1 |
Hey! |
2 |
|
3 |
This is really not a good timing and I was unfortunately not observing your |
4 |
progress (so I may be left out on details), but did you take a look at |
5 |
http://packages.python.org/django-auth-ldap/ ? |
6 |
|
7 |
Cheers, Domen |
8 |
|
9 |
|
10 |
On Thu, Aug 25, 2011 at 12:35 AM, Theo Chatzimichos <tampakrap@g.o>wrote: |
11 |
|
12 |
> Intro: |
13 |
> |
14 |
> Okupy is a Django CMS, with a full LDAP frontend, XML to HTML (and the |
15 |
> opposite) converter and a WYSIWYG editor, Beacon, to edit the XML files. |
16 |
> Ultimate goal is to fully replace current Gentoo website, and Gorg, the web |
17 |
> server that does the XML to HTML convertion currently. In the future I'd |
18 |
> like |
19 |
> to see more gentoo websites being provided by Okupy. |
20 |
> |
21 |
> Summary: |
22 |
> |
23 |
> The application has a fully working and fully configurable LDAP backend. It |
24 |
> can |
25 |
> work with any LDAP configuration file, but it will need accordingly some |
26 |
> setup |
27 |
> in Okupy's settings files. It currently supports: |
28 |
> |
29 |
> - Creation of a new user, which means that the Gentoo LDAP server can now |
30 |
> be |
31 |
> enabled for non-developers |
32 |
> - Log in of current users, using any of their verified emails |
33 |
> - Adding new email, along with email verification |
34 |
> - Password reset |
35 |
> - View someone's account data (based on the privileges, the according |
36 |
> attributes will show up) |
37 |
> - Edit own account data (again, based on privileges, the according |
38 |
> attributes |
39 |
> will be available for editing) |
40 |
> - An addressbook |
41 |
> In order to support all users and not only developers, I had to do some |
42 |
> internal infra discussions about which OU will be used for them. Plus, a |
43 |
> few |
44 |
> new values were needed for the GentooAccess attribute, such as user.group, |
45 |
> docs.group and other privileged groups. Most LDAP backends were using an |
46 |
> administrator account for performing both queries and changes in the data, |
47 |
> which could easily lead to a security issue. This problem was solved by |
48 |
> using |
49 |
> a secondary password for the user, which is encrypted and stored in the |
50 |
> session variable. The secondary password is available for only one session, |
51 |
> and gets destroyed by using itself. Django uses a database to store users, |
52 |
> but |
53 |
> it also supports other backends for the authentication part. When the user |
54 |
> logs in for the first time, the data gets transfered in the database, which |
55 |
> is |
56 |
> a significant time improvement. Anonymous common LDAP Queries are performed |
57 |
> either by using a minimal privileged (anon) account, or they should be |
58 |
> available to anyone (which could lead to a security issue). I used some |
59 |
> wrappers to cover that easily. The administrator can use a lot of options |
60 |
> in |
61 |
> the settings files, to cover the ACL part, the initial user creation and |
62 |
> many |
63 |
> other aspects. |
64 |
> |
65 |
> As I said in my previous post, Beacon didn't work out as expected. It |
66 |
> became |
67 |
> too complex, consisting of lots of JS and XSLT, for reading the XML files |
68 |
> and |
69 |
> printing them. It even stores accounts in its own DB to keep track of the |
70 |
> documents that users edit. This was way out of our needs, we just need the |
71 |
> WYSIWYG part only and plug it in in a separate web app. Obviously in its |
72 |
> current state it is not a workable solution without significant additional |
73 |
> effort. I tried to split some parts of its code, like the python scripts |
74 |
> for |
75 |
> converting XML to HTML and the opposite, but the time was not sufficient. |
76 |
> |
77 |
> The future: |
78 |
> |
79 |
> I am really happy to have such an interesting pet project now. I created an |
80 |
> ebuild in my personal overlay, and an alias (okupy at gentoo dot org) to |
81 |
> easily contact me for future issues. I plan to make it more accessible to |
82 |
> some |
83 |
> people soon, but not before Robin ACKs it first, since the LDAP server he |
84 |
> gave |
85 |
> me for testing is full of real data. I don't feel very confident on working |
86 |
> with that, and I'll possibly request an empty one. |
87 |
> |
88 |
> Before implementing, it will need too much work. Most importantly, people |
89 |
> familiar with Web Design are very welcome to help on this. If we are going |
90 |
> to |
91 |
> redesign the current gentoo.org website, it is a huge step that has to be |
92 |
> done |
93 |
> very carefully. The LDAP part although finished will need too much testing, |
94 |
> in |
95 |
> order to assure we are not opening any security holes here. As for the |
96 |
> Beacon |
97 |
> part, it will need better approach, and most of the work has to be done |
98 |
> upstream, which is what I intend to do from now on. It should become a |
99 |
> single |
100 |
> JS WYSIWYG editor that we should be able to plug in directly, since it |
101 |
> currently is a full web application, which is using its own DB to store |
102 |
> users |
103 |
> and documents. |
104 |
> |
105 |
> If you are interested in testing it, please contact me directly for now. |
106 |
> The |
107 |
> installation is not very easy at the moment, due to the need of both a |
108 |
> database and an LDAP server, but it can work with minimal configuration for |
109 |
> development purposes. I also added some config files in a separate branch |
110 |
> for |
111 |
> that reason. |
112 |
> |
113 |
> Many thanks to my mentor, Matthew Summers, my co-mentor Robin Johnson, and |
114 |
> the |
115 |
> Gentoo GSoC admin Donnie Berkholz for all their help and support. Also, |
116 |
> special thanks to Ben Cooksley, KDE Sysadmin, for his precious suggestions. |
117 |
> -- |
118 |
> Theo Chatzimichos | blog.tampakrap.gr |
119 |
> Gentoo KDE/Qt, Planet, Overlays |