Introduction
Didmos2-Core is a Django-based web backend written in Python for identity management. It can be deployed inside a Docker environment or as a Debian package. The backend uses an OpenLDAP directory as its database and exposes a RESTful SCIM v2 API as its interface. Through this API it is possible to create new resources such as users, groups and other objects using predefined processes inside the metadirectory. Modification and deletion of such objects are also possible, as is the implementation of complex workflows that provide asynchronous execution of modifications, notifications or the execution of any other Python code. From the beginning, didmos2-core was developed to provide a high degree of flexibility and extensibility.
Modules
The backend is structured in modules which provide different functionality.
Ldap-Module
This module handles all requests against the metadirectory. It bundles requests where needed, caches data to avoid redundant requests, implements several OpenLDAP server controls, and more.
A strength of this module is the dynamic building of almost all needed LDAP filters. This allows developers to use complex LDAP filter constructs even without deeper knowledge of LDAP search filters. Where necessary, the module also provides many interceptor entry points at which a request can be modified before or after it is sent to the metadirectory.
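The property a dynamic filter builder like the one described above has to guarantee is that request data can only ever become an assertion value, never part of the filter's structure. The following is an added example and not didmos2-core's Ldap-Module code: it escapes values per RFC 4515, validates attribute names, and shows the naive string-formatting pattern beside the builder for comparison. The attribute names and the sample uid are constructed.

```python
"""Building LDAP search filters from request data without filter injection.

Added example; this is not didmos2-core's Ldap-Module code. Every value that
comes from a request is escaped per RFC 4515 before it is spliced into the
filter, and attribute names are validated, so user-controlled input cannot
change the structure of the filter. Attribute names below are assumptions.
"""
import re

# RFC 4515, section 3: characters that must be hex-escaped in an assertion value.
_VALUE_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Attribute descriptions: an attribute type name, optionally with options such
# as ";binary" (RFC 4512). Anything else is rejected outright.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")


def escape_value(value: str) -> str:
    """Escape a request-supplied string for use as an LDAP assertion value."""
    return "".join(_VALUE_ESCAPES.get(ch, ch) for ch in value)


def is_valid_attr(attr: str) -> bool:
    return _ATTR_RE.fullmatch(attr) is not None


def _attr(attr: str) -> str:
    if not is_valid_attr(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return attr


def eq(attr: str, value: str) -> str:
    """Equality match; the value is always escaped."""
    return f"({_attr(attr)}={escape_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    """Prefix substring match. The wildcard is added here, never by the caller."""
    return f"({_attr(attr)}={escape_value(prefix)}*)"


def present(attr: str) -> str:
    return f"({_attr(attr)}=*)"


def and_(*parts: str) -> str:
    return "(&" + "".join(parts) + ")"


def or_(*parts: str) -> str:
    return "(|" + "".join(parts) + ")"


def not_(part: str) -> str:
    return f"(!{part})"


def naive_user_filter(uid: str) -> str:
    """The pattern to avoid: raw string formatting of request input."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def user_filter(uid: str) -> str:
    """The same lookup built with the escaping builder."""
    return and_(eq("objectClass", "inetOrgPerson"), eq("uid", uid))


if __name__ == "__main__":
    # Constructed input: a uid containing filter metacharacters.
    sample = "*)(uid=*"
    print("naive  :", naive_user_filter(sample))  # structure of the filter changed
    print("escaped:", user_filter(sample))        # metacharacters are literal data
```

The builder deliberately offers no function that takes a raw, pre-formatted filter fragment; the only way to get a wildcard into a filter is through `starts_with` or `present`, which the application code chooses, not the request.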
PDP-Module
All requests in didmos2-core go through an authorization process that checks whether the requestor has sufficient rights for the request. The PDP-Module is mainly a wrapper around the didmos-rbac library, a Python implementation of role-based access control. The library is capable of managing users, roles, permissions and sessions.
Further information about the didmos-rbac library can be found here.
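To make the decision the PDP-Module has to take concrete, here is an added example of a minimal policy decision point built on the four concepts named above (users, roles, permissions, sessions). It is not the didmos-rbac library or the PDP-Module and assumes nothing about their API; the role, operation and resource names in `build_demo()` are constructed.

```python
"""A minimal policy decision point built on role-based access control.

Added example; not the didmos-rbac library nor the PDP-Module. It answers
one question per request: may any role active in this session perform this
operation on this resource? Anything not explicitly granted is denied.
The names used in build_demo() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    operation: str  # e.g. "read", "modify", "delete"
    resource: str   # e.g. a resource type such as "Users"


class Rbac:
    def __init__(self) -> None:
        self.role_permissions: dict[str, set[Permission]] = {}
        self.user_roles: dict[str, set[str]] = {}
        # session id -> (user, roles activated for that session)
        self.sessions: dict[str, tuple[str, set[str]]] = {}

    # --- administration ---------------------------------------------------
    def add_role(self, role: str) -> None:
        self.role_permissions.setdefault(role, set())

    def grant(self, role: str, operation: str, resource: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.role_permissions[role].add(Permission(operation, resource))

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    # --- sessions ---------------------------------------------------------
    def create_session(self, session_id: str, user: str,
                       activate: set[str] | None = None) -> None:
        """Open a session; by default all of the user's roles are active.

        Passing a subset lets a caller work with least privilege, e.g. an
        operator not activating an admin role for routine work.
        """
        assigned = self.user_roles.get(user, set())
        active = set(activate) if activate is not None else set(assigned)
        if not active <= assigned:
            raise ValueError(f"{user!r} is not assigned {sorted(active - assigned)}")
        self.sessions[session_id] = (user, active)

    def deactivate(self, session_id: str, role: str) -> None:
        _user, active = self.sessions[session_id]
        active.discard(role)

    # --- decision ---------------------------------------------------------
    def check_access(self, session_id: str, operation: str, resource: str) -> bool:
        """Deny by default: unknown sessions and ungranted actions return False."""
        session = self.sessions.get(session_id)
        if session is None:
            return False
        _user, active = session
        wanted = Permission(operation, resource)
        return any(wanted in self.role_permissions[r] for r in active)


def build_demo() -> Rbac:
    """Constructed policy: helpdesk may read Users, admin may also modify them."""
    rbac = Rbac()
    rbac.add_role("helpdesk")
    rbac.add_role("admin")
    rbac.grant("helpdesk", "read", "Users")
    rbac.grant("admin", "read", "Users")
    rbac.grant("admin", "modify", "Users")
    rbac.assign("alice", "helpdesk")
    rbac.assign("bob", "helpdesk")
    rbac.assign("bob", "admin")
    rbac.create_session("s-alice", "alice")
    rbac.create_session("s-bob", "bob", activate={"helpdesk"})  # admin not activated
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    for sid, op in [("s-alice", "read"), ("s-alice", "modify"), ("s-bob", "modify")]:
        verdict = "permit" if rbac.check_access(sid, op, "Users") else "deny"
        print(sid, op, "Users", "->", verdict)
```

Two points matter for a PDP in front of an IdM API: the decision is closed by default, so a missing session or a typo in a permission name fails safe, and permissions are looked up through the roles active in the session rather than everything the user is assigned, which is what makes role activation a usable least-privilege control.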
Task-Module
Not all jobs that arise inside an IdM can be done synchronously. This is especially true for every interaction of the IdM with other parties, be they users or other servers. To cover all cases in which asynchronous execution is necessary, tasks are implemented quite generically in didmos2-core. This makes it possible to implement the concept of user requests with the same mechanism as lifecycle events or automatic role assignment.
Customer-Module
This module is not directly part of didmos2-core, but it allows almost all functions used inside didmos2-core to be overridden. This gives developers the freedom both to rely on well-tested functionality inside the core and to implement their own functions or even fully custom endpoints.
Didmos2-core ships with a ready-to-use default configuration that allows you to start working with didmos2 directly. Since this might not fit every project, all configuration parameters can be overwritten inside the customer module. This works in addition to your own configuration mechanism, whether that is configuration files or the didmos2-configserver.
OpenLdap as metadirectory
Didmos2-core relies on an OpenLDAP directory server as its metadirectory. The backend is highly flexible regarding object classes, tree structure and
Configuration parameters
A complete list of all configuration parameters can be found here.