Development #6350
Plan LDAP provisioning from A2 directory
100%
Description
It should be developed with use of the CAS module in mind.
Files
History
Updated by Benjamin Dauvergne almost 8 years ago
- File 0001-utils-add-an-helper-function-to-cut-an-iterable-as-b.patch added
- File 0002-utils-add-helper-function-to-lowercase-the-keys-of-a.patch added
- File 0003-utils-add-a-helper-function-to-convert-a-dictionnary.patch added
- File 0004-add-new-application-authentic2_provisionning.patch added
Here is the start of a provisioning application for a2. The application provides just one command, provision. It only targets LDAP directories for now; it allows selecting a group of users (a Django filter can be provided) and creating LDAP records based on their attributes. LDAP records matching a filter but none of the users are deleted; this behaviour can be disabled. All configuration is done through a setting named A2_PROVISIONNING_RESOURCES; an example configuration taken from the unit test is given later.
This patch series also includes the start of a test framework for working with OpenLDAP; the class authentic2_provisionning.ldap_utils.Slapd allows creating a temporary OpenLDAP server to initialize its configuration and its database from scratch. It's currently used to test the provisioning command.
A2_PROVISIONNING_RESSOURCES = [{
    'name': 'ldap',
    'url': self.slapd.ldapi_url,
    'bind_dn': 'uid=admin,o=orga',
    'bind_pw': 'admin',
    'base_dn': 'o=orga',
    'rdn_attributes': ['uid',],
    'attribute_mapping': {
        'uid': 'django_user_username',
        'givenName': 'django_user_first_name',
        'sn': 'django_user_last_name',
        'mail': 'django_user_email',
    },
    'format_mapping': {
        'cn': ['{django_user_first_name} {django_user_last_name}'],
    },
    'static_attributes': {
        'objectclass': 'inetorgperson',
    },
    'ldap_filter': '(objectclass=inetorgperson)',
}]
The goal is to extend this script to other databases like SQL, SCIM in the future and to allow creating resource instances from the manager.
This is lightweight provisioning, the goal is not to handle complex use cases needing user workflows or validation.
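As an added illustration (not code from the attached patches), the sketch below shows one way a settings entry like the one quoted above could be turned into LDAP entries and an add/delete plan; the function names, the sample users and the lowercase DN comparison are assumptions. It escapes RDN values per RFC 4514, since Django usernames may contain `+`, and it makes the deletion set explicit, because every record returned by the filter that matches no selected user is removed unless that behaviour is disabled.

```python
# Added illustration; names and sample data are assumptions, not the patch's code.
RESOURCE = {  # subset of the settings entry quoted in the post
    'base_dn': 'o=orga',
    'rdn_attributes': ['uid'],
    'attribute_mapping': {'uid': 'django_user_username', 'mail': 'django_user_email',
                          'givenName': 'django_user_first_name', 'sn': 'django_user_last_name'},
    'format_mapping': {'cn': ['{django_user_first_name} {django_user_last_name}']},
    'static_attributes': {'objectclass': 'inetorgperson'},
}

def escape_rdn_value(value):
    """Escape a value for use inside a DN (RFC 4514 string form)."""
    out = ''.join('\\' + c if c in '"+,;<>\\' else c for c in value)
    out = out.replace('\x00', '\\00')
    if out.endswith(' '):          # a trailing space must be escaped
        out = out[:-1] + '\\ '
    if out[:1] in (' ', '#'):      # so must a leading space or '#'
        out = '\\' + out
    return out

def build_entry(resource, user):
    """Return (dn, attributes) for one user's attribute dictionary."""
    attrs = {}
    for ldap_attr, source in resource['attribute_mapping'].items():
        if user.get(source):
            attrs[ldap_attr] = [user[source]]
    for ldap_attr, templates in resource['format_mapping'].items():
        attrs[ldap_attr] = [t.format(**user) for t in templates]
    for ldap_attr, value in resource['static_attributes'].items():
        attrs[ldap_attr] = [value]
    rdn = '+'.join('%s=%s' % (a, escape_rdn_value(attrs[a][0]))
                   for a in resource['rdn_attributes'])
    return '%s,%s' % (rdn, resource['base_dn']), attrs

def plan(resource, users, existing_dns, delete=True):
    """Return (DNs to add, DNs to delete); DNs are compared in lowercase only."""
    wanted = set(build_entry(resource, u)[0].lower() for u in users)
    existing = set(dn.lower() for dn in existing_dns)
    return sorted(wanted - existing), (sorted(existing - wanted) if delete else [])

# Constructed sample data: the second username contains the RDN separator '+'.
USERS = [
    {'django_user_username': 'jdoe', 'django_user_first_name': 'John',
     'django_user_last_name': 'Doe', 'django_user_email': 'jdoe@example.org'},
    {'django_user_username': 'j.smith+ext', 'django_user_first_name': 'Jane',
     'django_user_last_name': 'Smith', 'django_user_email': 'jsmith@example.org'},
]
EXISTING = ['uid=jdoe,o=orga', 'uid=old,o=orga']  # constructed: DNs the filter search returned
```

Running `plan(RESOURCE, USERS, EXISTING)` before any write shows exactly which records a broad `ldap_filter` would cause to be deleted.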
Updated by Benjamin Dauvergne almost 8 years ago
- Status changed from New to Solution deployed
Updated by Thomas Noël almost 8 years ago
Ack for 1 and 2. In 3, please use dict() instead of dict comprehension (python 2.6).
Updated by Thomas Noël almost 8 years ago
patch 4, about app_settings and ldap_utils.py:
- app_settings.py: comment with "pgt" is not very clear...
- ldap_utils.py: line 22 "PATHS" in global...? In fact, I think SLAPD_PATH and SLAPADD_PATH should be in app_settings
- time.sleep(0) ...?
- s/juste/just/ because we don't speak French
- well... that's all for today...
Updated by Benjamin Dauvergne almost 8 years ago
Thomas Noël wrote:
patch 4, about app_settings and ldap_utils.py:
- app_settings.py: comment with "pgt" is not very clear...
Ok.
- ldap_utils.py: line 22 "PATHS" in global...? In fact, I think SLAPD_PATH and SLAPADD_PATH should be in app_settings
It's only used by tests, the goal is for the test to run easily on any platform.
- time.sleep(0) ...?
There is a comment to explain: it forces the process to yield to the kernel so that slapd has a chance to initialize; it's cooperative multiprocessing :)
I've just started to read management/commands/provision.py:
- s/juste/just/ because we don't speak French
Ok.
Updated by Benjamin Dauvergne almost 8 years ago
- File deleted (0001-utils-add-an-helper-function-to-cut-an-iterable-as-b.patch)
Updated by Benjamin Dauvergne almost 8 years ago
- File deleted (0002-utils-add-helper-function-to-lowercase-the-keys-of-a.patch)
Updated by Benjamin Dauvergne almost 8 years ago
- File deleted (0003-utils-add-a-helper-function-to-convert-a-dictionnary.patch)
Updated by Benjamin Dauvergne almost 8 years ago
- File deleted (0004-add-new-application-authentic2_provisionning.patch)
Updated by Benjamin Dauvergne almost 8 years ago
- File 0001-utils-add-an-helper-function-to-cut-an-iterable-as-b.patch added
- File 0002-utils-add-helper-function-to-lowercase-the-keys-of-a.patch added
- File 0003-utils-add-a-helper-function-to-convert-a-dictionnary.patch added
- File 0004-add-new-application-authentic2_provisionning.patch added
Updated by Benjamin Dauvergne almost 8 years ago
- Status changed from Solution deployed to Resolved (to be deployed)
Updated by Benjamin Dauvergne almost 8 years ago
- Status changed from Resolved (to be deployed) to In progress
Updated by Thomas Noël over 7 years ago
On rereading, everything seems OK to me; however, I wonder whether a name like "authentic2_ldap_provisionning" would not be preferable to plain "authentic2_provisionning"... But if the plan is to eventually have other provisioning tools in it, let's leave it as is (perhaps then rename the command ldap-provisionning or even openldap-provisionning)?
Apart from this detail, which may be considered important, it's an "ack".
Updated by Benjamin Dauvergne over 7 years ago
Yes, that's roughly the idea, but given the state of the code I would rather rename it to ldap-provisionning for now, at least the command.
Updated by Thomas Noël over 7 years ago
I'm just noting for confirmation or clarification: renaming the command to ldap-provisionning suits me very well.