[Kimchi-devel] [RFC] LDAP integration in kimchi

Royce Lv lvroyce at linux.vnet.ibm.com
Mon Oct 13 06:43:44 UTC 2014


LDAP supports connecting to it (bind) for authentication, and 
user/group/role add/delete for authorization.
For kimchi-LDAP integration we need to address the following issues:

1. LDAP set-up scripts for kimchi:
     We need to add initial users: guest, admin; roles: netadmin, 
hostadmin, guestadmin in the LDAP server.
     Adding this schema may be a burden for the user, so we may supply a 
script to initialise the LDAP server configuration.


2. Configuration of using LDAP:
     Configure whether to use PAM or LDAP, and connect to a dedicated LDAP 
server address (as we may use one LDAP server to store information about 
clustered machines, the address can be modified).
     If this LDAP server does not exist, ask the user whether they want to 
set one up, and help them with the setup scripts.
     For this release, support just one LDAP server per host.

3. Module for LDAP operation wrapping:
    A dedicated module to encapsulate LDAP operations, such as 
bind/unbind, adding, deleting, and querying groups/roles.

4. Authentication:
    We need to abstract the authenticate class to be compatible with both 
PAM and LDAP, and call bind/unbind to implement authentication.

5. Authorization:
    Abstract the authentication module to distinguish PAM and LDAP; the 
user name still comes from the cherrypy session, and when using LDAP, 
user/role information is all retrieved from the LDAP server.

6. User/role maintenance:
    Manipulate LDAP to add users, delete users, authorize a user with a 
role, add/delete roles, and so on.
    This part will not be covered in this release.
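As an added example (not Kimchi's code), here is one way points 4 and 5 could be realised in Python: a backend-neutral Authenticator interface, an LDAP implementation that authenticates with a simple bind and reads roles from group membership, and an in-memory stand-in connection so that it runs offline. The connection object and its method names, the directory layout (uid entries under ou=users, role groups under ou=roles) and the sample user are assumptions.

```python
from abc import ABC, abstractmethod

def escape_dn_value(value):  # RFC 4514: a username must not inject RDNs such as ',ou=admins'
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def escape_filter_value(value):  # RFC 4515 escaping for a value spliced into a search filter
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

class Authenticator(ABC):  # backend-neutral interface for the PAM and LDAP implementations
    @abstractmethod
    def authenticate(self, username, password): ...
    @abstractmethod
    def roles(self, username): ...

class LdapAuthenticator(Authenticator):
    def __init__(self, conn, user_base, role_base):
        self.conn, self.user_base, self.role_base = conn, user_base, role_base
    def user_dn(self, username):
        return "uid=%s,%s" % (escape_dn_value(username), self.user_base)
    def authenticate(self, username, password):
        # Empty password => *unauthenticated* bind (RFC 4513 5.1.2), which servers may accept.
        if not username or not password:
            return False
        try:
            self.conn.simple_bind_s(self.user_dn(username), password)
            return True
        except PermissionError:  # the connection raises on bad credentials
            return False
    def roles(self, username):  # authorization: roles are the groups listing the user's DN
        filt = "(member=%s)" % escape_filter_value(self.user_dn(username))
        return sorted(e[1]["cn"][0] for e in self.conn.search_s(self.role_base, filt, ["cn"]))

class FakeLdap:  # constructed offline stand-in; mimics only a client library's call shape
    def __init__(self, passwords, groups):
        self.passwords, self.groups = passwords, groups  # dn -> password, cn -> [member dn]
    def simple_bind_s(self, dn, password):
        if self.passwords.get(dn) != password:
            raise PermissionError("invalid credentials")
    def search_s(self, base, filt, attrs):
        hit = filt[len("(member="):-1]  # the stand-in understands only this one filter shape
        return [("cn=%s,%s" % (cn, base), {"cn": [cn]}) for cn, m in self.groups.items() if hit in m]

ALICE = "uid=alice,ou=users,dc=kimchi"  # constructed sample: one user holding two of the RFC's roles
DEMO = LdapAuthenticator(FakeLdap({ALICE: "s3cret"}, {"hostadmin": [ALICE], "guestadmin": [ALICE]}),
                         "ou=users,dc=kimchi", "ou=roles,dc=kimchi")
```

A PAM implementation of the same interface would replace the bind with a PAM conversation while the caller stays unchanged.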
