[Work In Progress] LDAP Authentication

This is a forum to suggest new features for mojoPortal. 

This thread is closed to new posts. You must sign in to post in the forums.
9/23/2005 10:49:51 AM
Gravatar
Total Posts 36

[Work In Progress] LDAP Authentication

[This is not currently in SVN nor published anywhere]

Current Status:
    Each site can be deployed with different LDAP Settings (server, port, bind dn, user base dn, group base dn)
    Authentication works
    Member List Works
    Profile Works

Working on:
    Cleaning up Groups/Roles
    Site admins stored in DB
    Tracking forum posts and other per user info via DB

I've tried to keep to a minimum the number api breaking changes I've introduced. I've added into SiteSettings a public property that handles per site LdapSettings (a class added into mojoPortal.Business), along with a boolean UseLdapAuth. The other significant change is places dealing with users and or groups where a simple SiteSettings.SiteID was passed you now pass the whole SiteSettings so mojoPortal.Business (in particularly SiteUser) can handle determining whether or not you're using LDAP or standard DB or some other means. I have added a class LdapManagement (it relys on Novell.Directory.Ldap which is distributed with Mono by default) to mojoPortal.Business which is designed to handle essentially what mojoPortal.dbPortal does for users and roles.

While working on this I realized how easy it was to make the code specific to my setup, so basically I'm asking for comments on how the maintainers feel the previous areas should be handled, along with a few more issues I've been pondering. The main issue is schema mapping, I would imagine that most who've implemented openldap+samba+pam have roughly similar setups, but would it be helpful to create an Ldap Configuration module that would handle which attributes map to different pieces of a users profile, or handle defualt group mappings to existing roles, etc etc. I suppose we could for specific mojoPortal details distribute a schema that extends and adds the fields we want/need.

Also if there are any other caveats you can think of with regards to LDAP integration I would certianly be glad to hear them. I hope to publish the first diff of my work by the end of next week.
9/23/2005 1:45:48 PM
Gravatar
Total Posts 148

Re: [Work In Progress] LDAP Authentication

Sounds very interesting.  I don't have any plans to use it myself, but I suspect others would find it useful.  My primary concern is that it not make deployment any more complicated for users who aren't using LDAP.  To that end, I'd recommend hiding LdapSettings and LdapManagement behind interfaces (IAuthSettings and IAuthManagement?) and providing implementations that work with the DB (DBAuthSettings and DBAuthManagement?).

Just my $.02.  Joe is the one with the power to accept/reject, so he's the one that matters. :-)

--Dean
9/23/2005 3:24:27 PM
Gravatar
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

TJ,

Thanks for taking on this project!

I'm all for supporting LDAP authentication, its been on the planned feature list all along and I have no doubt we can implement it without making things difficult for users who are sticking with db authentication.

When you send me your changes I will try to work with you to arrive at something mutually acceptable that meets the above criteria.
I also want to implement authentication against Active Directory and I have a working implementation in one of my projects at work. It still uses Forms authentication but it authenticates against AD and then uses the Forms Auth methods for creating the authentication ticket with encrypted roles retrieved from AD. This works pretty well because you don't have to query AD any more for the rest of the session. I was planning to do something similar for mojoportal but I've been pondering the roles issues and thinking I might maintain roles in the db because they are site related roles. So in other words authenticate against AD or LDAP but authorize from the db. I envisioned if a user authenticated I would check the site users table for a matching user and if not found create one. Then no changes are needed for things like member list, it would still populate from the db. Sounds like you are populating Member list directly from ldap?

The main reason I'm thinking of managing roles in the db is that there are a few roles that mojoportal expects to be there which may not exist in the domain, specifically Admins, Content Administrators, Authenticated Users. I've made it so that there is a separate role display name so if users want to rename the role for localization purposes it changes the display but under the hood it doesn't change so nothing breaks. Even if there happen to be corresponding roles in the domain they may not corelate to who you want to be able to do what in the site.

I'm open to discussion on these things but this has been my thinking on a simple way to implement this. I'm not sure whether its possible to write a single ldap implementation that works both with Novell and AD so we will probably need to use a provider model or some mechanism to be able to easily use either one. It would be nice to support OpenLDAP as well.

Can you run the  Novell code on Windows with the .NET framework or only with mono? If so please give me some info on what I have to do to set that up so I will be able to test your work. I also have a Suse 9.3 machine that I could probably setup a Novell Domain on for testing but any instructions you can provide or point me too will be helpful when you send me the code since I've never worked with that before.

