WebUI installation requires OpenLDAP - breaks with workaround on RHEL 8, breaks completely on RHEL 9 #135

Closed
davydnorris opened this issue May 16, 2023 · 10 comments


@davydnorris

I've been a long time user of the Watson IoT Platform and am investigating options now that IBM has deprecated it.

I've been able to install the Amlen server but am hitting an issue with the Web UI requiring LDAP, and it appears that it requires package openldap-servers.

RHEL deprecated OpenLDAP in version 7, and has now completely removed any access to it in RHEL 9 unless you set up the CodeReady repo in RHEL 8 and upgrade.

What is the dependency on the OpenLDAP server package? Isn't the Web UI just an LDAP client?

@jonquark
Contributor

The webui uses openldap to store its users (so it doesn't just need a client).

It's available in EPEL for RHEL9
https://docs.fedoraproject.org/en-US/epel/#_el9

@davydnorris
Author

But why does it have to be openldap? Couldn't it store its users in ANY LDAP? It just seems a really weird thing to hardwire into an installation, especially when there's a page in the UI for configuring LDAP - what is that actually used for?

@jonquark
Contributor

The WebUI has a local database of users allowed to login to the webui. It has to be something specific as the means of configuring, starting, stopping an ldap instance is obviously different between different servers.

There is a page in the WebUI for configuring the LDAP connection of the server - the server is just an LDAP client, the WebUI uses a local LDAP server.

@davydnorris
Author

Wow - for me that would be even more reason to not hard code the LDAP server. Most organisations will have an existing directory server they would want to use across their IT team - many would want to use some form of SSO as well.

This is being deployed into Liberty, which offers all these things and does it so well! My suggestion would be to do what pretty much every other app I've seen in Liberty does, and that is deploy in Liberty with the default Basic User Registry, and then let the end user configure Liberty for other directory systems, SSO, etc.

The Basic User Registry would let you set up the initial admin/admin user, and would then remove the need for any LDAP components in the web UI installation.

Have a look at IBM Engineering Lifecycle Management tools on jazz.net - this is a perfect example of what I am talking about. IBM's Maximo is another example
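
Added example, not part of the thread or of the Amlen project's configuration: a sketch of the Liberty `server.xml` approach suggested in the comment above, with a Basic User Registry as the default and an external directory as the commented-out alternative. The realm, group, host and DN values are assumptions, and the password values are placeholders for the output of Liberty's `securityUtility encode` (`--encoding=hash` for the basic registry entry).

```xml
<!-- Illustrative Liberty server.xml; all names below are hypothetical. -->
<server description="WebUI with a file-based user registry (hypothetical)">
    <featureManager>
        <feature>appSecurity-3.0</feature>
        <!-- Needed only when the ldapRegistry alternative below is enabled:
             <feature>ldapRegistry-3.0</feature>
             <feature>transportSecurity-1.0</feature> -->
    </featureManager>

    <!-- Option A: Basic User Registry, so no LDAP server package is
         required on the host. The password is stored as a one-way hash
         rather than in clear text; the value here is a placeholder. -->
    <basicRegistry id="basic" realm="WebUIRealm">
        <user name="admin" password="{hash}PLACEHOLDER_GENERATED_VALUE"/>
        <group name="WebUIAdmins">
            <member name="admin"/>
        </group>
    </basicRegistry>

    <!-- Option B: replace Option A with an existing directory server.
         LDAPS on 636 also needs a trust store holding the directory's CA.
    <ldapRegistry id="corpLdap" realm="WebUIRealm"
                  host="ldap.example.com" port="636" sslEnabled="true"
                  ldapType="Custom"
                  baseDN="dc=example,dc=com"
                  bindDN="cn=webui-svc,ou=services,dc=example,dc=com"
                  bindPassword="{aes}PLACEHOLDER_ENCODED_VALUE"/>
    -->
</server>
```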

@jonquark
Contributor

Yes, having the WebUI optionally use an external LDAP would be a nice feature. I'm not aware of any person or organisation who is currently working on that (or planning to work on that).

@davydnorris
Author

If I worked on this to remove all explicit LDAP dependencies and go with the default Basic User Registry as the out of the box option would this be of interest? Then the documentation could refer to the Liberty online help for people who want to configure a directory.

Then you could optionally provide a separate package to install and set up openldap using the scripts in this distro, including a prepopulated XML registry file that would connect Liberty

@jonquark
Contributor

By default it should do what it does today. The user should not have to know anything about LDAP to run the WebUI on their laptop.

If you wanted to add a way of optionally configuring it to use an external LDAP provider instead that would be welcome as long as it doesn't change default behaviour and break the existing users.

@davydnorris
Author

Well, that's really just an XML file, and anybody who knows enough about Liberty will be able to do that themselves so not really worth doing. They'll just have to go through the install first to extract the good bits ;-)

From what I can see, the Web UI is a nicely contained JSP app in a war - you remove all the encumbrances around it and it'll just run anywhere Liberty does. Windows, Linux, any sort of containers - even a Pi. The way it is right now it's the installer wrapped tightly around it that makes it non-transportable, and yet that was one of the things I heard the project calling out for help with in the talks and slides I've looked at.

As I mentioned, I was a big user of the WIoTP and was looking for an alternative - I had hoped the Web UI also included the device management UI that is in IBM Cloud, so either way I'm up for a bunch of web development before I get to the same functionality. It may end up I use the server component (which is one of the best around) and build my own UI completely.

If you ever decide to move down a simplification path and to strip the WebUI installer back to something like I've mentioned - I'll always be very keen to help

@davydnorris
Author

> By default it should do what it does today. The user should not have to know anything about LDAP to run the WebUI on their laptop.

And of course, the best way to have the user "not have to know anything about LDAP" would be to not use it at all by default :-). Just use the Basic User Registry instead

@jonquark
Contributor

There are lots of existing users. Any switch away from openldap would need well-tested automatic migration. If you would like to work on that or on an extra, differently packaged version of the WebUI, either would be welcomed if sufficiently unlikely to break the current user base :)
