Active Directory Support in 2.4


Anthony Sheehy

Jan 4, 2018, 8:40:14 AM
to AtoM Users
Hi guys,

I have been hacking away at the LDAP integration in 2.4 and I have made enough changes in 3 php files to allow secure LDAPS login to AtoM via Active Directory. How do I go about sharing this information and is anyone interested?

Regards


Anthony

Dan Gillean

Jan 4, 2018, 1:03:09 PM
to ICA-AtoM Users
Hi Anthony, 

Interesting! I do think that there would be users interested in this - in fact, we had a user asking about it recently. We at Artefactual haven't done a deep analysis or any testing yet, but our supposition was actually that the module might work with AD without modification (or with very few mods), if one could figure out the correct AD values to enter. This is unproven, so I'm curious to hear about your process. 

If you would like to share your work with the community, we would definitely welcome a pull request. If the pull request is accepted, we will add it to the next major public release, so that our entire community can benefit. This also means that you won't have to maintain your customization locally through successive upgrades, which reduces the technical burden on your end. If you are curious about how we maintain AtoM as an open source project, you might want to read this page: 

Now, some resources and important notes about contributing code: 

First, we have some initial wiki pages on our coding standard, code repository, code review process, and more available on our wiki here: 

Please be sure to review these and ensure that your code meets these minimum requirements before submitting - we need to ensure that the codebase remains fairly consistent, and that our team can maintain it over time. 

I would also strongly suggest that you review the recommendations found here: 
We had some questions about this process recently, especially as it relates to larger feature-based pull requests, to which I responded at some length with further thoughts - please see that as well: 
Most important for us in considering such changes will be that the current LDAP module continues to work - i.e. that these changes do not mean that the LDAP module will only work with Microsoft's Active Directory going forward. Alternatively, there should be a configuration option available to users if it's one or the other. 

Please understand that reviewing community submitted code is unpaid work for our team, so it can take a bit of time for us to be able to get to it (we need to prioritize our paid work so we can keep the lights on), and there is a limit on what we can take on in terms of size/complexity without some support for the time we'll have to invest. If you've rebased your work against our latest development branch (currently qa/2.5.x), kept your work organized into clean, atomic commits with clear commit messages, followed our coding standard recommendations, added useful comments in the code where necessary, and can make yourself available to respond to feedback on the PR, this will help us immensely and will greatly increase the likelihood of this moving forward, to the benefit of everyone!

Thanks again, and let us know if you have any further questions! 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory

--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-users+unsubscribe@googlegroups.com.
To post to this group, send email to ica-atom-users@googlegroups.com.
Visit this group at https://groups.google.com/group/ica-atom-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/e6ff720c-2e3e-4d44-a691-bf417d02195e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dan Gillean

Jan 4, 2018, 1:06:06 PM
to ICA-AtoM Users
One more option, if you don't want to prep a pull request and all that this entails: 

If you want, you might consider adding your changes and some usage notes to a gist or something similar, and sharing it here. I can always add links and further information to our wiki in the Community development section - or you are welcome to register for a wiki account and do that as well!

Regards, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory


Anthony Sheehy

Jan 5, 2018, 4:09:35 AM
to ica-ato...@googlegroups.com
Hi Dan,

Thanks. Something to chew over re development.

So... my process. I did initially try out the LDAP module. You could make it work by tying it down to a single Organisational Unit (OU) in AD and using CN as the ldapBindingAttribute. This would produce the DN that the LDAP module makes a binding with. There were a couple of very unworkable down points with this that would make any implementation impossible:

1. The binding to a particular OU. My organisation, and many more, break users down into multiple OUs in order to apply group policy to disparate groups of users and aid in user management. Some of our existing software (Cisco CUCM) uses specific OUs to populate its user lists. To have to reduce all users to a single OU, when you have over 1000 users, is unworkable.

2. The connection is limited to LDAP without SSL (using host and port number). This is insecure and a threat to security as it causes user credentials to be passed over the network in plain text. Definitely a showstopper.

Initially I thought I would take a copy of the LDAP class files (there are three) but my initial testing threw up an unknown class exception when reading the factories.yml configuration. So I settled for amending the existing LDAP classes. Here are the basic things I did:

1. Removed the port number field (in ldapAction.class.php and ldapSuccess.php) and renamed the host field as URI. PHP ldap_connect allows for a URI only as a parameter. This allowed me to use a secure LDAP connection: ldaps://<hostname>:<port number> as the URI. I changed the code (in ldapUser.class.php) accordingly to make the connection using simply the URI. This change should be happy with any LDAP directory because it relies only on PHP and not the directory. To make LDAPS work, the certificate for the CA that issued the LDAP host's certificate needs to be imported to the file referred to in /etc/ldap/ldap.conf.

2. I made a number of changes to ldapUser.class.php apart from removing the port in getLdapConnection().

a. In the ldapBind function I removed the DN creation (which severely limited the scope of directory integration) and bound simply using the username, for which I used the userPrincipalName (UPN), which in our organisation is the same as the email address <username>@<domain>. (That might not be so for other organisations, which sometimes hold mail on different domains.) For Active Directory, this is acceptable (and an alternative identifier to <domain>\<username>) and will bind to any user in any OU in the directory. (Unsure how this will work on other LDAP implementations.)

b. In the createUserFromLdapInfo function I retrieve the name attribute from AD and apply that to $user->username, as having the UPN would be unwieldy in the User List in AtoM. I then save to $user->email the UPN that the user logged in with.

c. Putting the UPN into $user->email meant a change to the authenticate function, otherwise the user would not be retrieved. I changed the criteria from QubitUser::NAME to QubitUser::EMAIL so that the correct existing user is retrieved from the UPN.

At this point the ldapBaseDN is practically useless, unless I add additional code to check whether the bound user falls under that Base. I left it in but would use the domain root as the Base. I note that the requester wants group enumeration and access by AD group. This would also be quite possible. I was thinking along the lines of adding security to newly created users based on group membership. But for the moment, my Archive Department is simply happy to have AD logins.

So yes, it could break other LDAP implementations. As mentioned, I initially tried simply copying the files and creating a completely separate class. If I could have a hint as to where to register new classes, I would go down that route so that plain LDAP can work/develop uninterrupted.
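The connect-by-URI and bind-by-UPN flow described in the post above, written out as a stand-alone PHP function. This is an added illustration, not Anthony's PR or AtoM's ldapUser.class.php; the function name, the base DN check and the hostnames are assumptions. It also adds the base-DN scope check the post mentions as missing, so the configured ldapBaseDN still restricts which bound accounts are accepted.

```php
<?php
// Added example (not AtoM code): LDAPS over a URI, simple bind with the UPN,
// then a scoped lookup of the account's "name" attribute under the base DN.
// Hostnames, base DN and attribute choices are assumptions for illustration.

function ldapsAuthenticate(string $uri, string $baseDn, string $upn, string $password): ?array
{
    // With an empty password ldap_bind() performs an anonymous (unauthenticated)
    // bind, which Active Directory accepts; that must never count as a login.
    if ($upn === '' || $password === '') {
        return null;
    }

    // ldap_connect() accepts a full URI, so the scheme selects LDAPS
    // (e.g. "ldaps://dc01.example.internal:636"). The issuing CA has to be
    // trusted via TLS_CACERT in /etc/ldap/ldap.conf, as the post notes.
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);  // AD returns referrals at the domain root
    // Refuse the session if the server certificate does not validate, rather
    // than silently falling back to an unverified connection.
    ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Bind directly with the UPN (user@domain): no DN is built, so any OU works.
    if (!@ldap_bind($conn, $upn, $password)) {
        ldap_unbind($conn);
        return null;
    }

    // Look the bound account up under the configured base DN. ldap_escape()
    // stops filter metacharacters in the supplied UPN from altering the query.
    $filter  = sprintf('(userPrincipalName=%s)', ldap_escape($upn, '', LDAP_ESCAPE_FILTER));
    $result  = ldap_search($conn, $baseDn, $filter, ['name', 'userPrincipalName']);
    $entries = ($result !== false) ? ldap_get_entries($conn, $result) : false;
    ldap_unbind($conn);

    // Exactly one match means the account exists below the base DN; zero means
    // the bind succeeded but the account is out of scope for this application.
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    // ldap_get_entries() lower-cases attribute names.
    return [
        'username' => $entries[0]['name'][0],               // display name for the User List
        'email'    => $entries[0]['userprincipalname'][0],  // UPN, the lookup key for authenticate()
    ];
}

// Usage (assumed values): a null return means "deny"; otherwise the array
// holds what the post stores in $user->username and $user->email.
$account = ldapsAuthenticate(
    'ldaps://dc01.example.internal:636',
    'DC=example,DC=internal',
    'jane.doe@example.internal',
    getenv('LDAP_TEST_PASSWORD') ?: ''
);
var_dump($account);
```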

Ricardo Pinho

Jan 5, 2018, 4:43:55 AM
to ica-ato...@googlegroups.com
Hi Anthony,
Congratulations and thank you so much for sharing this information.
We are very interested in using LDAP integration in AtoM 2.4!

Since the AtoM 2.4 license is AGPL and it is distributed on GitHub, I would suggest you make a fork and add/change those 3 PHP files so we could try them.

@Dan, I don't know if this is the way recommended by Artefactual for someone that is not a Professional Coder to share our code changes so they can be useful for the AtoM future.
But this seems to me the simplest way to comply with the AGPL license and share the code with all users!

Best regards,
Ricardo Pinho



Anthony Sheehy

Jan 5, 2018, 7:05:07 AM
to ica-ato...@googlegroups.com
Sooo... who gets the signed contributor license?

I have actually figured out the class thing so it can slip in beside the LDAP module as a separate entity now.

Ricardo Pinho

Jan 5, 2018, 7:44:34 AM
to ica-ato...@googlegroups.com
Hi,

Sooo... who gets the signed contributor license?

Sorry, I don't understand your question.

As far as I understand, AGPL is a copyleft license for server software.

So anyone that modifies the software and makes it available (used) to others must share the code and maintain the same license.

You must create an account on GitHub, and when you make a fork of the AtoM code you are copying exactly the same license.
When and if your pull request is included in the official release you will be automatically listed as a contributor.

By the way, AGPL has been created to solve a GPL problem when used on server software:
https://www.gnu.org/licenses/why-affero-gpl.html

But suppose the program is mainly useful on servers. When D modifies the program, he might very likely run it on his own server and never release copies. Then you would never get a copy of the source code of his version, so you would never have the chance to include his changes in your version. You may not like that outcome.

Using the GNU Affero GPL avoids that outcome. If D runs his version on a server that everyone can use, you too can use it. Assuming he has followed the license requirement to let the server's users download the source code of his version, you can do so, and then you can incorporate his changes into your version. (If he hasn't followed it, you have your lawyer complain to him.)


Cheers,
Ricardo Pinho


Anthony Sheehy

Jan 5, 2018, 8:20:39 AM
to ica-ato...@googlegroups.com
Ricardo,

I read through the project's guidelines and they request that contributors sign a fairly harmless piece of paper, which I am very happy to do; I just need to know who to send it to. That's probably a question for Dan really.

I have created a pull request, so you can get to the files. The link is above.

Thanks


Anthony

Ricardo Pinho

Jan 5, 2018, 9:30:10 AM
to ica-ato...@googlegroups.com
Anthony,
Ok and sorry about my misunderstanding.
Nice to know that we must sign a piece of paper to contribute to a "no paper" software. LOL
Thank you for the link.
Cheers,
Ricardo


Dan Gillean

Jan 9, 2018, 12:21:39 PM
to ICA-AtoM Users
Hi Ricardo and Anthony, 

Thanks for the detailed explanation, Anthony! I'm going to ask one of our developers to look at this thread and your PR. If this breaks the existing AD integration, however, that may prevent us from accepting the PR, because that work was previously sponsored development, and while we would love to see AtoM support LDAP more broadly, we would need to do so in a way that maintains existing functionality. A lot of what you've described is over my head as an archivist, however, so I'll let someone with a better understanding of the code involved review and reply in greater depth.

As to the question about registering new classes, again I'll need a developer to respond to you - but in the meantime, you might consider looking in the Symfony 1.x documentation? These slides might also help: 
Re: the contributor's agreement - if you'd like, you can wait until we figure out if we can even accept the PR, but you can send it to agree...@artefactual.com - or if you'd like, straight to me, since I'm usually the one that receives agreement emails first anyway :)

I'll update the Contribute code page to better reflect where these should be sent! 

Ricardo, we have a brief explanation and some examples of other open source projects with agreements here: 
You do not need to sign the agreement to work with AtoM code - you are correct that the project is licensed under an A-GPLv3 license, and you are free to study, modify, and redistribute it as you see fit under the terms of that license (namely, that you share your work using the same license). Anthony is definitely welcome to create a publicly available fork of the AtoM project that includes these modifications, and others can choose to use it instead of our publicly maintained branch. This is one of the strengths of open source and we would not want to hinder this in any way. 

The contributor's agreement is for those who want to submit code to the public project we maintain, and we require this only to avoid possible legal battles in the future, if someone decides that they own copyright on code we've incorporated and attempts to drag down the project that way. This is especially important when we have many contributors who work for institutions, who may view any work their employees do as part of their copyright. If we had to contend with ownership claims from dozens of different individuals and institutions it could destroy the AtoM project. This is merely a simple protection that allows the focus to stay on the project, and its community accessibility. The agreement really just states that you are the author of the code, the work is original, you have the rights to share it, and you are assigning a license for the project to freely use the work going forward by contributing. It in no way interferes with branches and forks, alternative distributions, or your rights to further modify the project in any way you see fit. Additionally, you retain copyright - you grant us a license for use in perpetuity, but this does not try to obfuscate your contributions.

I hope that clarifies things somewhat. If you look over the link above and still have questions, please let us know! 

Anthony, I hope to have more responses for you soon - in the meantime, thank you in advance for your patience. We're a small shop with a lot of client projects that we must necessarily prioritize, but our team will get back to you as soon as possible! 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory


Dan Gillean

Jan 9, 2018, 2:56:41 PM
to ICA-AtoM Users
Oops, slight amendment: the address to which you can send signed contributor agreements is: agre...@artefactual.com. I had previously accidentally listed that as "agreements" (pluralized). 

Best,

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory

Ricardo Pinho

Jan 10, 2018, 4:53:28 AM
to ica-ato...@googlegroups.com
Thank you Dan for the detailed explanation.

You do not need to sign the agreement to work with AtoM code - you are correct that the project is licensed under an A-GPLv3 license, and you are free to study, modify, and redistribute it as you see fit under the terms of that license (namely, that you share your work using the same license).

Understood. My point here was that A-GPLv3 also obligates AtoM users (that modify code) to publish the code modifications.
I wasn't aware of your contributor's agreement, which Archivematica can and should establish, so that contributors could voluntarily propose improvements to the official version.

The contributor's agreement is for those who want to submit code to the public project we maintain, and we require this only to avoid possible legal battles in the future, if someone decides that they own copyright on code we've incorporated, and attempt to drag down the project that way.

I understand, sometimes things are legally more complicated than what they should be!

Cheers,
Ricardo Pinho


Dan Gillean

Jan 10, 2018, 11:05:55 AM
to ICA-AtoM Users
Hi Ricardo, 

Thanks for understanding! 

I wasn't aware of your contributor's agreement, which Archivematica can and should establish, so that contributors could voluntarily propose improvements to the official version.

Archivematica already follows a very similar process - you can read more about it on the Archivematica wiki, here: 


Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory

mi...@artefactual.com

Jan 16, 2018, 6:49:29 PM
to AtoM Users
Hi Anthony,

This looks great! Having it be a separate class seems like a good approach.

Sorry for the delay in reviewing this... I did a quick look through your code and it looks good. I'll complete the code review in GitHub by the end of tomorrow (there are a number of minor style tweaks to make, but other than that it looks good to go).

Cheers,

Mike Cantelon
Artefactual Systems, Inc.