LinID Directory Manager - RMLL Directory Manager OpenIDM (ForgeRock)
Transcript of LinID Directory Manager - RMLL Directory Manager OpenIDM (ForgeRock)
LinID Directory Manager
Clément OUDOT
RMLL 2013
Table of contents
● LDAP Directories
● LDAP graphical interfaces
● LinID Directory Manager
Resume
Clément OUDOT
● Engineer since 2003 at LINAGORA company
● LinID Dream Team Manager: http://linid.org
● Founder of LDAP Tool Box project: http://ltb-project.org
● Leader of LemonLDAP::NG project: http://lemonldap-ng.org
LDAP directories
LDAP protocol
● Defined by standards (RFC)
● LDAPv2 in 1995, LDAPv3 in 1997
● TCP/IP, LBER, ASN.1
● 9 core operations, and extended operations
● The schema defines object classes, attributes, syntaxes and matching rules
● Data organized hierarchically (tree)
Directory Information Tree
(Diagram: a tree rooted at dc=linid,dc=org with the branches ou=people, ou=groups and ou=structures, and leaf entries such as uid=coudot and cn=admin.)
Entry / Attribute / Value
(Diagram: an entry is made of attributes, and each attribute holds one or more values.)
Interfaces
Administration tools
● Command line interface (CLI):
  ● ldapsearch, ldapmodify
  ● ldapvi
  ● Perl scripts (Net::LDAP)
● Standalone clients:
  ● Jxplorer, LDAP browser
  ● Apache Directory Studio
● Web interfaces:
  ● phpLDAPadmin
  ● web2ldap
Apache Directory Studio
LDAP directory management interfaces
● In the proprietary world:
  ● Calendra Directory Manager (Calendra)
  ● Meibo (Ilex)
  ● Some Identity Managers (Oracle, Novell, etc.)
● In the free software world:
  ● LDAP Account Manager
  ● ldapSaisie
  ● FusionDirectory (ex GOSA)
  ● LinID Directory Manager
  ● OpenIDM (ForgeRock)
  ● Janua white pages
● 90% of deployments: self-made applications
Main features
● Screen modelling (HTML templates)
● Specific displayer and editor for each attribute
● Tag choice and internationalization
● Authorization management with profiles
● No data adaptation needed
LinID Directory Manager
History
● Development started at UPMC in 2002. The first version was in PHP, quickly rewritten in Java. The software was called MetaLDAP
● Open Source release in 2003, under the name InterLDAP
● Became an ObjectWeb project in 2006 inside the FederID project
● Creation of LinID in 2008: it became LinID Content Manager and then LinID Directory Manager
● The project is now hosted by Linagora and released under AGPLv3
Built with free software
● LinID Directory Manager is a web framework built upon:
  ● Tapestry 5
  ● Spring, Spring LDAP
  ● Maven
  ● XStream
  ● Rhino
  ● Ehcache
  ● jQuery, jQuery UI
Technical overview
Extended schema
● Based on the LDAP technical schema (object classes, attributes)
● Overrides some technical definitions (multi-valuation, mandatory/optional)
● Adds a lot of new definitions:
  ● Labels
  ● Default value
  ● Visibility in creation/consultation/search
  ● Allowed values
  ● Type of displayer/editor
Extended schema

  <entry>
    <string>givenName</string>
    <attributedefinition>
      <attributeName>givenName</attributeName>
      <type>string</type>
      <oid>2.5.4.42</oid>
      <description>'RFC2256: first name(s) for which the entity is known by'</description>
      <largeLabel xml:lang="en">Givenname</largeLabel>
      <largeLabel xml:lang="fr">Prénom</largeLabel>
      <printLabel xml:lang="en">Givenname</printLabel>
      <printLabel xml:lang="fr">Prenom</printLabel>
      <shortLabel xml:lang="en">Givenname</shortLabel>
      <shortLabel xml:lang="fr">Prénom</shortLabel>
      <precedence>15</precedence>
      <possibleValues>
        <null/>
      </possibleValues>
      <visible>true</visible>
      <multiValued>false</multiValued>
      <mandatory>true</mandatory>
      <filtrable>true</filtrable>
      <chosenInList>false</chosenInList>
      <operators>
        <operator>CONTAINS</operator>
      </operators>
      <shownAtCreation>true</shownAtCreation>
    </attributedefinition>
  </entry>
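A reader for the extended-schema entry above, written as an added example (not LinID's own code): it parses one <entry> with Python's ElementTree and applies the mandatory, multiValued, possibleValues, filtrable and operators settings to candidate values. The trimmed sample XML and the exact enforcement semantics are assumptions.

```python
"""Parse one <entry> of the LinID extended schema and check attribute values
against it. Added example, not LinID's own code: how mandatory, multiValued,
possibleValues, filtrable and operators are enforced is an assumed reading."""
import xml.etree.ElementTree as ET

XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # ET's key for xml:lang
# Constructed sample: the givenName definition from the slide, trimmed.
SCHEMA_XML = """<entry>
  <string>givenName</string>
  <attributedefinition>
    <attributeName>givenName</attributeName>
    <largeLabel xml:lang="en">Givenname</largeLabel>
    <largeLabel xml:lang="fr">Prénom</largeLabel>
    <possibleValues><null/></possibleValues>
    <multiValued>false</multiValued>
    <mandatory>true</mandatory>
    <filtrable>true</filtrable>
    <operators><operator>CONTAINS</operator></operators>
  </attributedefinition>
</entry>"""

def parse_definition(xml_text):
    """Turn an <attributedefinition> into a plain dict of its constraints."""
    d = ET.fromstring(xml_text).find("attributedefinition")
    pv = d.find("possibleValues")
    # <null/> inside possibleValues is read as "any value allowed".
    allowed = None if pv is None or pv.find("null") is not None else [v.text for v in pv]
    return {
        "name": d.findtext("attributeName"),
        "labels": {el.get(XML_LANG): el.text for el in d.findall("largeLabel")},
        "mandatory": d.findtext("mandatory") == "true",
        "multi": d.findtext("multiValued") == "true",
        "filtrable": d.findtext("filtrable") == "true",
        "allowed": allowed,
        "operators": [o.text for o in d.findall("operators/operator")],
    }

def validate_values(defn, values):
    """Return the list of problems for the given values (empty list = OK)."""
    problems = []
    if defn["mandatory"] and not values:
        problems.append("missing mandatory attribute " + defn["name"])
    if not defn["multi"] and len(values) > 1:
        problems.append(defn["name"] + " is single-valued")
    if defn["allowed"] is not None:
        problems += ["value %r not allowed" % v for v in values if v not in defn["allowed"]]
    return problems

def search_allowed(defn, operator):
    return defn["filtrable"] and operator in defn["operators"]  # e.g. CONTAINS
```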
Authorization
● Authorization is based on:
  ● The relation between the current user and the target entry
  ● The attributes concerned
  ● The type of operation
● The relation is expressed through LDAP Query Language, a specific syntax to query LDAP directories almost like SQL databases
Authorization

  <bean id="localadmin_users_manage" class="org.linid.dm.authorization.lql.LqlTextRule" scope="prototype">
    <property name="name" value="localadmin_users_manage" />
    <property name="description" value="Manage users" />
    <property name="module" value="" />
    <property name="relation">
      <value><![CDATA[
        ldap.read( principalDN, "ssoRoles=${ldap.role.localadministrator.dn}");
      ]]></value>
    </property>
    <property name="targetDn" value="${ldap.user.dn}" />
    <property name="rights" value="Wd" />
    <property name="attributes">
      <list>
        <value>uid</value>
        <value>cn</value>
        <value>sn</value>
        <value>givenName</value>
        <value>telephoneNumber</value>
        <value>facsimileTelephoneNumber</value>
        <value>departmentNumber</value>
        <value>o</value>
        <value>ou</value>
        <value>mail</value>
        <value>ssoRoles</value>
        <value>ssoLogonHours</value>
        <value>userPassword</value>
        <value>photo</value>
        <value>entry</value>
      </list>
    </property>
  </bean>
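An added example, not LinID's own code, of how a rule like the one above can be evaluated: the relation (a single ldap.read() on the principal), the target subtree, the rights string and the attribute list must all hold before a request is granted. The in-memory directory, the ${...} expansion, the filter matcher and the treatment of the rights letters are assumptions.

```python
"""Evaluate a LinID-style LQL authorization rule against a tiny in-memory
directory. Added example, not LinID's own code: the directory, the ldap.read()
matcher, the ${...} expansion and the request shape are assumptions; only the
rule fields (relation, targetDn, rights, attributes) come from the slide."""
import re

# Constructed in-memory directory: DN -> attributes -> values.
ROLE_DN = "cn=localadministrator,ou=roles,dc=linid,dc=org"
DIRECTORY = {
    ROLE_DN: {"cn": ["localadministrator"]},
    "uid=jsmith,ou=people,dc=linid,dc=org": {"uid": ["jsmith"], "ssoRoles": [ROLE_DN]},
    "uid=jbar,ou=people,dc=linid,dc=org": {"uid": ["jbar"], "ssoRoles": []},
}

# Placeholders that the Spring configuration would substitute at startup.
PROPERTIES = {"ldap.role.localadministrator.dn": ROLE_DN,
              "ldap.user.dn": "ou=people,dc=linid,dc=org"}

# The localadmin_users_manage rule from the slide, reduced to its fields.
RULE = {
    "relation": 'ldap.read( principalDN, "ssoRoles=${ldap.role.localadministrator.dn}");',
    "targetDn": "${ldap.user.dn}",
    "rights": "Wd",  # the slide does not define the letters; a request names one
    "attributes": ["uid", "cn", "sn", "givenName", "telephoneNumber",
                   "facsimileTelephoneNumber", "departmentNumber", "o", "ou", "mail",
                   "ssoRoles", "ssoLogonHours", "userPassword", "photo", "entry"],
}

def expand(text):
    """Replace ${key} placeholders with configured property values."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: PROPERTIES[m.group(1)], text)

def ldap_read(dn, filter_text):
    """Minimal ldap.read(): True if the entry at dn has attr=value (exact match)."""
    attr, _, value = filter_text.partition("=")
    return value in DIRECTORY.get(dn, {}).get(attr, [])

def relation_holds(rule, principal_dn):
    """Evaluate the relation; only the single ldap.read() form is supported here."""
    m = re.fullmatch(r'\s*ldap\.read\(\s*principalDN\s*,\s*"([^"]*)"\s*\)\s*;?\s*',
                     rule["relation"])
    if not m:
        raise ValueError("unsupported relation expression")
    return ldap_read(principal_dn, expand(m.group(1)))

def is_allowed(rule, principal_dn, target_dn, right, attribute):
    """Grant only when relation, target subtree, right letter and attribute all match."""
    in_subtree = target_dn.endswith("," + expand(rule["targetDn"]))
    return (relation_holds(rule, principal_dn) and in_subtree
            and right in rule["rights"] and attribute in rule["attributes"])
```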
LinID Directory Manager sample
● A demonstration application is provided with the framework
● It includes an in-memory directory (OpenDJ) with the following accounts:
  ● jdoe/secret: super administrator
  ● jsmith/secret: local administrator
  ● jbar/secret: user
● Runs in Tomcat, Jetty
● Launch it from the sources:
  $ mvn -Popends jetty:run
Demonstration
How to build your own application
● Know what you want:
  ● Which data should be managed in the interface
  ● Who can do what
● Import the sample application in Eclipse
● Generate the extended schema with the script eschemaGenerator.pl
● Prepare your fingers to edit XML: Spring configuration, extended schema, authorization rules
● Redesign the templates
Example: UPMC
Example: Agriculture French Ministry
Example: LinID OBM Manager
Example: LinID OpenLDAP Manager
Almost the end...
Thanks
● Special thanks to:
  ● RMLL/LSM and their organizers
  ● Company LINAGORA
  ● All LinID developers
● Keep in touch:
  ● Identica: @coudot
  ● Twitter: @clementoudot @LinID_FOSS
  ● IRC: KPTN #LinID@freenode
  ● Web: http://linid.org
Questions?
Thanks for your attention
http://www.linid.org
Open Source software and services, 80 rue Roque de Fillol, 92800 PUTEAUX. Tel: 0810 251 251, Fax: +33 1 46 96 63 64, www.linagora.com