Pain-free ldap scenarios

Presentation transcript

Slide 1 of 26: Pain-free ldap scenarios

Plone Conference 2010, Bristol
Florian Friesdorf <flo@chaoflow.net>
Munich, Germany, 2010-10-28

License (printed in the footer of every slide): Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Austria (Creative Commons Namensnennung-Keine kommerzielle Nutzung-Keine Bearbeitung 3.0 Österreich Lizenz)
Slide 2 of 26: Overview

  ● What is LDAP and how do users and groups look in there
  ● The current stack of libraries for LDAP in Plone
  ● Our goal and principles
  ● Our tools
  ● Current status
  ● Outlook
Slide 3 of 26: LDAP, a tree

  ● basically an object database
  ● tree structure
  ● every object has attributes
  ● every object may have children
  ● slow in writing, but fast in searching
  ● indices for selected attributes
Slide 4 of 26: LDAP, a tree

  ● every object has
    – objectClasses defining possible attributes
    – attributes
    – children (optional)
  ● schemas define objectClasses and attributeTypes
  ● three scopes:
    – BASE: the entry itself
    – ONELEVEL: all children of the entry
    – SUBTREE: the entry and everything beneath
Slide 5 of 26: Example LDAP user

    dn: uid=hagbard,o=LDD
    uid: hagbard
    objectClass: person
    cn: Hagbard Celine
    sn: Celine
    userPassword: haileris

  (the password is normally encrypted)
Slide 6 of 26: Groups in LDAP

  ● membership information on the group
    – OpenLDAP (core.schema)
  ● membership information on the user
  ● membership information on both, redundant
    – ActiveDirectory, OpenLDAP (optional)
  ● membership information on both, not redundant
    – POSIX: OpenDirectory, OpenLDAP (nis.schema)
Slide 7 of 26: Membership info on group

    dn: cn=lieferickson,o=LDD
    cn: lieferickson
    objectClass: groupOfNames
    member: uid=hagbard,o=LDD
    member: uid=howard,o=LDD
Slide 8 of 26: Membership info on user

    dn: uid=hagbard,o=LDD
    uid: hagbard
    objectClass: person
    cn: Hagbard Celine
    sn: Celine
    userPassword: haileris
    memberOf: cn=lieferickson,o=LDD
Slide 9 of 26: Membership info on both, non-redundant

    dn: uid=hagbard,o=LDD
    objectClass: posixAccount
    uidNumber: 17
    gidNumber: 42

    dn: cn=lieferickson,o=LDD
    objectClass: posixGroup
    gidNumber: 42
    memberUID: 91
    memberUID: 113
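Slides 6 to 9 list four places where membership can live; what a consumer such as a PAS groups plugin must do to answer "which groups is this user in?" differs for each, and in the redundant model the two copies can drift apart. The following is an added example of mine, not code from the talk or from bda.ldap: it resolves a user's groups under each model over entries constructed from the slides' LDIF (uid=hagbard, cn=lieferickson, gidNumber 42), and for the redundant model reports every group on which the user side and the group side disagree. The attributes of uid=howard and the posixGroup cn=users are assumptions. In the POSIX data the memberUid values are login names, which is what nis.schema defines that attribute to carry.

```python
"""Resolving a user's groups under the membership models of slides 6-9.
Added example, not code from the talk or from bda.ldap.  Entries are
constructed from the slides' LDIF (uid=hagbard, cn=lieferickson,
gidNumber 42); uid=howard's attributes and cn=users are assumptions."""
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Model 1 (OpenLDAP core.schema groupOfNames): the group carries membership.
GROUPS: Dict[str, Entry] = {
    "cn=lieferickson,o=LDD": {
        "objectClass": ["groupOfNames"], "cn": ["lieferickson"],
        "member": ["uid=hagbard,o=LDD", "uid=howard,o=LDD"]},
}

# Model 2: the user carries membership (memberOf).  howard's entry is
# constructed to disagree with GROUPS above so the redundancy check for
# model 3 (both sides, redundant) has something to find.
USERS: Dict[str, Entry] = {
    "uid=hagbard,o=LDD": {
        "objectClass": ["person"], "uid": ["hagbard"],
        "memberOf": ["cn=lieferickson,o=LDD"]},
    "uid=howard,o=LDD": {
        "objectClass": ["person"], "uid": ["howard"], "memberOf": []},
}

# Model 4 (POSIX, nis.schema): the user carries its primary group as
# gidNumber, the group carries supplementary members as memberUid (login
# names); no fact is stored twice.
POSIX: Dict[str, Entry] = {
    "uid=hagbard,o=LDD": {
        "objectClass": ["posixAccount"], "uid": ["hagbard"],
        "uidNumber": ["17"], "gidNumber": ["42"]},
    "uid=howard,o=LDD": {
        "objectClass": ["posixAccount"], "uid": ["howard"],
        "uidNumber": ["91"], "gidNumber": ["1000"]},
    "cn=lieferickson,o=LDD": {
        "objectClass": ["posixGroup"], "cn": ["lieferickson"],
        "gidNumber": ["42"], "memberUid": ["howard"]},
    "cn=users,o=LDD": {
        "objectClass": ["posixGroup"], "cn": ["users"],
        "gidNumber": ["1000"], "memberUid": []},
}


def groups_via_group(user_dn: str, groups: Dict[str, Entry]) -> Set[str]:
    """Model 1: the groupOfNames entries whose member attribute names the
    user's DN (against a server this is a search for (member=<dn>))."""
    return {dn for dn, e in groups.items()
            if "groupOfNames" in e.get("objectClass", [])
            and user_dn in e.get("member", [])}


def groups_via_user(user_dn: str, users: Dict[str, Entry]) -> Set[str]:
    """Model 2: read memberOf straight off the user's own entry."""
    return set(users[user_dn].get("memberOf", []))


def groups_via_posix(user_dn: str, entries: Dict[str, Entry]) -> Set[str]:
    """Model 4: the primary group is the posixGroup whose gidNumber equals
    the user's; supplementary groups list the user's uid in memberUid."""
    user = entries[user_dn]
    uid, gid = user["uid"][0], user["gidNumber"][0]
    return {dn for dn, e in entries.items()
            if "posixGroup" in e.get("objectClass", [])
            and (gid in e.get("gidNumber", []) or uid in e.get("memberUid", []))}


def redundancy_findings(user_dn: str, users: Dict[str, Entry],
                        groups: Dict[str, Entry]) -> List[str]:
    """Model 3 (ActiveDirectory, OpenLDAP optionally) keeps membership on
    both sides.  A consumer trusting only the user side and one trusting
    only the group side must reach the same answer, so report every group
    on which the two views differ."""
    from_group = groups_via_group(user_dn, groups)
    from_user = groups_via_user(user_dn, users)
    findings = []
    for g in sorted(from_group - from_user):
        findings.append("%s lists %s as member, but the user has no matching memberOf"
                        % (g, user_dn))
    for g in sorted(from_user - from_group):
        findings.append("%s has memberOf %s, but the group does not list it"
                        % (user_dn, g))
    return findings


if __name__ == "__main__":
    for dn in ("uid=hagbard,o=LDD", "uid=howard,o=LDD"):
        print(dn)
        print("  via group:", sorted(groups_via_group(dn, GROUPS)))
        print("  via user: ", sorted(groups_via_user(dn, USERS)))
        print("  posix:    ", sorted(groups_via_posix(dn, POSIX)))
        for finding in redundancy_findings(dn, USERS, GROUPS):
            print("  MISMATCH:", finding)
```

For hagbard all three resolvers agree on cn=lieferickson; for howard the POSIX view adds cn=users through his primary gidNumber, and the redundancy check reports that the group lists him while his entry carries no memberOf. A periodic run of that kind of check is the cheapest way to notice a directory whose redundant copies have stopped being maintained together.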
Slide 10 of 26: Current LDAP stack and related

  ● python-ldap, dataflake.ldapconnection, dataflake.cache
  ● PloneLDAP / LDAPMultiPlugins / LDAPUserFolder
  ● PlonePAS / PluggableAuthServices
  ● plone.app.ldap
  ● PASGroupsFromLDAP (posix groups based on bda.ldap)
Slide 11 of 26: python-ldap, dataflake.connection, dataflake.cache

python-ldap:
  ● low-level python ldap library
  ● basic connection management
  ● ldapadd, ldapdelete, ldapmodify, passwd
  ● search, authenticate
  ● synchronous and asynchronous operation

dataflake:
  ● enhanced connection management/caching
  ● unicode instead of utf-8
Slide 12 of 26: PloneLDAP, LDAPMultiPlugins, LDAPUserFolder

LDAPUserFolder
  – acl_users implementation of former times
  – builds on dataflake.ldapconnection/cache

LDAPMultiPlugins
  – PAS plugins specific to ActiveDirectory and OpenLDAP, no posix support (OpenDirectory)
  – uses LDAPUserFolder to access LDAP

PloneLDAP
  – wrapper for LDAPMultiPlugins
Slide 13 of 26: PlonePAS, PluggableAuthServices, PASGroupsFromLDAP

PluggableAuthServices (PAS)
  – acl_users implementation nowadays
  – supports plugins for users, groups, roles, properties, session management

PlonePAS
  – massive monkey patch for PAS
  – aware of PloneLDAP, monkey patching it if present

PASGroupsFromLDAP
  – support for posix groups, parallel to ldapmp
Slide 14 of 26: plone.app.ldap

  ● genericSetup profile to wrap installation of all above
  ● plone control panel integration for configuration of default setups
    – baseDN
    – uid attribute, rdn attribute,
  ● for everything else → ZMI, with potential for conflict
Slide 15 of 26: Current LDAP stack wrap-up

  ● too many packages with no clear borders
  ● close to zero test coverage (except dataflake packages)
  ● caching on 5 levels
    – PAS
    – LDAPMultiPlugins
    – LDAPUserFolder
    – dataflake.cache
    – python-ldap
  ● too complex
Slide 16 of 26: Goal

Make LDAP simple:
  ● for the developer
  ● for the integrator
  ● for the system administrator
Slide 17 of 26: Principles

  ● (LDAP) user management is not specific to plone and should be realized independent of plone
  ● minimal code for plone integration
  ● no ZMI
  ● loadable presets for default setups
  ● support whatever LDAP supports
  ● ldap is a tree, so should our abstraction of it be
  ● full test coverage
Slide 18 of 26: Our approach

  ● enhancement of python-ldap
  ● Node-based tree representation (bda.ldap/zodict)
  ● Node-based user management (bda.ldap), independent of plone
  ● glue code PAS plugin, just for API translation
  ● Plone integration (generic setup, config views)
  ● bfg user management UI, also based on the node-based user management
Slide 19 of 26: The nodes → python shell (bda.ldap fun)

  ● LDAPNode with attributes and children
  ● ONELEVEL vs. SUBTREE
  ● AliasedNodespace
  ● User/group node adapter
  ● User/group folder node adapter
Slide 20 of 26: Plone integration

  ● PAS plugin that maps the PAS plugin API onto the API of the external user management (bda.ldap)
  ● generic setup profile to install the plugin
  ● plone control panel views for persistent configuration
    – how to connect to ldap
    – how to find users and how to create one
    – how to find groups and how to create one
Slide 21 of 26: bda.bfg.ugm

  ● repoze.bfg application to manage users
  ● one dedicated application to manage users for multiple plone sites
  ● enable users for sites
  ● assign to global groups
  ● assign to site specific groups
  ● define global roles per site
  ● first stage suitable for up to 2000 users
Slide 22 of 26: bda.bfg.ugm

  ● node-based data model (bda.ldap)
  ● node-based application model
  ● direct rendering of UI on nodes
  ● new form library (yafowil)
Slide 23 of 26: Status bda.ldap

  ● ldap node – fully functional
  ● ldap filter abstraction – fully functional
  ● aliasing of attribute names – fully functional
  ● user node adapter – fully functional
  ● group node adapter – work in progress
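Slides 19 and 23 name the two ideas the new stack rests on: an LDAPNode that carries attributes and children, and aliasing of attribute names so that one user adapter can serve schemas that keep the login in different attributes. As an added example of mine, and not bda.ldap's own classes or API, the block below sketches both: a node tree whose DN is derived from its position (so an entry cannot claim a DN that disagrees with where it hangs), a SUBTREE walk, and an aliased attribute view that lets the same `login_of` adapter read uid from the slides' OpenLDAP-style entry and sAMAccountName from an assumed Active Directory style entry. All class, function and alias names are assumptions.

```python
"""A node-style view of LDAP entries with aliased attribute names, in the
spirit of slide 19 (LDAPNode, AliasedNodespace) and slide 23 (aliasing of
attribute names).  Added example: classes, names and sample entries are
assumptions for illustration, not bda.ldap's implementation or API."""
from typing import Dict, Iterator, List, Optional


class LDAPNode:
    """Tree node: an RDN, multi-valued attributes, and children keyed by
    RDN.  The DN is computed from the path to the root, never stored."""

    def __init__(self, rdn: str, attrs: Optional[Dict[str, List[str]]] = None):
        self.rdn = rdn
        self.attrs: Dict[str, List[str]] = dict(attrs or {})
        self.parent: Optional["LDAPNode"] = None
        self.children: Dict[str, "LDAPNode"] = {}

    def add(self, child: "LDAPNode") -> "LDAPNode":
        # RDNs compare case-insensitively, so UID=x and uid=x collide.
        if child.rdn.lower() in {k.lower() for k in self.children}:
            raise KeyError("duplicate RDN under %s: %s" % (self.dn, child.rdn))
        child.parent = self
        self.children[child.rdn] = child
        return child

    @property
    def dn(self) -> str:
        parts = []
        node: Optional["LDAPNode"] = self
        while node is not None:
            parts.append(node.rdn)
            node = node.parent
        return ",".join(parts)

    def walk(self) -> Iterator["LDAPNode"]:
        """SUBTREE order: this node, then every descendant."""
        yield self
        for child in self.children.values():
            yield from child.walk()


class AliasedAttributes:
    """Read/write view of a node's attributes under application names, so
    adapter code never has to know whether the login lives in uid or in
    sAMAccountName.  Names without an alias pass through unchanged."""

    def __init__(self, node: LDAPNode, aliases: Dict[str, str]):
        self.node = node
        self.to_ldap = dict(aliases)                 # app name -> LDAP attribute
        self.to_app = {v: k for k, v in aliases.items()}

    def __getitem__(self, name: str) -> List[str]:
        return self.node.attrs[self.to_ldap.get(name, name)]

    def __setitem__(self, name: str, values: List[str]) -> None:
        self.node.attrs[self.to_ldap.get(name, name)] = list(values)

    def keys(self) -> List[str]:
        return sorted(self.to_app.get(a, a) for a in self.node.attrs)


# Assumed alias tables for the two schema flavours.
OPENLDAP_ALIASES = {"login": "uid", "fullname": "cn", "surname": "sn"}
AD_ALIASES = {"login": "sAMAccountName", "fullname": "cn", "surname": "sn"}


def build_tree() -> LDAPNode:
    """Constructed sample: the slides' o=LDD with uid=hagbard and the
    group cn=lieferickson hanging directly beneath it."""
    root = LDAPNode("o=LDD", {"objectClass": ["organization"]})
    root.add(LDAPNode("uid=hagbard", {
        "objectClass": ["person"], "uid": ["hagbard"],
        "cn": ["Hagbard Celine"], "sn": ["Celine"]}))
    root.add(LDAPNode("cn=lieferickson", {
        "objectClass": ["groupOfNames"], "member": ["uid=hagbard,o=LDD"]}))
    return root


def login_of(node: LDAPNode, aliases: Dict[str, str]) -> str:
    """Adapter code that only knows the application name 'login'."""
    return AliasedAttributes(node, aliases)["login"][0]


if __name__ == "__main__":
    tree = build_tree()
    print([n.dn for n in tree.walk()])
    print(login_of(tree.children["uid=hagbard"], OPENLDAP_ALIASES))
    ad_user = LDAPNode("cn=Howard", {"sAMAccountName": ["howard"], "cn": ["Howard"]})
    print(login_of(ad_user, AD_ALIASES))
```

The point of the alias view is that writes go through it as well: setting `surname` on the OpenLDAP-style node updates `sn`, so application code and schema-specific attribute names meet in exactly one table instead of being scattered through plugins.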
Slide 24 of 26: bda.pasldap, bda.plone.ldap, bda.bfg.app

  ● bda.pasldap
    – users readonly for hardcoded config
  ● bda.plone.ldap
    – plugin installation – fully functional
    – users readonly for hardcoded config
    – configuration views – work in progress
  ● bda.bfg.ugm – work in progress
Slide 25 of 26: Outlook

  ● user management via bfg application + full plone support (end of 2010)
  ● group management via bfg application + full plone support (February 2011)
  ● no schedule
    – group in group support
    – further backends (sql)
    – adapt UI to seriously many users
Slide 26 of 26: The End

Questions, answers, discussions