Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for user creation and deletion to GraphAPI (LDAP backend) #2947

Merged
merged 6 commits into from
Jan 17, 2022

Conversation

rhafer
Copy link
Contributor

@rhafer rhafer commented Jan 11, 2022

Description

Sending a POST request to /graph/v1.0/users with this body:

{
  "displayName": "Test User",
  "mail": "[email protected]",
  "onPremisesSamAccountName": "test",
  "passwordProfile": {
    "password": "secret"
  }
}

Will create the user test. The call will respond with the just created user (including the server generated ID:

{
    "displayName": "Test User",
    "id": "2b7f0f9c-0739-103c-926e-03e52584738a",
    "mail": "[email protected]",
    "onPremisesSamAccountName": "test"
}

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

//cc @refs

@rhafer rhafer added the Status:Needs-Review Needs review from a maintainer label Jan 11, 2022
@rhafer rhafer self-assigned this Jan 11, 2022
@update-docs
Copy link

update-docs bot commented Jan 11, 2022

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@rhafer rhafer requested a review from micbar January 11, 2022 14:53
graph/pkg/identity/cs3.go Outdated Show resolved Hide resolved
@rhafer rhafer force-pushed the ldap-as-user-backend branch from 2c59900 to 2813959 Compare January 11, 2022 16:23
@rhafer rhafer changed the title Add support for user creation to GraphAPI (LDAP backend) Add support for user creation and deletion to GraphAPI (LDAP backend) Jan 11, 2022
@rhafer rhafer requested a review from refs January 11, 2022 16:24
@rhafer rhafer force-pushed the ldap-as-user-backend branch from 2813959 to 90ba337 Compare January 12, 2022 08:28
graph/pkg/identity/cs3.go Show resolved Hide resolved
graph/pkg/identity/ldap.go Outdated Show resolved Hide resolved
graph/pkg/identity/ldap.go Show resolved Hide resolved
graph/pkg/service/v0/users.go Outdated Show resolved Hide resolved
@rhafer rhafer force-pushed the ldap-as-user-backend branch 4 times, most recently from e0d62ec to 1b24ca8 Compare January 13, 2022 08:50
Copy link
Member

@butonic butonic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm ok with getting this in after getting rid of Msgf, that is a personal vendetta I have.

Aside from that I am aware of the difficulty of configuring an LDAP schema. The current PR does harcode the inetOrgPerson, and I am not entirely sure that is 100% compatible with AD, which we will hit sooner rather than later. But we can defer making the mapping configurable to a subsequent PR.

Then there is the question of the default user id attribute. I tried giving my reasoning but would really like to better understand your opinion on that.

graph/pkg/identity/ldap.go Outdated Show resolved Hide resolved
graph/pkg/identity/ldap.go Outdated Show resolved Hide resolved
graph/pkg/identity/ldap.go Show resolved Hide resolved
graph/pkg/identity/ldap.go Show resolved Hide resolved
graph/pkg/identity/ldap.go Show resolved Hide resolved
graph/pkg/identity/ldap.go Show resolved Hide resolved
"errors"
"net/http"
"net/url"

libregraph "github.com/owncloud/libre-graph-api-go"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why three sections of packages? does vim add the deps automatically? vscode distinguishes between stdlib at the top, followed by other packages, sorted alphabetically.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this one is in error on my side ;-)

Though projects split into 3 sections. (stdlib, external packages, imports from the local project). But yeas this one is borked.

Comment on lines 261 to 262
errmsg = fmt.Sprintf("too many results searching for user '%s'", nameOrID)
i.logger.Debug().Str("backend", "ldap").Err(lerr).Msg(errmsg)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
errmsg = fmt.Sprintf("too many results searching for user '%s'", nameOrID)
i.logger.Debug().Str("backend", "ldap").Err(lerr).Msg(errmsg)
i.logger.Debug().Str("backend", "ldap").Err(lerr).Str("user", nameOrID).Msg("too many results searching for user")

graph/pkg/identity/ldap.go Show resolved Hide resolved
UserEmailAttribute: "mail",
UserDisplayNameAttribute: "displayName",
UserNameAttribute: "uid",
// FIXME: switch this to some more widely available attribute by default
// ideally this needs to be constant for the lifetime of a users
UserIDAttribute: "ownclouduuid",
UserIDAttribute: "entryUUID",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really don't like defaulting to an attribute that will change when a user is reimported. IMO we should stick to a custom attribute defined by us. I know that means admins have to change it when they cannot import custom attributes. But for our ocis binary we can add that attribute to libreidm.

