[Python Wpg] LdapFS initial spec

Scott Balneaves sbalneav at legalaid.mb.ca
Thu Apr 13 16:32:34 EDT 2006


Hello Stuart, and others:

Well, I did have other stuff to do, but after our lunch, I was too
geeked up to do "boring" work, and instead, wrote down an initial spec
for LdapFS, a python + fuse + ldap filesystem that Stuart proposed
working on together.  Here's the text of the spec, and (for prettier
formatting), an ODT document.

Cheers!

To:     Stuart Williams, WinniPUG
From:   Scott Balneaves
Date:   April 13, 2006
Re:     LdapFS spec


Introduction:

LdapFS will be a FUSE based file system written in Python.  Its
function is to provide access to an LDAP-based directory tree via
standard file system semantics.

Scope:

For the initial release, LdapFS should focus on a top-down tree.  The
base Distinguished Name that is passed to the LdapFS should be made
available in some manner to the program, and the file system should be
read/write for a privileged user, and read-only otherwise.  The various
OUs of the tree will be the base of the mount point.  A fully qualified
DN will be the last level of directory.  Within that directory, the
various attributes will appear to be files, with the attribute name
being the name of the file.  The value of the attribute will be the
contents of the file.  Creating a new file (if one has privilege to do
so) will create a new attribute, with the value of the attribute set to
the contents of the file.  Removing a file will, of course, delete the
attribute, and deleting the directory will, naturally, remove that DN
from the LDAP database.  This leads to the horrific possibility of
wiping out the entire corporate LDAP database with a stray rm -rf *,
however the price of systems administration is eternal vigilance.  The
interesting possibility of backup and restore of the LDAP database using
tar becomes possible too.

Implementation:

  * The FUSE-based LdapFS file system will be written in Python for maximum
    portability.  The LdapFS file system will be multi-threaded for
    performance.
  * The Base Distinguished Name (BDN) and server address could be passed in
    on the command line, either via two separate switches (-s & -dn), or via
    a URL (ldap://server/dn...).   The login password and userid for the
    LDAP database should probably either have to be stored in a
    root-only-readable file (/etc/ldapfs.conf), or perhaps better, both
    could be gotten by parsing the ldap config files (/etc/ldap/ldap.conf
    and /etc/ldap.secret on Debian/Ubuntu).
  * By default, the mount point for the file system is also passed on the
    command line, per standard FUSE semantics, as well as any fuse specific
    command line options.
  * Files within the file system should probably appear to be owned by root,
    and group owned by ldap, and chmod 664.  That way, root and users within
    the ldap group would have read/write access, and other users would have
    read access only.
  * Most attribute/value pairs within LDAP don't have a trailing '\n',
    however, for readability purposes, one should be added when a fuse read
    option is used, and when a value is written, the trailing '\n' will have
    to be stripped off before being stored in the LDAP database.
  * It is unknown at this point if it would be better to use the ldap, or
    the curl library for connection via Python.  This should be investigated
    further to determine which would be the best fit for read/write access
    to an LDAP database.

Use Cases:

John Smallberries is a systems administrator at YoYoDyne industries.
His Base DN for his LDAP tree is dc=yoyodyne,dc=com.  He needs to change
the gecos field for userid jbigboot from John Bigbootie to John
Bigbootay.  His LDAP server has 3 Organizational Units (OUs), namely
users, groups, and aliases.

After mounting the LdapFS file system on /ldap, he cd's into /ldap, and
sees three directories:

aliases/   groups/   users/

He cd's into users, and does an ls, and sees the users for OU=users:

drlizard/  jbigboot/  jsmallbe/  jyayas/

He cd's into jbigboot/, which corresponds to the DN
uid=jbigboot,ou=users,dc=yoyodyne,dc=com, and sees the following files
(not in order, I'm too lazy):

uid  objectClass  userid  description  seeAlso  ...  gecos

He cat's the gecos file, which returns:

John Bigbootie

John Smallberries has found what he needs, and fixes the problems with:

echo John Bigbootay > gecos

Problems likely to be encountered:

Editing a file, as opposed to rewriting it may cause problems, as we'll
somehow have to handle writing substrings at offsets, as opposed to
simply re-writing the whole attribute.  It will be something to keep in
mind during implementation.

Scott Balneaves

-- 
Scott L. Balneaves | "Looking beyond the embers of bridges glowing behind us
Systems Department |  To a glimpse of how green it was on the other side..."
Legal Aid Manitoba |    -- Pink Floyd "High Hopes"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: LdapFSspec.odt
Type: application/vnd.oasis.opendocument.text
Size: 19314 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/winnipeg/attachments/20060413/863960be/attachment.odt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/winnipeg/attachments/20060413/863960be/attachment.sig>
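An added example for this thread, not LdapFS code and not part of the spec above: an in-memory model of the mapping the spec describes (/<ou>/<name>/<attribute> onto one attribute of "<rdn>=<name>,ou=<ou>,<base DN>"), the root-or-ldap-group write rule, the trailing '\n' added on read and stripped on write, and the "writes at offsets" problem from the last section, solved by collecting writes into a byte image and committing the whole attribute on release. A constructed dict stands in for the LDAP server so it runs offline. Assumptions not in the spec: the base DN and entries come from the use case and are made up; a per-OU naming-attribute table (uid under users, cn under groups and aliases); gid 400 for the ldap group; multi-valued attributes shown one value per line; writes to the RDN attribute refused, since changing it needs a modrdn rather than a modify; and RFC 4514 escaping of path components, so a directory name containing ',' or '+' cannot change which DN a path refers to.

```python
import errno

BASE_DN = "dc=yoyodyne,dc=com"                                   # from the spec's use case
NAMING_ATTR = {"users": "uid", "groups": "cn", "aliases": "cn"}  # assumed RDN attribute per OU
LDAP_GID = 400                                                   # hypothetical gid of group "ldap"


def escape_rdn_value(value):
    """RFC 4514 section 2.4 escaping: a name such as 'x,ou=admins' stays one RDN."""
    out = "".join("\\00" if c == "\0" else "\\" + c if c in '\\,+"<>;' else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


class WriteHandle:
    """Collects writes at any offset into a byte image; commits the whole attribute on release."""
    def __init__(self, fs, dn, attr, image):
        self.fs, self.dn, self.attr, self.buf = fs, dn, attr, bytearray(image)

    def write(self, data, offset):
        self.buf.extend(b"\0" * max(0, offset + len(data) - len(self.buf)))
        self.buf[offset:offset + len(data)] = data
        return len(data)

    def release(self):
        values = [v for v in self.buf.decode("utf-8").split("\n") if v]  # strips trailing '\n'
        if values:
            self.fs.entries[self.dn][self.attr] = values
        else:                                   # an empty file means no values: drop attribute
            self.fs.entries[self.dn].pop(self.attr, None)


class LdapFsModel:
    def __init__(self, entries):
        self.entries = entries                  # {dn: {attribute: [values]}}, the fake server

    def resolve(self, path):                    # -> (kind, dn, attribute); kind: root/ou/entry/attr
        parts = [p for p in path.split("/") if p]
        if not parts:
            return "root", None, None
        if len(parts) > 3 or parts[0] not in NAMING_ATTR:
            raise OSError(errno.ENOENT, "no such object")
        ou_dn = f"ou={escape_rdn_value(parts[0])},{BASE_DN}"
        if len(parts) == 1:
            return "ou", ou_dn, None
        dn = f"{NAMING_ATTR[parts[0]]}={escape_rdn_value(parts[1])},{ou_dn}"
        if dn not in self.entries:
            raise OSError(errno.ENOENT, "no such entry")
        return ("entry", dn, None) if len(parts) == 2 else ("attr", dn, parts[2])

    def _image(self, dn, attr):
        # One value per line, each with the trailing '\n' the spec adds for readability.
        return "".join(v + "\n" for v in self.entries[dn].get(attr, [])).encode()

    def readdir(self, path):
        kind, dn, _ = self.resolve(path)
        if kind == "root":
            return sorted(NAMING_ATTR)
        if kind == "entry":
            return sorted(self.entries[dn])
        if kind != "ou":
            raise OSError(errno.ENOTDIR, "not a directory")
        return sorted(attrs[edn[:-len(dn) - 1].partition("=")[0]][0]   # unescaped RDN value
                      for edn, attrs in self.entries.items() if edn.endswith("," + dn))

    def read(self, path):
        kind, dn, attr = self.resolve(path)
        if kind != "attr" or attr not in self.entries[dn]:
            raise OSError(errno.EISDIR if kind != "attr" else errno.ENOENT, "cannot read")
        return self._image(dn, attr)

    def _writable(self, path, uid, gids):       # spec: root or the ldap group may write
        kind, dn, attr = self.resolve(path)
        if kind != "attr":
            raise OSError(errno.EISDIR, "is a directory")
        if uid != 0 and LDAP_GID not in gids:
            raise OSError(errno.EACCES, "read-only for this user")
        if attr == dn.partition("=")[0]:        # the RDN attribute: changing it needs a modrdn
            raise OSError(errno.EPERM, "naming attribute")
        return dn, attr

    def open_write(self, path, uid, gids, truncate=False):
        dn, attr = self._writable(path, uid, gids)   # a new attribute is created on release
        return WriteHandle(self, dn, attr, b"" if truncate else self._image(dn, attr))

    def unlink(self, path, uid, gids):
        dn, attr = self._writable(path, uid, gids)
        if attr not in self.entries[dn]:
            raise OSError(errno.ENOENT, "no such attribute")
        del self.entries[dn][attr]


DIRECTORY = {  # constructed sample data, not a real directory
    "uid=jbigboot,ou=users,dc=yoyodyne,dc=com": {"uid": ["jbigboot"], "gecos": ["John Bigbootie"]},
    "uid=jsmallbe,ou=users,dc=yoyodyne,dc=com": {"uid": ["jsmallbe"], "gecos": ["John Smallberries"]},
}
```

The use case's "echo John Bigbootay > gecos" reaches a FUSE filesystem as an open with O_TRUNC, one write at offset 0 and a release, while an editor that patches a few bytes arrives as writes at offsets into the existing file; keeping the image in the handle and storing it only on release covers both without needing a partial-value modify that LDAP does not offer.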

