Plone Conference 2010, Bristol

Pain-free ldap scenarios

Florian Friesdorf <flo@chaoflow.net>
Munich, Germany
2010-10-28



Page 1 of 26
License: Creative Commons Namensnennung-Keine kommerzielle Nutzung-Keine Bearbeitung 3.0 Österreich (CC BY-NC-ND 3.0 Austria)
Overview

●   What is LDAP and how do users and groups look
    in there
●   The current stack of libraries for LDAP in Plone
●   Our goal and principles
●   Our tools
●   Current status
●   Outlook



LDAP, a tree

●   basically an object database
●   tree structure
●   every object has attributes
●   every object may have children
●   slow in writing, but fast in searching
●   indices for selected attributes




LDAP, a tree

●   every object has
       –   objectClasses defining possible attributes
       –   attributes
       –   children (optional)
●   schemas define objectClasses and
    attributeTypes
●   three scopes:
       –   BASE: the entry itself
       –   ONELEVEL: all children of the entry
       –   SUBTREE: the entry and everything beneath
Example LDAP user

dn: uid=hagbard,o=LDD
uid: hagbard
objectClass: person
cn: Hagbard Celine
sn: Celine
userPassword: haileris


userPassword is normally stored encrypted (hashed), not in clear text as shown here

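The example entry keeps userPassword in the clear, and the note says it is normally encrypted. The following Python is an added example, not code from the talk: it shows OpenLDAP's classic {SSHA} storage form (salted SHA-1, base64 of digest plus salt), a verifier for it, and a small audit that flags clear-text userPassword values such as the one above. All sample values are constructed and the function names are this example's own.

```python
"""OpenLDAP-style {SSHA} userPassword values: create, verify, and audit a
set of entries for clear-text passwords.  Added example, not from the
talk; sample values are constructed."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"


def ssha_hash(password, salt=None):
    """Return a {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)            # per-password random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(SCHEME):])
    digest, salt = blob[:20], blob[20:]   # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def password_scheme(value):
    """Return the {SCHEME} prefix of a userPassword value (RFC 2307
    convention), or None when the value is stored in the clear."""
    if value.startswith("{") and "}" in value:
        return value[:value.index("}") + 1].upper()
    return None


def audit_passwords(passwords):
    """passwords: {dn: userPassword}.  Return the DNs stored in clear text."""
    return sorted(dn for dn, v in passwords.items()
                  if password_scheme(v) is None)


# Constructed sample: the slide's clear-text user beside a hashed one.
SAMPLE = {
    "uid=hagbard,o=LDD": "haileris",
    "uid=howard,o=LDD": ssha_hash("example-password"),
}

if __name__ == "__main__":
    print("clear-text entries:", audit_passwords(SAMPLE))
    print("howard verifies:", ssha_verify("example-password",
                                          SAMPLE["uid=howard,o=LDD"]))
```

{SSHA} is what OpenLDAP's slappasswd produces by default and is shown here only as the familiar form; the point for the directory is that it never needs the clear text, since a client sends the password on a bind and the server does the comparison. Newer deployments can use the stronger schemes OpenLDAP's contrib password modules provide.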
Groups in LDAP

●   membership information on the group
       –   OpenLDAP (core.schema)
●   membership information on the user
●   membership information on both, redundant
       –   ActiveDirectory, OpenLDAP (optional)
●   membership information on both, not redundant
       –   POSIX: OpenDirectory, OpenLDAP (nis.schema)




Membership info on group

dn: cn=lieferickson,o=LDD
cn: lieferickson
objectClass: groupOfNames
member: uid=hagbard,o=LDD
member: uid=howard,o=LDD




Membership info on user

dn: uid=hagbard,o=LDD
uid: hagbard
objectClass: person
cn: Hagbard Celine
sn: Celine
userPassword: haileris
memberOf: cn=lieferickson,o=LDD


Membership info on both, non-redundant
dn: uid=hagbard,o=LDD
objectClass: posixAccount
uidNumber: 17
gidNumber: 42


dn: cn=lieferickson,o=LDD
objectClass: posixGroup
gidNumber: 42
memberUID: 91
memberUID: 113

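Added example, not code from the talk or from bda.ldap/PASGroupsFromLDAP, covering the "Groups in LDAP" slide and the three LDIF examples above: a minimal LDIF reader plus one resolver per model (member on the group, memberOf on the user, gidNumber/memberUid for POSIX) and a drift check for the redundant model, where an access decision can come out differently depending on which side is consulted. The LDIF is constructed after the slides' entries and extended with a second user and a posixGroup; in nis.schema memberUid carries login names, so the POSIX group here lists a uid rather than a number.

```python
"""Resolve group membership under the three models from the slides and
detect drift between redundant member/memberOf data.  Added example; the
LDIF is constructed after the slides' entries."""

SAMPLE_LDIF = """\
dn: uid=hagbard,o=LDD
uid: hagbard
objectClass: person
objectClass: posixAccount
uidNumber: 17
gidNumber: 42
memberOf: cn=lieferickson,o=LDD

dn: uid=howard,o=LDD
uid: howard
objectClass: person
objectClass: posixAccount
uidNumber: 18
gidNumber: 43
memberOf: cn=lieferickson,o=LDD
# constructed drift: howard claims a membership the group does not grant
memberOf: cn=admins,o=LDD

dn: cn=lieferickson,o=LDD
cn: lieferickson
objectClass: groupOfNames
member: uid=hagbard,o=LDD
member: uid=howard,o=LDD

dn: cn=admins,o=LDD
cn: admins
objectClass: groupOfNames
member: uid=hagbard,o=LDD

dn: cn=staff,o=LDD
cn: staff
objectClass: posixGroup
gidNumber: 42
memberUid: howard
"""


def norm_dn(dn):
    """Case-fold a DN for comparison (cn/uid/o use case-ignore matching)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines, '#' comments.  No base64 ('::') values, no line folding."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad LDIF line: %r" % line)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current.setdefault(name, []).append(value)
    return entries


def classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def members_on_group(entries, group_dn):
    """groupOfNames model: the group's 'member' values are authoritative."""
    return sorted(norm_dn(m) for m in
                  entries[norm_dn(group_dn)].get("member", []))


def members_on_user(entries, group_dn):
    """memberOf model: each user lists the groups it belongs to."""
    target = norm_dn(group_dn)
    return sorted(dn for dn, e in entries.items()
                  if target in {norm_dn(g) for g in e.get("memberof", [])})


def members_posix(entries, group_dn):
    """POSIX model: primary members share the group's gidNumber, secondary
    members are listed by login name in memberUid."""
    group = entries[norm_dn(group_dn)]
    gid = group["gidnumber"][0]
    listed = {u.lower() for u in group.get("memberuid", [])}
    hits = []
    for dn, e in entries.items():
        if "posixaccount" not in classes(e):
            continue
        primary = e.get("gidnumber", [None])[0] == gid
        secondary = any(u.lower() in listed for u in e.get("uid", []))
        if primary or secondary:
            hits.append(dn)
    return sorted(hits)


def membership_drift(entries):
    """Redundant model: report groupOfNames groups whose 'member' list and
    the users' 'memberOf' values disagree."""
    report = {}
    for gdn, g in entries.items():
        if "groupofnames" not in classes(g):
            continue
        on_group = {norm_dn(m) for m in g.get("member", [])}
        on_users = set(members_on_user(entries, gdn))
        if on_group != on_users:
            report[gdn] = {"missing_memberof": sorted(on_group - on_users),
                           "stale_memberof": sorted(on_users - on_group)}
    return report


ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Calling the three resolvers on the sample gives the same two users for lieferickson (group side and user side) and for the POSIX group staff (hagbard via primary gid, howard via memberUid), while `membership_drift(ENTRIES)` reports cn=admins: the group grants hagbard but hagbard's entry does not say so, and howard's entry claims a membership the group never granted. Whichever side a plugin reads becomes the effective access decision, which is why the redundant model needs such a check.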
Current LDAP stack and related
●   python-ldap, dataflake.ldapconnection,
    dataflake.cache
●   PloneLDAP / LDAPMultiPlugins / LDAPUserFolder
●   PlonePAS / PluggableAuthServices
●   plone.app.ldap
●   PASGroupsFromLDAP (posix groups based on
    bda.ldap)



python-ldap, dataflake.ldapconnection, dataflake.cache

python-ldap:
●   low-level python ldap library
●   basic connection management
●   ldapadd, ldapdelete, ldapmodify, passwd
●   search, authenticate
●   synchronous and asynchronous operation
dataflake:
●   enhanced connection management/caching
●   unicode instead of utf-8

PloneLDAP, LDAPMultiPlugins, LDAPUserFolder

LDAPUserFolder
   –   acl_users implementation of former times
   –   builds on dataflake.ldapconnection/cache
LDAPMultiPlugins
   –   PAS plugins specific to ActiveDirectory and OpenLDAP,
         no posix support (OpenDirectory)
   –   uses LDAPUserFolder to access LDAP
PloneLDAP
   –   wrapper for LDAPMultiPlugins


PlonePAS, PluggableAuthServices, PASGroupsFromLDAP

PluggableAuthServices (PAS)
   –   acl_users implementation nowadays
   –   supports plugins for users, groups, roles, properties,
         session management
PlonePAS
   –   massive monkey patch for PAS
   –   aware of PloneLDAP, monkey patching it if present
PASGroupsFromLDAP
   –   support for posix groups, parallel to ldapmp (LDAPMultiPlugins)


plone.app.ldap

●   genericSetup profile to wrap installation of all
    above
●   plone control panel integration for configuration
    of default setups
        –   baseDN
        –   uid attribute, rdn attribute,
●   for everything else → ZMI, with potential for
    conflict



Current LDAP stack: wrap-up
●   too many packages with no clear borders
●   close to zero test coverage (except dataflake
    packages)
●   caching on 5 levels
        –   PAS
        –   LDAPMultiPlugins
        –   LDAPUserFolder
        –   dataflake.cache
        –   python-ldap
●   too complex
Goal

    Make LDAP simple:
●   for the developer
●   for the integrator
●   for the system administrator




Principles

●   (LDAP) user management is not specific to Plone
    and should be realized independently of Plone
●   minimal code for plone integration
●   no ZMI
●   loadable presets for default setups
●   support whatever LDAP supports
●   LDAP is a tree, so our abstraction of it should be one too
●   full test coverage

Our approach

●   enhancement of python-ldap
●   Node-based tree representation
    (bda.ldap/zodict)
●   Node-based user management (bda.ldap),
    independent of plone
●   glue code PAS plugin, just for API translation
●   Plone integration (generic setup, config views)
●   bfg user management UI, also based on the
    node-based user management

The nodes

    → python shell (bda.ldap fun)
●   LDAPNode with attributes and children
●   ONELEVEL vs. SUBTREE
●   AliasedNodespace
●   User/group node adapter
●   User/group folder node adapter




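An added example for the scope slide ("three scopes") and the node slide above; it is not the talk's shell session and not bda.ldap or zodict code. It models a small in-memory LDAP tree of nodes with attributes and children, a search over it with BASE, ONELEVEL and SUBTREE scopes, and an attribute-alias view in the spirit of AliasedNodespace. The entries are constructed after the slides' DNs, placed under ou=people and ou=groups (an assumption) so that ONELEVEL and SUBTREE give different results.

```python
"""In-memory LDAP tree: nodes with attributes and children, searched with
the three LDAP scopes, plus an attribute-aliasing view.  Added example
(not bda.ldap/zodict); entries are constructed after the slides."""

BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"


def split_dn(dn):
    """Root-first list of (type, value) RDNs with types lower-cased.
    Handles only unescaped commas; RFC 4514 escaping is out of scope."""
    rdns = []
    for rdn in reversed(dn.split(",")):
        typ, _, val = rdn.strip().partition("=")
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def render_dn(path):
    """Leaf-first list of RDNs back to a DN string."""
    return ",".join("%s=%s" % rdn for rdn in path)


class LDAPNode:
    """One entry: multi-valued attributes and named children."""

    def __init__(self, rdn, attrs=None):
        self.rdn = rdn                  # (type, value) or None for the root
        self.attrs = attrs or {}
        self.children = {}              # rdn tuple -> LDAPNode

    def ensure_child(self, rdn):
        return self.children.setdefault(rdn, LDAPNode(rdn))


class Directory:
    def __init__(self):
        self.root = LDAPNode(None)      # virtual root above all suffixes

    def add(self, dn, attrs):
        """Add/replace an entry, creating empty intermediate nodes."""
        node = self.root
        for rdn in split_dn(dn):
            node = node.ensure_child(rdn)
        node.attrs = dict(attrs)
        return node

    def lookup(self, dn):
        node = self.root
        for rdn in split_dn(dn):
            node = node.children.get(rdn)
            if node is None:
                return None
        return node

    def search(self, base, scope, predicate=lambda attrs: True):
        """DNs of entries under `base` selected by scope and predicate;
        the predicate plays the role of the LDAP search filter."""
        start = self.lookup(base)
        if start is None:
            return []
        hits = []

        def walk(node, path, depth):
            in_scope = (scope == SUBTREE
                        or (scope == BASE and depth == 0)
                        or (scope == ONELEVEL and depth == 1))
            if in_scope and predicate(node.attrs):
                hits.append(render_dn(path))
            if scope == BASE or (scope == ONELEVEL and depth == 1):
                return                  # do not descend any further
            for rdn, child in node.children.items():
                walk(child, [rdn] + path, depth + 1)

        walk(start, list(reversed(split_dn(base))), 0)
        return sorted(hits)


def aliased(attrs, aliases):
    """View attrs under application names, e.g. {'login': 'uid'}."""
    return {alias: attrs.get(real, []) for alias, real in aliases.items()}


def is_person(attrs):
    return "person" in attrs.get("objectClass", [])


def sample_directory():
    """Constructed tree after the slides' DNs, one level deeper."""
    d = Directory()
    d.add("o=LDD", {"objectClass": ["organization"], "o": ["LDD"]})
    d.add("ou=people,o=LDD", {"objectClass": ["organizationalUnit"]})
    d.add("ou=groups,o=LDD", {"objectClass": ["organizationalUnit"]})
    d.add("uid=hagbard,ou=people,o=LDD", {"objectClass": ["person"],
          "uid": ["hagbard"], "cn": ["Hagbard Celine"], "sn": ["Celine"]})
    d.add("uid=howard,ou=people,o=LDD", {"objectClass": ["person"],
          "uid": ["howard"], "cn": ["Howard"], "sn": ["Howard"]})
    d.add("cn=lieferickson,ou=groups,o=LDD", {"objectClass": ["groupOfNames"],
          "member": ["uid=hagbard,ou=people,o=LDD",
                     "uid=howard,ou=people,o=LDD"]})
    return d
```

With this tree, a ONELEVEL search for persons at o=LDD finds nothing because the users sit two levels down, while SUBTREE finds both; that difference is what the scope slide is about, and what a search base configured one level too high or too low will silently get wrong.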
Plone integration

●   PAS plugin that maps the PAS plugin API to the API
    of the external user management (bda.ldap)
●   generic setup profile to install the plugin
●   plone control panel views for persistent
    configuration
        –   how to connect to ldap
        –   how to find users and how to create one
        –   how to find groups and how to create one




bda.bfg.ugm

●   repoze.bfg application to manage users
●   one dedicated application to manage users for
    multiple plone sites
●   enable users for sites
●   assign to global groups
●   assign to site specific groups
●   define global roles per site
●   first stage suitable for up to 2000 users

bda.bfg.ugm

●   node-based data model (bda.ldap)
●   node-based application model
●   direct rendering of UI on nodes
●   new form library (yafowil)




Status: bda.ldap
●   ldap node – fully functional
●   ldap filter abstraction – fully functional
●   aliasing of attribute names – fully functional
●   user node adapter – fully functional
●   group node adapter – work in progress




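The status slide lists an "ldap filter abstraction", and the "search" item on the python-ldap slide is where such filters are used. What follows is an added example of what that abstraction has to guarantee, not bda.ldap's code: filters built per RFC 4515 with assertion values escaped and attribute names validated, so that a login name taken from a form cannot change the filter's structure. A naive string-formatted filter is shown beside the safe builder for contrast; the helper names are this example's own.

```python
"""RFC 4515 search filter construction with value escaping and attribute
validation.  Added example; not bda.ldap's filter code."""
import re

# RFC 4515: these characters inside an assertion value must be written as
# a backslash followed by two hex digits.
_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}

# attribute description: a name or a numeric OID, optional ';option' parts
_ATTR_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*$")


def escape_value(value):
    """Escape an assertion value so it cannot open or close sub-filters."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def is_valid_attr(name):
    return bool(_ATTR_RE.match(name))


def attr(name):
    """Attribute names are never user input; reject anything malformed."""
    if not is_valid_attr(name):
        raise ValueError("invalid attribute description: %r" % name)
    return name


def eq(name, value):
    return "(%s=%s)" % (attr(name), escape_value(value))


def present(name):
    return "(%s=*)" % attr(name)


def and_(*filters):
    return "(&%s)" % "".join(filters)


def or_(*filters):
    return "(|%s)" % "".join(filters)


def not_(f):
    return "(!%s)" % f


def naive_user_filter(login):
    """The vulnerable shape: raw interpolation of the submitted login."""
    return "(&(objectClass=person)(uid=%s))" % login


def safe_user_filter(login):
    """The same lookup with the value escaped by the builder."""
    return and_(eq("objectClass", "person"), eq("uid", login))


if __name__ == "__main__":
    submitted = "*)(uid=*"          # constructed input with filter syntax
    print(naive_user_filter(submitted))
    print(safe_user_filter(submitted))
```

For a normal login both builders produce `(&(objectClass=person)(uid=hagbard))`. For input that carries filter syntax the naive version turns into `(&(objectClass=person)(uid=*)(uid=*))`, a filter that matches every user and so breaks the one-user assumption an authentication plugin relies on, while the safe version yields `(uid=\2a\29\28uid=\2a)` and matches nothing. python-ldap ships an equivalent escape (ldap.filter.escape_filter_chars); the builder above just makes it impossible to forget.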
Status: bda.pasldap, bda.plone.ldap, bda.bfg.app
●   bda.pasldap
       –   users readonly for hardcoded config
●   bda.plone.ldap
       –   plugin installation – fully functional
       –   users readonly for hardcoded config
       –   configuration views – work in progress
●   bda.bfg.ugm
       –   work in progress



Outlook

●   user management via bfg application + full
    plone support (end of 2010)
●   group management via bfg application + full
    plone support (February 2011)
●   no schedule
       –   group in group support
       –   further backends (sql)
       –   adapt UI to seriously many users




The End

Questions
Answers
Discussions



Más contenido relacionado

Similar a Pain-free ldap scenarios

Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)Fran Fabrizio
 
drbd9_and_drbdmanage_may_2015
drbd9_and_drbdmanage_may_2015drbd9_and_drbdmanage_may_2015
drbd9_and_drbdmanage_may_2015Alexandre Huynh
 
Introduction to Perl Net::LDAP
Introduction to Perl Net::LDAPIntroduction to Perl Net::LDAP
Introduction to Perl Net::LDAPClément OUDOT
 
Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01SANE Ibrahima
 
Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9rezgui
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Vinaykumar Hebballi
 
CS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIXCS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIXruchith
 
Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerLDAPCon
 
Time to rethink /proc
Time to rethink /procTime to rethink /proc
Time to rethink /procKir Kolyshkin
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologySagi Brody
 
Speeding up ps and top
Speeding up ps and topSpeeding up ps and top
Speeding up ps and topOpenVZ
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
OpenNebulaConf 2016 - The DRBD SDS for OpenNebula by Philipp Reisner, LINBIT
OpenNebulaConf 2016 - The DRBD SDS for OpenNebula by Philipp Reisner, LINBITOpenNebulaConf 2016 - The DRBD SDS for OpenNebula by Philipp Reisner, LINBIT
OpenNebulaConf 2016 - The DRBD SDS for OpenNebula by Philipp Reisner, LINBITOpenNebula Project
 

Similar a Pain-free ldap scenarios (20)

Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-Linux
 
LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)
 
drbd9_and_drbdmanage_may_2015
drbd9_and_drbdmanage_may_2015drbd9_and_drbdmanage_may_2015
drbd9_and_drbdmanage_may_2015
 
Software Development with PHP & Laravel
Software Development  with PHP & LaravelSoftware Development  with PHP & Laravel
Software Development with PHP & Laravel
 
Introduction to Perl Net::LDAP
Introduction to Perl Net::LDAPIntroduction to Perl Net::LDAP
Introduction to Perl Net::LDAP
 
Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9
 
Ldapsession
LdapsessionLdapsession
Ldapsession
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2
 
CS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIXCS 626 - March : Capsicum: Practical Capabilities for UNIX
CS 626 - March : Capsicum: Practical Capabilities for UNIX
 
HIGH AVAILABLE CLUSTER IN WEB SERVER WITH HEARTBEAT + DRBD + OCFS2
HIGH AVAILABLE CLUSTER IN WEB SERVER WITH  HEARTBEAT + DRBD + OCFS2HIGH AVAILABLE CLUSTER IN WEB SERVER WITH  HEARTBEAT + DRBD + OCFS2
HIGH AVAILABLE CLUSTER IN WEB SERVER WITH HEARTBEAT + DRBD + OCFS2
 
Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory Manager
 
Time to rethink /proc
Time to rethink /procTime to rethink /proc
Time to rethink /proc
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container Technology
 
Speeding up ps and top
Speeding up ps and topSpeeding up ps and top
Speeding up ps and top
 
Speeding up ps and top
Speeding up ps and topSpeeding up ps and top
Speeding up ps and top
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
ivanova-samba_backend.pdf
ivanova-samba_backend.pdfivanova-samba_backend.pdf
ivanova-samba_backend.pdf
 
OpenNebulaConf 2016 - The DRBD SDS for OpenNebula by Philipp Reisner, LINBIT
OpenNebulaConf 2016 - The DRBD SDS for OpenNebula by Philipp Reisner, LINBITOpenNebulaConf 2016 - The DRBD SDS for OpenNebula by Philipp Reisner, LINBIT
OpenNebulaConf 2016 - The DRBD SDS for OpenNebula by Philipp Reisner, LINBIT
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Pain-free ldap scenarios

  • 1. Plone Conference 2010 Bristol Pain-free ldap scenarios Florian Friesdorf <flo@chaoflow.net> Munich, Germany 2010-10-28 Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 1 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 2. Overview ● What is LDAP and how do users and groups look in there ● The current stack of libraries for LDAP in Plone ● Our goal and principles ● Our tools ● Current status ● Outlook Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 2 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 3. LDAP, a tree ● basically an object database ● tree structure ● every object has attributes ● every object may have children ● slow in writing, but fast in searching ● indices for selected attributes Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 3 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 4. LDAP, a tree ● every object has – objectClasses defining possible attributes – attributes – children (optional) ● schemas define objectClasses and attributeTypes ● three scopes: – BASE: the entry itself – ONELEVEL: all children of the entry – SUBTREE: the entry and everything beneath Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 4 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 5. Example LDAP user dn: uid=hagbard,o=LDD uid: hagbard objectClass: person cn: Hagbard Celine sn: Celine userPassword: haileris password normally encrypted Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 5 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 6. Groups in LDAP ● membership information on the group – OpenLDAP (core.schema) ● membership information on the user ● membership information on both, redundant – ActiveDirectory, OpenLDAP (optional) ● membership information on both, not redundant – POSIX: OpenDirectory, OpenLDAP (nis.schema) Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 6 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 7. Membership info on group dn: cn=lieferickson,o=LDD cn: lieferickson objectClass: groupOfNames member: uid=hagbard,o=LDD member: uid=howard,o=LDD Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 7 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 8. Membership info on user dn: uid=hagbard,o=LDD uid: hagbard objectClass: person cn: Hagbard Celine sn: Celine userPassword: haileris memberOf: cn=lieferickson,o=LDD Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 8 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 9. Membership info on both non-redundant dn: uid=hagbard,o=LDD objectClass: posixAccount uidNumber: 17 gidNumber: 42 dn: cn=lieferickson,o=LDD objectClass: posixGroup gidNumber: 42 memberUID: 91 memberUID: 113 Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 9 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
  • 10. Current LDAP stack and related ● python-ldap, dataflake.ldapconnection, dataflake.cache ● PloneLDAP / LDAPMultiPlugins / LDAPUserFolder ● PlonePAS / PluggableAuthServices ● plone.app.ldap ● PASGroupsFromLDAP (posix groups based on bda.ldap) Creative Commons Namensnennung- Keine kommerzielle Nutzung- Page 10 of 26 Keine Bearbeitung 3.0 Österreich Lizenz
11. python-ldap, dataflake.ldapconnection, dataflake.cache

python-ldap:
● low-level python ldap library
● basic connection management
● ldapadd, ldapdelete, ldapmodify, passwd
● search, authenticate
● synchronous and asynchronous operation

dataflake:
● enhanced connection management/caching
● unicode instead of utf-8
12. PloneLDAP, LDAPMultiPlugins, LDAPUserFolder

LDAPUserFolder
    – acl_users implementation of former times
    – builds on dataflake.ldapconnection/cache
LDAPMultiPlugins
    – PAS plugins specific to ActiveDirectory and OpenLDAP, no posix support (OpenDirectory)
    – uses LDAPUserFolder to access LDAP
PloneLDAP
    – wrapper for LDAPMultiPlugins
13. PlonePAS, PluggableAuthServices, PASGroupsFromLDAP

PluggableAuthServices (PAS)
    – acl_users implementation nowadays
    – supports plugins for users, groups, roles, properties, session management
PlonePAS
    – massive monkey patch for PAS
    – aware of PloneLDAP, monkey patching it if present
PASGroupsFromLDAP
    – support for posix groups, parallel to ldapmp
14. plone.app.ldap

● genericSetup profile to wrap installation of all above
● plone control panel integration for configuration of default setups
    – baseDN
    – uid attribute, rdn attribute
● for everything else → ZMI, with potential for conflict
15. Current LDAP stack wrap-up

● too many packages with no clear borders
● close to zero test coverage (except dataflake packages)
● caching on 5 levels
    – PAS
    – LDAPMultiPlugins
    – LDAPUserFolder
    – dataflake.cache
    – python-ldap
● too complex
16. Goal

Make LDAP simple:
● for the developer
● for the integrator
● for the system administrator
17. Principles

● (LDAP) user management is not specific to plone and should be realized independent of plone
● minimal code for plone integration
● no ZMI
● loadable presets for default setups
● support whatever LDAP supports
● ldap is a tree, so should our abstraction of it be
● full test coverage
18. Our approach

● enhancement of python-ldap
● Node-based tree representation (bda.ldap/zodict)
● Node-based user management (bda.ldap), independent of plone
● glue code PAS plugin, just for API translation
● Plone integration (generic setup, config views)
● bfg user management UI, also based on the node-based user management
19. The nodes → python shell (bda.ldap fun)

● LDAPNode with attributes and children
● ONELEVEL vs. SUBTREE
● AliasedNodespace
● User/group node adapter
● User/group folder node adapter
20. Plone integration

● PAS plugin that maps the PAS plugin API onto the API of the external user management (bda.ldap)
● generic setup profile to install the plugin
● plone control panel views for persistent configuration
    – how to connect to ldap
    – how to find users and how to create one
    – how to find groups and how to create one
21. bda.bfg.ugm

● repoze.bfg application to manage users
● one dedicated application to manage users for multiple plone sites
● enable users for sites
● assign to global groups
● assign to site specific groups
● define global roles per site
● first stage suitable for up to 2000 users
22. bda.bfg.ugm

● node-based data model (bda.ldap)
● node-based application model
● direct rendering of UI on nodes
● new form library (yafowil)
23. Status bda.ldap

● ldap node – fully functional
● ldap filter abstraction – fully functional
● aliasing of attribute names – fully functional
● user node adapter – fully functional
● group node adapter – work in progress
24. bda.pasldap, bda.plone.ldap, bda.bfg.app

● bda.pasldap
    – users readonly for hardcoded config
● bda.plone.ldap
    – plugin installation – fully functional
    – users readonly for hardcoded config
    – configuration views – work in progress
● bda.bfg.ugm – work in progress
25. Outlook

● user management via bfg application + full plone support (end of 2010)
● group management via bfg application + full plone support (February 2011)
● no schedule
    – group in group support
    – further backends (sql)
    – adapt UI to seriously many users
26. The End

Questions, Answers, Discussions