WebUI installation requires OpenLDAP - breaks with workaround on RHEL 8, breaks completely on RHEL 9 about amlen HOT 10 CLOSED

The webui uses openldap to store its users (so it doesn't just need a client).

It's available in EPEL for RHEL9
https://docs.fedoraproject.org/en-US/epel/#_el9

from amlen.

But why does it have to be openldap? Couldn't it store it's users in ANY LDAP? It just seems a really weird thing to hardwire into an installation, especially when there's a page in the UI for configuring LDAP - what is that actually used for?

from amlen.

The WebUI has a local database of users allowed to login to the webui. It has to be something specific as the means of configuring, starting, stopping an ldap instance is obviously different between different servers.

There is a page in the WebUI for configuring the LDAP connection of the server - the server is just an LDAP client, the WebUI uses a local LDAP server.

from amlen.

Wow - for me that would be even more reason to not hard code the LDAP server. Most organisations will have an existing directory server they would want to use across their IT team - many would want to use some form of SSO as well.

This is being deployed into Liberty, which offers all these things and does it so well! My suggestion would be to do what pretty much every other app I've seen in Liberty does, and that is deploy in Liberty with the default Basic User Registry, and then let the end user configure Liberty for other directory systems, SSO, etc.

The Basic User Registry would let you set up the initial admin/admin user, and would then remove the need for any LDAP components in the web UI installation.

Have a look at IBM Engineering Lifecycle Management tools on jazz.net - this is a perfect example of what I am talking about. IBM's Maximo is another example

from amlen.

Yes, having the WebUI optionally use an external LDAP would be a nice feature. I'm not aware of any person or organisation who is currently working on that (or planning to work on that).

from amlen.

If I worked on this to remove all explicit LDAP dependencies and go with the default Basic User Registry as the out of the box option would this be of interest? Then the documentation could refer to the Liberty online help for people who want to configure a directory.

Then you could optionally provide a separate package to install and set up openldap using the scripts in this distro, including a prepopulated XML registry file that would connect Liberty

from amlen.

By default it should do what it does today. The user should not have to know anything about LDAP to run the WebUI on their laptop.

If you wanted to add a way of optionally configuring it to use an external LDAP provider instead that would be welcome as long as it doesn't change default behaviour and break the existing users.

from amlen.

Well, that's really just an XML file, and anybody who knows enough about Liberty will be able to do that themselves so not really worth doing. They'll just have to go through the install first to extract the good bits ;-)

From what I can see, the Web UI is a nicely contained JSP app in a war - you remove all the encumbrances around it and it'll just run anywhere Liberty does. Windows, Linux, any sort of containers - even a Pi. The way it is right now it's the installer wrapped tightly around it that makes it non-transportable, and yet that was one of the things I heard the project calling out for help with in the talks and slides I've looked at.

As I mentioned, I was a big user of the WIoTP and was looking for an alternative - I had hoped the Web UI also included the device management UI that is in IBM Cloud, so either way I'm up for a bunch of web development before I get to the same functionality. It may end up I use the server component (which is one of the best around) and build my own UI completely.

If you ever decide to move down a simplification path and to strip the WebUI installer back to something like I've mentioned - I'll always be very keen to help

from amlen.

By default it should do what it does today. The user should not have to know anything about LDAP to run the WebUI on their laptop.

And of course, the best way to have the user "not have to know anything about LDAP" would be to not use it at all by default :-). Just use the Basic User Registry instead

from amlen.

There are lots of existing users. Any switch away from openldap would need well-tested automatic migration. If you would like to work on that or on an extra, differently packaged version of the WebUI, either would be welcomed if sufficiently unlikely to break the current user base :)

from amlen.