rmll 2013 - build your ldap management web interface with linid directory manager
Presentation of LinID Directory Manager, and how you can use it to build your own LDAP management web interface.

LinID Directory Manager
Clément OUDOT, RMLL 2013
Table of contents
● LDAP Directories
● LDAP graphical interfaces
● LinID Directory Manager
Resume
Clément OUDOT
● Engineer since 2003 at LINAGORA company
● LinID Dream Team Manager: http://linid.org
● Founder of LDAP Tool Box project: http://ltb-project.org
● Leader of LemonLDAP::NG project: http://lemonldap-ng.org
LDAP directories
LDAP protocol
● Defined by standards (RFC)
● LDAPv2 in 1995, LDAPv3 in 1997
● TCP/IP, LBER, ASN.1
● 9 core operations, and extended operations
● Schema defines object classes, attributes, syntaxes and matching rules
● Data organized hierarchically (tree)
Directory Information Tree
[Diagram: tree rooted at dc=linid,dc=org with the branches ou=people, ou=groups and ou=structures, and the leaf entries uid=coudot and cn=admin below them]

Entry / Attribute / Value
[Diagram: an entry holds several attributes; each attribute holds one or more values]
Interfaces

Administration tools
● Command line interface (CLI):
  ● ldapsearch, ldapmodify
  ● ldapvi
  ● Perl scripts (Net::LDAP)
● Standalone clients:
  ● Jxplorer, LDAP browser
  ● Apache Directory Studio
● Web interfaces:
  ● phpLDAPadmin
  ● web2ldap
Apache Directory Studio

LDAP directory management interfaces
● In the proprietary world:
  ● Calendra Directory Manager (Calendra)
  ● Meibo (Ilex)
  ● Some Identity Managers (Oracle, Novell, etc.)
● In the free software world:
  ● LDAP Account Manager
  ● ldapSaisie
  ● FusionDirectory (ex GOSA)
  ● LinID Directory Manager
  ● OpenIDM (ForgeRock)
  ● Janua white pages
● 90% of deployments: self made applications
Main features
● Screen modelling (HTML templates)
● Specific displayer and editor for each attribute
● Tag choice and internationalization
● Authorization management with profiles
● No data adaptation needed
LinID Directory Manager

History
● Development started at UPMC in 2002. First version in PHP, quickly rewritten in Java. The software was called MetaLDAP
● Open Source release in 2003, under the name InterLDAP
● Became an ObjectWeb project in 2006 inside the FederID project
● Creation of LinID in 2008: it became LinID Content Manager and then LinID Directory Manager
● The project is now hosted by Linagora and released under AGPLv3
Built with free software
● LinID Directory Manager is a web framework built upon:
  ● Tapestry 5
  ● Spring, Spring LDAP
  ● Maven
  ● XStream
  ● Rhino
  ● Ehcache
  ● jQuery, jQuery UI
Technical overview

Extended schema
● Based on LDAP technical schema (object classes, attributes)
● Overrides some technical definitions (multi-valuation, mandatory/optional)
● Adds a lot of new definitions:
  ● Labels
  ● Default value
  ● Visibility in creation/consultation/search
  ● Allowed values
  ● Type of displayer/editor
Extended schema

<entry>
  <string>givenName</string>
  <attributedefinition>
    <attributeName>givenName</attributeName>
    <type>string</type>
    <oid>2.5.4.42</oid>
    <description>'RFC2256: first name(s) for which the entity is known by'</description>
    <largeLabel xml:lang="en">Givenname</largeLabel>
    <largeLabel xml:lang="fr">Prénom</largeLabel>
    <printLabel xml:lang="en">Givenname</printLabel>
    <printLabel xml:lang="fr">Prenom</printLabel>
    <shortLabel xml:lang="en">Givenname</shortLabel>
    <shortLabel xml:lang="fr">Prénom</shortLabel>
    <precedence>15</precedence>
    <possibleValues>
      <null/>
    </possibleValues>
    <visible>true</visible>
    <multiValued>false</multiValued>
    <mandatory>true</mandatory>
    <filtrable>true</filtrable>
    <chosenInList>false</chosenInList>
    <operators>
      <operator>CONTAINS</operator>
    </operators>
    <shownAtCreation>true</shownAtCreation>
  </attributedefinition>
</entry>
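To show how the flags of such a definition drive input validation, here is an added example (not LinID code) that parses the givenName definition above, trimmed to the flags it checks, and validates candidate values against mandatory, multiValued and possibleValues; the mapping from those flags to checks is assumed from their names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the slide's givenName definition, trimmed to the flags used below
SCHEMA_XML = """
<entry>
  <string>givenName</string>
  <attributedefinition>
    <attributeName>givenName</attributeName>
    <type>string</type>
    <possibleValues><null/></possibleValues>
    <multiValued>false</multiValued>
    <mandatory>true</mandatory>
    <shownAtCreation>true</shownAtCreation>
  </attributedefinition>
</entry>
"""

def parse_definition(xml_text):
    """Extract the flags needed for validation from an <attributedefinition>."""
    d = ET.fromstring(xml_text).find("attributedefinition")
    pv = d.find("possibleValues")
    # Assumed reading: <null/> means any value is accepted; otherwise the listed values only
    allowed = None if pv is None or pv.find("null") is not None else [v.text for v in pv]
    return {
        "name": d.findtext("attributeName"),
        "mandatory": d.findtext("mandatory") == "true",
        "multi_valued": d.findtext("multiValued") == "true",
        "allowed": allowed,
    }

def validate(definition, values):
    """Return the list of problems for the submitted values (empty list means OK)."""
    problems = []
    if definition["mandatory"] and not values:
        problems.append(f"{definition['name']} is mandatory but missing")
    if not definition["multi_valued"] and len(values) > 1:
        problems.append(f"{definition['name']} is single-valued but got {len(values)} values")
    if definition["allowed"] is not None:
        for v in values:
            if v not in definition["allowed"]:
                problems.append(f"{definition['name']}: value {v!r} not in allowed list")
    return problems

GIVEN_NAME = parse_definition(SCHEMA_XML)
```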
Authorization
● Authorization is based on:
  ● Relation between current user and target entry
  ● Attributes concerned
  ● Type of operation
● The relation is expressed through LDAP Query Language (LQL), a specific syntax to query LDAP directories almost like SQL databases
Authorization

<bean id="localadmin_users_manage" class="org.linid.dm.authorization.lql.LqlTextRule" scope="prototype">
  <property name="name" value="localadmin_users_manage" />
  <property name="description" value="Manage users" />
  <property name="module" value="" />
  <property name="relation">
    <value><![CDATA[
      ldap.read( principalDN, "ssoRoles=${ldap.role.localadministrator.dn}");
    ]]></value>
  </property>
  <property name="targetDn" value="${ldap.user.dn}" />
  <property name="rights" value="Wd" />
  <property name="attributes">
    <list>
      <value>uid</value>
      <value>cn</value>
      <value>sn</value>
      <value>givenName</value>
      <value>telephoneNumber</value>
      <value>facsimileTelephoneNumber</value>
      <value>departmentNumber</value>
      <value>o</value>
      <value>ou</value>
      <value>mail</value>
      <value>ssoRoles</value>
      <value>ssoLogonHours</value>
      <value>userPassword</value>
      <value>photo</value>
      <value>entry</value>
    </list>
  </property>
</bean>
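As an added example (not part of LinID), here is a small audit script that flattens LqlTextRule beans like the one above and lists which rules grant rights on attributes a reviewer would want to check, such as userPassword and ssoRoles; the rights string is kept verbatim since its codes are not documented here, and the second bean and the SENSITIVE set are constructed.

```python
import xml.etree.ElementTree as ET

SENSITIVE = {"userPassword", "ssoRoles"}  # assumed: attributes that warrant review in any rule

# Constructed sample: the slide's rule (attribute list shortened) plus a second, hypothetical rule
BEANS_XML = """
<beans>
  <bean id="localadmin_users_manage" class="org.linid.dm.authorization.lql.LqlTextRule">
    <property name="relation"><value><![CDATA[
      ldap.read( principalDN, "ssoRoles=${ldap.role.localadministrator.dn}");
    ]]></value></property>
    <property name="targetDn" value="${ldap.user.dn}" />
    <property name="rights" value="Wd" />
    <property name="attributes"><list>
      <value>uid</value><value>cn</value><value>userPassword</value><value>ssoRoles</value>
    </list></property>
  </bean>
  <bean id="helpdesk_contact_edit" class="org.linid.dm.authorization.lql.LqlTextRule">
    <property name="targetDn" value="${ldap.user.dn}" />
    <property name="rights" value="Wd" />
    <property name="attributes"><list><value>telephoneNumber</value><value>mail</value></list></property>
  </bean>
</beans>
"""

def load_rules(xml_text):
    """Flatten each LqlTextRule bean into a dict; the rights string is kept verbatim."""
    rules = []
    for bean in ET.fromstring(xml_text).findall("bean"):
        props = {p.get("name"): p for p in bean.findall("property")}
        attrs_el = props.get("attributes")
        relation = props.get("relation")
        rules.append({
            "id": bean.get("id"),
            "relation": relation.findtext("value").strip() if relation is not None else "",
            "target": props["targetDn"].get("value"),
            "rights": props["rights"].get("value"),
            "attributes": [v.text for v in attrs_el.iter("value")] if attrs_el is not None else [],
        })
    return rules

def flag_sensitive(rules):
    """Return (rule id, rights, sensitive attributes) for every rule that touches one."""
    return [(r["id"], r["rights"], sorted(set(r["attributes"]) & SENSITIVE))
            for r in rules if set(r["attributes"]) & SENSITIVE]

RULES = load_rules(BEANS_XML)
```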
LinID Directory Manager sample
● A demonstration application is provided with the framework
● It includes an in-memory directory (OpenDJ) with the following accounts:
  ● jdoe/secret : super administrator
  ● jsmith/secret : local administrator
  ● jbar/secret : user
● Runs in Tomcat, Jetty
● Launch it from the sources:
  $ mvn -Popends jetty:run
Demonstration

How to build your own application
● Know what you want:
  ● Which data should be managed in the interface
  ● Who can do what
● Import the sample application in Eclipse
● Generate the extended schema with the script eschemaGenerator.pl
● Prepare your fingers to edit XML: Spring configuration, extended schema, authorization rules
● Redesign the templates
Example: UPMC

Example: French Ministry of Agriculture

Example: LinID OBM Manager

Example: LinID OpenLDAP Manager

Almost the end...
Thanks
● Special thanks to:
  ● RMLL/LSM and their organizers
  ● Company LINAGORA
  ● All LinID developers
● Keep in touch:
  ● Identica: @coudot
  ● Twitter: @clementoudot @LinID_FOSS
  ● IRC: KPTN #LinID@freenode
  ● Web: http://linid.org
Questions?
Thanks for your attention
http://www.linid.org
Open Source software and services
80 rue Roque de Fillol, 92800 PUTEAUX
Tel : 0810 251 251 | Fax : +33 1 46 96 63 64
www.linagora.com