[server] Make "sources_by_uri" and "sources_by_eid" properties of repository
I.e. do not populate these dict as repo initialization (bootstrap step) but
always use information from database. This is needed because when multiple
instances of the same application run, if one instance adds a CWSource the
other ones will not see it. In particular, when using a scheduler instance,
new CWSource will be added by the web instance and not seen by the scheduler
which is supposed to update them.
We thus define properties for sources_by_eid and sources_by_uri instead
attributes on repository instance. CWSource entities are thus retrieved from
database every time these properties are accessed. We factor out
initialization of the "source" instance (subclass of
cubicweb.server.source.AbstractSource) in a _sources() method. Note that this
method takes care of calling "init" method on the source as well as
"set_schema" (previously done in repo.set_schema(), which now only touches
system_source). Accordingly the "init_sources_from_database" method is dropped
along with "add_source"/"remove_source" methods.
In syncsources hook, we thus drop:
* SourceAddedOp operation which called repo.add_source() so that the
SourceAddedHook only cares about checking source configuration now;
* SourceRemovedOp and SourceRenamedOp operations for the same reason;
* SourceConfigUpdatedOp as updating the live config of source is
meaningless once we rely on them being retrieved from the database;
* SourceHostConfigUpdatedHook hook which is now useless without call to
SourceConfigUpdatedOp;
In 3.10 migration script, remove usage of sources_by_uri repo attribute which,
unless I'm missing something, appears useless (at least now).
In tests:
* unittest_datafeed: remove test_update_url method since we dropped respective
hook;
* unittest_ldapsource: LDAPFeedUserDeletionTC.test_a_filter_inactivate()
currently fails because it still relies on live config being updated, this
will be fixed in the next changeset once all "live source" logic will be
removed.
.. _LDAP:
LDAP integration
================
Overview
--------
Using LDAP as a source for user credentials and information is quite
easy. The most difficult part lies in building an LDAP schema or
using an existing one.
At cube creation time, one is asked if more sources are wanted. LDAP
is one possible option at this time. Of course, it is always possible
to set it up later using the `CWSource` entity type, which we discuss
there.
It is possible to add as many LDAP sources as wanted, which translates
in as many `CWSource` entities as needed.
The general principle of the LDAP source is, given a proper
configuration, to create local users matching the users available in
the directory and deriving local user attributes from directory users
attributes. Then a periodic task ensures local user information
synchronization with the directory.
Users handled by such a source should not be edited directly from
within the application instance itself. Rather, updates should happen
at the LDAP server level.
Credential checks are _always_ done against the LDAP server.
.. Note::
There are currently two ldap source types: the older `ldapuser` and
the newer `ldapfeed`. The older will be deprecated anytime soon, as
the newer has now gained all the features of the old and does not
suffer from some of its illnesses.
The ldapfeed creates real `CWUser` entities, and then
activate/deactivate them depending on their presence/absence in the
corresponding LDAP source. Their attribute and state
(activated/deactivated) are hence managed by the source mechanism;
they should not be altered by other means (as such alterations may
be overridden in some subsequent source synchronisation).
Configuration of an LDAPfeed source
-----------------------------------
Additional sources are created at cube creation time or later through the
user interface.
Configure an `ldapfeed` source from the user interface under `Manage` then
`data sources`:
* At this point `type` has been set to `ldapfeed`.
* The `parser` attribute shall be set to `ldapfeed`.
* The `url` attribute shall be set to an URL such as ldap://ldapserver.domain/.
* The `configuration` attribute contains many options. They are described in
detail in the next paragraph.
Options of an LDAPfeed source
-----------------------------
Let us enumerate the options by categories (LDAP server connection,
LDAP schema mapping information).
LDAP server connection options:
* `auth-mode`, (choices are simple, cram_md5, digest_md5, gssapi, support
for the later being partial as of now)
* `auth-realm`, realm to use when using gssapi/kerberos authentication
* `data-cnx-dn`, user dn to use to open data connection to the ldap (eg
used to respond to rql queries)
* `data-cnx-password`, password to use to open data connection to the
ldap (eg used to respond to rql queries)
If the LDAP server accepts anonymous binds, then it is possible to
leave data-cnx-dn and data-cnx-password empty. This is, however, quite
unlikely in practice. Beware that the LDAP server might hide attributes
such as "userPassword" while the rest of the attributes remain visible
through an anonymous binding.
LDAP schema mapping options:
* `user-base-dn`, base DN to lookup for users
* `user-scope`, user search scope (valid values: "BASE", "ONELEVEL",
"SUBTREE")
* `user-classes`, classes of user (with Active Directory, you want to
say "user" here)
* `user-filter`, additional filters to be set in the ldap query to
find valid users
* `user-login-attr`, attribute used as login on authentication (with
Active Directory, you want to use "sAMAccountName" here)
* `user-default-group`, name of a group in which ldap users will be by
default. You can set multiple groups by separating them by a comma
* `user-attrs-map`, map from ldap user attributes to cubicweb
attributes (with Active Directory, you want to use
sAMAccountName:login,mail:email,givenName:firstname,sn:surname)
Other notes
-----------
* Cubicweb is able to start if ldap cannot be reached, even on
cubicweb-ctl start ... If some source ldap server cannot be used
while an instance is running, the corresponding users won't be
authenticated but their status will not change (e.g. they will not
be deactivated)
* The user-base-dn is a key that helps cubicweb map CWUsers to LDAP
users: beware updating it
* When a user is removed from an LDAP source, it is deactivated in the
CubicWeb instance; when a deactivated user comes back in the LDAP
source, it (automatically) is activated again
* You can use the :class:`CWSourceHostConfig` to have variants for a source
configuration according to the host the instance is running on. To do so
go on the source's view from the sources management view.