Pain-free ldap scenarios

Transcript

  • 1. Plone Conference 2010, Bristol: Pain-free ldap scenarios. Florian Friesdorf <flo@chaoflow.net>, Munich, Germany, 2010-10-28. License (all slides): Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Austria.
  • 2. Overview
    ● What is LDAP and how do users and groups look in there
    ● The current stack of libraries for LDAP in Plone
    ● Our goal and principles
    ● Our tools
    ● Current status
    ● Outlook
  • 3. LDAP, a tree
    ● basically an object database
    ● tree structure
    ● every object has attributes
    ● every object may have children
    ● slow in writing, but fast in searching
    ● indices for selected attributes
  • 4. LDAP, a tree
    ● every object has
      – objectClasses, defining the possible (and required) attributes
      – attributes
      – children (optional)
    ● schemas define objectClasses and attributeTypes
    ● three search scopes:
      – BASE: the entry itself
      – ONELEVEL: all direct children of the entry (not the entry itself)
      – SUBTREE: the entry and everything beneath it
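The scope rules above are easy to get wrong (ONELEVEL excludes the base entry, SUBTREE includes it, and a missing base is an error rather than an empty result). The following is an added example, not code from the talk or from bda.ldap: a tiny in-memory model of a directory tree with a search function implementing the three scopes. The entries, the o=LDD layout and the predicate-as-filter are constructed for illustration, and the DN handling assumes one RDN per level with no escaped commas.

```python
"""Added example: an in-memory LDAP tree and the three search scopes
(BASE, ONELEVEL, SUBTREE), runnable without a directory server."""

# Constructed sample directory: DN -> attributes, values as lists the way
# python-ldap returns them. Layout mirrors the slides' o=LDD example.
DIT = {
    "o=LDD": {"objectClass": ["organization"], "o": ["LDD"]},
    "ou=people,o=LDD": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "ou=groups,o=LDD": {"objectClass": ["organizationalUnit"], "ou": ["groups"]},
    "uid=hagbard,ou=people,o=LDD": {
        "objectClass": ["person", "inetOrgPerson"], "uid": ["hagbard"],
        "cn": ["Hagbard Celine"], "sn": ["Celine"]},
    "uid=howard,ou=people,o=LDD": {
        "objectClass": ["person", "inetOrgPerson"], "uid": ["howard"],
        "cn": ["Howard"], "sn": ["Howard"]},
    "cn=lieferickson,ou=groups,o=LDD": {
        "objectClass": ["groupOfNames"], "cn": ["lieferickson"],
        "member": ["uid=hagbard,ou=people,o=LDD", "uid=howard,ou=people,o=LDD"]},
}

# Same numeric values as ldap.SCOPE_BASE / SCOPE_ONELEVEL / SCOPE_SUBTREE.
BASE, ONELEVEL, SUBTREE = 0, 1, 2


def normalize(dn):
    """Simplified DN matching: case- and whitespace-insensitive comparison
    (assumes one RDN per comma-separated component, no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def depth_below(dn, base):
    """RDN steps from base down to dn: 0 for base itself,
    None if dn is not located under base at all."""
    dn, base = normalize(dn), normalize(base)
    if dn == base:
        return 0
    if not dn.endswith("," + base):
        return None
    return dn[: -len(base) - 1].count(",") + 1


def search(dit, base, scope, match=lambda attrs: True):
    """Return [(dn, attrs)] reachable from base with the given scope.
    `match` is a predicate over the attribute dict and stands in for an
    LDAP filter string."""
    if normalize(base) not in {normalize(dn) for dn in dit}:
        # A real server answers noSuchObject (result code 32) here,
        # which is not the same as "no matching entries".
        raise LookupError("noSuchObject: %s" % base)
    wanted = {BASE: (0,), ONELEVEL: (1,), SUBTREE: None}[scope]
    result = []
    for dn, attrs in dit.items():
        depth = depth_below(dn, base)
        if depth is None:
            continue
        if (wanted is None or depth in wanted) and match(attrs):
            result.append((dn, attrs))
    return result


def dns(entries):
    """Sorted DNs of a search result, for readable comparisons."""
    return sorted(dn for dn, _ in entries)


if __name__ == "__main__":
    print(dns(search(DIT, "o=LDD", BASE)))
    print(dns(search(DIT, "o=LDD", ONELEVEL)))
    print(dns(search(DIT, "o=LDD", SUBTREE, lambda a: "uid" in a)))
```

Searching ou=people with ONELEVEL finds the two users but would miss accounts placed in a nested OU; searching o=LDD with SUBTREE and a loose predicate picks up group entries as well, which is why the user-search base and filter are configured separately in the stack discussed below.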
  • 5. Example LDAP user
    dn: uid=hagbard,o=LDD
    uid: hagbard
    objectClass: person
    cn: Hagbard Celine
    sn: Celine
    userPassword: haileris
    The password is shown in clear text here; a directory server normally stores userPassword hashed (for example with an {SSHA} prefix), not encrypted. Strictly, the person objectClass does not allow uid; a schema-checking server also needs an objectClass such as inetOrgPerson or account on the entry.
  • 6. Groups in LDAP
    ● membership information on the group
      – OpenLDAP (core.schema: groupOfNames)
    ● membership information on the user
    ● membership information on both, redundant
      – ActiveDirectory, OpenLDAP (optional, via the memberof overlay)
    ● membership information on both, not redundant
      – POSIX: OpenDirectory, OpenLDAP (nis.schema)
  • 7. Membership info on group
    dn: cn=lieferickson,o=LDD
    cn: lieferickson
    objectClass: groupOfNames
    member: uid=hagbard,o=LDD
    member: uid=howard,o=LDD
    Note: groupOfNames requires at least one member value, so an empty group cannot be created with this objectClass alone.
  • 8. Membership info on user
    dn: uid=hagbard,o=LDD
    uid: hagbard
    objectClass: person
    cn: Hagbard Celine
    sn: Celine
    userPassword: haileris
    memberOf: cn=lieferickson,o=LDD
    In ActiveDirectory, and in OpenLDAP with the memberof overlay, memberOf is maintained by the server from the groups' member values rather than written by clients.
  • 9. Membership info on both, non-redundant
    dn: uid=hagbard,o=LDD
    objectClass: posixAccount
    uidNumber: 17
    gidNumber: 42

    dn: cn=lieferickson,o=LDD
    objectClass: posixGroup
    gidNumber: 42
    memberUid: 91
    memberUid: 113
    The account's gidNumber names the primary group, the group's memberUid values name the additional members; neither side repeats the other. Note that nis.schema defines memberUid as a login name (the uid attribute), not as a numeric uidNumber.
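Slides 6 to 9 describe three ways of storing membership; a PAS plugin has to resolve all of them to answer "which groups is this user in". The following is an added example, not code from the talk or from bda.ldap: it resolves a user's effective groups from the group side (groupOfNames/member), from the user side (memberOf) and from the non-redundant POSIX split (gidNumber on the account, memberUid on the group), and, where a directory stores membership redundantly on both sides, compares the two copies, since a stale copy is the failure mode of that model. All entries are constructed; the second user deliberately lacks the memberOf back-link.

```python
"""Added example: resolving effective group membership across the three
LDAP membership models, on constructed entries (no server needed)."""

# Constructed entries. hagbard's memberOf agrees with the group's member
# list; howard's entry lacks the memberOf value on purpose (stale copy).
ENTRIES = {
    "uid=hagbard,o=LDD": {
        "objectClass": ["person", "posixAccount"], "uid": ["hagbard"],
        "uidNumber": ["17"], "gidNumber": ["42"],
        "memberOf": ["cn=lieferickson,o=LDD"]},
    "uid=howard,o=LDD": {
        "objectClass": ["person", "posixAccount"], "uid": ["howard"],
        "uidNumber": ["91"], "gidNumber": ["42"]},
    "cn=lieferickson,o=LDD": {
        "objectClass": ["groupOfNames"], "cn": ["lieferickson"],
        "member": ["uid=hagbard,o=LDD", "uid=howard,o=LDD"]},
    # POSIX: gid 42 is both users' primary group; wheel adds hagbard via
    # memberUid (nis.schema: memberUid holds the login name, not uidNumber).
    "cn=users,o=LDD": {"objectClass": ["posixGroup"], "cn": ["users"],
                       "gidNumber": ["42"]},
    "cn=wheel,o=LDD": {"objectClass": ["posixGroup"], "cn": ["wheel"],
                       "gidNumber": ["10"], "memberUid": ["hagbard"]},
}


def norm(dn):
    """Simplified DN comparison key (case- and whitespace-insensitive)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def has_class(attrs, oc):
    return oc.lower() in [c.lower() for c in attrs.get("objectClass", [])]


def groups_from_group_side(entries, user_dn):
    """Model 1: groupOfNames entries whose member attribute lists the user DN."""
    return {dn for dn, a in entries.items() if has_class(a, "groupOfNames")
            and norm(user_dn) in [norm(m) for m in a.get("member", [])]}


def groups_from_user_side(entries, user_dn):
    """Model 2: memberOf values on the user entry, as normalized DNs."""
    return {norm(g) for g in entries[user_dn].get("memberOf", [])}


def posix_groups(entries, user_dn):
    """Model 3: primary group via gidNumber, supplementary via memberUid.
    Returns {group_dn: {"gidNumber" | "memberUid", ...}}."""
    user = entries[user_dn]
    gid = user.get("gidNumber", [None])[0]
    uid = user.get("uid", [None])[0]
    found = {}
    for dn, a in entries.items():
        if not has_class(a, "posixGroup"):
            continue
        if gid is not None and gid in a.get("gidNumber", []):
            found.setdefault(dn, set()).add("gidNumber")
        if uid is not None and uid in a.get("memberUid", []):
            found.setdefault(dn, set()).add("memberUid")
    return found


def effective_groups(entries, user_dn, redundant=False):
    """All groups of the user with the evidence for each. With
    redundant=True (AD, OpenLDAP + memberof overlay) also return the groups
    where the member and memberOf copies disagree."""
    groups = {}
    by_group = {norm(g): g for g in groups_from_group_side(entries, user_dn)}
    for dn in by_group.values():
        groups.setdefault(dn, set()).add("member")
    for key in groups_from_user_side(entries, user_dn):
        dn = by_group.get(key, key)
        groups.setdefault(dn, set()).add("memberOf")
    for dn, sources in posix_groups(entries, user_dn).items():
        groups.setdefault(dn, set()).update(sources)
    inconsistent = []
    if redundant:
        inconsistent = sorted(dn for dn, s in groups.items()
                              if ("member" in s) != ("memberOf" in s))
    return groups, inconsistent


if __name__ == "__main__":
    for user in ("uid=hagbard,o=LDD", "uid=howard,o=LDD"):
        print(user, effective_groups(ENTRIES, user, redundant=True))
```

The `redundant` flag is deliberately a caller decision: against an OpenLDAP without the overlay every group would otherwise be reported as inconsistent, because only the group side exists there.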
  • 10. Current LDAP stack and related
    ● python-ldap, dataflake.ldapconnection, dataflake.cache
    ● PloneLDAP / LDAPMultiPlugins / LDAPUserFolder
    ● PlonePAS / PluggableAuthService
    ● plone.app.ldap
    ● PASGroupsFromLDAP (posix groups based on bda.ldap)
  • 11. python-ldap, dataflake.ldapconnection, dataflake.cache
    python-ldap:
    ● low-level python ldap library
    ● basic connection management
    ● ldapadd, ldapdelete, ldapmodify, passwd
    ● search, authenticate (bind)
    ● synchronous and asynchronous operation
    dataflake:
    ● enhanced connection management/caching
    ● unicode instead of utf-8
  • 12. PloneLDAP, LDAPMultiPlugins, LDAPUserFolder
    LDAPUserFolder
      – acl_users implementation of former times
      – builds on dataflake.ldapconnection/cache
    LDAPMultiPlugins
      – PAS plugins specific to ActiveDirectory and OpenLDAP, no posix support (OpenDirectory)
      – uses LDAPUserFolder to access LDAP
    PloneLDAP
      – wrapper for LDAPMultiPlugins
  • 13. PlonePAS, PluggableAuthService, PASGroupsFromLDAP
    PluggableAuthService (PAS)
      – acl_users implementation nowadays
      – supports plugins for users, groups, roles, properties, session management
    PlonePAS
      – massive monkey patch for PAS
      – aware of PloneLDAP, monkey patching it if present
    PASGroupsFromLDAP
      – support for posix groups, in parallel to LDAPMultiPlugins
  • 14. plone.app.ldap
    ● GenericSetup profile to wrap installation of all of the above
    ● Plone control panel integration for configuration of default setups
      – base DN
      – uid attribute, rdn attribute
    ● for everything else → ZMI, with potential for conflict
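Whatever the stack, "find the user" ends up as a search filter built from the configured uid attribute and a login name typed by an anonymous user, so the login must be escaped as an LDAP filter value. The following is an added example, not code from the talk or from the plone.app.ldap or bda.* packages: RFC 4515 escaping of filter values, the user-lookup filter built from it, and a small matcher that evaluates a single equality filter the way a server would, to show that an unescaped `*` matches every user while an escaped one matches only a literal asterisk. Entries, attribute names and the matcher are constructed; in production python-ldap's `ldap.filter.escape_filter_chars` does the same escaping.

```python
"""Added example: RFC 4515 escaping of LDAP filter values for the user
lookup, with a toy single-filter matcher showing the difference."""
import re

# Constructed user entries under the configured base DN.
USERS = {
    "uid=hagbard,ou=people,o=LDD": {"uid": ["hagbard"], "cn": ["Hagbard Celine"]},
    "uid=howard,ou=people,o=LDD": {"uid": ["howard"], "cn": ["Howard"]},
}

# RFC 4515 section 3: characters that must appear as \XX inside a filter
# value. Backslash is handled first so the others are not double-escaped.
_ESCAPES = (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
            (")", "\\29"), ("\x00", "\\00"))


def escape_filter_chars(value):
    """Escape one assertion value for use inside a filter string."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value


def user_filter(uid_attr, login):
    """Equality filter for one login, e.g. (uid=hagbard). uid_attr is the
    configured attribute name (trusted); login is untrusted user input."""
    return "(%s=%s)" % (uid_attr, escape_filter_chars(login))


def _unescape(text):
    # Reverse of the escaping. A real server decodes UTF-8 byte sequences
    # here; this toy version only handles single-byte values.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def matches(filt, attrs):
    """Evaluate a single (attr=value) filter: an unescaped '*' is a
    wildcard, an escaped \\2a compares as a literal asterisk. Comparison
    is case-sensitive here (uid is caseIgnoreMatch on a real server)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt, re.DOTALL)
    if m is None:
        raise ValueError("unsupported or malformed filter: %r" % filt)
    attr, pattern = m.group(1), m.group(2)
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v) for v in attrs.get(attr, []))


def find_users(entries, filt):
    """DNs of all entries matching the filter, sorted."""
    return sorted(dn for dn, a in entries.items() if matches(filt, a))


if __name__ == "__main__":
    login = "*"  # what an attacker types into the login form
    print(find_users(USERS, "(uid=%s)" % login))       # unescaped: everyone
    print(find_users(USERS, user_filter("uid", login)))  # escaped: nobody
```

The matcher is limited to one equality filter on purpose: it is enough to show the wildcard effect, and the assertion on `user_filter("uid", "x)(|(uid=*")` shows that parentheses and the vertical bar never reach the server unescaped either.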
  • 15. Current LDAP stack wrap-up
    ● too many packages with no clear borders
    ● close to zero test coverage (except the dataflake packages)
    ● caching on 5 levels (five places where a disabled user or a revoked membership can stay effective until the cached entry expires)
      – PAS
      – LDAPMultiPlugins
      – LDAPUserFolder
      – dataflake.cache
      – python-ldap
    ● too complex
  • 16. Goal
    Make LDAP simple:
    ● for the developer
    ● for the integrator
    ● for the system administrator
  • 17. Principles
    ● (LDAP) user management is not specific to Plone and should be realized independently of Plone
    ● minimal code for Plone integration
    ● no ZMI
    ● loadable presets for default setups
    ● support whatever LDAP supports
    ● LDAP is a tree, so our abstraction of it should be one too
    ● full test coverage
  • 18. Our approach
    ● enhancement of python-ldap
    ● node-based tree representation (bda.ldap/zodict)
    ● node-based user management (bda.ldap), independent of Plone
    ● glue code PAS plugin, just for API translation
    ● Plone integration (GenericSetup, config views)
    ● bfg user management UI, also based on the node-based user management
  • 19. The nodes → python shell (bda.ldap fun)
    ● LDAPNode with attributes and children
    ● ONELEVEL vs. SUBTREE
    ● AliasedNodespace
    ● user/group node adapter
    ● user/group folder node adapter
  • 20. Plone integration
    ● PAS plugin that maps the PAS plugin API to the API of the external user management (bda.ldap)
    ● GenericSetup profile to install the plugin
    ● Plone control panel views for persistent configuration
      – how to connect to LDAP
      – how to find users and how to create one
      – how to find groups and how to create one
  • 21. bda.bfg.ugm
    ● repoze.bfg application to manage users
    ● one dedicated application to manage users for multiple Plone sites
    ● enable users for sites
    ● assign to global groups
    ● assign to site-specific groups
    ● define global roles per site
    ● first stage suitable for up to 2000 users
  • 22. bda.bfg.ugm
    ● node-based data model (bda.ldap)
    ● node-based application model
    ● direct rendering of UI on nodes
    ● new form library (yafowil)
  • 23. Status bda.ldap
    ● ldap node – fully functional
    ● ldap filter abstraction – fully functional
    ● aliasing of attribute names – fully functional
    ● user node adapter – fully functional
    ● group node adapter – work in progress
  • 24. bda.pasldap, bda.plone.ldap, bda.bfg.ugm
    ● bda.pasldap
      – users read-only, for a hardcoded config
    ● bda.plone.ldap
      – plugin installation – fully functional
      – users read-only, for a hardcoded config
      – configuration views – work in progress
    ● bda.bfg.ugm – work in progress
  • 25. Outlook
    ● user management via bfg application + full Plone support (end of 2010)
    ● group management via bfg application + full Plone support (February 2011)
    ● no schedule:
      – group-in-group support
      – further backends (SQL)
      – adapt the UI to seriously many users
  • 26. The End: Questions, Answers, Discussions