Voice discussions with ReimarBauer
Date 11.06.2008.
- split the job into two parts
- Someone already has LDAP with users and groups:
- if there is a change on LDAP it needs to be updated on the wiki (see To do)
- why do you need to update it "on the wiki"?
we should have used the right word, the wiki's cache was meant
- if not, what will happen when an admin adds a user to LDAP and the user wants to log in but the data wasn't updated on the wiki?
- why do you need to update it "on the wiki"?
- use LDAP security policy for users and groups (admin of the LDAP server)
??? we already have ldap auth and group code, you don't need a SecurityPolicy, but an LDAP backend for the group code
- after connecting wiki and LDAP, it should provide a list of groups that can be used in the wiki, or the list needs to be configured in the wiki. We already have some vars which can be used too (acl_rights_default ...). At least groups named there should be requested from the LDAP server.
- why not just request the groups where user x is a member at the time when user x logs in with ldap auth, and cache it to disk (or to session data)?
- good idea, is it wanted to exclude some of the groups? By getting all groups a user is a member of, you also find the other members of those groups, and I am not sure whether this is wanted in every case. There could be groups which shouldn't be used.
- another question is, if we do it this way, we need to know which groups could be used for which restriction. I think we need some tools anyway which show the dependencies, or one which warns you if you use a group name which isn't defined in LDAP.
- prepare cache system
- what happens when LDAP server is down (should users already logged in stay logged in on the wiki and how long, or should they be logged out with the next request?)
- if you store it into session, it would get killed when the session times out
- ask on groups what others did in this case.
- ask on groups how LDAP software behaves when two or more wikis make many simultaneous requests for login / group data. At which frequency could this data be requested without a DoS?
- ldap is rather fast, but you should avoid requesting useless amounts of information
- set up LDAP configuration by one or more wikis:
- make it more flexible, users can add groups, configure
- use moin security policy
- discuss that on LDAP groups also ...
Date 18.06.2008.
- Find all groups that user X is a member of:
use search_filter '(objectClass=default_group)' where default_group is: PosixGroup, groupOfNames or groupOfUniqueNames.
If a group doesn't have one of the LDAP default group objectClasses, then search all objectClasses that have a member attribute (uniqueMember, member, ...) in their record. If so, search for the uid of user X.
- also had a discussion on the python-ldap-dev mailing list about how to do it, why it isn't good to use substring matching, and why it will not work
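The group search described above, as an added example that is not MoinMoin's or the project's code: it builds the exact-match filter over the three default group classes and applies the same rule, including the fallback for groups without a default objectClass, to constructed entries. The names GROUP_CLASSES, build_group_filter, groups_of_user and SAMPLE_ENTRIES, and all DNs, are assumptions made for the example.

```python
# Added example (hypothetical names, not MoinMoin code): GROUP_CLASSES,
# build_group_filter(), groups_of_user(), SAMPLE_ENTRIES.
# Member attribute per default group class: posixGroup stores uids, groupOf* store DNs.
GROUP_CLASSES = {
    "posixGroup": "memberUid",
    "groupOfNames": "member",
    "groupOfUniqueNames": "uniqueMember",
}
MEMBER_ATTRS = sorted(GROUP_CLASSES.values())  # fallback for non-default classes

def _escape(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    for ch, code in (("\\", "5c"), ("*", "2a"), ("(", "28"), (")", "29"), ("\x00", "00")):
        value = value.replace(ch, "\\" + code)
    return value

def build_group_filter(uid, user_dn):
    """Server-side filter for every default-class group user X belongs to.
    Equality matches only: 'bob' cannot match 'bobby' as (memberUid=*bob*) would."""
    terms = []
    for oc, attr in GROUP_CLASSES.items():
        value = uid if attr == "memberUid" else user_dn
        terms.append("(&(objectClass=%s)(%s=%s))" % (oc, attr, _escape(value)))
    return "(|%s)" % "".join(terms)

def groups_of_user(uid, user_dn, entries):
    """Same rule over fetched entries, each (dn, {attr: [values]}) as python-ldap
    returns them; non-default classes fall back to any member attribute."""
    found = []
    for _dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        default = [a for oc, a in GROUP_CLASSES.items() if oc.lower() in classes]
        for attr in default or MEMBER_ATTRS:
            members = attrs.get(attr, [])
            if uid in members or user_dn in members:  # exact match only
                found.append(attrs["cn"][0])
                break
    return found

# Constructed sample entries; 'bobby' shows why substring matching is unsafe.
SAMPLE_ENTRIES = [
    ("cn=wikiadmins,ou=groups,dc=example,dc=org", {"objectClass": ["groupOfNames"],
     "cn": ["wikiadmins"], "member": ["uid=bob,ou=people,dc=example,dc=org"]}),
    ("cn=staff,ou=groups,dc=example,dc=org", {"objectClass": ["posixGroup"],
     "cn": ["staff"], "memberUid": ["bob", "alice"]}),
    ("cn=editors,ou=groups,dc=example,dc=org", {"objectClass": ["groupOfUniqueNames"],
     "cn": ["editors"], "uniqueMember": ["uid=bobby,ou=people,dc=example,dc=org"]}),
    ("cn=legacy,ou=groups,dc=example,dc=org", {"objectClass": ["customGroup"],
     "cn": ["legacy"], "member": ["bob"]}),  # non-default class: fallback path
]
```

With a live directory the filter string would be passed to python-ldap's search_s() and the returned entries fed to groups_of_user(); the cached result is what the wiki's group code would consult.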
- Add config backend
- with users and groups that users are members of