DjangoCon 2015

Managing user identities with LDAP, Google Directory and Django

Scott Hacker

Presentation

HTML (click to download)

Video

Transcript

Excerpt from the automatic transcript of the video generated by YouTube.

Good to see you guys. It's been fun at the coffees and lunches and dinners discovering how many of you work with Django in academia. It's something that I sort of came into by default in academia, but in other roles have had to champion and push for, so seeing how many of you have had success getting Django into the enterprise is pretty exciting. So I work at the California College of Arts, currently working on a big portal system, but before I could build that I had to build a big identity management system, and I'll get to what that means exactly in a minute. These slides are at this URL if you want to track them down later.

So, quick note first: when I gave this talk at the SF Python meetup, one of the pieces of feedback I got was that there was too much code walkthrough, and so, you know, I was going to eliminate a lot of code, and other people said, well yeah, but when you find the slides on Google six months from now you want the code in there. A good point, so what I've done is moved most of the code samples to the end of the slideshow so they're there for future Google searches, and I'll just sort of touch on those briefly here.

So, California College of Arts: two campuses, Oakland and San Francisco, a relatively small campus, about 2,200 students, hundreds of faculty and staff, and, as a lot of you are probably familiar with, IT systems spread across decades and dozens and dozens of systems that all need to talk to each other, some of them modern, some of them legacy, some of them with APIs, some with no APIs, but somehow you've got to glue it all together. And, you know, like most campuses we have lots of external and internally hosted web systems, everything from Moodle, the learning management system, to VoiceThread for collaborating on art projects in real time, Simplicity for selecting housing, PaperCut for the art students to print their work, MediaCorp for sharing large files, Razor's Edge, Vault, WebAdvisor for course selection, and one way or another everybody needs to get into these systems, needs to be able to find them, and needs to have a central and unified identity. So, you know, we have to get this right; there's a lot of mission-critical weight leaning on this project.

So it all comes down to LDAP in the end. We had a traditional LDAP server which we recently migrated to Fedora 389. We're also a Google Apps school, so everybody has Google Mail and Docs and Calendar. And then there's the SIS, the student information system, which is currently in Datatel Colleague, which is a very old and cranky legacy system which I found a really elegant way to talk to, and then, recently, the introduction of Workday, which is the human resources system and will later replace our student information system.

So when people log into all of these external systems you never want to go through the process of making them register or sign up for an account. Instead we hook up to something called CAS, centralized authentication service, common on campuses. CAS in turn talks to LDAP, so as soon as you try to log into Moodle or a WordPress site or whatever, you're taken straight off to CAS, CAS checks LDAP, LDAP says you are who you say you are and sends a token back, so these systems are set up like: whoever LDAP says is okay, go ahead and create an internal account for them here on WordPress or Moodle or whatever it is.

So the system that we needed to build needed to... by the way, is that familiar to anybody? Daniel Johnston, just around the block, is this mural on the corner of a restaurant called Thai, How Are You. So this system we needed to build would do things like activate new student accounts: you've been accepted by the campus, you're given an ID, now you need to create this account that's going to follow you throughout your campus experience. We also have newly hired faculty and staff who are coming in through Workday; they need to do the same thing. Staff people need to change their own passwords, staffers need to be able to change passwords for people, contractors need accounts, we need to set LDAP entitlements so so-and-so can use the big fancy printer, we have to set Google organizational units because we're using the Google Admin API as well, the superusers need to be able to edit raw LDAP fields, enabling and disabling accounts, email aliases, delegated accounts in Google, LDAP groups, all kinds of crazy stuff, and it all had to be done through this one central place.

So the experience of this for a student is that they can change their password or they can activate an account, and the experience of it for a logged-in user is they can change a known password, but the experience for helpdesk is a whole bunch of powerful tools and utilities, and for superusers even more of them. Now, because when you authenticate through CAS it's going to create a shadow account in that system, that's kind of the CAS standard, you need to be mindful that whatever usernames are going to be created in LDAP need to conform to the lowest common denominator of systems. So while Google may allow a 48-character username, the old Datatel system is not going to allow that; you need to shrink it down, and same with diacritical characters and foreign characters. So you need to sort of survey all of your campus systems and say what are the lowest common denominators, because that's what we're going to allow into LDAP. Passwords are not an issue because those are all handled in LDAP; you log in through CAS, and we're not going to store a usable password in that system anyway.

So just a quick workflow of the process of activation. This is the Django-based system over here. So the hire comes in through Workday; they come in, they're going to verify their account against Workday, it says you're verified, and that step will create the... well, they select a username and password, create an LDAP account, create a Google account, and then meanwhile need to get their newly chosen email back into Workday or back into Colleague depending on the type of user it is. So a lot of steps that we need to keep track of, and then we have various permission levels. So, yeah, that's a little bit of what the system ends up looking like.

So the activation paths for students versus staff and faculty start differently: students are validated against the student information system, the legacy system; staff and faculty against Workday. But they both do the same username and password selection, so two different forms funneling into one shared form that ends up doing all of this stuff.

So, usernames. Previously we went with the old first-initial-last-name thing, but the namespace is running out; we've been around for 80 years and people want more flexibility. But we don't want to give them infinite flexibility, because people can find innumerable ways to create offensive words. So what we wanted to do was, if you said that your name is Django Reinhardt, we would provide you with a prefab list of usernames that are guaranteed to exist in LDAP. So I've written some Python code to come up with these variants, and if you have a nickname we allow you to put that in there as well.

So I've been working on Django projects ever since 0.96; I've worked on a dozen major ones, and the one thing they all have in common, and the thing that most of us love about Django, is how amazing it is at managing data. And I sort of have this philosophy that you start with your data model and get it right, and everything flows nicely from there. The really big difference with this system is that it didn't store any data internally; it's all about talking to external systems, and so this is the first big Django project I've worked on that really wasn't about internal data management at all, or only minimally. We use Django's auth system, and then I put dotted lines around these: TMI is a semi-exception, I'll talk about it in a minute, and same with logs. But, you know, the systems that we're talking to, we're talking to APIs, we're talking XML, we're

[ ... ]

Note: the remaining 4,101 words of the full transcript have been omitted to comply with YouTube's "fair use" rules.
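The username-candidate step described in the talk (fold the name to the lowest common denominator of all campus systems, then offer a prefab list), as an added example that is not the speaker's code. The 8-character cap and the set of already-taken names are constructed assumptions standing in for the legacy-system limit and an LDAP lookup.

```python
"""Candidate username generation for account activation (added example).

Given a person's name (and optional nickname), produce a short list of
usernames that satisfy the tightest constraints among all campus systems
(ASCII only, lowercase, length cap) and are not already in the directory.
"""
import re
import unicodedata

MAX_LEN = 8  # assumed lowest-common-denominator length cap (constructed)
NOT_ALLOWED = re.compile(r"[^a-z0-9]")


def normalize(part):
    """Fold diacritics to ASCII, lowercase, and drop anything outside [a-z0-9]."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return NOT_ALLOWED.sub("", folded.lower())


def candidates(first, last, nickname=""):
    """Return deduplicated username patterns, each trimmed to MAX_LEN."""
    f, l, n = normalize(first), normalize(last), normalize(nickname)
    patterns = []
    for given in [g for g in (f, n) if g]:
        # first-initial+last, first+last-initial, first+last, last+first-initial
        patterns += [given[:1] + l, given + l[:1], given + l, l + given[:1]]
    seen, out = set(), []
    for p in patterns:
        p = p[:MAX_LEN]
        if len(p) >= 3 and p not in seen:
            seen.add(p)
            out.append(p)
    return out


def available(first, last, nickname="", taken=frozenset()):
    """Filter candidates against usernames already in the directory.

    `taken` stands in for an LDAP search (constructed); if every pattern is
    taken, fall back to the first pattern with a numeric suffix that still
    fits within MAX_LEN.
    """
    cands = candidates(first, last, nickname)
    free = [c for c in cands if c not in taken]
    if free:
        return free
    base = cands[0]
    for i in range(2, 100):
        suffix = str(i)
        c = base[: MAX_LEN - len(suffix)] + suffix
        if c not in taken:
            return [c]
    return []
```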