Anyway this will be an important feature to have and we definitly will have it in some form.

I'll look forward to your patch.

Joe
9/24/2005 6:34:58 AM
Gravatar
Total Posts 36

Re: [Work In Progress] LDAP Authentication

Woo Hoo always glad to see positive responses!

First things first, in response to Dean:

As is the implementation doesn't directly impede on anyone trying to deploy without using Ldap, it merely becomes a check box and a few textboxes on the admin/SiteSettings page, that being said having some nice generic interfaces to handle any future authentication methods would indeed be preferable. For now though I'm going to get it into a much more workable state and see what Joe has to say.

And now for the boss:

Disclaimer, all your points you brought up are exactly why I decided to post my progress and questions so we could discuss how you wanted it to turn out.

Firstly I should have been more clear, Novell.Directory.Ldap is a .net provider to communicate with any Ldap server (even AD for that matter) I chose this method over System.Directory because System.Directory from what I could tell is aimed directly at AD and isn't fully implemented under Mono (as of now). My current setup is running on OpenLdap where my accounts inherit from inetOrgPerson, posixAccount, sambaSamAccount which I think is pretty standard for many folks running ldap for pam+samba integration as these are all schemas that are usually distributed by default with their distributions. That's just so you have more clarity as to where I'm coming from, and what I mean for specific to my site.

The Ldap authentication was shoehorned directly beside the DB Authentication, that is to say in secure/SiteLogin the only change is the passing of entire SiteSettings instead of just SiteSettings.SiteID, then SiteUser.Login looks to see if UseLdapAuth is true and if so call LdapManagement.Login(LdapSettings, email, pass) and returns the cn for displaying the userName. I didn't change anything else so I presume if DB authentication is using Forms auth then Ldap is as well.

The implementation currently does populate the member list and the user profile (the attributes I can) directly from Ldap, and for at least my uses I can't see any performance hit. That being said I had also been toying with the exact same idea of checking to see if user exists in db and if not creating them and then using that to store pertinent mojoportal information. This is especially helpful when you are considering how to manage the number of forum posts, and all the other fun pieces that tie each of the modules on a site together. Moving to a pure Ldap model would certainly cause issues as depending on what attribute you pick to identify your users it could change thus breaking ownership of modules, which in general would be a BadThing(tm).  But the upside to using a pure Ldap implementation is that the possibility of duplicated attributes/profile info (and thus the number of extra pieces you have to maintain across your systems) are reduced to one more central location. Another thing to consider is user deletion, for instance do you delete a user who exists in the db but whose entry doesn't exist in Ldap or do you delete when the user exists in the db but can no longer be authenticated via Ldap, or just run a maint script that checks per site per ldap server and keeps the lists in sync.

With regards to roles, I'm all for managing roles via the DB as it reduces the complexity of Ldap implementation significantly, the only reason I was considering manging them via Ldap is that it may be possible that some organizations already have seperated their users out enough via groups that they may want to map those groups to mojoPortal roles to ease the burden of manging users. This is why I was thinking of some way to map Ldap groups directly to your default mojoPortal roles.

I suppose the best plan of attack for Ldap authentication and management would be to implement the split personality version that allows sites to authenticate via ldap but manage roles and user information via the database, and then later provide modules that could pass more control to ldap for either user info, roles or both. In any event I'm sure that with enough peer review I can create an implementation that satisfies everyones needs.
9/24/2005 7:00:41 AM
Gravatar
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

Good deal TJ!

For the first round lets go with the db for populating the member list and profile stuff. We can talk more about if we want to follow up with deeper integration of ldap based user properties. I was hoping that maybe the novell ldap would also work with AD, glad to know it is possible. The implementation I have done before is with the System.Directory and I knew that wouldn't work with Novell or OpenLDAP. This is great news that we can use 1 implementation with all 3.
How much control does Novell.Directory.Ldap expose? Is it actually possible to update user properties from the profile page, password etc using that?

I will be able to test it with Active Directory and if you can give me or point me to a primer on OpenLDAP I will try and get setup to test that too.

