Motivation

Use an LDAP server to authenticate users to Sage Notebook

Initial Plans

1. Bind to an LDAP server and check username/password pairs for regular users.

2. Get sufficient user details from LDAP to create a notebook.user.User object.

3. Use group membership to identify "active" users (suspended/active).

4. Document and integrate with Flask

Bigger Plans

1. Consider IdM, Authn, and Authz models in place for Sage NB.

2. Think about ownership and access control around Worksheets.

3. (ISR) - This leads me to think the best way forward could be to investigate underlying architecture for serving NB content, and to investigate Django-based worksheet serving. Not making any decisions on the actual worksheet *content* coming from Django, but the framework around the NB coming from Django).

Issues

* Using LDAP means disabling Sage Notebook user management (NB gets read-only view of users)

* Architectural changes around Sage Notebook knowledge of users -- with LDAP it is not a good idea for NB to require a complete view of all users (imagine a university LDAP server).

* Problems easy_installing python-ldap under Sage

* Some dependencies around OpenLDAP, OpenSSL, Cyrus-SASL, BerkeleyDB (SPKGS?)

* How to handle special accounts: _sage_, admin, guest, pub?

====== Open Questions

1. How is the UserManager passed to the notebook.Notebook() init method?

2. How to disable the Sage Notebook user manager? If the accounts are managed through LDAP, Sage Notebook gets a read-only view.

3. How to deal with the special accounts: _sage_, admin, guest, pub?

4. Where is configuration information stored, re: LDAP server, DN prefix, which UserManager to use?

5. Setup group-membership to mark some users as "admins".

6. Consider if Notebook can really know about all users, or if it is OK just to know about "users who have logged in since Notebook was started" (i.e. each login will add a user to the list).

7. Consider if fullname, homedir, etc. are useful.

====== Notes

Sage doesn't install python-ldap nicely via easy_install (tested with 4.7 on CentOS 5.6 and OS X 10.6 -- same failure). Looks like it is a problem with the egg setup.cfg (2.3.5 to 2.3.9 from here). This forced me to do an install from a CVS checkout of python-ldap. I then had OpenLDAP and BerkeleyDB problems, so these were installed from the latest source versions (2.4.5 and 5.2.28 respectively).

For OpenLDAP, configure was run with:

   1 ./configure --with-cyrus-sasl --with-tls --prefix=/usr

For BerkeleyDB, configure was run with:

   1 cd build
   2 ../dist/configure --prefix=/usr

The main thing for installing python-ldap was getting the following lines set properly in setup.cfg:

   1 library_dirs = /usr/lib /usr/lib64
   2 include_dirs = /usr/include /usr/include/sasl
   3 libs = ldap_r lber sasl2 ssl crypto
   4 requires = python libldap_r.so.2

And then doing LDAP authentication is stupidly simple:

   1 import ldap
   2 con = ldap.initialize('ldap://nebio-directory.in.hwlab')
   3 con.simple_bind_s("uid=ijstokes,cn=users,cn=portal,dc=nebiogrid,dc=org", "cleartext_password")