LDAP integration for cone.app

Project description

Plugin for cone.app providing LDAP integration.

Features

  • LDAP access via node.ext.ldap

  • Application integration into cone.app

  • Integration into cone.ugm

  • POSIX support

  • Samba support

Development Setup

Prerequisites

lxml, python-ldap and openldap get compiled during installation, so the required development headers must be installed on the system.

On Debian-based systems, install:

$ apt-get install -y libxml2-dev libxslt1-dev
$ apt-get install -y libsasl2-dev libssl-dev libdb-dev

Installation

cone.ldap contains a buildout configuration. Download or check out the package and run:

cone.ldap$ ./bootstrap.sh python3

Start the test LDAP server with the appropriate LDIF layer:

cone.ldap$ ./bin/testldap start groupOfNames_10_10

Start the application:

cone.ldap$ ./bin/pserve cfg/gon_10_10/ldap_gon_10_10.ini

and browse http://localhost:8081/. Default admin user password is admin.

The “roles” behavior in the principal form is only displayed if roles configuration is sane. The LDIF imported for test layer does not provide the roles container by default. Browse “Settings -> LDAP Roles” and perform “create roles container” action if you want to enable roles in the demo.

Note: If python_ldap fails, don’t use buildout offline mode!

Configuration and Customization

General

For customizing the plugin, make an integration package and include it in your setup.

Application configuration

To define the LDAP related configuration locations, provide the following settings in your application ini file.

# LDAP UGM backend activation
ugm.backend = ldap

# Basic LDAP server configuration
ldap.server_config = /path/to/ldap_server.xml

# LDAP UGM backend related configuration
ldap.users_config = /path/to/ldap_users.xml
ldap.groups_config = /path/to/ldap_groups.xml
ldap.roles_config = /path/to/ldap_roles.xml

Examples of these configuration files can be found in the cfg folder of the source package.
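A preflight check for the settings above, as an added example that is not part of cone.ldap. It assumes the referenced XML files may hold sensitive data such as bind credentials, that paths may use the `%(here)s` placeholder common in pserve ini files, and that files open to "other" or writable by group should be flagged (an assumed policy).

```python
import configparser
import os
import stat

# Setting names taken from the ini snippet above.
LDAP_PATH_KEYS = (
    'ldap.server_config',
    'ldap.users_config',
    'ldap.groups_config',
    'ldap.roles_config',
)
# Assumed policy: no access for "other", no write access for group.
TOO_OPEN = stat.S_IWGRP | stat.S_IRWXO


def check_ldap_settings(ini_path):
    """Return a list of findings for the LDAP settings of an application ini."""
    # interpolation=None: logging sections contain '%(asctime)s' style values
    # that the default interpolation would reject.
    parser = configparser.ConfigParser(interpolation=None)
    if not parser.read(ini_path):
        return ['%s: cannot read ini file' % ini_path]
    here = os.path.dirname(os.path.abspath(ini_path))
    settings = {}
    for section in parser.sections():
        settings.update(parser.items(section))
    findings = []
    if settings.get('ugm.backend') != 'ldap':
        findings.append('ugm.backend: LDAP backend is not activated')
    for key in LDAP_PATH_KEYS:
        # Assumption: '%(here)s' stands for the directory of the ini file.
        path = settings.get(key, '').replace('%(here)s', here)
        if not path:
            findings.append('%s: not configured' % key)
            continue
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append('%s: %s does not exist' % (key, path))
            continue
        if not stat.S_ISREG(mode):
            findings.append('%s: %s is not a regular file' % (key, path))
        elif mode & TOO_OPEN:
            findings.append('%s: %s has mode %o, expected 0640 or stricter'
                            % (key, path, stat.S_IMODE(mode)))
    return findings
```

An empty list means all four files exist and are not accessible beyond owner and group read.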

UGM Default values and default value callbacks

Depending on the LDAP object classes used for users and groups, more or fewer attributes are required for the entries. Not all of these attributes should necessarily be visible to the user, and some might need to be computed. Therefore the plugin supports default values and default value callbacks.

Default values and callbacks are registered via factory_defaults.users, factory_defaults.groups and factory_defaults.roles.

from cone.ldap.settings import factory_defaults

The factory defaults can be static values.

factory_defaults.user['someField'] = '12345'

Default value callbacks get the principal node and id as arguments.

def some_field_callback(node, id):
    return 'some computed value'

factory_defaults.user['someField'] = some_field_callback
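A fuller callback, as an added example that is not code from cone.ldap: it derives `homeDirectory` from the principal id and rejects ids that are unsafe as a path component. `LOGIN_NAME`, `HOME_BASE`, `resolve_defaults` and `user_defaults` are hypothetical names; `user_defaults` stands in for `factory_defaults.user` so the block runs without the plugin installed.

```python
import posixpath
import re

# Assumed site policy for login names; cone.ldap does not prescribe one.
LOGIN_NAME = re.compile(r'[a-z_][a-z0-9_-]{0,31}')
HOME_BASE = '/home'  # assumed base directory


def home_directory(node, id):
    """Default value callback deriving homeDirectory from the principal id.

    The id comes from the principal form, so it is validated before it is
    used as a path component ('../x' or 'a/b' must not reach the directory).
    """
    if not LOGIN_NAME.fullmatch(id):
        raise ValueError('principal id %r is not usable as a directory name' % id)
    return posixpath.join(HOME_BASE, id)


def resolve_defaults(defaults, node, id):
    """Hypothetical helper showing the two kinds of entries side by side:
    callables are called with (node, id), anything else is used as is."""
    return {
        name: value(node, id) if callable(value) else value
        for name, value in defaults.items()
    }


# Stand-in for factory_defaults.user so the example runs without cone.ldap.
# In an integration package the same entries are assigned to
# factory_defaults.user instead.
user_defaults = {
    'loginShell': '/usr/sbin/nologin',   # static value
    'homeDirectory': home_directory,     # computed per principal
}
```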

Samba support

Example configuration to enable samba support.

from cone.ldap.settings import factory_defaults
from node.ext.ldap.ugm import posix
from node.ext.ldap.ugm import shadow
from node.ext.ldap.ugm import samba

samba.SAMBA_LOCAL_SID = 'S-1-5-21-1234567890-1234567890-1234567890'
samba.SAMBA_DEFAULT_DOMAIN = 'yourdomain'
samba.SAMBA_PRIMARY_GROUP_SID = 'S-1-5-21-1234567890-1234567890-1234567890-123'

user = factory_defaults.user
user['gidNumber'] = posix.memberGid
user['loginShell'] = posix.loginShell
user['shadowFlag'] = shadow.shadowFlag
user['shadowMin'] = shadow.shadowMin
user['shadowMax'] = shadow.shadowMax
user['shadowWarning'] = shadow.shadowWarning
user['shadowInactive'] = shadow.shadowInactive
user['shadowLastChange'] = shadow.shadowLastChange
user['shadowExpire'] = shadow.shadowExpire
user['sambaSID'] = samba.sambaUserSID
user['sambaDomainName'] = samba.sambaDomainName
user['sambaPrimaryGroupSID'] = samba.sambaPrimaryGroupSID
user['sambaAcctFlags'] = samba.sambaAcctFlags
user['sambaPwdLastSet'] = samba.sambaPwdLastSet

group = factory_defaults.group
group['memberUid'] = posix.memberUid

Contributors

  • Robert Niederreiter (Author)

Changes

0.2 (2022-12-05)

  • Move users_expires_attr and users_expires_unit settings from cone.ugm, since they always have been used only for LDAP UGM backend.

0.1 (2020-07-09)

  • Initial release.

License

Copyright (c) 2019-2021, BlueDynamics Alliance, Austria

Copyright (c) 2021-2022, Cone Contributors

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
