Posted to dev@directory.apache.org by Graham Leggett <mi...@sharp.fm> on 2017/10/03 13:23:42 UTC

[Studio] Visual way to identify "disabled" users

Hi all,

We have a directory containing current users, as well as historical accounts that are disabled but still present.

We’d like to be able to see at a glance which accounts are “live” and which are “disabled” to stop people asking about disabled accounts.

Does Apache Directory Studio have a mechanism where objects in a “disabled” state are marked as such in the UI? (For example, maybe they’re displayed with a strikethrough, etc etc)

There are different icons for various objectclasses, but is there an icon for a disabled user?

Regards,
Graham
—


Re: [Studio] Visual way to identify "disabled" users

Posted by Emmanuel Lécharny <el...@gmail.com>.

Le 04/10/2017 à 13:57, Shawn McKinney a écrit :
>> On Oct 4, 2017, at 2:25 AM, Radovan Semancik <ra...@evolveum.com> wrote:
>>
>> The problem is that there is no standard way how to disable a user in LDAP. Some LDAP servers have proprietary attributes for this. And some servers (such as OpenLDAP) have no good way to do this at all. Therefore the studio has to support many algorithms and it may even need custom extensions to support this properly.
> I wouldn’t characterize adherence to an expired IETF draft — proprietary.  The main problem is LDAPv3 doesn’t include pw policies and the communities (us) have never bothered to ratify an extension as standard.
>
> I’d suggest there could be coverage of a limited set of servers.
>
> For example fortress supports extensions common to openldap and apacheds and studio could as well.

Actually, all those considerations are useless. As I said in another
mail, Studio does not have to know anything about the semantic of what
characterises a 'disabled' user: we just need to associate a filter
(that the Studio users will configure to fit their need) to a
presentation handler, leveraged by the Browser plugin when drawing an
entry. Simple, context-free, and does not take care of non-standard dead
drafts that are not implemented properly by many servers...


-- 

Emmanuel Lecharny

Symas.com
directory.apache.org


Re: [Studio] Visual way to identify "disabled" users

Posted by Emmanuel Lécharny <el...@gmail.com>.

Le 04/10/2017 à 17:04, Radovan Semancik a écrit :
> On 10/04/2017 01:57 PM, Shawn McKinney wrote:
>>
>>> On Oct 4, 2017, at 2:25 AM, Radovan Semancik
>>> <ra...@evolveum.com> wrote:
>>>
>>> The problem is that there is no standard way how to disable a user
>>> in LDAP. Some LDAP servers have proprietary attributes for this. And
>>> some servers (such as OpenLDAP) have no good way to do this at all.
>>> Therefore the studio has to support many algorithms and it may
>>> even need custom extensions to support this properly.
>> I wouldn’t characterize adherence to an expired IETF draft —
>> proprietary.  The main problem is LDAPv3 doesn’t include pw policies
>> and the communities (us) have never bothered to ratify an extension
>> as standard.
>
> Password expiration/disable is quite different from account disable. 
This was just an example. On AD, a filter like
(userAccountControl:1.2.840.113556.1.4.803:=2) will match disabled users
(note that we currently don't support extensible match in the API, so it
would require some work on the API). The real problem would be for an LDAP
server that uses a group to mark a user as disabled (i.e., the user is
disabled if it belongs to the Disabled group).


> E.g. even if password is expired/disabled then the user can still log
> in using non-password authentication scheme, such as SSH keys on a
> UNIX system. Which is a big problem. Password might not be used at all
> for some usecases (e.g. X.509-based auth or federation) so there is no
> password policy that could be used. But account disable is usually
> still needed. Account disable should prohibit any authentication,
> regardless of the authentication method. And that is something that
> OpenLDAP does not have. Most other servers have it, although the
> mechanism is proprietary. This is getting really important with all
> that multi-factor, adaptive and token-based authentication schemes.
> But as far as I know there is no good solution for this in LDAP. There
> is no standard for LDAP account disable. Not even an expired one. (But
> please correct me if I'm wrong. I looked for that, but I might have
> overlooked something.)

You are plain correct, I'm not disputing that :-)
>
> Therefore this means that in practice the disable mechanism is
> implemented (read: worked around) by using various creative ways
> (read: hacks). There is no single unified way that works for
> everybody. Not even for majority of cases. It is different for every
> deployment.

Agreed. But we can cover many simple use cases, at least, and leave the
more complex ones crumbling under their weight in the near/far future...
A la Darwin.


-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: [Studio] Visual way to identify "disabled" users

Posted by Radovan Semancik <ra...@evolveum.com>.
On 10/04/2017 01:57 PM, Shawn McKinney wrote:
>
>> On Oct 4, 2017, at 2:25 AM, Radovan Semancik <ra...@evolveum.com> wrote:
>>
>> The problem is that there is no standard way how to disable a user in LDAP. Some LDAP servers have proprietary attributes for this. And some servers (such as OpenLDAP) have no good way to do this at all. Therefore the studio has to support many algorithms and it may even need custom extensions to support this properly.
> I wouldn’t characterize adherence to an expired IETF draft — proprietary.  The main problem is LDAPv3 doesn’t include pw policies and the communities (us) have never bothered to ratify an extension as standard.

Password expiration/disable is quite different from account disable. 
E.g. even if password is expired/disabled then the user can still log in 
using non-password authentication scheme, such as SSH keys on a UNIX 
system. Which is a big problem. Password might not be used at all for 
some usecases (e.g. X.509-based auth or federation) so there is no 
password policy that could be used. But account disable is usually still 
needed. Account disable should prohibit any authentication, regardless 
of the authentication method. And that is something that OpenLDAP does 
not have. Most other servers have it, although the mechanism is 
proprietary. This is getting really important with all that 
multi-factor, adaptive and token-based authentication schemes. But as 
far as I know there is no good solution for this in LDAP. There is no 
standard for LDAP account disable. Not even an expired one. (But please 
correct me if I'm wrong. I looked for that, but I might have overlooked 
something.)

Therefore this means that in practice the disable mechanism is 
implemented (read: worked around) by using various creative ways (read: 
hacks). There is no single unified way that works for everybody. Not 
even for majority of cases. It is different for every deployment.

-- 
Radovan Semancik
Software Architect
evolveum.com


Re: [Studio] Visual way to identify "disabled" users

Posted by Shawn McKinney <sm...@apache.org>.
> On Oct 4, 2017, at 2:25 AM, Radovan Semancik <ra...@evolveum.com> wrote:
> 
> The problem is that there is no standard way how to disable a user in LDAP. Some LDAP servers have proprietary attributes for this. And some servers (such as OpenLDAP) have no good way to do this at all. Therefore the studio has to support many algorithms and it may even need custom extensions to support this properly.

I wouldn’t characterize adherence to an expired IETF draft — proprietary.  The main problem is LDAPv3 doesn’t include pw policies and the communities (us) have never bothered to ratify an extension as standard.

I’d suggest there could be coverage of a limited set of servers.

For example fortress supports extensions common to openldap and apacheds and studio could as well.

Shawn

Re: [Studio] Visual way to identify "disabled" users

Posted by Emmanuel Lécharny <el...@gmail.com>.
Fall is the best time to get into stuff like this, I guess... :-)

>> There is no bad time to have fun on an OSS project :-)
> Except that every day with sun and light winds is better spent in the
> mountains, IMHO. Fall is consistently disappointing in that regard...

Sun is dead anyway ;-)

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: [Studio] Visual way to identify "disabled" users

Posted by Lothar Haeger <lo...@brummelhook.com>.
Emmanuel Lécharny wrote:

> Well, that's not true, the problem is that we all have a day job, a
> family, and little time to dedicate to an OSS project, so when we have
> some time, we do code, instead of writing doc, and when we write doc, we
> don't code while others do, so the doc quickly becomes obsolete :-)

That's what I meant, basically. There's so much interesting or urgent stuff to
code that anyone is hardly ever bored enough to write docs.

> > Fall is the best time to get into stuff like this, I guess... :-)
> 
> There is no bad time to have fun on an OSS project :-)

Except that every day with sun and light winds is better spent in the
mountains, IMHO. Fall is consistently disappointing in that regard...


Re: [Studio] Visual way to identify "disabled" users

Posted by Emmanuel Lécharny <el...@gmail.com>.

Le 04/10/2017 à 19:42, Lothar Haeger a écrit :
> Emmanuel Lécharny wrote:
>
>> There is no 'getting started' guide, sadly :/
> My hopes were not too high, nobody likes writing documentation, it seems. Same
> issue here and everywhere...

Well, that's not true, the problem is that we all have a day job, a
family, and little time to dedicate to an OSS project, so when we have
some time, we do code, instead of writing doc, and when we write doc, we
don't code while others do, so the doc quickly becomes obsolete :-)

That being said, the code base is pretty stable, so once you start to
get used to it - and we are around to provide some direction - what you
do will not break every 2 days because of some external code change :-)

>> So to speak, the only code base you need to understand (at least
>> partially) is the ldapbrowser.common. We are still talking about around
>> 23 000 SLOCS ;-)
> Fall is the best time to get into stuff like this, I guess... :-)

There is no bad time to have fun on an OSS project :-)

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: [Studio] Visual way to identify "disabled" users

Posted by Lothar Haeger <lo...@brummelhook.com>.
Emmanuel Lécharny wrote:

> There is no 'getting started' guide, sadly :/

My hopes were not too high, nobody likes writing documentation, it seems. Same
issue here and everywhere...

> First of all, you need to grok a bit about Eclipse development, if you
> don't know a thing about it, then this is clearly the first step...

I've written a few Eclipse plugins before and have a general understanding of
the framework. One step closer to the interesting part. :-)

> That being said, the part that 'decorates' the entries in the tree is in
> the ldapbrowser.common plugin, more specifically in the
> getImageByObjectClass class (see the getImageByObjectClass method). This
> is where we select the image to expose according to some hard coded
> settings (see BrowserCommonPreferencesInitializer,
> initializeDefaultPreferences() method).
> 
> We should make those hard coded preferences part of the preferences,
> like the value editors, which are handled by the
> ValueEditorsPreferencePage class in the same plugin.

Thanks a lot for those pointers, I'll see how far I get from there.

> So to speak, the only code base you need to understand (at least
> partially) is the ldapbrowser.common. We are still talking about around
> 23 000 SLOCS ;-)

Fall is the best time to get into stuff like this, I guess... :-)


Re: [Studio] Visual way to identify "disabled" users

Posted by Emmanuel Lécharny <el...@gmail.com>.

Le 04/10/2017 à 17:57, Lothar Haeger a écrit :
> Emmanuel Lécharny wrote:
>
>> Not that complicated to implement, but it requires a bit of work. If
>> someone wants to give it a try, we would be very pleased to add this code
>> to the server !
> I'd be happy to give this a try, I even got Studio to compile on my Macbook
> already. I'm a bit overwhelmed by the amount of code and could need a little
> help getting orientated. Is there something like a "Getting Started" guide for
> Studio development in particular, explaining the overall structure and approach
> etc a bit?

There is no 'getting started' guide, sadly :/

First of all, you need to grok a bit about Eclipse development, if you
don't know a thing about it, then this is clearly the first step...

That being said, the part that 'decorates' the entries in the tree is in
the ldapbrowser.common plugin, more specifically in the
getImageByObjectClass class (see the getImageByObjectClass method). This
is where we select the image to expose according to some hard coded
settings (see BrowserCommonPreferencesInitializer,
initializeDefaultPreferences() method).

We should make those hard coded preferences part of the preferences,
like the value editors, which are handled by the
ValueEditorsPreferencePage class in the same plugin.

So to speak, the only code base you need to understand (at least
partially) is the ldapbrowser.common. We are still talking about around
23 000 SLOCS ;-)

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: [Studio] Visual way to identify "disabled" users

Posted by Lothar Haeger <lo...@brummelhook.com>.
Emmanuel Lécharny wrote:

> Not that complicated to implement, but it requires a bit of work. If
> someone wants to give it a try, we would be very pleased to add this code
> to the server !

I'd be happy to give this a try, I even got Studio to compile on my Macbook
already. I'm a bit overwhelmed by the amount of code and could need a little
help getting orientated. Is there something like a "Getting Started" guide for
Studio development in particular, explaining the overall structure and approach
etc a bit?


Re: [Studio] Visual way to identify "disabled" users

Posted by Emmanuel Lécharny <el...@gmail.com>.

Le 04/10/2017 à 13:47, Lothar Haeger a écrit :
> Radovan Semancik wrote:
>
>> The problem is that there is no standard way how to disable a user in 
>> LDAP. Some LDAP servers have proprietary attributes for this. And some 
>> servers (such as OpenLDAP) have no good way to do this at all. Therefore 
>> the studio has to support many algorithms and it may even need 
>> custom extensions to support this properly.
> A general solution (solving a lot of other use cases as a side effect) would be
> to implement a generic color/font/format coding feature. Let users define ldap
> searches and assign formatting styles to those objects that match. Could be
> strikethrough font, font/background color, object icon, whatever.
>
> In a second step, pre-defined filter/formatting sets implementing common useful
> scenarios (like the one Graham posted) could be delivered with Studio so user
> can just enable them if needed. Those delivered sets would also double as
> example code and templates for custom needs.

That could work. Note that the user would just have to define a filter
to match entries, something like:
(&(objectClass=posixAccount)(pwdAccountLockedTime=*)) which will be
valid if the entry is a PosixAccount and the account is locked (that is
when you use passwordPolicy). We can imagine other filters, typically
when working with AD.

The logic would be to associate such a filter to an entry handler in
charge of the entry presentation (color, font, style, etc) so that
when the browser exposes the entries, it calls the handler and knows what
to do according to the filter.

Not that complicated to implement, but it requires a bit of work. If
someone wants to give it a try, we would be very pleased to add this code
to the server !

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
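As an added example (not Studio's or the project's code), here is a client-side evaluator for the filter-to-presentation-handler idea in this message and for the AD bitwise filter in Emmanuel's later reply: the entries, the rule list and the attribute values are constructed, and it assumes the entry's attributes have already been fetched (as Stefan notes, the browser normally fetches only objectClass while expanding nodes). It goes beyond the page's single filter by handling AND/OR/NOT, presence and the bitwise-AND extensible match that the API does not yet support.

```python
# Added example, not Apache Directory Studio code: evaluate a small LDAP
# filter subset against an already-fetched entry and pick a style for it.
import re

# OID of AD's bitwise-AND extensible matching rule from the thread's filter.
BITWISE_AND = "1.2.840.113556.1.4.803"

# Constructed sample entries (attribute names lower-cased, values as lists).
ENTRIES = {
    "uid=alice,dc=example,dc=com": {"objectclass": ["posixAccount", "inetOrgPerson"]},
    "uid=bob,dc=example,dc=com": {
        "objectclass": ["posixAccount"],
        "pwdaccountlockedtime": ["000001010000Z"]},
    "cn=carol,dc=example,dc=com": {"objectclass": ["user"], "useraccountcontrol": ["514"]},
}

# Hypothetical user-configured rules: (filter, style), first match wins.
RULES = [
    ("(&(objectClass=posixAccount)(pwdAccountLockedTime=*))", "strikethrough"),
    ("(userAccountControl:1.2.840.113556.1.4.803:=2)", "strikethrough"),
]

def parse(s, i=0):  # parse one "(...)" at s[i]; return (node, index after ')')
    if s[i] != "(":
        raise ValueError("filter item must start with '(' at %d" % i)
    i += 1
    if s[i] in "&|":                      # AND / OR over one or more children
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":                     # NOT over exactly one child
        kid, i = parse(s, i + 1)
        node = ("!", [kid])
    else:                                 # leaf: attr[:rule:]=value
        end = s.index(")", i)
        node, i = ("item", s[i:end]), end
    if s[i] != ")":
        raise ValueError("unbalanced filter at %d" % i)
    return node, i + 1

def match_item(item, entry):  # leaf: equality, presence (=*) or bitwise-AND rule
    m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", item)
    if not m:
        raise ValueError("unsupported filter item: " + item)
    attr, rule, value = m.group(1).lower(), m.group(2), m.group(3)
    values = entry.get(attr, [])
    if rule == BITWISE_AND:               # some value has every bit of 'value' set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule: " + rule)
    if value == "*":                      # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def evaluate(node, entry):
    kind, payload = node
    if kind == "&":
        return all(evaluate(k, entry) for k in payload)
    if kind == "|":
        return any(evaluate(k, entry) for k in payload)
    if kind == "!":
        return not evaluate(payload[0], entry)
    return match_item(payload, entry)

def style_for(entry, rules=RULES):  # style of the first matching rule, else None
    for flt, style in rules:
        node, end = parse(flt)
        if end != len(flt):
            raise ValueError("trailing text after filter: " + flt)
        if evaluate(node, entry):
            return style
    return None
```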


Re: [Studio] Visual way to identify "disabled" users

Posted by Emmanuel Lécharny <el...@gmail.com>.

Le 04/10/2017 à 16:44, Radovan Semancik a écrit :
> On 10/04/2017 01:47 PM, Lothar Haeger wrote:
>>
>> A general solution (solving a lot of other use cases as a side
>> effect) would be
>> to implement a generic color/font/format coding feature. Let users
>> define ldap
>> searches and assign formatting styles to those objects that match.
>> Could be
>> strikethrough font, font/background color, object icon, whatever.
>>
>> In a second step, pre-defined filter/formatting sets implementing
>> common useful
>> scenarios (like the one Graham posted) could be delivered with
>> Studio so user
>> can just enable them if needed. Those delivered sets would also
>> double as
>> example code and templates for custom needs.
>
> Well, that would be only a partial solution anyway. Displaying
> disabled users using a different style is not that useful if you
> cannot enable or disable them. And that won't be easy to implement
> unless Studio really understands how the enable/disable mechanism works.
Indeed.
>
> However, as far as I understand, Studio is LDAP editor. It is not a
> replacement for identity management system. 
Actually, I do have a plugin that manages users and groups :-) I just
have to contribute it to the code base, something I may do after LDAP
Con when I have a bit more time...


> What we usually do is that we manage LDAP content from a real IDM
> system. IDM can understand how the users are enabled, disabled, when
> to create them, delete them, disable them, assign to groups and so on.
> I do not think that Studio will ever have an ambition to do this. E.g.
> there are at least three different ways how to manage groups in LDAP.
> All of them are standard, but they are mutually incompatible. And
> there are even more non-standard ways how to manage groups,
> organizations, roles, etc. Managing content of generic LDAP directory
> is really a job for quite a sophisticated system.

Indeed. But there is no reason not to start thinking about adding such
features to Studio :-)

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: [Studio] Visual way to identify "disabled" users

Posted by Lothar Haeger <lo...@brummelhook.com>.
Radovan Semancik wrote:

> Well, that would be only a partial solution anyway. 

Depends on what your problem is.

> Displaying disabled users
> using a different style is not that useful if you cannot enable or disable
> them. 

Sorry, I have to disagree. This might be the case for you, but being able to
easily visualize aspects of LDAP data that are interesting to a user would be a
great feature just by itself.

Of course Studio could implement standard lifecycle procedures like
"enable/disable account" as well, but that's a next step and not a prerequisite
for conditional formatting in the browser and editor views, IMHO.


Re: [Studio] Visual way to identify "disabled" users

Posted by Radovan Semancik <ra...@evolveum.com>.
On 10/04/2017 01:47 PM, Lothar Haeger wrote:
>
> A general solution (solving a lot of other use cases as a side effect) would be
> to implement a generic color/font/format coding feature. Let users define ldap
> searches and assign formatting styles to those objects that match. Could be
> strikethrough font, font/background color, object icon, whatever.
>
> In a second step, pre-defined filter/formatting sets implementing common useful
> scenarios (like the one Graham posted) could be delivered with Studio so user
> can just enable them if needed. Those delivered sets would also double as
> example code and templates for custom needs.

Well, that would be only a partial solution anyway. Displaying disabled 
users using a different style is not that useful if you cannot enable or 
disable them. And that won't be easy to implement unless Studio really 
understands how the enable/disable mechanism works.

However, as far as I understand, Studio is LDAP editor. It is not a 
replacement for identity management system. What we usually do is that 
we manage LDAP content from a real IDM system. IDM can understand how 
the users are enabled, disabled, when to create them, delete them, 
disable them, assign to groups and so on. I do not think that Studio 
will ever have an ambition to do this. E.g. there are at least three 
different ways how to manage groups in LDAP. All of them are standard, 
but they are mutually incompatible. And there are even more non-standard 
ways how to manage groups, organizations, roles, etc. Managing content 
of generic LDAP directory is really a job for quite a sophisticated system.

-- 
Radovan Semancik
Software Architect
evolveum.com


Re: [Studio] Visual way to identify "disabled" users

Posted by Lothar Haeger <lo...@brummelhook.com>.
Radovan Semancik wrote:

> The problem is that there is no standard way how to disable a user in 
> LDAP. Some LDAP servers have proprietary attributes for this. And some 
> servers (such as OpenLDAP) have no good way to do this at all. Therefore 
> the studio has to support many algorithms and it may even need 
> custom extensions to support this properly.

A general solution (solving a lot of other use cases as a side effect) would be
to implement a generic color/font/format coding feature. Let users define ldap
searches and assign formatting styles to those objects that match. Could be
strikethrough font, font/background color, object icon, whatever.

In a second step, pre-defined filter/formatting sets implementing common useful
scenarios (like the one Graham posted) could be delivered with Studio so user
can just enable them if needed. Those delivered sets would also double as
example code and templates for custom needs.


Re: [Studio] Visual way to identify "disabled" users

Posted by Radovan Semancik <ra...@evolveum.com>.
Hi,

The problem is that there is no standard way how to disable a user in 
LDAP. Some LDAP servers have proprietary attributes for this. And some 
servers (such as OpenLDAP) have no good way to do this at all. Therefore 
the studio has to support many algorithms and it may even need 
custom extensions to support this properly.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 10/03/2017 03:23 PM, Graham Leggett wrote:
> Hi all,
>
> We have a directory containing current users, as well as historical accounts that are disabled but still present.
>
> We’d like to be able to see at a glance which accounts are “live” and which are “disabled” to stop people asking about disabled accounts.
>
> Does Apache Directory Studio have a mechanism where objects in a “disabled” state are marked as such in the UI? (For example, maybe they’re displayed with a strikethrough, etc etc)
>
> There are different icons for various objectclasses, but is there an icon for a disabled user?
>
> Regards,
> Graham
> —
>



Re: [Studio] Visual way to identify "disabled" users

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 10/03/2017 03:23 PM, Graham Leggett wrote:
> We have a directory containing current users, as well as historical accounts that are disabled but still present.
> 
> We’d like to be able to see at a glance which accounts are “live” and which are “disabled” to stop people asking about disabled accounts.
> 
> Does Apache Directory Studio have a mechanism where objects in a “disabled” state are marked as such in the UI? (For example, maybe they’re displayed with a strikethrough, etc etc)
> 
> There are different icons for various objectclasses, but is there an icon for a disabled user?

I assume those "disabled" users have a specific attribute set? Or do
they get another objectclass assigned? I know "userAccountControl" in AD
or the pwdLockout attribute.

But anyway, currently that is not possible. The icons are selected based
on the entry's objectclasses only. The reason is that while browsing
(expanding nodes in the LDAP Browser view) we only fetch the objectclass
attributes but not all attributes of the entries, only if you click on a
particular entry all attributes are fetched and shown. Also the mapping
from OC to icon is currently hardcoded.

Technically everything you want is possible, just a lot of work :)

But maybe you can use a filter to filter out the disabled users on the
server side?

Kind Regards,
Stefan