[Zope-dev] ZLDAPMethods propsal, input requested

Phillip J. Eby pje@telecommunity.com
Thu, 13 May 1999 14:21:50 -0500


At 02:46 PM 5/13/99 -0400, Chris Petrilli wrote:
>Gang,
>
>In order to get some new projects kicked off, we are going to be
>commissioning a ZLDAPMethods product that will provide OO access to the
>LDAP database world.  In order to get this as "right" as possible on the
>first round, attached you will find, a PDF overview of the architecture
>(VERY early, forgive me :-) here:
>
>	http://www.zope.org/Projects/ZLDAPMethods/ZLDAPMethods.pdf
>
>Please let me know (either directly, or via the list) of any input you
>might have.
>

It would be nice for a ZLDAPMethod to be able to override the default
binding name and password, using parameters to the LDAPMethod.  This would
be useful for applications which must modify data in the LDAP server, but
wish to use the LDAP server's security rules to determine whether the
current user can perform the modification(s).  It would also be useful for
performing authentication when the Zope server is not allowed a login ID of
its own on the LDAP server, but must use BIND operations to validate users.
 Granted, this is more relevant to an LDAPUserFolder type object.

Another "nice to have" would be caching control, and access to the various
other connection-oriented parameters which ldapmodule and most LDAP SDK's
usually provide.  In particular, the ability to specify when and whether
LDAP aliases will be dereferenced.

Some other notes, in no particular order...

* It seems to me the document spends a lot of time talking about LDAP
search filters, but not how to fill in parameters, which would be like ZSQL
docs talking about SQL syntax, but not explaining how to put in #sqlvar tags.

* LDAP is described as a connectionless protocol.  It isn't.  CLDAP is a
variant protocol which provides only limited functionality compared to the
full protocol.

* I notice there is a reference to LDAP over SSL - does this mean you will
be developing your own extension module for this instead of using the
(OpenLDAP-based) ldapmodule?  AFAIK, OpenLDAP and ldapmodule do not support
SSL at the present time.

* The subject of multi-valued attributes appears to have been completely
overlooked, as well as delete and modify-rdn operations.  I realize these
may all be outside the scope of your current project, but it might be good
to explicitly list what things are out-of-scope.

* There are some miscellaneous DTML errors; for example:

<!--#var result.c-->

Should be 

<!--#var "result.c"-->

And so on.


By the way, I've been actively hacking the contributed ZLDAP product to do
things like automatically re-connect the connection object upon errors,
make the returned results Acquisition.Implicit so they can have methods
wrapped around them, etc., and I was looking at adding some more features
to do some of the above.  If you guys are making a standard product for
this sometime soon, I'd be happy to help with testing or even coding
additional features.  Let me know.