On 03.05.2015 at 14:03, bret curtis wrote:
Hello there,

if you wish to make a pull request, file a bug report or ask Ldaptor specific questions, you can contact the developer directly here:
https://github.com/twisted/ldaptor/issues

Not everyone who works on Ldaptor is a member of this mailing list.

Okay. I was not sure if it's okay to ask questions via the issue tracker. :)


I'll try to answer inline:

On Sat, May 2, 2015 at 12:37 PM, <the...@otpme.org> wrote:


    I'm currently investigating how to add ldap server support to
    OTPme (https://www.otpme.org) as I want to extend it to be a
    complete authentication/authorization system including some kind
    of directory service. So I started working on integration with
    ldaptor. My first problem, adding search support, is partly solved
    now. I've checked ldiftree.py and after some debugging I got a
    search() method that is able to do an indexed search of OTPme's
    directory (which is not in svn yet), which allows fast search
    results for a directory with more than 2048 users.


Congratulations! :) How are you going about this? Are these additions backwards compatible with OpenLDAP? Are you also writing test-cases to cover these?

Thanks. :) But it's still in an early stage.

Currently the ldap support is implemented on top of OTPme's users, groups, units etc. and will be read-only.

I've decided to implement it as OTPme extensions, e.g. a "base" extension that handles object classes like "dcObject", "organizationalUnit", "inetOrgPerson" etc. and a "posix" extension for "posixAccount", "posixGroup" and so on. The extensions will also do things like uidNumber/gidNumber allocation etc.

An extension also automatically adds the needed objectClass if the attribute the admin adds to a user needs it. If the admin disables an extension (e.g. posix or maybe samba later) for a user, the corresponding ldap attributes are no longer visible via ldap(tor) but are not removed from the user, so they can be re-enabled if needed. To resolve the attribute <> objectClass dependencies I've written a simple (and maybe incomplete ;)) parser that can read openldap's schema files using http://www.python-ldap.org/doc/html/ldap-schema.html#module-ldap.schema

The OTPme specific attributes (tokens, timeout values etc.) are not implemented as ldap objects/attributes. The main reason for this is that I didn't have any plan about the features that OTPme would have when I started writing it a few months ago. I decided to learn python as my first language in December last year and just wanted to write anything useful. It all started with the goal to implement http://motp.sourceforge.net/ in python. :)

So atm I haven't done anything more than writing a class (staring at the magic of ldiftree.py and friends ;)) that gets all needed objects, attributes etc. from the OTPme backend as ldif and that can do an indexed search using an OTPme function. This class basically works with ldaptor. The OTPme backend is implemented using flat files with some in-memory caching feature. It also supports AES encryption and I started writing a master/slave synchronization for it that should later be used to add some kind of cluster support to OTPme.

Maybe I'll implement all OTPme objects (tokens etc.) as ldap objects/attributes some day because this would make it possible to also get them from an external ldap server like openldap. But this also means that I need to create an OTPme schema that can be used with an ldap server like openldap. So I'm not sure if I'll go this road because not everyone can/wants to add a schema extension. Another idea would be to synchronize users from e.g. openldap and add them to OTPme/ldaptor. But all of this is not on my current todo.

Continuous integration is on my todo, but as there are so many things to learn when one wants to learn writing software I haven't found the time yet.

    But as this is just a start there will be more problems to solve I
    guess.


There always are; when I first started using Ldaptor, startTLS was broken, which was a requirement for me to do any work with it.

    One issue I have is that an ldapsearch against ldaptor which
    requests just some attributes instead of all always returns all
    object attributes.
    For example the ldapsearch below returns the complete ldif of each
    found user in ldaptor (tested also with ldiftree.py):
    ldapsearch -H ldap://localhost:8080 -b "ou=users,dc=domain,dc=intern" -w abcd -x '(uid=*)' givenName
    Running the same search against my openldap server, it returns just
    the dn and givenName attributes of each found user.
    Is this a missing feature or do I just miss something in my db class?


Please file an issue on github with an example (ldif entries in a txt file would work) that can be used to test with a real OpenLDAP server. Then the ldapsearch like you provided above and a snippet of your ldaptor code so we can try to reproduce it.

Done: https://github.com/twisted/ldaptor/issues/38

    Another important part I haven't looked at yet is how to implement
    authentication. As OTPme focuses on OTPs I don't want to add any user
    passwords to the ldap tree. The smoothest solution would be to get
    username+OTP from ldaptor to do authentication. Maybe you can give
    me some hints in the right direction? :)

Another issue/question for github; there are others that have spent more time in this area of the codebase.


Done: https://github.com/twisted/ldaptor/issues/39


    And the last question for now is related to the licensing. OTPme is
    licensed under GPLv2. Do I run into any licensing issues when
    using ldaptor with OTPme?


Ldaptor is MIT/Expat licensed; if you would like to commit code then that too must be MIT/Expat, otherwise it won't be accepted. As for using Ldaptor to talk with OTPme, there shouldn't be a license problem as they are two separate applications/services. What exactly is your concern there?

I don't have any special concern. I'm just new to all of this and wanted to make sure it's okay to use ldaptor with GPL'ed software.

And if I ever will (be able to ;)) commit any code to ldaptor I'm fine with the MIT/Expat license. :)


    regards
    the2nd


Cheers,
Bret
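As an added illustration of the attribute-selection behaviour raised in the ldapsearch question above (only the requested `givenName` should come back, not the whole object), here is example code that is not ldaptor's or OTPme's own; the sample entry, the operational-attribute set and the function name are assumptions made for this example.

```python
# Added example (not ldaptor's or OTPme's code): apply the attribute list of an
# LDAP SearchRequest to one entry, which is what the ldapsearch in the thread
# expects (only "givenName" back, not the complete object). Semantics follow
# RFC 4511 section 4.5.1.8; entry contents and names are assumptions.

# Constructed sample entry, modelled on the "ou=users,dc=domain,dc=intern" tree.
SAMPLE_ENTRY = {
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "uid": ["the2nd"],
    "givenName": ["The"],
    "sn": ["Second"],
    "uidNumber": ["2048"],
    "createTimestamp": ["20150502123700Z"],  # operational attribute
}

# Operational attributes are only returned when named explicitly or via "+".
OPERATIONAL = {"createtimestamp", "modifytimestamp", "entryuuid", "entrycsn"}


def select_attributes(entry, requested):
    """Return a copy of `entry` limited to what the client asked for.

    requested is the SearchRequest attribute list:
      []     -> all user attributes (same as ["*"])
      "*"    -> all user attributes
      "+"    -> all operational attributes
      "1.1"  -> no attributes at all (DN only); ignored if other names are given
    Attribute types are matched case-insensitively, as LDAP requires.
    The DN is not part of the entry dict here; the caller always returns it.
    """
    wanted = {name.lower() for name in requested} or {"*"}
    if wanted == {"1.1"}:
        return {}
    wanted.discard("1.1")

    result = {}
    for name, values in entry.items():
        lname = name.lower()
        operational = lname in OPERATIONAL
        if (lname in wanted
                or ("*" in wanted and not operational)
                or ("+" in wanted and operational)):
            # Copy the value list so callers cannot mutate the backend entry.
            result[name] = list(values)
    return result
```

Returning only the requested attributes also limits what a client can learn about an entry, which matters once a directory is exposed read-only as described above.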


_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
