Issue #293 has been reported by Jonathan Clarke.
----------------------------------------
Feature #293: OpenLDAP overlay to notify LSC of changes
http://tools.lsc-project.org/issues/293
Author: Jonathan Clarke
Status: New
Priority: Low
Assigned to:
Category:
Target version: Sometime in the future

TMM came up with this idea on IRC:

15:47:23 < TMM> jooooooon, I once built a system by hand based on a plugin for openLDAP I wrote that would sync to AD and several others that I might like to rework using LSC
15:47:43 < jooooooon> we designed LSC so that source and dest plugins could be easily added, so they are most welcome :)
15:48:12 < jooooooon> there's actually a howto in the wiki somewhere on how to build a source connector (a dest connector is the same with an extra method to write the changes)
15:48:13 < TMM> what I was thinking of was to have an lsc run triggered by OpenLDAP EXOP and some other events
15:48:34 < TMM> and then sync to mysql users table and AD
15:48:52 < TMM> of course OpenLDAP would be leading in this scenario
15:49:06 < jooooooon> hmm. Seb is working on a source connector that uses OpenLDAP's syncrepl mechanism to get notifications of changes, which could allow to trigger the sync. would that fit your need?
15:49:08 < TMM> doing it with a leading AD is largely impossible from what I've seen of it
15:49:31 < TMM> no, by the time syncrepl gets its hands on the data the password's cleartext will be gone
15:49:37 < jooooooon> the same mechanism can be used to get notifications from AD too, actually, using the replication mechanism (DirSync or something)
15:49:58 < jooooooon> ah, right. you suggest to intercept the changes method in openLDAP to pass the changes onto LSC before committing them?
15:50:17 < TMM> yeah, but with AD it's largely impossible to get at the clear password without nasty hacks, but last time I checked was late win2k AD so perhaps it's better now
15:50:56 < jooooooon> there are some DLLs you can install on Windows to capture the password when it's changed - like http://passwdhk.sourceforge.net/
15:50:59 < TMM> yeah, an OpenLDAP overlay has direct access to the password's cleartext right before or after the actual change to the dit
15:51:15 < jooooooon> sounds like a great idea! a "LSC" overlay would cut it nicely :)))
15:51:30 < TMM> yeah, that was what I was thinking
15:51:39 < jooooooon> I would love to see that
15:51:47 < TMM> there would probably be a permanently running LSC instance communicating with openLDAP over a socket or something
15:51:52 < TMM> to make it 'clean'
15:52:04 < TMM> but before that a more hacky solution could be made
15:52:16 < jooooooon> yes, in the trunk version LSC can run as a daemon, and receive calls by JMX
15:52:17 < TMM> this is one of those instances where using Java isn't exactly making things easier :P
15:52:34 < TMM> I don't think that using JMX is very suitable
15:52:46 < jooooooon> mebbe not, I don't really know much about it to be honest
15:52:52 < jooooooon> why is it that you think it's not suitable?
15:52:56 < TMM> I've looked into implementing a JMX client in C for jboss/nagios monitoring
15:53:33 < TMM> it didn't seem particularly friendly to non-java implementations
15:53:39 < jooooooon> another solution would be to implement some simple web services, I guess
15:54:28 < TMM> I'm kind of reluctant to have anything as 'fat' as an HTTP client in my directory server to be honest
15:54:38 < TMM> some really lean binary protocol would probably be best
15:54:55 < TMM> not very javay, I know :P
15:55:01 < jooooooon> OK, I was just thinking "standard", but it's a good argument
15:56:12 < TMM> I would actually prefer something that simply would only work locally
15:56:23 < TMM> because otherwise you'd have to implement SSL and cert handling
15:56:33 < TMM> before you could really release it
15:57:04 < jooooooon> yep, very true
15:57:06 < jooooooon> any ideas?
15:57:52 < TMM> well... like I said, I was thinking simply a socket connection between OpenLDAP and LSC :P
15:58:00 < TMM> but I guess that's not terribly portable
15:58:30 < TMM> maybe chuck a STOMP server in between
15:58:30 < jooooooon> I wonder how hard it would be to implement a queuing tool (such as RabbitMQ)
15:58:35 < TMM> lol
15:58:41 < TMM> great minds think alike
15:58:56 < TMM> I actually was thinking of using rabbitmq
15:59:11 < jooooooon> hehe :)
15:59:38 < jooooooon> that way, messages could be passed out of OpenLDAP and queued, and if LSC was not available for any reason, it wouldn't block writes on the OpenLDAP server, just syncs
15:59:46 < TMM> you'd have an async queue in the ldap server itself, queueing up to rabbitmq
16:00:08 < TMM> (overlays are blocking, you want to basically copy the password and give control back to the server as quick as you can)
16:01:09 < TMM> so the overlay would spin off a thread with a stomp client and a queue in
16:01:58 < TMM> the in-process part would simply copy a configurable list of attributes into an object on the queue that LSC would then get from the stomp server and process
16:02:33 < TMM> at least, that's pretty much how I did it before
16:03:07 < TMM> but instead of LSC it was 'tmm's nasty python conglomerate'
16:03:24 < jooooooon> I'd never heard of STOMP - is it still maintained? lots of links are dead
16:03:47 < TMM> stomp is the name of the protocol that activemq and rabbitmq implement
16:04:11 < TMM> at least I thought so
16:04:29 < jooooooon> oh right - I just came across this: http://stomp.codehaus.org/
16:04:38 < TMM> http://www.rabbitmq.com/plugins.html
16:04:49 < TMM> rabbitmq-stomp
16:04:49 < TMM> A gateway for exposing AMQP functionality via the STOMP protocol, as implemented by many clients for various programming languages, and a few other servers besides RabbitMQ.
16:04:53 < TMM> glad I'm not insane
16:05:29 < jooooooon> interesting :))
16:05:33 < TMM> but using amqp would probably be better now that I look closer
16:07:26 < jooooooon> I like this idea!
16:07:32 < TMM> regardless, <insert protocol> client in openldap :P

--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-dev mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-dev
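The design TMM sketches in the log above (the overlay's in-process part copies a configurable list of attributes out of the modify request, hands the copy to a background thread so the write path is not blocked, and a STOMP client ships it to a queue that LSC consumes) can be modelled end to end without slapd. The following is an added Python example, not code from LSC, OpenLDAP or any of the participants: a real overlay would be written in C against slapd's internal API, so this only models the contract between hook and worker and the STOMP SEND frame on the wire. The attribute list `FORWARDED_ATTRS`, the `/queue/lsc` destination, the JSON body layout and the sample modify are all assumptions made for the example; the fake transport records frames instead of opening a socket so the block runs offline.

```python
import json
import queue
import threading

# Assumption for the example: the overlay is configured with the attributes to forward.
# "userPassword" is included because, as discussed in the log, the overlay sees the
# cleartext value the client sent before slapd hashes and stores it.
FORWARDED_ATTRS = ("uid", "userPassword", "mail")
STOP = object()  # sentinel that tells the worker thread to exit


def build_change_message(dn, mods, attrs=FORWARDED_ATTRS):
    """Copy only the configured attributes out of a modify request.
    mods maps attribute name -> list of values as the client sent them."""
    picked = {a: list(mods[a]) for a in attrs if a in mods}  # copy, never alias server buffers
    return {"dn": dn, "attrs": picked}


def encode_stomp_send(destination, payload):
    """Build a STOMP SEND frame: command line, header lines, blank line, body, NUL."""
    body = json.dumps(payload, sort_keys=True).encode()
    headers = [
        ("destination", destination),
        ("content-type", "application/json"),
        ("content-length", str(len(body))),
    ]
    head = "SEND\n" + "".join(f"{k}:{v}\n" for k, v in headers) + "\n"
    return head.encode() + body + b"\x00"


def decode_stomp_frame(raw):
    """Parse one STOMP frame (what LSC's consumer would do) into (command, headers, body)."""
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.decode().split("\n")
    command, headers = lines[0], {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers.setdefault(k, v)  # STOMP: the first occurrence of a repeated header wins
    if "content-length" in headers:
        n = int(headers["content-length"])
        body = rest[:n]
        if len(body) != n or rest[n:n + 1] != b"\x00":
            raise ValueError("frame truncated or not NUL-terminated after content-length bytes")
    else:
        body, nul, _ = rest.partition(b"\x00")
        if not nul:
            raise ValueError("frame not NUL-terminated")
    return command, headers, body


def decode_change_message(body):
    """Turn a frame body back into the dict build_change_message() produced."""
    return json.loads(body.decode())


class AsyncForwarder:
    """Models the overlay's in-process part: the hook only enqueues and returns;
    a background thread encodes frames and hands them to the transport."""

    def __init__(self, transport, destination="/queue/lsc"):
        self.transport = transport  # anything with .send(bytes); here a list-backed fake
        self.destination = destination
        self.q = queue.Queue()
        self.worker = threading.Thread(target=self._run, daemon=True)
        self.worker.start()

    def on_modify(self, dn, mods):
        """Called in the write path; does no network I/O, so a slow or absent broker
        delays the sync but never the LDAP write."""
        self.q.put(build_change_message(dn, mods))

    def _run(self):
        while True:
            msg = self.q.get()
            if msg is STOP:
                return
            self.transport.send(encode_stomp_send(self.destination, msg))

    def close(self):
        self.q.put(STOP)
        self.worker.join()


class FakeTransport:
    """Constructed stand-in for a STOMP connection: records frames instead of sending."""

    def __init__(self):
        self.frames = []

    def send(self, frame):
        self.frames.append(frame)


def simulate():
    """Run one constructed modify through the forwarder; return the decoded frames."""
    transport = FakeTransport()
    fwd = AsyncForwarder(transport)
    # Constructed sample modify: one configured attribute and one that is not configured
    # and therefore must not leave the directory server.
    fwd.on_modify("uid=alice,ou=people,dc=example,dc=org",
                  {"userPassword": ["s3cret!"], "telephoneNumber": ["+1 555 0100"]})
    fwd.close()
    return [decode_stomp_frame(f) for f in transport.frames]


if __name__ == "__main__":
    for command, headers, body in simulate():
        print(command, headers, decode_change_message(body))
```

The whitelist in `build_change_message()` is where the overlay decides what leaves slapd, and the queue is where a cleartext password now sits outside the directory; the log's point about wanting a local-only transport applies to the broker connection just as much as to a direct socket.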

