-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for user creation and deletion to GraphAPI (LDAP backend) #2947
Conversation
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
2c59900
to
2813959
Compare
2813959
to
90ba337
Compare
e0d62ec
to
1b24ca8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm ok with getting this in after getting rid of Msgf
, that is a personal vendetta I have.
Aside from that I am aware of the difficulty of configuring an LDAP schema. The current PR does harcode the inetOrgPerson, and I am not entirely sure that is 100% compatible with AD, which we will hit sooner rather than later. But we can defer making the mapping configurable to a subsequent PR.
Then there is the question of the default user id attribute. I tried giving my reasoning but would really like to better understand your opinion on that.
graph/pkg/service/v0/users.go
Outdated
"errors" | ||
"net/http" | ||
"net/url" | ||
|
||
libregraph "github.com/owncloud/libre-graph-api-go" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why three sections of packages? does vim add the deps automatically? vscode distinguishes between stdlib at the top, followed by other packages, sorted alphabetically.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah this one is in error on my side ;-)
Though projects split into 3 sections. (stdlib, external packages, imports from the local project). But yeas this one is borked.
graph/pkg/identity/ldap.go
Outdated
errmsg = fmt.Sprintf("too many results searching for user '%s'", nameOrID) | ||
i.logger.Debug().Str("backend", "ldap").Err(lerr).Msg(errmsg) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
errmsg = fmt.Sprintf("too many results searching for user '%s'", nameOrID) | |
i.logger.Debug().Str("backend", "ldap").Err(lerr).Msg(errmsg) | |
i.logger.Debug().Str("backend", "ldap").Err(lerr).Str("user", nameOrID).Msg("too many results searching for user") |
graph/pkg/config/defaultconfig.go
Outdated
UserEmailAttribute: "mail", | ||
UserDisplayNameAttribute: "displayName", | ||
UserNameAttribute: "uid", | ||
// FIXME: switch this to some more widely available attribute by default | ||
// ideally this needs to be constant for the lifetime of a users | ||
UserIDAttribute: "ownclouduuid", | ||
UserIDAttribute: "entryUUID", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really don't like defaulting to an attribute that will change when a user is reimported. IMO we should stick to a custom attribute defined by us. I know that means admins have to change it when they cannot import custom attributes. But for our ocis binary we can add that attribute to libreidm.
Choosing an existing attrubute like entryUUID
, objectGUID
or any other UUID requires us to extensively document why using those attributes can fail in corner cases. Admins will run into that and then the support team will ask engineering for help to repair a deployment. I am just trying to make the defailt implementation as failsafe as possible. Using a dedicated ownclouduuid
at least forces admins to then THINK about what attribute to choose. Furthermore, the ownclouduuid
will leak via the apis.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really don't like defaulting to an attribute that will change when a user is reimported.
If "reimported" the entryUUID will not change. (Provided the operator knows what he's doing). But yeah I get your point.
IMO we should stick to a custom attribute defined by us. I know that means admins have to change it when they cannot import custom attributes. But for our ocis binary we can add that attribute to libreidm.
I'll look into generating a custom uuid from here and probalby add a config knob for this. The whole handling is of the user's unique id in ocis is still huge mistery to me. Especially when integrating with external IDPs and Directories (IIRC we talk about that in the past).
IMO we can never rely on the stability of any externally provided unique identifier. We might just need to do our own internal mapping of identyties to uuid in some form (yet another service?)
@butonic The hardcoded inetOrgPerson is only for the write part of the API. I strongly suggest (and I think we agreed on that long ago) not to try to manage (add, delete, update) users on an LDAP servers where we don't have full control of the installed schema. That is going to fail miserably. I guess we need to add a switch to explicitly turn on the write part of the LDAP backend. The read part of the API does work without any hardcoded objectclass and attributetypes. All of those are configurable. |
1b24ca8
to
3ff5125
Compare
This adds basic support for creating users via the GraphAPI LDAP backend. This currently just maintains the bare minimum Attributes for the inetOrgPerson objectclass. Co-authored-by: Ralf Haferkamp <[email protected]>
By default the GraphAPI will generate the UUID itself now instead of relying on the LDAP server to generate a valid entryUUID attribute. This can been be switched off via the new `use_server_uuid` toggle in the LDAP config.
Defaults to `false` (for now). So the /graph/users endpoints are read-only by default, which should be the default configured against and existing external LDAP server.
3ff5125
to
cb7f9f7
Compare
Kudos, SonarCloud Quality Gate passed! |
running libregraph/idm with
and importing the ocis deployment example ldif I can add and modify users 🚀 needs thes env vars for ocis:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#nice
Description
Sending a POST request to /graph/v1.0/users with this body:
Will create the user
test
. The call will respond with the just created user (including the server generated ID:Types of changes
Checklist:
//cc @refs