Plone Conference 2010, Bristol

Pain-free ldap scenarios

Florian Friesdorf <flo@chaoflow.net>
Munich, Germany, 2010-10-28

Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 Austria License

Overview

●   What is LDAP and how do users and groups look in there
●   The current stack of libraries for LDAP in Plone
●   Our goal and principles
●   Our tools
●   Current status
●   Outlook

LDAP, a tree

●   basically an object database
●   tree structure
●   every object has attributes
●   every object may have children
●   slow in writing, but fast in searching
●   indices for selected attributes

LDAP, a tree

●   every object has
       –   objectClasses defining possible attributes
       –   attributes
       –   children (optional)
●   schemas define objectClasses and attributeTypes
●   three scopes:
       –   BASE: the entry itself
       –   ONELEVEL: all children of the entry
       –   SUBTREE: the entry and everything beneath
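The three scopes above, as an added example that is not part of the talk or of bda.ldap: a small in-memory directory (constructed from the deck's o=LDD entries, with an ou=services branch added so that ONELEVEL and SUBTREE give different answers) and a search() that returns the entries each scope would visit. The base DN and scope together decide how much of the tree a plugin's service account enumerates, so confirming them against a known layout is a cheap least-privilege check.

```python
"""Search scopes over a DN tree (added example; not code from the talk or
from bda.ldap). DN handling assumes no escaped commas inside RDN values."""

# Constructed directory: the deck's o=LDD suffix plus a nested ou so that
# ONELEVEL and SUBTREE differ.
DIRECTORY = [
    "o=LDD",
    "uid=hagbard,o=LDD",
    "uid=howard,o=LDD",
    "cn=lieferickson,o=LDD",
    "ou=services,o=LDD",
    "cn=webserver,ou=services,o=LDD",
]


def normalize(dn):
    """Case-fold and strip whitespace around RDN separators so that
    'UID=Hagbard, o=LDD' and 'uid=hagbard,o=LDD' compare equal (LDAP DNs
    and attribute names are case-insensitive)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    """Parent of a DN: everything after the first RDN ('' for the root)."""
    _, _, rest = normalize(dn).partition(",")
    return rest


def search(dns, base, scope):
    """Return the DNs a search with the given base and scope would visit.
    BASE: the entry itself; ONELEVEL: its direct children only;
    SUBTREE: the entry and everything beneath it."""
    base = normalize(base)
    hits = []
    for dn in dns:
        ndn = normalize(dn)
        if scope == "BASE":
            match = ndn == base
        elif scope == "ONELEVEL":
            match = parent_dn(ndn) == base
        elif scope == "SUBTREE":
            match = ndn == base or ndn.endswith("," + base)
        else:
            raise ValueError("unknown scope: %r" % scope)
        if match:
            hits.append(dn)
    return hits


if __name__ == "__main__":
    for scope in ("BASE", "ONELEVEL", "SUBTREE"):
        print(scope, search(DIRECTORY, "o=LDD", scope))
```

Run it with a base of o=LDD: BASE returns the suffix entry alone, ONELEVEL the four direct children, and SUBTREE all six entries including cn=webserver two levels down.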

Example LDAP user

dn: uid=hagbard,o=LDD
uid: hagbard
objectClass: person
cn: Hagbard Celine
sn: Celine
userPassword: haileris          (password normally encrypted)

Groups in LDAP

●   membership information on the group
       –   OpenLDAP (core.schema)
●   membership information on the user
●   membership information on both, redundant
       –   ActiveDirectory, OpenLDAP (optional)
●   membership information on both, not redundant
       –   POSIX: OpenDirectory, OpenLDAP (nis.schema)

Membership info on group

dn: cn=lieferickson,o=LDD
cn: lieferickson
objectClass: groupOfNames
member: uid=hagbard,o=LDD
member: uid=howard,o=LDD

Membership info on user

dn: uid=hagbard,o=LDD
uid: hagbard
objectClass: person
cn: Hagbard Celine
sn: Celine
userPassword: haileris
memberOf: cn=lieferickson,o=LDD

Membership info on both, non-redundant

dn: uid=hagbard,o=LDD
objectClass: posixAccount
uidNumber: 17
gidNumber: 42

dn: cn=lieferickson,o=LDD
objectClass: posixGroup
gidNumber: 42
memberUID: 91
memberUID: 113
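The membership layouts from the "Groups in LDAP" slide and the three LDIF slides after it, resolved in code as an added example (not code from the talk or from bda.ldap). The script parses a small constructed LDIF built from the deck's o=LDD entries, extended with a second user, a cn=discordians posixGroup and a deliberately stale memberOf value, and answers "which groups is this user in?" three ways: member on the group (groupOfNames), memberOf on the user, and the non-redundant POSIX pair gidNumber/memberUid. For the redundant layout, where both sides carry the information, it also reports where the two sides disagree, which is what a half-applied group edit or a stale memberOf looks like and is worth auditing because each application reads only one side.

```python
"""Group membership under the LDAP layouts of the deck (added example; not
code from the talk or from bda.ldap). DN values are compared as plain
strings; real directories need DN normalisation first."""
from collections import defaultdict

# Constructed LDIF: deck entries plus uid=howard, a posixGroup and a stale
# memberOf pointing at a group that does not exist.
SAMPLE_LDIF = """\
dn: uid=hagbard,o=LDD
uid: hagbard
objectClass: person
objectClass: posixAccount
cn: Hagbard Celine
sn: Celine
uidNumber: 17
gidNumber: 42
memberOf: cn=lieferickson,o=LDD
memberOf: cn=stale,o=LDD

dn: uid=howard,o=LDD
uid: howard
objectClass: person
objectClass: posixAccount
cn: Howard
sn: Howard
uidNumber: 18
gidNumber: 43

dn: cn=lieferickson,o=LDD
cn: lieferickson
objectClass: groupOfNames
member: uid=hagbard,o=LDD
member: uid=howard,o=LDD

dn: cn=discordians,o=LDD
cn: discordians
objectClass: posixGroup
gidNumber: 42
memberUid: howard
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, no continuation lines or base64 values. Attribute names are
    lower-cased because LDAP treats them case-insensitively, so memberUID
    and memberUid are the same attribute."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def has_class(attrs, name):
    """objectClass values are case-insensitive as well."""
    return name.lower() in (v.lower() for v in attrs["objectclass"])


def groups_from_group_side(entries, user_dn):
    """Layout 1: the group lists its members (groupOfNames / member)."""
    return {dn for dn, attrs in entries.items()
            if has_class(attrs, "groupOfNames") and user_dn in attrs["member"]}


def groups_from_user_side(entries, user_dn):
    """Layout 2: the user carries memberOf values naming the groups."""
    return set(entries[user_dn]["memberof"])


def groups_posix(entries, user_dn):
    """Layout 4 (POSIX, non-redundant): the primary group is reached through
    the user's gidNumber, secondary groups list the user's uid in memberUid."""
    user = entries[user_dn]
    uid = user["uid"][0]
    gids = set(user["gidnumber"])
    return {dn for dn, attrs in entries.items()
            if has_class(attrs, "posixGroup")
            and (gids & set(attrs["gidnumber"]) or uid in attrs["memberuid"])}


def membership_inconsistencies(entries, user_dn):
    """Layout 3 (redundant, both sides): groups named on only one side.
    Whichever side an application reads decides access, so a difference
    here is a real authorization discrepancy, not just untidy data."""
    group_side = groups_from_group_side(entries, user_dn)
    user_side = groups_from_user_side(entries, user_dn)
    return {"only_on_group": sorted(group_side - user_side),
            "only_on_user": sorted(user_side - group_side)}


def all_groups(entries, user_dn):
    """Union over all layouts: what a plugin that supports whatever LDAP
    supports has to consult."""
    return (groups_from_group_side(entries, user_dn)
            | groups_from_user_side(entries, user_dn)
            | groups_posix(entries, user_dn))


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for dn in ("uid=hagbard,o=LDD", "uid=howard,o=LDD"):
        print(dn, sorted(all_groups(ENTRIES, dn)))
        print("  inconsistencies:", membership_inconsistencies(ENTRIES, dn))
```

For hagbard the audit flags cn=stale,o=LDD as present only on the user side; for howard it flags cn=lieferickson,o=LDD as present only on the group side, because his entry carries no memberOf at all. The POSIX resolver puts both users into cn=discordians, hagbard through gidNumber 42 and howard through memberUid.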

Current LDAP stack and related

●   python-ldap, dataflake.ldapconnection, dataflake.cache
●   PloneLDAP / LDAPMultiPlugins / LDAPUserFolder
●   PlonePAS / PluggableAuthServices
●   plone.app.ldap
●   PASGroupsFromLDAP (posix groups based on bda.ldap)

python-ldap, dataflake.connection, dataflake.cache

python-ldap:
●   low-level python ldap library
●   basic connection management
●   ldapadd, ldapdelete, ldapmodify, passwd
●   search, authenticate
●   synchronous and asynchronous operation
dataflake:
●   enhanced connection management/caching
●   unicode instead of utf-8

PloneLDAP, LDAPMultiPlugins, LDAPUserFolder

LDAPUserFolder
       –   acl_users implementation of former times
       –   builds on dataflake.ldapconnection/cache
LDAPMultiPlugins
       –   PAS plugins specific to ActiveDirectory and OpenLDAP, no posix support (OpenDirectory)
       –   uses LDAPUserFolder to access LDAP
PloneLDAP
       –   wrapper for LDAPMultiPlugins

PlonePAS, PluggableAuthServices, PASGroupsFromLDAP

PluggableAuthServices (PAS)
       –   acl_users implementation nowadays
       –   supports plugins for users, groups, roles, properties, session management
PlonePAS
       –   massive monkey patch for PAS
       –   aware of PloneLDAP, monkey patching it if present
PASGroupsFromLDAP
       –   support for posix groups, parallel to ldapmp

plone.app.ldap

●   genericSetup profile to wrap installation of all above
●   plone control panel integration for configuration of default setups
       –   baseDN
       –   uid attribute, rdn attribute
●   for everything else → ZMI, with potential for conflict

Current LDAP stack: wrap-up

●   too many packages with no clear borders
●   close to zero test coverage (except dataflake packages)
●   caching on 5 levels
       –   PAS
       –   LDAPMultiPlugins
       –   LDAPUserFolder
       –   dataflake.cache
       –   python-ldap
●   too complex

Goal

    Make LDAP simple:
●   for the developer
●   for the integrator
●   for the system administrator

Principles

●   (LDAP) user management is not specific to plone and should be realized independently of plone
●   minimal code for plone integration
●   no ZMI
●   loadable presets for default setups
●   support whatever LDAP supports
●   ldap is a tree, so our abstraction of it should be one too
●   full test coverage

Our approach

●   enhancement of python-ldap
●   Node-based tree representation (bda.ldap/zodict)
●   Node-based user management (bda.ldap), independent of plone
●   glue code PAS plugin, just for API translation
●   Plone integration (generic setup, config views)
●   bfg user management UI, also based on the node-based user management

The nodes

    → python shell (bda.ldap fun)
●   LDAPNode with attributes and children
●   ONELEVEL vs. SUBTREE
●   AliasedNodespace
●   User/group node adapter
●   User/group folder node adapter

Plone integration

●   PAS plugin that maps the PAS plugin API to the API of the outside user management (bda.ldap)
●   generic setup profile to install the plugin
●   plone control panel views for persistent configuration
       –   how to connect to ldap
       –   how to find users and how to create one
       –   how to find groups and how to create one

bda.bfg.ugm

●   repoze.bfg application to manage users
●   one dedicated application to manage users for multiple plone sites
●   enable users for sites
●   assign to global groups
●   assign to site specific groups
●   define global roles per site
●   first stage suitable for up to 2000 users

bda.bfg.ugm

●   node-based data model (bda.ldap)
●   node-based application model
●   direct rendering of UI on nodes
●   new form library (yafowil)

Status: bda.ldap

●   ldap node – fully functional
●   ldap filter abstraction – fully functional
●   aliasing of attribute names – fully functional
●   user node adapter – fully functional
●   group node adapter – work in progress
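What a filter abstraction has to get right, as an added example for the "search, authenticate" bullet of the python-ldap slide and the "ldap filter abstraction" status line above. This is not code from the talk or from bda.ldap: it is a dependency-free filter builder that escapes assertion values per RFC 4515 (backslash, asterisk, parentheses and NUL), so a login name read from a form always ends up as a single equality assertion and cannot alter the filter's structure, plus the inverse for reading escaped filters back out of server or plugin logs. python-ldap ships ldap.filter.escape_filter_chars for the same job; the stand-alone version here runs offline.

```python
"""RFC 4515 filter construction with value escaping (added example; not code
from the talk or from bda.ldap). Attribute names are assumed to come from
program configuration, not from user input, so only values are escaped."""
import re

# Characters with special meaning in a filter and their RFC 4515 escapes.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape an assertion value for use inside a filter. Each character is
    translated exactly once through the table, so an input backslash becomes
    \\5c and is never re-interpreted as the start of an escape sequence."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value: turn \\XX hex escapes back into the
    characters they stand for. Handy when reviewing filters from logs."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def equals(attr, value):
    """(attr=value) with the value escaped."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


def and_(*filters):
    return "(&" + "".join(filters) + ")"


def or_(*filters):
    return "(|" + "".join(filters) + ")"


def user_filter(login, login_attr="uid", object_class="person"):
    """Filter a PAS-style plugin would use to locate the entry to bind as:
    restrict by objectClass, then match the login attribute exactly."""
    return and_(equals("objectClass", object_class), equals(login_attr, login))


if __name__ == "__main__":
    # Constructed inputs: a plain login and one containing filter metacharacters.
    for login in ("hagbard", "a*", "h(a)g\\bard"):
        print(repr(login), "->", user_filter(login))
```

With the plain login the result is (&(objectClass=person)(uid=hagbard)); with metacharacters in the input the value is emitted as \2a, \28, \29 and \5c sequences, so the server still performs an exact comparison against that literal string rather than a wildcard or a restructured filter.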

Status: bda.pasldap, bda.plone.ldap, bda.bfg.app

●   bda.pasldap
       –   users readonly for hardcoded config
●   bda.plone.ldap
       –   plugin installation – fully functional
       –   users readonly for hardcoded config
       –   configuration views – work in progress
●   bda.bfg.ugm – work in progress

Outlook

●   user management via bfg application + full plone support (end of 2010)
●   group management via bfg application + full plone support (February 2011)
●   no schedule
       –   group in group support
       –   further backends (sql)
       –   adapt UI to seriously many users

The End

Questions

Answers

Discussions