Pain-free ldap scenarios

Creative Commons Namensnennung-Keine kommerzielle Nutzung-Keine Bearbeitung 3.0 Österreich Lizenz of 26

Plone Conference 2010Bristol

Pain-free ldap scenarios

Florian Friesdorf <[email protected]>Munich, Germany

2010-10-28


Overview

● What is LDAP and how do users and groups look in there

● The current stack of libraries for LDAP in Plone● Our goal and principles● Our tools● Current status● Outlook


LDAP, a tree

● basically an object database● tree structure● every object has attributes● every object may have children● slow in writing, but fast in searching● indices for selected attributes


LDAP, a tree

● every object has– objectClasses defining possible attributes

– attributes

– children (optional)

● schemas define objectClasses and attributeTypes

● three scopes:– BASE: the entry itself

– ONELEVEL: all children of the entry

– SUBTREE: the entry and everything beneath


Example LDAP user

dn: uid=hagbard,o=LDD

uid: hagbard

objectClass: person

cn: Hagbard Celine

sn: Celine

userPassword: haileris

password normally encrypted


Groups in LDAP

● membership information on the group– OpenLDAP (core.schema)

● membership information on the user● membership information on both, redundant

– ActiveDirectory, OpenLDAP (optional)

● membership information on both, not redundant– POSIX: OpenDirectory, OpenLDAP (nis.schema)


Membership info on group

dn: cn=lieferickson,o=LDD

cn: lieferickson

objectClass: groupOfNames

member: uid=hagbard,o=LDD

member: uid=howard,o=LDD


Membership info on user


uid: hagbard

objectClass: person

cn: Hagbard Celine

sn: Celine

userPassword: haileris

memberOf: cn=lieferickson,o=LDD


Membership info on bothnon-redundant


objectClass: posixAccount

uidNumber: 17

gidNumber: 42

dn: cn=lieferickson,o=LDD

objectClass: posixGroup

gidNumber: 42

memberUID: 91

memberUID: 113


Current LDAP stackand related

● python-ldap, dataflake.ldapconnection, dataflake.cache

● PloneLDAP / LDAPMultiPlugins / LDAPUserFolder● PlonePAS / PluggableAuthServices● plone.app.ldap● PASGroupsFromLDAP (posix groups based on

bda.ldap)


python-ldap, dataflake.connection

dataflake.cache● low-level python ldap library● basic connection management● ldapadd, ldapdelete, ldapmodify, passwd● search, authenticate● synchronous and asynchronous operation

dataflake:● enhanced connection management/caching● unicode instead of utf-8


PloneLDAP, LDAPMultiPlugins,

LDAPUserFolder

LDAPUserFolder– acl_users implementation of former times

– builds on dataflake.ldapconnection/cache

LDAPMultiPlugins– PAS plugins specific to ActiveDirectory and OpenLDAP,

no posix support (OpenDirectory)

– uses LDAPUserFolder to access LDAP

PloneLDAP– wrapper for LDAPMultiPlugins


PlonePASPluggableAuthServices

PASGroupsFromLDAP

PluggableAuthServices (PAS)– acl_users implementation nowadays

– supports plugins for users, groups, rols, properties, session management

PlonePAS– massive monkey patch for PAS

– aware of PloneLDAP, monkey patching it if present

PASGroupsFromLDAP– support for posix groups, parallel to ldapmp


plone.app.ldap

● genericSetup profile to wrap installation of all above

● plone control panel integration for configuration of default setups

– baseDN

– uid attribute, rdn attribute,

● for everything else → ZMI, with potential for conflict


Current LDAP stackwrap-up

● too many packages with no clear borders● close to zero test coverage (except dataflake

packages)● caching on 5 levels

– PAS

– LDAPMultiPlugins

– LDAPUserFolder

– dataflake.cache

– python-ldap

● too complex


Goal

Make LDAP simple:● for the developer● for the inegrator● for the system administrator


Principles

● (LDAP) usermanagement is not specific to plone and should be realized independent of plone

● minimal code for plone integration● no ZMI● loadable presets for default setups● support whatever LDAP supports● ldap is a tree, so should our abstraction of it be● full test coverage


Our approach

● enhancement of python-ldap● Node-based tree representation

(bda.ldap/zodict)● Node-based user management (bda.ldap),

independent of plone● glue code PAS plugin, just for API translation● Plone integration (generic setup, config views)● bfg user management UI, also based on the

node-based user management


The nodes

→ python shell (bda.ldap fun)● LDAPNode with attributes and children● ONELEVEL vs. SUBTREE● AliasedNodespace● User/group node adapter● User/group folder node adapter


Plone integration

● PAS plugin that maps PAS plugin API to the API of the outside user management API (bda.ldap)

● generic setup profile to install the plugin● plone control panel views for persistent

configuration– how to connect to ldap

– how to find users and how to create one

– how to find groups and how to create one


bda.bfg.ugm

● repoze.bfg application to manage users● one dedicated application to manage users for

multiple plone sites● enable users for sites● assign to global groups● assign to site specific groups● define global roles per site● first stage suitable for up to 2000 users


bda.bfg.ugm

● node-based data model (bda.ldap)● node-based application model● direct rendering of UI on nodes● new form library (yafowil)


Statusbda.ldap

● ldap node – fully functional● ldap filter abstraction – fully functional● aliasing of attribute names – fully functional● user node adapter – fully functional● group node adapter – work in progress


bda.pasldapbda.plone.ldap

bda.bfg.app● bda.pasldap

– users readonly for hardcoded config

● bda.plone.ldap– plugin installation – fully functional

– users readonly for hardcoded config

– configuration views – work in progress

● bda.bfg.ugm– work in progress


Outlook

● user management via bfg application + full plone support (end of 2010)

● group management via bfg application + full plone support (February 2011)

● no schedule– group in group support

– further backends (sql)

– adapt UI too seriously many users


The End

Questions

Answers

Discussions

Pain-free ldap scenarios

Technology

Transcript of Pain-free ldap scenarios