Build your LDAP Web Interface with LinID Directory Manager
Clément OUDOT
Table of contents
LDAP graphical interfaces
LinID Directory Manager
Résumé
Clément OUDOT
Engineer since 2003 at LINAGORA company
LinID Dream Team Manager: http://linid.org
Founder of LDAP Tool Box project: http://ltb-project.org
Leader of LemonLDAP::NG project: http://lemonldap-ng.org
Interfaces
Administration tools
Command line interface (CLI):
– ldapsearch, ldapmodify
– ldapvi
– Perl scripts (Net::LDAP)
Standalone clients:
– Jxplorer, LDAP browser
– Apache Directory Studio
Web interfaces:
– phpLDAPadmin
– web2ldap
Apache Directory Studio
LDAP directory management interfaces
In the proprietary world:
– Calendra Directory Manager (Calendra)
– Meibo (Ilex)
– Some Identity Managers (Oracle, Novell, etc.)
In the free software world:
– LDAP Account Manager
– ldapSaisie
– FusionDirectory (ex GOSA)
– LinID Directory Manager
– OpenIDM (ForgeRock)
– Janua white pages
90% of deployments: self-made applications
Main features
Screen modelling (HTML templates)
Specific displayer and editor for each attribute
Tag choice and internationalization
Authorization management with profiles
No data adaptation needed
LinID Directory Manager
History
Development started at UPMC in 2002. The first version was in PHP and was quickly rewritten in Java. The software was called MetaLDAP
Open Source release in 2003, under the name InterLDAP
Became an ObjectWeb project in 2006, inside the FederID project
LinID was created in 2008; the software became LinID Content Manager, then LinID Directory Manager
The project is now hosted by Linagora and released under AGPLv3
Built with free software
LinID Directory Manager is a web framework built upon:
– Tapestry 5
– Spring, Spring LDAP
– Maven
– Xstream
– Rhino
– Ehcache
– jQuery, jQuery UI
Technical overview
Extended schema
Based on the LDAP technical schema (object classes, attributes)
Overrides some technical definitions (multi-valued or not, mandatory/optional)
Adds a lot of new definitions:
– Labels
– Default value
– Visibility in creation/consultation/search
– Allowed values
– Type of displayer/editor
Extended schema

<entry>
  <string>givenName</string>
  <attributedefinition>
    <attributeName>givenName</attributeName>
    <type>string</type>
    <oid>2.5.4.42</oid>
    <description>'RFC2256: first name(s) for which the entity is known by'</description>
    <largeLabel xml:lang="en">Givenname</largeLabel>
    <largeLabel xml:lang="fr">Prénom</largeLabel>
    <printLabel xml:lang="en">Givenname</printLabel>
    <printLabel xml:lang="fr">Prenom</printLabel>
    <shortLabel xml:lang="en">Givenname</shortLabel>
    <shortLabel xml:lang="fr">Prénom</shortLabel>
    <precedence>15</precedence>
    <possibleValues>
      <null/>
    </possibleValues>
    <visible>true</visible>
    <multiValued>false</multiValued>
    <mandatory>true</mandatory>
    <filtrable>true</filtrable>
    <chosenInList>false</chosenInList>
    <operators>
      <operator>CONTAINS</operator>
    </operators>
    <shownAtCreation>true</shownAtCreation>
  </attributedefinition>
</entry>
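As an added illustration (not code from LinID Directory Manager), the following Python reads attribute definitions of the shape shown above and enforces the parts a web interface must check before touching the directory: mandatory and multiValued on submitted values, filtrable plus the declared operators on search filters, and largeLabel selection by language. The second definition (mail) is constructed to exercise the multi-valued path.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's givenName definition; mail is invented.
EXTENDED_SCHEMA = """<extendedSchema>
<entry><string>givenName</string><attributedefinition>
 <attributeName>givenName</attributeName><type>string</type>
 <largeLabel xml:lang="en">Givenname</largeLabel><largeLabel xml:lang="fr">Prénom</largeLabel>
 <multiValued>false</multiValued><mandatory>true</mandatory>
 <filtrable>true</filtrable><operators><operator>CONTAINS</operator></operators>
</attributedefinition></entry>
<entry><string>mail</string><attributedefinition>
 <attributeName>mail</attributeName><type>string</type>
 <largeLabel xml:lang="en">E-mail</largeLabel>
 <multiValued>true</multiValued><mandatory>false</mandatory>
 <filtrable>true</filtrable><operators><operator>EQUALS</operator></operators>
</attributedefinition></entry>
</extendedSchema>"""
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # ElementTree's key for xml:lang

def load_definitions(xml_text):
    """Map attribute name -> the definition fields the interface enforces."""
    defs = {}
    for ad in ET.fromstring(xml_text).iter("attributedefinition"):
        defs[ad.findtext("attributeName")] = {
            "mandatory": ad.findtext("mandatory") == "true",
            "multiValued": ad.findtext("multiValued") == "true",
            "filtrable": ad.findtext("filtrable") == "true",
            "operators": [o.text for o in ad.iter("operator")],
            "labels": {lb.get(XML_LANG): lb.text for lb in ad.iter("largeLabel")},
        }
    return defs

def validate_entry(defs, entry):
    """Return the violations for entry {attr: [values]}; [] means it is acceptable."""
    problems = []
    for name, d in defs.items():
        values = [v for v in entry.get(name, []) if v]  # ignore empty form fields
        if d["mandatory"] and not values:
            problems.append(f"{name}: mandatory attribute is missing")
        if not d["multiValued"] and len(values) > 1:
            problems.append(f"{name}: single-valued attribute has {len(values)} values")
    return problems

def search_allowed(defs, name, operator):
    # A search filter needs filtrable=true and an operator declared for the attribute.
    d = defs.get(name)
    return bool(d) and d["filtrable"] and operator in d["operators"]

def label(defs, name, lang, fallback="en"):
    """largeLabel for the requested language, falling back to English, then the name."""
    return defs[name]["labels"].get(lang) or defs[name]["labels"].get(fallback) or name
```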
Authorization
Authorization is based on:
– The relation between the current user and the target entry
– The attributes concerned
– The type of operation
The relation is expressed through LDAP Query Language (LQL), a specific syntax for querying LDAP directories much as SQL queries databases
Authorization

<bean id="localadmin_users_manage" class="org.linid.dm.authorization.lql.LqlTextRule" scope="prototype">
  <property name="name" value="localadmin_users_manage" />
  <property name="description" value="Manage users" />
  <property name="module" value="" />
  <property name="relation">
    <value><![CDATA[
      ldap.read( principalDN, "ssoRoles=${ldap.role.localadministrator.dn}");
    ]]></value>
  </property>
  <property name="targetDn" value="${ldap.user.dn}" />
  <property name="rights" value="Wd" />
  <property name="attributes">
    <list>
      <value>uid</value>
      <value>cn</value>
      <value>sn</value>
      <value>givenName</value>
      <value>telephoneNumber</value>
      <value>facsimileTelephoneNumber</value>
      <value>departmentNumber</value>
      <value>o</value>
      <value>ou</value>
      <value>mail</value>
      <value>ssoRoles</value>
      <value>ssoLogonHours</value>
      <value>userPassword</value>
      <value>photo</value>
      <value>entry</value>
    </list>
  </property>
</bean>
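The decision that rule encodes, worked through in Python as an added example (not LinID's evaluator): the principal must satisfy the ldap.read relation, the target must lie in the branch named by targetDn, the operation must be granted by rights, and the attribute must be in the list, otherwise the request is denied. The directory content, the resolved values of the ${...} placeholders, the branch semantics of targetDn and the one-letter-per-operation reading of "Wd" are all assumptions made for the example.

```python
# Constructed directory: DN -> attributes (every value as a list).
ROLE_LOCALADMIN = "cn=localadministrator,ou=roles,dc=example,dc=com"
USER_BASE = "ou=users,dc=example,dc=com"
DIRECTORY = {
    f"uid=jsmith,{USER_BASE}": {"ssoRoles": [ROLE_LOCALADMIN]},  # local administrator
    f"uid=jbar,{USER_BASE}": {"ssoRoles": []},                   # plain user
}

# The localadmin_users_manage rule from the slide, ${...} placeholders resolved (assumed values).
RULE = {
    "relation": ("ssoRoles", ROLE_LOCALADMIN),  # ldap.read(principalDN, "ssoRoles=...")
    "targetDn": USER_BASE,                      # ${ldap.user.dn}
    "rights": "Wd",
    "attributes": {"uid", "cn", "sn", "givenName", "telephoneNumber",
                   "facsimileTelephoneNumber", "departmentNumber", "o", "ou", "mail",
                   "ssoRoles", "ssoLogonHours", "userPassword", "photo", "entry"},
}

def ldap_read(dn, attr, value):
    """Stand-in for LQL ldap.read(dn, "attr=value"): does the entry at dn match the filter?"""
    entry = DIRECTORY.get(dn)
    return entry is not None and value in entry.get(attr, [])

def is_under(dn, base):
    """Assumption: targetDn names a branch and the rule covers entries beneath it."""
    dn, base = dn.lower(), base.lower()  # DNs compare case-insensitively
    return dn == base or dn.endswith("," + base)

def authorize(rule, principal_dn, target_dn, right, attribute):
    """Grant only if relation, target, right and attribute all match.
    Assumption: each character of 'rights' is one permitted operation letter."""
    attr, value = rule["relation"]
    if not ldap_read(principal_dn, attr, value):
        return False  # principal does not hold the required role
    if not is_under(target_dn, rule["targetDn"]):
        return False  # target entry lies outside the governed branch
    if right not in rule["rights"]:
        return False  # operation not granted by this rule
    return attribute in rule["attributes"]  # unlisted attributes (e.g. objectClass) stay denied
```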
LinID Directory Manager sample
A demonstration application is provided with the framework
It includes an in-memory directory (OpenDJ) with the following accounts:
– jdoe/secret : super administrator
– jsmith/secret : local administrator
– jbar/secret : user
Runs in Tomcat or Jetty
Launch it from the sources:
$ mvn -Popends jetty:run
Demonstration
How to build your own application
Know what you want:
– Which data should be managed in the interface
– Who can do what
Import the sample application in Eclipse
Generate the extended schema with the script eschemaGenerator.pl
Prepare your fingers to edit XML: Spring configuration, extended schema, authorization rules
Redesign the templates
Example: UPMC
Example: Agriculture French Ministry
Example: LinID OBM Manager
Example: LinID OpenLDAP Manager
Almost the end...
Thanks
Special thanks to:
– LDAPCon!
– Company LINAGORA
– All LinID developers
Keep in touch:
– Identica: @coudot
– Twitter: @clementoudot @LinID_FOSS
– IRC: KPTN #LinID@freenode
– Web: http://linid.org
Thanks!