Motivation

Use an LDAP server to authenticate users to Sage Notebook

Initial Plans

1. Bind to an LDAP server and check username/password pairs for regular users.

2. Get sufficient user details from LDAP to create a notebook.user.User object.

3. Use group membership to identify "active" users (suspended/active).

4. Document and integrate with Flask

Bigger Plans

1. Consider IdM, Authn, and Authz models in place for Sage NB.

2. Think about ownership and access control around Worksheets.

3. (ISR) - This leads me to think the best way forward could be to investigate underlying architecture for serving NB content, and to investigate Django-based worksheet serving. Not making any decisions on the actual worksheet *content* coming from Django, but the framework around the NB coming from Django).

Issues

Using LDAP means disabling Sage Notebook user management (NB gets read-only view of users)
Architectural changes around Sage Notebook knowledge of users -- with LDAP it is not a good idea for NB to require a complete view of all users (imagine a university LDAP server).
Problems easy_installing python-ldap under Sage
Some dependencies around OpenLDAP, OpenSSL, Cyrus-SASL, BerkeleyDB (SPKGS?)
How to handle special accounts: _sage_, admin, guest, pub?

Open Questions

1. How is the UserManager passed to the notebook.Notebook() init method?

- Currently, it is never explicitly passes in if you start the notebook in the "normal" ways. (MH)

2. How to disable the Sage Notebook user manager? If the accounts are managed through LDAP, Sage Notebook gets a read-only view.

- Code-wise, the UserManager code in Sage shouldn't be disabled. Instead, a LDAPUserManager should be used. The code should be fine with a read-only view. (MH)

3. How to deal with the special accounts: _sage_, admin, guest, pub?

- I don't think you can log in with _sage_, guest, or pub so it's mainly an internal thing. For admin, see question #5. (MH)

4. Where is configuration information stored, re: LDAP server, DN prefix, which UserManager to use?

- There is a need to standardize and provide a mechanize to have a UserManager to persist any data that it needs to. For example, see how the flask notebook currnently saves its data about mapping openid usernames to real usernames. (MH)

5. Setup group-membership to mark some users as "admins".

- Right now, the only way "administratorship" is checked is just by username. Some code will have to be changed. One straightforward way would be to just ask the UserManager. (MH)

6. Consider if Notebook can really know about all users, or if it is OK just to know about "users who have logged in since Notebook was started" (i.e. each login will add a user to the list).

- The notebook should currently be fine with just knowing users that have logged in since the notebook was first started. (MH)

7. Consider if fullname, homedir, etc. are useful.

Notes

Sage doesn't install python-ldap nicely via easy_install (tested with 4.7 on CentOS 5.6 and OS X 10.6 -- same failure). Looks like it is a problem with the egg setup.cfg (2.3.5 to 2.3.9 from here). This forced me to do an install from a CVS checkout of python-ldap. I then had OpenLDAP and BerkeleyDB problems, so these were installed from the latest source versions (2.4.5 and 5.2.28 respectively).

For OpenLDAP, configure was run with:

   1 ./configure --with-cyrus-sasl --with-tls --prefix=/usr

For BerkeleyDB, configure was run with:

   1 cd build
   2 ../dist/configure --prefix=/usr

The main thing for installing python-ldap was getting the following lines set properly in setup.cfg:

   1 library_dirs = /usr/lib /usr/lib64
   2 include_dirs = /usr/include /usr/include/sasl
   3 libs = ldap_r lber sasl2 ssl crypto
   4 requires = python libldap_r.so.2

And then doing LDAP authentication is stupidly simple:

   1 import ldap
   2 con = ldap.initialize('ldap://nebio-directory.in.hwlab')
   3 con.simple_bind_s("uid=ijstokes,cn=users,cn=portal,dc=nebiogrid,dc=org", "cleartext_password")