Differences between revisions 8 and 9
Revision 8 as of 2011-06-15 17:20:33
Revision 9 as of 2011-06-15 17:21:29

Motivation

Use an LDAP server to authenticate users to Sage Notebook

Initial Plans

1. Bind to an LDAP server and check username/password pairs for regular users.

2. Get sufficient user details from LDAP to create a notebook.user.User object.

3. Use group membership to identify "active" users (suspended/active).

4. Document and integrate with Flask

Bigger Plans

1. Consider IdM, Authn, and Authz models in place for Sage NB.

2. Think about ownership and access control around Worksheets.

3. (ISR) - This leads me to think the best way forward could be to investigate underlying architecture for serving NB content, and to investigate Django-based worksheet serving. Not making any decisions on the actual worksheet *content* coming from Django, but the framework around the NB coming from Django.

Issues

  • Using LDAP means disabling Sage Notebook user management (NB gets read-only view of users)
  • Architectural changes around Sage Notebook knowledge of users -- with LDAP it is not a good idea for NB to require a complete view of all users (imagine a university LDAP server).
  • Problems easy_installing python-ldap under Sage
  • Some dependencies around OpenLDAP, OpenSSL, Cyrus-SASL, BerkeleyDB (SPKGS?)
  • How to handle special accounts: _sage_, admin, guest, pub?

Open Questions

1. How is the UserManager passed to the notebook.Notebook() init method?

2. How to disable the Sage Notebook user manager? If the accounts are managed through LDAP, Sage Notebook gets a read-only view.

3. How to deal with the special accounts: _sage_, admin, guest, pub?

4. Where is configuration information stored, re: LDAP server, DN prefix, which UserManager to use?

5. Set up group membership to mark some users as "admins".

6. Consider if Notebook can really know about all users, or if it is OK just to know about "users who have logged in since Notebook was started" (i.e. each login will add a user to the list).

7. Consider if fullname, homedir, etc. are useful.

Notes

Sage doesn't install python-ldap nicely via easy_install (tested with 4.7 on CentOS 5.6 and OS X 10.6 -- same failure). Looks like it is a problem with the egg setup.cfg (2.3.5 to 2.3.9 from here). This forced me to do an install from a CVS checkout of python-ldap. I then had OpenLDAP and BerkeleyDB problems, so these were installed from the latest source versions (2.4.5 and 5.2.28 respectively).

For OpenLDAP, configure was run with:

   ./configure --with-cyrus-sasl --with-tls --prefix=/usr

For BerkeleyDB, configure was run with:

   cd build
   ../dist/configure --prefix=/usr

The main thing for installing python-ldap was getting the following lines set properly in setup.cfg:

   library_dirs = /usr/lib /usr/lib64
   include_dirs = /usr/include /usr/include/sasl
   libs = ldap_r lber sasl2 ssl crypto
   requires = python libldap_r.so.2

And then doing LDAP authentication is stupidly simple:

   import ldap
   con = ldap.initialize('ldap://nebio-directory.in.hwlab')
   # A simple bind as the user's own DN with their password is the whole check:
   # success means authenticated, failure raises ldap.INVALID_CREDENTIALS.
   # Over plain ldap:// the password crosses the wire unencrypted; ldaps:// or
   # con.start_tls_s() before the bind avoids that.
   con.simple_bind_s("uid=ijstokes,cn=users,cn=portal,dc=nebiogrid,dc=org", "cleartext_password")
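The three "Initial Plans" steps (bind as the user, read enough of the entry to build a user object, take active/admin status from group membership) put together as an added example; this is not code from the wiki page or from Sage Notebook. The server URI, the two group DNs and the memberOf/cn attributes are assumptions; only the user base DN comes from the page's bind DN. It also covers two pitfalls the page does not mention: escaping the username before it goes into the bind DN, and refusing an empty password, since an empty-password simple bind may be treated as anonymous and "succeed" for any uid.

```python
from dataclasses import dataclass

LDAP_URI = "ldap://directory.example.invalid"                   # assumed host
USER_BASE = "cn=users,cn=portal,dc=nebiogrid,dc=org"            # from the page's bind DN
ACTIVE_GROUP = "cn=sage-active,cn=groups,dc=nebiogrid,dc=org"   # assumed group DN
ADMIN_GROUP = "cn=sage-admins,cn=groups,dc=nebiogrid,dc=org"    # assumed group DN

@dataclass
class NotebookUser:            # stand-in for notebook.user.User (plan step 2)
    username: str
    full_name: str = ""
    active: bool = False       # decided by group membership, not by LDAP presence (step 3)
    admin: bool = False

def escape_rdn_value(value):
    """RFC 4514 escaping so a username cannot alter the DN we bind as."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def user_from_entry(username, attrs):
    """attrs is python-ldap's dict of attribute name -> list of bytes values."""
    groups = {g.decode().lower() for g in attrs.get("memberOf", [])}
    return NotebookUser(username, attrs.get("cn", [b""])[0].decode(),
                        ACTIVE_GROUP.lower() in groups, ADMIN_GROUP.lower() in groups)

def authenticate(username, password):
    """Bind as the user (step 1), then read the entry (step 2); None on failure.
    An empty password is refused *before* binding: a server may treat an
    empty-password simple bind as anonymous, which 'succeeds' for any uid."""
    if not username or not password:
        return None
    import ldap  # python-ldap; imported here so the pure helpers above run without it
    dn = "uid=%s,%s" % (escape_rdn_value(username), USER_BASE)
    con = ldap.initialize(LDAP_URI)
    try:
        con.start_tls_s()      # the page's plain ldap:// bind would send the password in clear
        con.simple_bind_s(dn, password)
        entry = con.search_s(dn, ldap.SCOPE_BASE, "(objectClass=*)", ["cn", "memberOf"])
    except ldap.INVALID_CREDENTIALS:
        return None
    finally:
        con.unbind_s()
    return user_from_entry(username, entry[0][1])
```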