LDAP based authorization
LDAP Authentication
One thing I would like to have personally is LDAP authentication with options stored in LDAP. So for example, CustomerA adds a new employee and needs access to only CustomerA's graphs. I would only need to add the information to our LDAP servers and username, password, and access would work for cacti.
... just my 2 cents
-sean
- gandalf
- Developer
- Posts: 22383
- Joined: Thu Dec 02, 2004 2:46 am
- Location: Muenster, Germany
- Contact:
Split off of http://forums.cacti.net/viewtopic.php?p=51882#51882
Reinhard
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
If I were to think about adding support for Cacti to store its permissions in LDAP, and even groups (yes, the new version will have groups), would importing a schema for Cacti be an issue?
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Importing a schema wouldn't be a big deal, but...
Overall I think that cacti's auth system would benefit from using the template model rather than the clone model it currently uses. There are a lot of problems with the clone model currently, and replicating that complexity to LDAP wouldn't be doing anybody a favor. For one thing, the current model requires that every time a new plugin or feature is installed, the related attributes have to be set for every user. This is complicated enough already, but if the attributes were moved to LDAP then new plugins would also have to extend the schema, which will prove unmanageable going forward.
Using the template model alleviates a lot of that trouble. Basically I think that the core auth table should start with three accounts (guest, operator, administrator), with the ability to expand/shrink the available "role" accounts. User-specific accounts would then be mapped to one of those template accounts. That would work better for all types of users, regardless of whether they are stored locally or in LDAP, and it allows for one-click changes whenever new attributes are defined.
I'm a big LDAP user btw. But I don't think it's necessary to store all of the attributes there. In a lot of ways it is more complex than needed.
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
It's ok, it would require extensive testing at my work location before we would even consider it. Testing and even the production implementation would cause way too many Change request forms to be generated.
I'm currently reworking the authentication system to support a group system in 0.9.0. But I honestly am not thinking about integration with LDAP further than just authenticating the user, as storing permissions and graph permissions (2 sets of permissions) would require an interesting LDAP schema.
rony wrote:
I'm currently reworking the authentication system to support a group system in 0.9.0. But I honestly am not thinking about integration with LDAP further than just authenticating the user, as storing permissions and graph permissions (2 sets of permissions) would require an interesting LDAP schema.

Is there any documentation on the upcoming LDAP changes? The current structure seems very Active Directory-biased, and I'm hoping there'll be a more portable structure in the future, i.e. username is NOT part of the DN, using an anonbind->search->rebind pattern...
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
The upcoming version of cacti, 0.9.0, has more control, including DN searching capabilities.
I wrote it and tested it against OpenLDAP and ADS. I didn't have an NDS to test against, but I assume with the proper filter you wouldn't have a problem getting NDS or any other LDAP directory to work.
Anon and Specific searching of the LDAP is supported in the 0.9.0 LDAP authentication, as well as the following: Version 2 and version 3 protocols, Secure Socket communications (if php is configured correctly), DN Searching, etc.
Any more questions, let me know, other than asking me when 0.9.0 is going to be out.
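The anonbind->search->rebind pattern asked about above and the DN-search/filter support rony describes, as an added example in Python against a constructed in-memory directory (not Cacti's PHP code): the username is escaped before it goes into the search filter, an ambiguous search result is refused instead of "taking the first DN", and an empty password is refused up front because RFC 4513 lets a server treat DN + empty password as an unauthenticated bind that succeeds.

```python
import re

_TOKEN = re.compile(r"\\([0-9a-fA-F]{2})|(\*)|(.)", re.S)

def escape_filter(value: str) -> str:
    """Escape a user-supplied assertion value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _value_regex(value: str) -> str:
    """Filter-value semantics: a raw '*' is a wildcard, an escaped '\\xx' byte is a literal."""
    return _TOKEN.sub(lambda m: re.escape(chr(int(m[1], 16))) if m[1]
                      else ".*" if m[2] else re.escape(m[3]), value)

class FakeDirectory:
    """Constructed stand-in for OpenLDAP/AD: anonymous bind, uid search, rebind as a DN."""

    def __init__(self, entries):
        self.entries = entries  # DN -> attributes

    def bind(self, dn, password):
        if dn is None:
            return True  # anonymous bind, used only for the search step
        if not password:
            return True  # RFC 4513: DN + empty password is an unauthenticated bind that "succeeds"
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, filt):
        m = re.fullmatch(r"\(uid=(.*)\)", filt)  # only the equality filter this demo needs
        if not m:
            return []
        rx = re.compile(_value_regex(m.group(1)))
        return [dn for dn, e in self.entries.items() if rx.fullmatch(e["uid"])]

def ldap_login(directory, username, password, filter_template="(uid=%s)", escape=True):
    """Anonymous bind -> search for the user's DN -> rebind as that DN. Returns DN or None."""
    if not password or not directory.bind(None, None):
        return None  # never forward an empty password: the server may accept it as anonymous
    dns = directory.search(filter_template % (escape_filter(username) if escape else username))
    if len(dns) != 1:
        return None  # zero hits or an ambiguous (wildcarded) match: refuse rather than pick one
    return dns[0] if directory.bind(dns[0], password) else None

DIRECTORY = FakeDirectory({  # constructed sample entries, not a real server
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
})
```

Because the user's DN is found by search, the same code works whether the directory keys people by uid, sAMAccountName or cn: only `filter_template` changes, which is what makes the pattern portable across OpenLDAP, AD and NDS.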
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Yes, it will support TLS... But.... There can be complications with php and getting it to work correctly.