
Core

didmos structure

didmos Core consists of several components that manage objects such as users and groups, together with their configuration, their changes and their eventual deletion. Like most other didmos modules, Core is written entirely in Python and builds on the widely used Django framework. This lets developers automate part of the application code, which not only simplifies development but also speeds it up considerably without loss of quality.

Core provides SCIM v2 endpoints for administration and for retrieving access control information (Policy Decision Point), as well as an implementation of multi-level workflows; all of these are realised as REST APIs.
As its data back-end, didmos Core uses an LDAP server that acts as a metadirectory. didmos Core is thus a web service interface for writing to and reading from the metadirectory. The advantage over direct LDAP access is that additional business logic can be implemented on top. Because SCIM is considerably easier to implement than LDAP, lean JavaScript-based front-ends can also access didmos Core.

Structure and Features

This illustration depicts the different components of didmos Core and how they interact with the metadirectory and didmos authenticator.

Illustration: Structure didmos LUI

PDP (Policy Decision Point): The single PDP manages access control for resources centrally by assigning roles that determine the corresponding access rights. The roles themselves are also defined and maintained here.

LUI2 Back-End: This back-end communicates with the LUI front-end via a SCIM v2 REST interface and implements and coordinates the business logic.

Tasks: The tasks app allows multi-level request and approval processes to be implemented within didmos Core. A request is stored as an LDAP object and forwarded to the decision circuit, which either approves or declines it. A two-man rule (two distinct approvers required) can be defined at this point. Once a decision has been made, the corresponding automated process is started.
A request can be used for the following purposes, among others:

  • New user account
  • Group membership
  • Role
  • Mail-alias
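The request and approval flow described above, including the optional two-man rule, can be modelled as a small state machine. The following is an added example written for this page; it is not didmos code, and the class names, the "xRequest" attribute names used to flatten a request into an LDAP-style object, and the sample approvers are assumptions, not the didmos schema. It shows the checks a decision circuit has to enforce for a two-person rule to mean anything: the requester may not approve their own request, the same approver may not count twice, only authorised approvers may decide, and the follow-up process runs only once the required number of distinct approvals has been collected.

```python
"""Two-person (two-man-rule) approval workflow, modelled after the
request/approval process described on the page. Added example code,
not didmos code; all names are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DECLINED = "declined"


class WorkflowError(Exception):
    """Raised when a decision would violate the workflow rules."""


@dataclass
class Request:
    request_id: str
    kind: str                      # e.g. "group_membership", "new_account"
    requester: str                 # uid of the person asking
    payload: Dict[str, str]        # what is being requested
    required_approvals: int = 1    # 2 enables the two-man rule
    approvals: List[str] = field(default_factory=list)
    state: State = State.PENDING

    def to_ldap_attrs(self) -> Dict[str, object]:
        """Flatten the request into attributes as they could be stored in an
        LDAP object (hypothetical attribute names, not the didmos schema)."""
        return {
            "objectClass": ["top", "xRequest"],
            "cn": self.request_id,
            "xRequestKind": self.kind,
            "xRequester": self.requester,
            "xRequestState": self.state.value,
            "xApprovedBy": list(self.approvals),
            "xRequiredApprovals": str(self.required_approvals),
        }


class DecisionCircuit:
    """Collects decisions and enforces who may decide on what."""

    def __init__(self, approvers_by_kind: Dict[str, Set[str]],
                 on_approved: Callable[[Request], None]) -> None:
        self.approvers_by_kind = approvers_by_kind
        self.on_approved = on_approved   # automated process run after approval

    def _check(self, req: Request, approver: str) -> None:
        if req.state is not State.PENDING:
            raise WorkflowError(f"{req.request_id} is already {req.state.value}")
        if approver not in self.approvers_by_kind.get(req.kind, set()):
            raise WorkflowError(f"{approver} may not decide on {req.kind} requests")
        if approver == req.requester:
            raise WorkflowError("requester may not approve their own request")
        if approver in req.approvals:
            raise WorkflowError(f"{approver} has already approved {req.request_id}")

    def approve(self, req: Request, approver: str) -> State:
        self._check(req, approver)
        req.approvals.append(approver)
        if len(req.approvals) >= req.required_approvals:
            req.state = State.APPROVED
            self.on_approved(req)        # e.g. actually add the user to the group
        return req.state

    def decline(self, req: Request, approver: str) -> State:
        self._check(req, approver)       # one authorised decline ends the request
        req.state = State.DECLINED
        return req.state


# --- constructed sample data (not real directory content) -------------------
provisioned: List[Dict[str, str]] = []   # records what the follow-up process did


def provision(req: Request) -> None:
    provisioned.append(dict(req.payload))


circuit = DecisionCircuit(
    approvers_by_kind={"group_membership": {"alice", "bob", "carol"}},
    on_approved=provision,
)


def run_two_man_rule_demo() -> Request:
    """Membership request that needs two distinct approvers."""
    req = Request("req-001", "group_membership", requester="alice",
                  payload={"uid": "dave", "group": "admins"},
                  required_approvals=2)
    for who in ("bob", "carol"):
        circuit.approve(req, who)        # second distinct approval completes it
    return req


if __name__ == "__main__":
    print(run_two_man_rule_demo().to_ldap_attrs())
```

The separation-of-duties checks live in one place (`_check`) so that approve and decline cannot drift apart; the follow-up action is passed in as a callback, which keeps the decision logic independent of what the automated process does.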

LDAP Metadirectory: The metadirectory, which is also the persistence layer, stores all relevant data of the IAM system. Thanks to the highly flexible LDAP data model, any data object can be managed with didmos Core. Even the overall configuration of didmos is kept as LDAP objects in the metadirectory.
