You are here: Home Zope products LDAP Directory Manager

LDAP Directory Manager (1.12)

by Ihor Berehulyak last modified 2009-01-20
Released on 2005-04-17 by Stevray for Zope 2 under BSD License (revised) available for All platforms.
Software development stage: stable
The ST LDAP Manager is a tool for maintaining information about people, organizational units, and groups in an LDAP directory. It is not intended as the general purpose tool that a directory administrator would use. It is intended, instead, as a highly configurable tool for use in situations where you need levels of access to the information in an LDAP directory.
LDAP Directory Manager works in conjuction with Jens Vagelpohl's LDAPUserFolder: users login with their LDAP username and password, and are allowed to do whatever the LDAP directory security assertions allow. You will also need the python-ldap module.

OpenLDAP and iPlanet directory servers both allow the directory administrator to establish a complicated set of security assertions. While our product gets a lot of its information from the directory, the average user cannot get the directory to reveal its security rules. This creates a problem for user interface designers: how to avoid showing entry fields for attributes a user is not allowed to change, and the resultant "insufficient access" errors returned from the directory when those changes are submitted.

Our approach has been to build a product with customization flexible enough for you to match the user interface to your directory. You can decide which objectClasses will be used to represent people, org units, and groups. Of all the attributes of those objectClasses, you can decide which ones will be managed through the web and how they will be grouped onto screens for editing. You can establish access roles based on groups in the LDAP directory, in addition to special roles like the anonymous role, the LDAP authenticated role, an authenticated user accessing their own record, and a manager accessing the record of someone they (directly) manage. Then, for each attribute you want to manage, you can specify which roles can read and which can write that attribute. And for each of the person, org unit, and group object categories, you can specify which roles can create and delete them, or add and remove members from groups. If your directory already has the security assertions you want, you can configure this object to match them. Or, you can configure this object with the security assertions you want, and have it write them out for you in iPlanet ACI ldif or OpenLDAP slapd.conf format.

Instances of the product need to live in folders where access is controlled by an LDAPUserFolder. If you are already using LDAPUserFolders, you won't have to make any changes to get them to work with our product.

Tested configurations for the current release include Zope 2.6.0-2.6.4/Python 2.1.3/python-ldap-2.0.0pre14 and Zope 2.7.0/Python 2.3.3/python-ldap-2.0.0pre14, with OpenLDAP 2.1.12 and iPlanet Directory Server 5.0-5.2.

Version 1.12 incorporates many fixes and some enhancements: support for jpegPhoto, support for replicated directories, control over who can manage the schema, better reporting, updated help.

We continue to make this tool more general by moving choices that suit our use cases out of the code and into the configuration. The biggest remaining exception is the org chart view. We still assume that the directory contains a tree of organizationalUnit entries that match the org chart for your organization, and that people entries have information about their place in the org chart. We assume that either each person's entry has an entry whose value is the distinguished name of the appropriate entry in the tree of orgUnits, or their entry is actually at the appropriate place in the tree.

Document Actions
Powered by Plone