LinID Directory Manager

Clément OUDOTRMLL 2013

2

Table of contents● LDAP Directories● LDAP graphical interfaces● LinID Directory Manager

3

Resume

4

Clément OUDOT● Engineer since 2003 at LINAGORA company● LinID Dream Team Manager: http://linid.org ● Founder of LDAP Tool Box project:

http://ltb-project.org ● Leader of LemonLDAP::NG project:

http://lemonldap-ng.org

5

LDAP directories

6

LDAP protocol● Defined by standards (RFC)● LDAPv2 in 1995, LDAPv3 in 1997● TCP/IP, LBER, ASN1 ● 9 core operations, and extended operations● Schema define object classes, attributes, syntaxes

and matching rules● Data organized hierarchically (tree)

7

Directory Information Tree

dc=linid,dc=org

ou=people ou=groupsou=structures

uid=coudot cn=admin

Entry / Attribute / Value

Attribute Attribute

AttributeAttribute

Entry

Attribute

Value

Value

Value

9

Interfaces

10

Administration tools● Command line interface (CLI):

● ldapsearch, ldapmodify● ldapvi● Perl scripts (Net::LDAP)

● Standalone clients:● Jxplorer, LDAP browser● Apache Directory Studio

● Web Interfaces:● phpLDAPadmin● web2ldap

11

Apache Directory Studio

12

LDAP directory management interfaces● In the proprietary world:

● Calendra Directory Manager (Calendra)● Meibo (Ilex)● Some Identity Manager (Oracle, Novell, etc.)

● In the free software world:● LDAP Account Manager● ldapSaisie● FusionDirectory (ex GOSA)● LinID Directory Manager● OpenIDM (ForgeRock)● Janua white pages

● 90% of deployments: self made applications

13

Main features● Screen modelling (HTML templates)● Specific displayer and editor for each attribute● Tag choice and internationalization● Authorization management with profiles● No data adaptation needed

14

LinID Directory Manager

15

History● Development started at UPMC in 2002. First version in

PHP, quickly rewritten in Java. The software is called MetaLDAP

● Open Source release in 2003, under the name InterLDAP

● Became an ObjectWeb project in 2006 inside the FederID project

● Creation of LinID in 2008, it becomes LinID Content Manager and then LinID Directory Manager

● The project is now hosted by Linagora and released under AGPLv3

16

Built with free software● LinID Directory Manager is a web framework

Web built upon:● Tapestry 5● Spring, Spring LDAP● Maven● Xstream● Rhino● Ehcache● jQuery, jQuery UI

17

Technical overview

18

Extended schema● Based on LDAP technical schema (object classes,

attributes)● Override some technical definitions (multi

valuation, mandatory/optional)● Add a lot of new definitions:

● Labels● Default value● Visibility in creation/consultation/research● Allowed value● Type of displayer/editor

19

Extended schema <entry> <string>givenName</string> <attributedefinition> <attributeName>givenName</attributeName> <type>string</type> <oid>2.5.4.42</oid> <description>&apos;RFC2256: first name(s) for which the entity is known by&apos;</description> <largeLabel xml:lang="en">Givenname</largeLabel> <largeLabel xml:lang="fr">Prénom</largeLabel> <printLabel xml:lang="en">Givenname</printLabel> <printLabel xml:lang="fr">Prenom</printLabel> <shortLabel xml:lang="en">Givenname</shortLabel> <shortLabel xml:lang="fr">Prénom</shortLabel> <precedence>15</precedence> <possibleValues> <null/> </possibleValues> <visible>true</visible> <multiValued>false</multiValued> <mandatory>true</mandatory> <filtrable>true</filtrable> <chosenInList>false</chosenInList> <operators> <operator>CONTAINS</operator> </operators> <shownAtCreation>true</shownAtCreation> </attributedefinition> </entry>

20

Authorization● Authorization is based on:

● Relation between current user and target entry● Attributes concerned● Type of operation

● The relation is expressed trough LDAP Query Language, a specific syntax to query LDAP directories almost like SQL databases

21

Authorization <bean id="localadmin_users_manage" class="org.linid.dm.authorization.lql.LqlTextRule" scope="prototype"> <property name="name" value="localadmin_users_manage" /> <property name="description" value="Manage users" /> <property name="module" value="" /> <property name="relation"> <value><![CDATA[ ldap.read( principalDN, "ssoRoles=${ldap.role.localadministrator.dn}"); ]]></value> </property> <property name="targetDn" value="${ldap.user.dn}" /> <property name="rights" value="Wd" /> <property name="attributes"> <list> <value>uid</value> <value>cn</value> <value>sn</value> <value>givenName</value> <value>telephoneNumber</value> <value>facsimileTelephoneNumber</value> <value>departmentNumber</value> <value>o</value> <value>ou</value> <value>mail</value> <value>ssoRoles</value> <value>ssoLogonHours</value> <value>userPassword</value> <value>photo</value> <value>entry</value> </list> </property> </bean>

22

LinID Directory Manager sample● A demonstration application is provided with the

framework● It includes an in-memory directory (OpenDJ) with

the following accounts:● jdoe/secret : super administrator● jsmith/secret : local administrator● jbar/secret : user

● Run in Tomcat, Jetty● Launch it from the sources:

$ mvn -Popends jetty:run

23

Demonstration

24

How to build your own application● Know what you want:

● Which data should be managed in the interface● Who can do what

● Import the sample application in Eclipse● Generate the extended schema with the script

eschemaGenerator.pl● Prepare your fingers to edit XML: Spring

configuration, extended schema, authorization rules

● Redesign the templates

25

Example: UPMC

26

Example: Agriculture French Ministry

27

Example: LinID OBM Manager

28

Example: LinID OpenLDAP Manager

29

Almost the end...

30

18-19 November - PARIS

http://www.ldapcon.org

31

Thanks● Special thanks to:

● RMLL/LSM and their organizers● Company LINAGORA● All LiniD developers

● Keep in touch:● Identica: @coudot● Twitter: @clementoudot @LinID_FOSS ● IRC: KPTN #LinID@freenode● Web: http://linid.org

32

Questions?

Thanks for your attention

http://www.linid.org

Logiciels et services Open Source80 rue Roque de Fillol l 92800 PUTEAUXTel : 0810 251 251 l Fax : +33 1 46 96 63 64www.linagora.com