Re: [Studio] Visual way to identify "disabled" users
>>> Fall is the best time to get into stuff like this, I guess... :-)
>> There is no bad time to have fun on an OSS project :-)
> Except that every day with sun and light winds is better spent in the
> mountains, IMHO. Fall is consistently disappointing in that regard...

Sun is dead anyway ;-)

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: [Studio] Visual way to identify "disabled" users
Emmanuel Lécharny wrote:
> Well, that's not true, the problem is that we all have a day job, a
> family, and little time to dedicate to an OSS project, so when we have
> some time, we do code, instead of writing doc, and when we write doc, we
> don't code while others do, so the doc quickly becomes obsolete :-)

That's what I meant, basically. There's so much interesting or urgent stuff to code that anyone is hardly ever bored enough to write docs.

>> Fall is the best time to get into stuff like this, I guess... :-)
> There is no bad time to have fun on an OSS project :-)

Except that every day with sun and light winds is better spent in the mountains, IMHO. Fall is consistently disappointing in that regard...
Re: [Studio] Visual way to identify "disabled" users
On 04/10/2017 at 19:42, Lothar Haeger wrote:
> Emmanuel Lécharny wrote:
>
>> There is no 'getting started' guide, sadly :/
> My hopes were not too high, nobody likes writing documentation, it seems. Same
> issue here and everywhere...

Well, that's not true, the problem is that we all have a day job, a family, and little time to dedicate to an OSS project, so when we have some time, we do code, instead of writing doc, and when we write doc, we don't code while others do, so the doc quickly becomes obsolete :-)

That being said, the code base is pretty stable, so once you start to get used to it - and we are around to provide some direction - what you do will not break every 2 days because of some external code change :-)

>> So to speak, the only code base you need to understand (at least
>> partially) is the ldapbrowser.common. We are still talking about around
>> 23 000 SLOCS ;-)
> Fall is the best time to get into stuff like this, I guess... :-)

There is no bad time to have fun on an OSS project :-)

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: [Studio] Visual way to identify "disabled" users
Emmanuel Lécharny wrote:
> There is no 'getting started' guide, sadly :/

My hopes were not too high, nobody likes writing documentation, it seems. Same issue here and everywhere...

> First of all, you need to grok a bit about Eclipse development, if you
> don't know a thing about it, then this is clearly the first step...

I've written a few Eclipse plugins before and have a general understanding of the framework. One step closer to the interesting part. :-)

> That being said, the part that 'decorates' the entries in the tree is in
> the ldapbrowser.common plugin, more specifically in the
> getImageByObjectClass class (see the getImageByObjectClass method). This
> is where we select the image to expose according to some hard coded
> settings (see BrowserCommonPreferencesInitializer,
> initializeDefaultPreferences() method).
>
> We should make those hard coded preferences part of the preferences,
> like the value editors, which are handled by the
> ValueEditorsPreferencePage class in the same plugin.

Thanks a lot for those pointers, I'll see how far I get from there.

> So to speak, the only code base you need to understand (at least
> partially) is the ldapbrowser.common. We are still talking about around
> 23 000 SLOCS ;-)

Fall is the best time to get into stuff like this, I guess... :-)
Re: [Studio] Visual way to identify "disabled" users
On 04/10/2017 at 17:57, Lothar Haeger wrote:
> Emmanuel Lécharny wrote:
>
>> Not that complicated to implement, but it requires a bit of work. If
>> someone wants to give it a try, we would be very pleased to add this code
>> to the server !
> I'd be happy to give this a try, I even got Studio to compile on my Macbook
> already. I'm a bit overwhelmed by the amount of code and could need a little
> help getting orientated. Is there something like a "Getting Started" guide for
> Studio development in particular, explaining the overall structure and
> approach etc a bit?

There is no 'getting started' guide, sadly :/

First of all, you need to grok a bit about Eclipse development, if you don't know a thing about it, then this is clearly the first step...

That being said, the part that 'decorates' the entries in the tree is in the ldapbrowser.common plugin, more specifically in the getImageByObjectClass class (see the getImageByObjectClass method). This is where we select the image to expose according to some hard coded settings (see BrowserCommonPreferencesInitializer, initializeDefaultPreferences() method).

We should make those hard coded preferences part of the preferences, like the value editors, which are handled by the ValueEditorsPreferencePage class in the same plugin.

So to speak, the only code base you need to understand (at least partially) is the ldapbrowser.common. We are still talking about around 23 000 SLOCS ;-)

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: [Studio] Visual way to identify "disabled" users
Emmanuel Lécharny wrote:
> Not that complicated to implement, but it requires a bit of work. If
> someone wants to give it a try, we would be very pleased to add this code
> to the server !

I'd be happy to give this a try, I even got Studio to compile on my Macbook already. I'm a bit overwhelmed by the amount of code and could need a little help getting orientated. Is there something like a "Getting Started" guide for Studio development in particular, explaining the overall structure and approach etc a bit?
Re: [Studio] Visual way to identify "disabled" users
Radovan Semancik wrote:
> Well, that would be only a partial solution anyway.

Depends on what your problem is.

> Displaying disabled users
> using a different style is not that useful if you cannot enable or disable
> them.

Sorry, I have to disagree. This might be the case for you, but being able to easily visualize aspects of LDAP data that are interesting to a user would be a great feature just by itself. Of course Studio could implement standard lifecycle procedures like "enable/disable account" as well, but that's a next step and not a prerequisite for conditional formatting in the browser and editor views, IMHO.
Re: [Studio] Visual way to identify "disabled" users
On 04/10/2017 at 17:04, Radovan Semancik wrote:
> On 10/04/2017 01:57 PM, Shawn McKinney wrote:
>>
>>> On Oct 4, 2017, at 2:25 AM, Radovan Semancik wrote:
>>>
>>> The problem is that there is no standard way how to disable a user
>>> in LDAP. Some LDAP servers have proprietary attributes for this. And
>>> some servers (such as OpenLDAP) have no good way to do this at all.
>>> Therefore the studio has to support many algorithms and it may
>>> even need custom extensions to support this properly.
>> I wouldn’t characterize adherence to an expired IETF draft —
>> proprietary. The main problem is LDAPv3 doesn’t include pw policies
>> and the communities (us) have never bothered to ratify an extension
>> as standard.
>
> Password expiration/disable is quite different from account disable.

This was just an example. On AD, a filter like (userAccountControl:1.2.840.113556.1.4.803:=2) will match disabled users (note that we currently don't support extensible match in the API, so it would require some work on the API). The real problem would be for LDAP servers that use a group to mark a user as disabled (ie, the user is disabled if it belongs to the Disabled group).

> E.g. even if password is expired/disabled then the user can still log
> in using non-password authentication scheme, such as SSH keys on a
> UNIX system. Which is a big problem. Password might not be used at all
> for some usecases (e.g. X.509-based auth or federation) so there is no
> password policy that could be used. But account disable is usually
> still needed. Account disable should prohibit any authentication,
> regardless of the authentication method. And that is something that
> OpenLDAP does not have. Most other servers have it, although the
> mechanism is proprietary. This is getting really important with all
> that multi-factor, adaptive and token-based authentication schemes.
> But as far as I know there is no good solution for this in LDAP. There
> is no standard for LDAP account disable. Not even an expired one. (But
> please correct me if I'm wrong. I looked for that, but I might have
> overlooked something.)

You are plain correct, I'm not disputing that :-)

> Therefore this means that in practice the disable mechanism is
> implemented (read: worked around) by using various creative ways
> (read: hacks). There is no single unified way that works for
> everybody. Not even for the majority of cases. It is different for every
> deployment.

Agreed. But we can cover many simple use cases, at least, and leave the more complex ones crumbling under their weight in the near/far future... A la Darwin.

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: [Studio] Visual way to identify "disabled" users
On 04/10/2017 at 16:44, Radovan Semancik wrote:
> On 10/04/2017 01:47 PM, Lothar Haeger wrote:
>>
>> A general solution (solving a lot of other use cases as a side
>> effect) would be to implement a generic color/font/format coding
>> feature. Let users define ldap searches and assign formatting styles
>> to those objects that match. Could be strikethrough font,
>> font/background color, object icon, whatever.
>>
>> In a second step, pre-defined filter/formatting sets implementing
>> common useful scenarios (like the one Graham posted) could be
>> delivered with Studio so users can just enable them if needed. Those
>> delivered sets would also double as example code and templates for
>> custom needs.
>
> Well, that would be only a partial solution anyway. Displaying
> disabled users using a different style is not that useful if you
> cannot enable or disable them. And that won't be easy to implement
> unless Studio really understands how the enable/disable mechanism works.

Indeed.

> However, as far as I understand, Studio is an LDAP editor. It is not a
> replacement for an identity management system.

Actually, I do have a plugin that manages users and groups :-) I just have to contribute it to the code base, something I may do after LDAP Con when I have a bit more time...

> What we usually do is that we manage LDAP content from a real IDM
> system. IDM can understand how the users are enabled, disabled, when
> to create them, delete them, disable them, assign to groups and so on.
> I do not think that Studio will ever have an ambition to do this. E.g.
> there are at least three different ways how to manage groups in LDAP.
> All of them are standard, but they are mutually incompatible. And
> there are even more non-standard ways how to manage groups,
> organizations, roles, etc. Managing content of a generic LDAP directory
> is really a job for quite a sophisticated system.

Indeed. But there is no reason not to start thinking about adding such features to Studio :-)

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: [Studio] Visual way to identify "disabled" users
On 10/04/2017 01:57 PM, Shawn McKinney wrote:
>> On Oct 4, 2017, at 2:25 AM, Radovan Semancik wrote:
>>
>> The problem is that there is no standard way how to disable a user in LDAP.
>> Some LDAP servers have proprietary attributes for this. And some servers
>> (such as OpenLDAP) have no good way to do this at all. Therefore the
>> studio has to support many algorithms and it may even need custom extensions
>> to support this properly.
> I wouldn’t characterize adherence to an expired IETF draft — proprietary.
> The main problem is LDAPv3 doesn’t include pw policies and the communities
> (us) have never bothered to ratify an extension as standard.

Password expiration/disable is quite different from account disable. E.g. even if password is expired/disabled then the user can still log in using a non-password authentication scheme, such as SSH keys on a UNIX system. Which is a big problem. Password might not be used at all for some usecases (e.g. X.509-based auth or federation) so there is no password policy that could be used. But account disable is usually still needed. Account disable should prohibit any authentication, regardless of the authentication method. And that is something that OpenLDAP does not have. Most other servers have it, although the mechanism is proprietary. This is getting really important with all that multi-factor, adaptive and token-based authentication schemes. But as far as I know there is no good solution for this in LDAP. There is no standard for LDAP account disable. Not even an expired one. (But please correct me if I'm wrong. I looked for that, but I might have overlooked something.)

Therefore this means that in practice the disable mechanism is implemented (read: worked around) by using various creative ways (read: hacks). There is no single unified way that works for everybody. Not even for the majority of cases. It is different for every deployment.

--
Radovan Semancik
Software Architect
evolveum.com
Re: [Studio] Visual way to identify "disabled" users
On 10/04/2017 01:47 PM, Lothar Haeger wrote:
> A general solution (solving a lot of other use cases as a side effect) would
> be to implement a generic color/font/format coding feature. Let users define
> ldap searches and assign formatting styles to those objects that match. Could
> be strikethrough font, font/background color, object icon, whatever.
>
> In a second step, pre-defined filter/formatting sets implementing common
> useful scenarios (like the one Graham posted) could be delivered with Studio
> so users can just enable them if needed. Those delivered sets would also
> double as example code and templates for custom needs.

Well, that would be only a partial solution anyway. Displaying disabled users using a different style is not that useful if you cannot enable or disable them. And that won't be easy to implement unless Studio really understands how the enable/disable mechanism works.

However, as far as I understand, Studio is an LDAP editor. It is not a replacement for an identity management system.

What we usually do is that we manage LDAP content from a real IDM system. IDM can understand how the users are enabled, disabled, when to create them, delete them, disable them, assign to groups and so on. I do not think that Studio will ever have an ambition to do this. E.g. there are at least three different ways how to manage groups in LDAP. All of them are standard, but they are mutually incompatible. And there are even more non-standard ways how to manage groups, organizations, roles, etc. Managing content of a generic LDAP directory is really a job for quite a sophisticated system.

--
Radovan Semancik
Software Architect
evolveum.com
Re: [Studio] Visual way to identify "disabled" users
On 04/10/2017 at 13:57, Shawn McKinney wrote:
>> On Oct 4, 2017, at 2:25 AM, Radovan Semancik wrote:
>>
>> The problem is that there is no standard way how to disable a user in LDAP.
>> Some LDAP servers have proprietary attributes for this. And some servers
>> (such as OpenLDAP) have no good way to do this at all. Therefore the
>> studio has to support many algorithms and it may even need custom extensions
>> to support this properly.
> I wouldn’t characterize adherence to an expired IETF draft — proprietary.
> The main problem is LDAPv3 doesn’t include pw policies and the communities
> (us) have never bothered to ratify an extension as standard.
>
> I’d suggest there could be coverage of a limited set of servers.
>
> For example fortress supports extensions common to openldap and apacheds and
> studio could as well.

Actually, all those considerations are useless. As I said in another mail, Studio does not have to know anything about the semantics of what characterises a 'disabled' user: we just need to associate a filter (that the Studio users will configure to fit their needs) with a presentation handler, leveraged by the Browser plugin when drawing an entry. Simple, context-free, and does not take care of non-standard dead drafts that are not implemented properly by many servers...

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: [Studio] Visual way to identify "disabled" users
On 04/10/2017 at 13:47, Lothar Haeger wrote:
> Radovan Semancik wrote:
>
>> The problem is that there is no standard way how to disable a user in
>> LDAP. Some LDAP servers have proprietary attributes for this. And some
>> servers (such as OpenLDAP) have no good way to do this at all. Therefore
>> the studio has to support many algorithms and it may even need
>> custom extensions to support this properly.
> A general solution (solving a lot of other use cases as a side effect) would
> be to implement a generic color/font/format coding feature. Let users define
> ldap searches and assign formatting styles to those objects that match. Could
> be strikethrough font, font/background color, object icon, whatever.
>
> In a second step, pre-defined filter/formatting sets implementing common
> useful scenarios (like the one Graham posted) could be delivered with Studio
> so users can just enable them if needed. Those delivered sets would also
> double as example code and templates for custom needs.

That could work. Note that the user would just have to define a filter to match entries, something like:

(&(objectClass=posixAccount)(pwdAccountLockedTime=*))

which will be valid if the entry is a PosixAccount and the account is locked (that is when you use passwordPolicy). We can imagine other filters, typically when working with AD.

The logic would be to associate such a filter with an entry handler in charge of the entry presentation (color, font, style, etc) so that when the browser exposes the entries, it calls the handler and knows what to do according to the filter.

Not that complicated to implement, but it requires a bit of work. If someone wants to give it a try, we would be very pleased to add this code to the server !

--
Emmanuel Lecharny
Symas.com
directory.apache.org
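The filter-to-presentation-handler design sketched in this message and the AD extensible-match filter mentioned later in the thread, worked through as an added Python example; this is not Apache Directory Studio code, and the rule table `STYLE_RULES`, the style names, the entry dictionary layout and the sample entries are all constructed here. It parses the RFC 4515 subset the thread needs (AND, OR, NOT, presence, equality and the 1.2.840.113556.1.4.803 bitwise-AND rule) and evaluates it client-side against already-fetched entries, so a browser label provider can ask for a style without a second round trip; substring filters and escaped values are left out on purpose.

```python
"""Added example (not Studio code): map user-configured LDAP filters to a
presentation style, evaluated locally on entries the browser already holds."""
import re

# OID of the Active Directory bitwise-AND matching rule cited in the thread.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# One filter item: attr=value, attr=* (presence) or attr:rule-oid:=value
_ITEM_RE = re.compile(r"([A-Za-z][\w;.-]*)(?::([\w.]+):)?=(.*)")


def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("bad operand count for %r" % op)
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    m = _ITEM_RE.fullmatch(s[i:end])
    if not m:
        raise ValueError("unsupported filter item: %r" % s[i:end])
    attr, rule, value = m.groups()
    if rule:
        return ("extensible", attr, rule, value), end + 1
    if value == "*":
        return ("present", attr), end + 1
    return ("equal", attr, value), end + 1


def matches(node, entry):
    """entry: dict of lower-cased attribute name -> list of string values.
    Equality is case-insensitive, fine for a decoration hint that never
    writes to the directory."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1].lower(), [])
    if kind == "present":
        return bool(values)
    if kind == "equal":
        return any(v.lower() == node[2].lower() for v in values)
    if node[2] != LDAP_MATCHING_RULE_BIT_AND:
        raise ValueError("unsupported matching rule %s" % node[2])
    mask = int(node[3])               # all bits of the mask must be set
    return any(int(v) & mask == mask for v in values)


# Constructed rule table (assumed user configuration): first match wins.
STYLE_RULES = [
    # OpenLDAP ppolicy lock, the filter from the thread
    ("(&(objectClass=posixAccount)(pwdAccountLockedTime=*))", "strikethrough"),
    # Active Directory ACCOUNTDISABLE bit (0x2) in userAccountControl
    ("(userAccountControl:%s:=2)" % LDAP_MATCHING_RULE_BIT_AND, "strikethrough"),
]


def compile_rules(rules=STYLE_RULES):
    """Parse every filter once, not once per entry drawn."""
    return [(parse_filter(f), style) for f, style in rules]


def style_for(entry, compiled):
    for node, style in compiled:
        if matches(node, entry):
            return style
    return None


# Constructed sample entries, as a browser cache would hold them (lower-cased keys).
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectclass": ["posixAccount", "inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com":
        {"objectclass": ["posixAccount"], "uid": ["bob"],
         "pwdaccountlockedtime": ["20171004120000Z"]},
    "CN=Carol,CN=Users,DC=example,DC=com":
        {"objectclass": ["user"], "useraccountcontrol": ["514"]},  # 512 + 2
    "CN=Dave,CN=Users,DC=example,DC=com":
        {"objectclass": ["user"], "useraccountcontrol": ["512"]},  # normal
}


def decorate(entries=SAMPLE_ENTRIES, rules=STYLE_RULES):
    """Return {dn: style or None}, what a label provider would consult."""
    compiled = compile_rules(rules)
    return {dn: style_for(attrs, compiled) for dn, attrs in entries.items()}


if __name__ == "__main__":
    for dn, style in decorate().items():
        print("%-40s %s" % (dn, style or "(default)"))
```

Because the rules are evaluated on the client, the browser still has to fetch the attributes the filters name (here pwdAccountLockedTime and userAccountControl) when it expands a node, which is the fetch-only-objectClass limitation Stefan describes elsewhere in the thread; the alternative is to send each rule's filter to the server as a search and mark the returned DNs.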
Re: [Studio] Visual way to identify "disabled" users
> On Oct 4, 2017, at 2:25 AM, Radovan Semancik wrote:
>
> The problem is that there is no standard way how to disable a user in LDAP.
> Some LDAP servers have proprietary attributes for this. And some servers
> (such as OpenLDAP) have no good way to do this at all. Therefore the
> studio has to support many algorithms and it may even need custom extensions
> to support this properly.

I wouldn’t characterize adherence to an expired IETF draft — proprietary. The main problem is LDAPv3 doesn’t include pw policies and the communities (us) have never bothered to ratify an extension as standard.

I’d suggest there could be coverage of a limited set of servers.

For example fortress supports extensions common to openldap and apacheds and studio could as well.

Shawn
Re: [Studio] Visual way to identify "disabled" users
Radovan Semancik wrote:
> The problem is that there is no standard way how to disable a user in
> LDAP. Some LDAP servers have proprietary attributes for this. And some
> servers (such as OpenLDAP) have no good way to do this at all. Therefore
> the studio has to support many algorithms and it may even need
> custom extensions to support this properly.

A general solution (solving a lot of other use cases as a side effect) would be to implement a generic color/font/format coding feature. Let users define ldap searches and assign formatting styles to those objects that match. Could be strikethrough font, font/background color, object icon, whatever.

In a second step, pre-defined filter/formatting sets implementing common useful scenarios (like the one Graham posted) could be delivered with Studio so users can just enable them if needed. Those delivered sets would also double as example code and templates for custom needs.
Re: [Studio] Visual way to identify "disabled" users
Hi,

The problem is that there is no standard way how to disable a user in LDAP. Some LDAP servers have proprietary attributes for this. And some servers (such as OpenLDAP) have no good way to do this at all. Therefore the studio has to support many algorithms and it may even need custom extensions to support this properly.

--
Radovan Semancik
Software Architect
evolveum.com

On 10/03/2017 03:23 PM, Graham Leggett wrote:
> Hi all,
>
> We have a directory containing current users, as well as historical accounts
> that are disabled but still present.
>
> We’d like to be able to see at a glance which accounts are “live” and which are
> “disabled” to stop people asking about disabled accounts.
>
> Does Apache Directory Studio have a mechanism where objects in a “disabled”
> state are marked as such in the UI? (For example, maybe they’re displayed
> with a strikethrough, etc etc)
>
> There are different icons for various objectclasses, but is there an icon for
> a disabled user?
>
> Regards,
> Graham
> —
Re: [Studio] Visual way to identify "disabled" users
On 10/03/2017 03:23 PM, Graham Leggett wrote:
> We have a directory containing current users, as well as historical accounts
> that are disabled but still present.
>
> We’d like to be able to see at a glance which accounts are “live” and which are
> “disabled” to stop people asking about disabled accounts.
>
> Does Apache Directory Studio have a mechanism where objects in a “disabled”
> state are marked as such in the UI? (For example, maybe they’re displayed
> with a strikethrough, etc etc)
>
> There are different icons for various objectclasses, but is there an icon for
> a disabled user?

I assume those "disabled" users have a specific attribute set? Or do they get another objectclass assigned? I know "userAccountControl" in AD or the pwdLockout attribute.

But anyway, currently that is not possible. The icons are selected based on the entry's objectclasses only. The reason is that while browsing (expanding nodes in the LDAP Browser view) we only fetch the objectclass attributes but not all attributes of the entries; only if you click on a particular entry are all attributes fetched and shown. Also the mapping from OC to icon is currently hardcoded. Technically everything you want is possible, just a lot of work :)

But maybe you can use a filter to filter out the disabled users on the server side?

Kind Regards,
Stefan