I think we can  leave it to the admin discretion whether to delete users from a site if they de-activate or remove them from the LDAP. I've also been thinking about the flow of installation and switch to LDAP. The installation will of course continue to default to db authentication. To convert to ldap, the admin would login and change his username to match his ldap username so that when he changes the site settings his user will still be in admins role. So I need to probably add a username field to the users table separate from the Name field which is the full name. We would have to enforce unique values per site id for this field while it is possible for 2 users to have the same value in the Name field ie John Smith.
I have been thinking that I need this anyway because not everyone wants to use email as the unique login identifier. I'm willing to implement that but don't want to slow your progress so if you add it to your db version I'll do the other 2 layers.

I've added you to a developer role in this site which gives you permission to create and edit pages beneath the Developer Area of this site that is only visible to users in this role and also under the Documentation section if you care to author any instructions for setting up the LDAP stuff at some point, feel free.

Keep in touch as needed while you progress, I'll help in any way I can.

Joe
9/24/2005 7:58:22 AM
Gravatar
Total Posts 148

Re: [Work In Progress] LDAP Authentication

TJ,

I realize it's just a checkbox from an admin's perspective, but I was thinking about what would need to be installed.  Won't Novell.Ldap.Directory.dll need to be installed even if LDAP isn't being used?  If so, Mono users will have it but .NET users won't.  So either mojoPortal releases would need to include it, or .NET users would need to install it.  If mojoPortal included it, Mono users that upgrade Mono after installing mojoPortal would end up running an older-than-necessary Novell.Ldap.Directory.dll. 

Perhaps, the best way to handle this is to include Novell.Ldap.Directory.dll with mojoPortal, but to recommend that Mono LDAP users remove it.

One way or the other, this is not a big issue.

--Dean
9/24/2005 8:21:59 AM
Gravatar
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

I'm thinking it would be ok to include the dll in the bin folder. If the user running on mono has a newer version it will be in the GAC and that will be used instead of the one in the bin folder won't it?
9/24/2005 8:55:58 AM
Gravatar
Total Posts 148

Re: [Work In Progress] LDAP Authentication

You're right.  Since Novell.Ldap.Directory.dll is strongly named, a more recent version in the GAC would take precedence.  Sorry for the confusion.

--Dean
9/25/2005 3:03:56 PM
Gravatar
Total Posts 36

Re: [Work In Progress] LDAP Authentication

Edd Dumbill just posted on his blog one of the best tutorials I've seen for setting up LDAP/Samba/Pam wish I would have had this resource long before I started my journey
9/25/2005 4:17:12 PM
Gravatar
Total Posts 18439

Re: [Work In Progress] LDAP Authentication

Yes, I saw that this morning, perfect timing
9/30/2005 11:38:12 AM
Gravatar
Total Posts 36

[Patch] LDAP Authentication (Finally)

Sorry, took longer to rip out dead code and manage life at the same time. You can find the patch here. There is still some left over code in LdapManagement.cs that's been commented out that may in some form or another come back to life in a Ldap management module, or in a pure Ldap based backend.

This patch assumes:
  1. You have a properly setup Ldap for user authentication (for instance like this tutorial)
  2. That each desired user have an entry in the UserBaseDN and a mail attribute to be identified from (if more than one entry have the same email the first returned will be used).
  3. A CN attribute exists for use as a display name.
  4. If you specify an AdminEmail and admin@admin.com exists in the DB, the first time the user with AdminEmail logs in the Admin account will be migrated to AdminEmail.
How to use this patch:
  1. Create a new test database (migration to Ldap hasn't been tested, nor reccomended (one could Deploy a new site and then use Ldap auth))
  2. Log in as the default admin@admin.com user
  3. Go to site settings click Use Ldap Auth and specify Ldap Server, Ldap Port, Bind Credentials (in the form "cn=admin,dc=example,dc=org"), User Base DN, and Admin Email. Save.
  4. Logout, and log in as the AdminEmail you specified... Tadah you are the site administrator
  5. Any one else that exists in the UserBaseDN is able to log in.
What you can do with this patch:
  1. Login and authenticate via Ldap
  2. Change User Name, Email* (actually you can't do any of these yet as it isn't supported by MojoPortal yet)
What you can't do with this patch:
  1. Add new users to Ldap database (If a user is added via the memberlist their profile information is used if a user logs in with the specified email)
  2. Delete users from Ldap (If you delete a user from the member list their information will be readded when the log back in)
  3. Change users passwords (This is a bug on my part)

Comments on my terrible coding style welcomed, along with any thoughts, concerns, or ideas of things to change in the patch.
You must sign in to post in the forums. This thread is closed to new posts.