Development #6350

Plan LDAP provisioning from A2 directory

Added by Benjamin Dauvergne over 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: LDAP
Target version:
Start date: 26 Jan 2015
Due date:
% Done: 100%
Patch proposed: No
Planning: No

Description

It should be developed with use of the CAS module in mind.

0001-utils-add-an-helper-function-to-cut-an-iterable-as-b.patch View (1.65 KB) Benjamin Dauvergne, 23 Mar 2015 04:28 PM

0002-utils-add-helper-function-to-lowercase-the-keys-of-a.patch View (972 Bytes) Benjamin Dauvergne, 23 Mar 2015 04:28 PM

0003-utils-add-a-helper-function-to-convert-a-dictionnary.patch View (1.05 KB) Benjamin Dauvergne, 23 Mar 2015 04:28 PM

0004-add-new-application-authentic2_provisionning.patch View (62.6 KB) Benjamin Dauvergne, 23 Mar 2015 04:28 PM

History

#1 Updated by Benjamin Dauvergne over 4 years ago

  • Priority changed from Normal to High

#2 Updated by Benjamin Dauvergne over 4 years ago

  • Target version set to future

#3 Updated by Benjamin Dauvergne over 4 years ago

  • Target version changed from future to 2.1.12

#5 Updated by Benjamin Dauvergne over 4 years ago

  • Target version changed from 2.1.12 to 2.1.13

#6 Updated by Benjamin Dauvergne over 4 years ago

  • File 0003-utils-add-a-helper-function-to-convert-a-dictionnary.patch added
  • File 0001-utils-add-an-helper-function-to-cut-an-iterable-as-b.patch added
  • File 0002-utils-add-helper-function-to-lowercase-the-keys-of-a.patch added
  • File 0004-add-new-application-authentic2_provisionning.patch added

Here is the start of a provisioning application for a2. The application provides just one command, provision. It only targets LDAP directories for now; it allows selecting a group of users (a Django filter can be provided) and creating LDAP records based on their attributes. LDAP records matching a filter but none of the users are deleted; this behaviour can be disabled. All configuration is done through a setting named A2_PROVISIONNING_RESOURCES; an example configuration taken from the unit test is given later.

This patch series also includes the start of a test framework for working with OpenLDAP; the class authentic2_provisionning.ldap_utils.Slapd allows creating a temporary OpenLDAP server and initializing its configuration and its database from scratch. It's currently used to test the provisioning command.

    A2_PROVISIONNING_RESSOURCES = [{
        'name': 'ldap',
        'url': self.slapd.ldapi_url,
        'bind_dn': 'uid=admin,o=orga',
        'bind_pw': 'admin',
        'base_dn': 'o=orga',
        'rdn_attributes': ['uid',],
        'attribute_mapping': {
            'uid': 'django_user_username',
            'givenName': 'django_user_first_name',
            'sn': 'django_user_last_name',
            'mail': 'django_user_email',
        },
        'format_mapping': {
            'cn': ['{django_user_first_name} {django_user_last_name}'],
        },
        'static_attributes': {
            'objectclass': 'inetorgperson',
        },
        'ldap_filter': '(objectclass=inetorgperson)',
    }]

The goal is to extend this script to other databases like SQL, SCIM in the future and to allow creating resource instances from the manager.

This is lightweight provisioning; the goal is not to handle complex use cases needing user workflows or validation.
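The record-building and cleanup behaviour described in the comment above, sketched as an added example; it is not code from the attached patches. The function names, the `delete_orphans` flag, the sample users and the case-insensitive DN comparison are assumptions; the mapping keys come from the configuration shown in the comment. The second user shows why values placed in the RDN need escaping before the DN is assembled.

```python
# Added illustration, not code from the authentic2 patches. Function names and
# the delete_orphans flag are hypothetical; users and DNs below are constructed.
RESOURCE = {
    'base_dn': 'o=orga',
    'rdn_attributes': ['uid'],
    'attribute_mapping': {'uid': 'django_user_username',
                          'givenName': 'django_user_first_name',
                          'sn': 'django_user_last_name',
                          'mail': 'django_user_email'},
    'format_mapping': {'cn': ['{django_user_first_name} {django_user_last_name}']},
    'static_attributes': {'objectclass': 'inetorgperson'},
}
USERS = [
    {'django_user_username': 'jdoe', 'django_user_first_name': 'John',
     'django_user_last_name': 'Doe', 'django_user_email': 'jdoe@example.org'},
    {'django_user_username': 'smith,anna', 'django_user_first_name': 'Anna',
     'django_user_last_name': 'Smith', 'django_user_email': 'anna@example.org'},
]

def escape_dn_value(value):
    """Hex-escape RFC 4514 special characters so a value cannot alter the DN."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=\x00'
        edge = (i == 0 and ch in ' #') or (i == last and ch == ' ')
        out.append('\\%02x' % ord(ch) if special or edge else ch)
    return ''.join(out)

def build_entry(resource, user):
    """Return (dn, attributes) for one user, applying the three mappings."""
    attrs = {}
    for name, source in resource['attribute_mapping'].items():
        if user.get(source):
            attrs[name] = [user[source]]
    for name, templates in resource['format_mapping'].items():
        attrs[name] = [t.format(**user) for t in templates]
    for name, value in resource['static_attributes'].items():
        attrs[name] = [value]
    rdn = '+'.join('%s=%s' % (a, escape_dn_value(attrs[a][0]))
                   for a in resource['rdn_attributes'])
    return '%s,%s' % (rdn, resource['base_dn']), attrs

def plan(resource, users, existing_dns, delete_orphans=True):
    """existing_dns: DNs already matching ldap_filter. Returns (add, delete)."""
    wanted = set(build_entry(resource, u)[0].lower() for u in users)
    existing = set(dn.lower() for dn in existing_dns)  # simplified DN matching
    to_delete = sorted(existing - wanted) if delete_orphans else []
    return sorted(wanted - existing), to_delete
```

Because everything matched by `ldap_filter` and not backed by a selected user ends up in the delete list, a filter that is broader than the provisioned population removes unrelated entries; reviewing the plan before applying it is a cheap safeguard.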

#7 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from New to Solution deployed

#8 Updated by Thomas Noël over 4 years ago

Ack for 1 and 2. In 3, please use dict() instead of dict comprehension (python 2.6).

#9 Updated by Thomas Noël over 4 years ago

patch 4, about app_settings and ldap_utils.py:

  • app_settings.py: comment with "pgt" is not very clear...
  • ldap_utils.py: line 22 "PATHS" in global...? In fact, I think SLAPD_PATH and SLAPADD_PATH should be in app_settings
  • time.sleep(0) ...?
I've just started to read management/commands/provision.py:
  • s/juste/just/ because we don't speak French
  • well... that's all for today...

#10 Updated by Benjamin Dauvergne over 4 years ago

Thomas Noël wrote:

patch 4, about app_settings and ldap_utils.py:

  • app_settings.py: comment with "pgt" is not very clear...

Ok.

  • ldap_utils.py: line 22 "PATHS" in global...? In fact, I think SLAPD_PATH and SLAPADD_PATH should be in app_settings

It's only used by tests, the goal is for the test to run easily on any platform.

  • time.sleep(0) ...?

There is a comment to explain: it forces the process to yield to the kernel so that slapd has a chance to initialize; it's cooperative multiprocessing :)

I've just started to read management/commands/provision.py:
  • s/juste/just/ because we don't speak French

Ok.

#11 Updated by Benjamin Dauvergne over 4 years ago

  • File deleted (0001-utils-add-an-helper-function-to-cut-an-iterable-as-b.patch)

#12 Updated by Benjamin Dauvergne over 4 years ago

  • File deleted (0002-utils-add-helper-function-to-lowercase-the-keys-of-a.patch)

#13 Updated by Benjamin Dauvergne over 4 years ago

  • File deleted (0003-utils-add-a-helper-function-to-convert-a-dictionnary.patch)

#14 Updated by Benjamin Dauvergne over 4 years ago

  • File deleted (0004-add-new-application-authentic2_provisionning.patch)

#16 Updated by Benjamin Dauvergne over 4 years ago

  • Target version changed from 2.1.13 to 2.2.0

#17 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from Solution deployed to Resolved (to be deployed)

#18 Updated by Benjamin Dauvergne over 4 years ago

  • % Done changed from 0 to 100

#19 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from Resolved (to be deployed) to In progress

#20 Updated by Thomas Noël over 4 years ago

On rereading, everything looks OK to me; however, I wonder whether a name like "authentic2_ldap_provisionning" would be preferable to plain "authentic2_provisionning"... But if the plan is to eventually have other provisioning tools in it, let's leave it as is (perhaps then rename the command to ldap-provisionning or even openldap-provisionning)?

Apart from this detail, which may be judged important, it's an "ack".

#21 Updated by Benjamin Dauvergne over 4 years ago

Yes, that's more or less the idea, but given the state of the code I would rather rename it to ldap-provisionning for now, at least the command.

#22 Updated by Thomas Noël over 4 years ago

Just noting for confirmation or clarification: renaming the command to ldap-provisionning is perfectly fine with me.

#23 Updated by Benjamin Dauvergne about 4 years ago

  • Priority changed from High to Normal

#24 Updated by Benjamin Dauvergne about 4 years ago

  • Status changed from In progress to Closed

#25 Updated by Benjamin Dauvergne about 4 years ago

  • Status changed from Closed to Solution deployed

#26 Updated by Benjamin Dauvergne about 4 years ago

  • Status changed from Solution deployed to Closed
