[Kimchi-devel] [RFC] LDAP integration in kimchi
Royce Lv
lvroyce at linux.vnet.ibm.com
Mon Oct 13 06:43:44 UTC 2014
LDAP supports connecting to it (bind) for authentication, and user/group/role
add/delete for authorization.
For kimchi-LDAP integration we need to address the following issues:
1. LDAP set up scripts for kimchi:
We need to add initial users: guest, admin; roles: netadmin,
hostadmin, guestadmin in LDAP server.
Adding this schema for users may be a burden, so we may supply a script
to initialize the LDAP server configuration.
2. Configuration of using LDAP:
Configure whether to use PAM or LDAP, and connect to a dedicated LDAP server
address (as we may use an LDAP server to store information about clustered
machines, the address can be modified).
If this LDAP server does not exist, ask user if they want to setup
one, and help them with setup scripts.
For this release just support one LDAP per host.
3. Module for LDAP operation wrapping:
A dedicated module to encapsulate LDAP operations, such as
bind/unbind, adding, deleting, and querying groups/roles.
4. authentication:
We need to abstract authenticate class to be compatible with both
PAM and LDAP, and call bind/unbind to implement authentication.
5. authorization:
Abstract the authentication module to distinguish PAM and LDAP; the user
name still comes from the cherrypy session, and when using LDAP, user/role
information is all retrieved from the LDAP server.
6. user/role maintenance:
Manipulate LDAP to add user, delete user, authorize user with a
role, add role/delete role, and so on.
This part will not be covered in this release.
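As an added illustration of points 3 to 5 above (this is example code written for this discussion, not Kimchi's code and not part of the proposal): a backend abstraction with an LDAP implementation that authenticates by binding as the user's DN and derives roles from group membership. The LDAP side is written against the python-ldap method names (simple_bind_s, search_s, unbind_s) but takes a connection factory, so it can be exercised offline against the constructed in-memory directory included below; the class names, the groupOfNames role layout and the dc=kimchi,dc=example tree are assumptions. Two defensive details are worth noting: the login name is escaped before being put into a search filter, and an empty password is rejected before the bind, because an LDAP simple bind with an empty password is an anonymous bind that "succeeds".

```python
import re

SCOPE_SUBTREE = 2  # same value as python-ldap's ldap.SCOPE_SUBTREE


class InvalidCredentials(Exception):
    """Stands in for ldap.INVALID_CREDENTIALS, which a real bind raises."""


def escape_filter(value):
    """Escape a user-supplied value for an LDAP search filter (RFC 4515).

    Without this, a login name such as '*)(uid=*' would change the filter's meaning.
    """
    specials = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(specials.get(ch, ch) for ch in value)


class AuthBackend:
    """Interface the rest of the code programs against; PAM or LDAP sits behind it."""

    def authenticate(self, username, password):
        raise NotImplementedError

    def roles(self, username):
        raise NotImplementedError

    def authorize(self, username, role):
        return role in self.roles(username)


class LdapBackend(AuthBackend):
    """Authenticate by binding as the user's DN; roles come from group membership."""

    def __init__(self, connect, user_base, role_base):
        self.connect = connect      # callable returning a python-ldap-like connection
        self.user_base = user_base  # subtree holding user entries
        self.role_base = role_base  # subtree holding role groups (groupOfNames)

    def _user_dn(self, conn, username):
        # Look up the DN to bind as; the login name is escaped before entering the filter.
        hits = conn.search_s(self.user_base, SCOPE_SUBTREE,
                             '(uid=%s)' % escape_filter(username), ['uid'])
        return hits[0][0] if len(hits) == 1 else None

    def authenticate(self, username, password):
        if not password:  # empty password = anonymous bind, which would "succeed"
            return False
        conn = self.connect()
        try:
            dn = self._user_dn(conn, username)
            if dn is None:
                return False
            conn.simple_bind_s(dn, password)  # the server checks the password
            return True
        except InvalidCredentials:
            return False
        finally:
            conn.unbind_s()

    def roles(self, username):
        conn = self.connect()
        try:
            dn = self._user_dn(conn, username)
            if dn is None:
                return []
            flt = '(&(objectClass=groupOfNames)(member=%s))' % escape_filter(dn)
            hits = conn.search_s(self.role_base, SCOPE_SUBTREE, flt, ['cn'])
            return sorted(cn for _dn, attrs in hits for cn in attrs.get('cn', []))
        finally:
            conn.unbind_s()


# --- constructed offline stand-in for a directory server (not a real LDAP server) ---
_ASSERTION = re.compile(r'\(([A-Za-z][\w-]*)=([^()]*)\)')


def _unescape(s):
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


def _value_matches(assertion, actual):
    # '*' is a wildcard unless escaped as \2a: split on wildcards first, then unescape.
    parts = [re.escape(_unescape(p)) for p in assertion.split('*')]
    return re.fullmatch('.*'.join(parts), actual) is not None


class FakeLdapConnection:
    """In-memory connection supporting only AND-combined (attr=value) filters.

    Passwords are kept in clear solely so a bind can be verified offline.
    """

    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute: [values]}

    def simple_bind_s(self, dn, password):
        if password not in self.entries.get(dn, {}).get('userPassword', []):
            raise InvalidCredentials(dn)

    def search_s(self, base, scope, filterstr, attrlist=None):
        terms = _ASSERTION.findall(filterstr)
        hits = []
        for dn, attrs in self.entries.items():
            if dn.endswith(',' + base) and all(
                    any(_value_matches(v, a) for a in attrs.get(k, [])) for k, v in terms):
                hits.append((dn, {k: attrs[k] for k in (attrlist or attrs) if k in attrs}))
        return hits

    def unbind_s(self):
        pass


BASE = 'dc=kimchi,dc=example'
ADMIN_DN, GUEST_DN = 'uid=admin,ou=users,' + BASE, 'uid=guest,ou=users,' + BASE


def _group(cn, members):
    return 'cn=%s,ou=roles,%s' % (cn, BASE), {
        'objectClass': ['groupOfNames'], 'cn': [cn], 'member': members}


DIRECTORY = dict([  # constructed sample tree with the users and roles named in the RFC
    (ADMIN_DN, {'uid': ['admin'], 'userPassword': ['s3cret']}),
    (GUEST_DN, {'uid': ['guest'], 'userPassword': ['guestpw']}),
    _group('hostadmin', [ADMIN_DN]), _group('netadmin', [ADMIN_DN]),
    _group('guestadmin', [ADMIN_DN, GUEST_DN]),
])


def make_backend():
    return LdapBackend(lambda: FakeLdapConnection(DIRECTORY),
                       'ou=users,' + BASE, 'ou=roles,' + BASE)


if __name__ == '__main__':
    b = make_backend()
    print(b.authenticate('admin', 's3cret'), b.roles('admin'), b.authorize('guest', 'hostadmin'))
```

Swapping the factory for one that returns ldap.initialize(uri) over TLS is all that separates this from a real deployment; a real server returns attribute values as bytes, so the cn values would need decoding there.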