open source project that needs personalized technical services, Safehaus.org can help.