[Twisted-Python] twisted ldaptor

the2nd the2nd at otpme.org
Tue May 5 13:18:06 MDT 2015


On 03.05.2015 at 14:03, bret curtis wrote:
> Hello there,
>
> if you wish to make a pull request, file a bug report or ask Ldaptor 
> specific questions, you can contact the developer directly here:
> https://github.com/twisted/ldaptor/issues
>
> Not everyone who works on Ldaptor is a member of this mailing list.

Okay. I was not sure if it's okay to ask questions via the issue tracker. :)

>
> I'll try to answer inline:
>
> On Sat, May 2, 2015 at 12:37 PM, <the2nd at otpme.org 
> <mailto:the2nd at otpme.org>> wrote:
>
>
>     I'm currently investigating how to add ldap server support to
>     OTPme (https://www.otpme.org) as I want to extend it to be a
>     complete authentication/authorization system including some kind
>     of directory service. So I started working on integration with
>     ldaptor. My first problem, adding search support, is partly solved
>     now. I've checked ldiftree.py and after some debugging I got a
>     search() method that is able to do an indexed search of OTPme's
>     directory (which is not in svn yet), which allows fast search
>     results for a directory with more than 2048 users.
>
>
> Congratulations! :) How are you going about this? Are these additions 
> backwards compatible with OpenLDAP? Are you also writing test-cases to 
> cover these?

Thanks. :) But it's still in an early stage.

Currently the ldap support is implemented on top of OTPme's users, 
groups, units etc. and will be read-only.

I've decided to implement it as OTPme extensions, e.g. a "base" extension 
that handles object classes like "dcObject", "organizationalUnit", 
"inetOrgPerson" etc. and a "posix" extension for "posixAccount", 
"posixGroup" and so on. The extensions will also do things like 
uidNumber/gidNumber allocation etc.

An extension also automatically adds the needed objectClass if the 
attribute the admin adds to a user needs it. If the admin disables an 
extension (e.g. posix or maybe samba later) for a user, the corresponding 
ldap attributes are no longer visible via ldap(tor) but not removed from 
the user, so they can be re-enabled if needed. To resolve the attribute 
<> objectClass dependencies I've written a simple (and maybe incomplete 
;)) parser that can read openldap's schema files using 
http://www.python-ldap.org/doc/html/ldap-schema.html#module-ldap.schema

The OTPme specific attributes (tokens, timeout values etc.) are not 
implemented as ldap objects/attributes. The main reason for this is that 
I didn't have any plan about the features that OTPme will have when I 
started writing it a few months ago. I decided to learn python as my 
first language in December last year and just wanted to write anything 
useful. It all started with the goal to implement 
http://motp.sourceforge.net/ in python. :)

So atm I haven't done anything more than writing a class (staring at the 
magic of ldiftree.py and friends ;)) that gets all needed objects, 
attributes etc. from the OTPme backend as ldif and that can do an 
indexed search using an OTPme function. This class basically works with 
ldaptor. The OTPme backend is implemented using flat files with some 
in-memory caching feature. It also supports AES encryption and I started 
writing a master/slave synchronization for it that should later be used 
to add some kind of cluster support to OTPme.

Maybe I'll implement all OTPme objects (tokens etc.) as ldap 
objects/attributes some day because this would make it possible to also 
get them from an external ldap server like openldap. But this also means 
that I need to create an OTPme schema that can be used with an ldap 
server like openldap. So I'm not sure if I'll go this road because not 
everyone can/wants to add a schema extension. Another idea would be to 
synchronize users from e.g. openldap and add them to OTPme/ldaptor. But 
all of this is not on my current todo.

Continuous integration is on my todo, but as there are so many things to 
learn when one wants to learn writing software, I haven't found the time 
yet.

>     But as this is just a start there will be more problems to solve I
>     guess.
>
>
> There always are. When I first started using Ldaptor, startTLS was 
> broken, which was a requirement for me to do any work with it.
>
>     One issue I have is that an ldapsearch against ldaptor which
>     requests just some attributes instead of all always returns all
>     object attributes.
>     For example the ldapsearch below returns the complete ldif of each
>     found user in ldaptor (tested also with ldiftree.py):
>     ldapsearch -H ldap://localhost:8080 -b
>     "ou=users,dc=domain,dc=intern" -w abcd -x '(uid=*)' givenName
>     Running the same search against my openldap server returns just
>     the dn and givenName attributes of each found user.
>     Is this a missing feature or do I just miss something in my db class?
>
>
> Please file an issue on github with an example (ldif entries in a txt 
> file would work) that can be used to test with a real OpenLDAP server. 
> Then the ldapsearch like you provided above and a snippet of your 
> ldaptor code so we can try to reproduce it.

Done: https://github.com/twisted/ldaptor/issues/38

>     Another important part I haven't looked at yet is how to implement
>     authentication. As OTPme focuses on OTPs I don't want to add any user
>     passwords to the ldap tree. The smoothest solution would be to get
>     username+OTP from ldaptor to do authentication. Maybe you can give
>     me some hints in the right direction? :)
>
> Another issue/question for github, there are others that have spent 
> more time in this area of the codebase.
>

Done: https://github.com/twisted/ldaptor/issues/39

>
>     And the last question for now is related to the licensing. OTPme is
>     licensed under GPLv2. Do I run into any licensing issues when
>     using ldaptor with OTPme?
>
>
> Ldaptor is MIT/Expat licensed; if you would like to commit code then 
> that too must be MIT/Expat, otherwise it won't be accepted. As for 
> using Ldaptor to talk with OTPme, there shouldn't be a license problem 
> as they are two separate applications/services. What exactly is your 
> concern there?

I don't have any special concern. I'm just new to all of this and wanted 
to make sure it's okay to use ldaptor with GPL'ed software.

And if I ever will (be able to ;)) commit any code to ldaptor I'm fine 
with the MIT/Expat license. :)

>
>     regards
>     the2nd
>
>
> Cheers,
> Bret
>
>
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
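Added example, not code from this mail, from ldaptor or from OTPme: a Python sketch of the two mechanisms discussed above, the schema-driven "extension" model (attributes imply objectClasses; disabling an extension hides its attributes without deleting them) and the server-side attribute selection that the quoted ldapsearch expects. It parses objectClass definitions in the RFC 4512 description syntax that OpenLDAP's schema files use with a hand-written tokenizer rather than python-ldap's ldap.schema, so it runs without that dependency; it also follows SUP inheritance and reports MUST attributes a user is still missing. The schema text, the user record and the EXTENSIONS table (how a "base" and a "posix" extension might map to objectClasses) are constructed sample data and assumptions for this example, not OTPme's configuration.

```python
import re

# Constructed sample in the RFC 4512 syntax OpenLDAP's *.schema files use. The
# entries follow the published person, organizationalPerson, inetOrgPerson and
# posixAccount classes with shortened MAY lists; sample input, not a schema file.
SCHEMA_TEXT = """
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
    MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ description ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
    MAY ( title $ ou $ l ) )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
    SUP organizationalPerson STRUCTURAL
    MAY ( displayName $ givenName $ mail $ mobile $ uid $ jpegPhoto ) )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
    DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
"""

# Hypothetical mapping of OTPme-style extensions to the objectClasses they add
# (an assumption for this example, not OTPme's configuration).
EXTENSIONS = {"base": {"inetOrgPerson"}, "posix": {"posixAccount"}}

# Tokens: quoted strings, the punctuation ( ) $, and bare descriptors or keywords.
TOKEN_RE = re.compile(r"'[^']*'|[()$]|[^\s()$']+")

def _parse_oids(tokens, i):
    """Parse one descriptor or a ( a $ b $ c ) list; return (names, next index)."""
    if tokens[i] != "(":
        return [tokens[i].strip("'")], i + 1
    names, i = [], i + 1
    while tokens[i] != ")":
        if tokens[i] != "$":
            names.append(tokens[i].strip("'"))
        i += 1
    return names, i + 1

def parse_objectclasses(text):
    """Return {name: {'oid', 'names', 'sup', 'must', 'may'}} for each objectclass."""
    tokens, classes, i = TOKEN_RE.findall(text), {}, 0
    while i < len(tokens):
        if tokens[i].lower() != "objectclass":
            i += 1
            continue
        oc = {"oid": tokens[i + 2], "names": [], "sup": [], "must": [], "may": []}
        i += 3  # skip 'objectclass', '(' and the numeric OID
        while tokens[i] != ")":
            kw = tokens[i].upper()
            if kw in ("NAME", "SUP", "MUST", "MAY"):
                oc["names" if kw == "NAME" else kw.lower()], i = _parse_oids(tokens, i + 1)
            else:  # DESC and its string, STRUCTURAL/AUXILIARY/ABSTRACT, OBSOLETE: single tokens
                i += 1
        i += 1  # closing ')' of this objectclass
        for name in oc["names"]:
            classes[name] = oc
    return classes

def class_attributes(name, classes, keys=("must", "may"), seen=None):
    """Case-folded attribute types of a class, including those inherited through
    SUP from classes present in `classes` (unknown ones such as 'top' add nothing)."""
    seen = set() if seen is None else seen
    oc = classes.get(name)
    if oc is None or name in seen:
        return set()
    seen.add(name)
    attrs = {a.lower() for key in keys for a in oc[key]}
    for sup in oc["sup"]:
        attrs |= class_attributes(sup, classes, keys, seen)
    return attrs

def ldap_view(user_attrs, enabled_extensions, classes):
    """Derive a user's LDAP entry: objectClasses needed by the attributes the admin
    set (limited to enabled extensions) and the attributes those classes expose.
    Attributes of a disabled extension stay stored but are not returned.
    Returns (objectClasses, visible attributes, MUST attributes still missing)."""
    allowed = set().union(*(EXTENSIONS[e] for e in enabled_extensions))
    stored = {k.lower(): k for k in user_attrs}
    object_classes = {oc for oc in allowed if class_attributes(oc, classes) & set(stored)}
    exposed = set().union(*(class_attributes(oc, classes) for oc in object_classes))
    required = set().union(*(class_attributes(oc, classes, ("must",)) for oc in object_classes))
    visible = {stored[a]: user_attrs[stored[a]] for a in stored if a in exposed}
    return sorted(object_classes), visible, sorted(required - set(stored))

def select_attributes(entry, requested):
    """Apply a search request's attribute list as an LDAP server should (RFC 4511):
    empty or '*' returns everything, otherwise only the requested types, case-insensitively."""
    if not requested or "*" in requested:
        return dict(entry)
    wanted = {r.lower() for r in requested}
    return {k: v for k, v in entry.items() if k.lower() in wanted}

# Constructed user: POSIX attributes are stored even while 'posix' is disabled.
USER = {"cn": "Jane Doe", "uid": "jdoe", "givenName": "Jane", "mail": "jdoe@example.org",
        "uidNumber": "10001", "gidNumber": "10001", "homeDirectory": "/home/jdoe"}

if __name__ == "__main__":
    classes = parse_objectclasses(SCHEMA_TEXT)
    for enabled in (["base"], ["base", "posix"]):
        ocs, visible, missing = ldap_view(USER, enabled, classes)
        print(enabled, ocs, sorted(visible), "missing MUST:", missing)
        print("  givenName only:", select_attributes(visible, ["givenName"]))
```

With only "base" enabled the entry carries objectClass inetOrgPerson and exposes cn, uid, givenName and mail while uidNumber, gidNumber and homeDirectory stay hidden; enabling "posix" adds posixAccount and makes them visible again without the admin re-entering anything. In both cases the missing-MUST check reports sn, which inetOrgPerson inherits from person, the kind of schema violation a real OpenLDAP would reject on add. The parser deliberately handles only objectclass definitions and skips single-token flags; attributetype definitions and parenthesised X- extensions are outside its scope, which is where python-ldap's ldap.schema earns its keep.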
