Overview:
Most systems use LDAP as a backend store for user information and group membership, for both authentication and access control. The integration modules developed with this in mind have turned out to support only a fixed or limited set of attributes to map. This restricts LDAP integration to that set of attributes and in turn assumes a particular backend configuration.
The aim of this project is to develop a framework for creating and using a map of arbitrary entries. This would allow a configuration that is flexible and not so dependent on the directory implementation.
Description
Objective:
The objective of this project is to develop a scalable framework for LDAP integration that can work beyond user and group data.
Detailed Project Proposal:
An LDAP object is defined by a set of attributes, and to support those attributes it needs a set of objectClasses. So the primary aim of the LDAP integration framework is to provide a mechanism for mapping the user attributes of the host system to the attributes of the LDAP object.
The current LDAP integration modules try to do this by providing a way to map attributes that are specific to authentication, such as email (can be mapped to mail in OpenLDAP or AD), username (can be mapped to uid in OpenLDAP, cn in AD or eDirectory), password, etc. The same can be done for mapping roles to an LDAP (say role/group) object.
This limits the use of the module to administration of a (limited) set of user/group attributes. It also assumes that specific objectClasses are used on the backend LDAP server.
This leads to different, backend-dependent configurations, because the directory implementation in use differs.
This project will focus on separating the LDAP connection parameters (such as host, port, use of TLS/SSL) and bind parameters (such as binddn, bindpw, basedn) from the object attribute mapping.
So the first step of the project will be to develop (or reuse from the existing code base) an interface for administering LDAP configurations. This will be more or less similar to the existing LDAP integration module.
In the second step, the framework for creating arbitrary attribute maps (for the particular LDAP configurations of step 1) will be developed. This can be achieved by providing an administrator interface for specifying the attribute map (say username mapped to uid or cn, password mapped to userPassword, firstname mapped to cn or another attribute, etc.) and the objectClasses needed for that set of LDAP attributes.
This will also involve gathering settings such as the relative DN (RDN), e.g. uid=[username], where [username] serves as a placeholder for the actual username. Another setting could be the container or parent object (useful for groups as well as users), as in uid=[username], ou=[groupname], dc=example,dc=com.
This approach is flexible enough to map any Drupal attribute (say a database table field) to an LDAP object attribute. Hence it can be extended to any object (in addition to users or groups) present in Drupal's nomenclature. E.g. taxonomies or multi-site configuration can be saved in LDAP and thereby imported by a new installation.
The third stage of the project will use the infrastructure created in steps 1 and 2, specifically for user and group administration. In this stage, an interface for user and group administration with respect to LDAP will be provided. This will involve importing and exporting user and group data from and to the LDAP directory.
The primary motivation of this stage is to develop a use case for user and group management.
Mid/end term Deliverables:
The success criterion I assume for the midterm is completion of steps 1 and 2 with test cases (at least) for OpenLDAP and Microsoft AD, along with detailed documentation for users and developers (including the issues faced during development).
For the end of the term, I would like to complete step 3 along with detailed documentation and test cases for OpenLDAP, AD, eDirectory, SunOne, etc.
Explorations Done:
I looked into the ldap_integration module (of Drupal) and configured it for OpenLDAP (I also looked into the LDAP integration modules for MediaWiki and Joomla).
This module provides three features: LDAP Integration, LDAP Groups, and LDAP Data.
The LDAP integration part I am proposing is more or less similar to the one already in the above module.
LDAP Data does quite a bit of attribute mapping, but I find it not very flexible, as for each configuration it maps a fixed set of parameters with respect to the user object. Also, for advanced configuration, the configuration files on the server have to be modified.
The major idea behind my proposal is dynamic attribute mapping (without the overhead of editing configuration files), with the mapping stored in the backend database.
Using this, the administrator can map any number of Drupal attributes (for simplicity, the column names of tables in the database) to attributes of the LDAP object (with flexibility in which LDAP attributes/parameters to include, as in phpLDAPadmin; this can be ensured by providing a way to enter objectClasses).
This would also overcome the one-LDAP-configuration-to-one-data-(attribute)-mapping restriction, and it can facilitate associating any kind of data with LDAP (not just user or group information).
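As an added illustration of steps 1 and 2 above and of the dynamic mapping described here (example code written for this page, in Python for brevity; it is not the proposal's or Drupal's code): a Drupal-field-to-LDAP-attribute map, the objectClasses it requires, and RDN/parent templates with [field] placeholders. Placeholder values are escaped per RFC 4514, so a value containing a comma or equals sign stays one RDN component instead of becoming extra DN components. ATTRIBUTE_MAP, build_dn, build_entry and the sample user record are hypothetical.

```python
import re

# Step 2 mapping: Drupal field -> LDAP attribute, the objectClasses those
# attributes need, and DN templates whose [field] placeholders are filled
# from the record. Step 1 connection/bind settings would live separately.
ATTRIBUTE_MAP = {"name": "uid", "mail": "mail", "pass": "userPassword",
                 "fullname": "cn", "lastname": "sn"}
OBJECT_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson"]
RDN_TEMPLATE = "cn=[fullname]"
PARENT_TEMPLATE = "ou=[group],dc=example,dc=com"

_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')  # characters RFC 4514 escapes


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514, 2.4)."""
    if "\x00" in value:
        raise ValueError("NUL is not allowed in a DN value")
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped.endswith(" "):            # trailing space must be escaped
        escaped = escaped[:-1] + "\\ "
    if escaped.startswith(("#", " ")):   # leading '#' or space must be escaped
        escaped = "\\" + escaped
    return escaped


def render_template(template: str, record: dict) -> str:
    """Replace each [field] placeholder with the escaped value from record."""
    def substitute(match):
        field = match.group(1)
        if field not in record:
            raise KeyError(f"record has no field '{field}'")
        return escape_dn_value(str(record[field]))
    return re.sub(r"\[([A-Za-z0-9_]+)\]", substitute, template)


def build_dn(record: dict) -> str:
    """Full DN of the LDAP object representing this Drupal record."""
    return (render_template(RDN_TEMPLATE, record) + ","
            + render_template(PARENT_TEMPLATE, record))


def build_entry(record: dict) -> dict:
    """LDAP attributes for export, derived only from the configured map."""
    entry = {"objectClass": list(OBJECT_CLASSES)}
    for field, attr in ATTRIBUTE_MAP.items():
        if record.get(field) is not None:
            entry.setdefault(attr, []).append(str(record[field]))
    return entry


# Constructed sample record, standing in for a row of Drupal's users table.
SAMPLE_USER = {"name": "jsmith", "mail": "jsmith@example.com", "pass": "{SSHA}x",
               "fullname": "Smith, John", "lastname": "Smith", "group": "Editors"}
```

Fields not present in ATTRIBUTE_MAP (here, group) are used only by the templates and never exported as attributes, which keeps the mapping the single place that decides what leaves Drupal.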
A possible application of this approach is storing categories in LDAP, or even storing the whole administration configuration in LDAP.
So this project can make use of the code base of the existing LDAP integration modules. It should not be considered merely a few additions over the existing one, because of its different design approach.
Timeline:
Community Bonding Period (26 Apr - 24 May)
Improve the project proposal and write the detailed, final version. Ask the Drupal community and mentor about additional features (or refinements of the proposed features) to be implemented.
This project will need multiple platforms for testing. So a working AD installation (with SSL, for modifying the userPassword and userID fields) is needed. For this, Windows 2000 or 2008 will be installed in VirtualBox.
24 May - 12 July (approx. 7 weeks)
* 3 weeks for stage 1 (LDAP configuration administration) + documentation (with test cases)
* 3 weeks for stage 2 (LDAP object attribute mapping administration) + documentation (with test cases)
* 1 week buffer for pending work, bug fixes, or proceeding to the next stage
16 July - 9 August (approx. 3 weeks)
* 2-3 weeks for stage 3 (LDAP user and group management) + documentation (with test cases)
* 1 week (if left over) for bug fixing and improving documentation (with test cases)
Contact Details (email at minimum):
Difficulty: medium