Choosing an existing attrubute like entryUUID, objectGUID or any other UUID requires us to extensively document why using those attributes can fail in corner cases. Admins will run into that and then the support team will ask engineering for help to repair a deployment. I am just trying to make the defailt implementation as failsafe as possible. Using a dedicated ownclouduuid at least forces admins to then THINK about what attribute to choose. Furthermore, the ownclouduuid will leak via the apis.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really don't like defaulting to an attribute that will change when a user is reimported.

If "reimported" the entryUUID will not change. (Provided the operator knows what he's doing). But yeah I get your point.

IMO we should stick to a custom attribute defined by us. I know that means admins have to change it when they cannot import custom attributes. But for our ocis binary we can add that attribute to libreidm.

I'll look into generating a custom uuid from here and probalby add a config knob for this. The whole handling is of the user's unique id in ocis is still huge mistery to me. Especially when integrating with external IDPs and Directories (IIRC we talk about that in the past).
IMO we can never rely on the stability of any externally provided unique identifier. We might just need to do our own internal mapping of identyties to uuid in some form (yet another service?)

@rhafer
Copy link
Contributor Author

rhafer commented Jan 13, 2022

The current PR does harcode the inetOrgPerson, and I am not entirely sure that is 100% compatible with AD, which we will hit sooner rather than later. But we can defer making the mapping configurable to a subsequent PR.

@butonic The hardcoded inetOrgPerson is only for the write part of the API. I strongly suggest (and I think we agreed on that long ago) not to try to manage (add, delete, update) users on an LDAP servers where we don't have full control of the installed schema. That is going to fail miserably. I guess we need to add a switch to explicitly turn on the write part of the LDAP backend.

The read part of the API does work without any hardcoded objectclass and attributetypes. All of those are configurable.

@rhafer rhafer force-pushed the ldap-as-user-backend branch from 1b24ca8 to 3ff5125 Compare January 13, 2022 15:28
refs and others added 6 commits January 13, 2022 16:30
This adds basic support for creating users via the GraphAPI
LDAP backend. This currently just maintains the bare minimum
Attributes for the inetOrgPerson objectclass.

Co-authored-by: Ralf Haferkamp <[email protected]>
By default the GraphAPI will generate the UUID itself now instead of
relying on the LDAP server to generate a valid entryUUID attribute. This
can been be switched off via the new `use_server_uuid` toggle in the
LDAP config.
Defaults to `false` (for now). So the /graph/users endpoints are
read-only by default, which should be the default configured against
and existing external LDAP server.
@rhafer rhafer force-pushed the ldap-as-user-backend branch from 3ff5125 to cb7f9f7 Compare January 13, 2022 15:30
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 10 Code Smells

20.0% 20.0% Coverage
15.4% 15.4% Duplication

@rhafer rhafer requested a review from butonic January 17, 2022 07:34
@butonic
Copy link
Member

butonic commented Jan 17, 2022

running libregraph/idm with

go run cmd/idmd/main.go serve --ldap-handler boltdb --ldap-base-dn='ou=users,dc=owncloud,dc=com' --log-level=debug --ldap-admin-dn='uid=admin,ou=users,dc=owncloud,dc=com'

and importing the ocis deployment example ldif I can add and modify users 🚀

needs thes env vars for ocis:


                "GRAPH_IDENTITY_BACKEND": "ldap",
                "GRAPH_LDAP_URI": "ldap://localhost:10389",
                "GRAPH_LDAP_BIND_DN": "uid=admin,ou=users,dc=owncloud,dc=com",
                "GRAPH_LDAP_BIND_PASSWORD": "admin",
                "GRAPH_LDAP_SERVER_UUID": "false",
                "GRAPH_LDAP_SERVER_WRITE_ENABLED": "true",
                "GRAPH_LDAP_USER_BASE_DN": "ou=users,dc=owncloud,dc=com"

Copy link
Member

@butonic butonic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#nice

@butonic butonic merged commit 4a48708 into owncloud:master Jan 17, 2022
@butonic butonic added Category:Enhancement Add new functionality and removed Status:Needs-Review Needs review from a maintainer labels Jan 17, 2022
@micbar micbar mentioned this pull request Feb 16, 2022
22 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Category:Enhancement Add new functionality
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants