Skip to main content

A Sentry extension to add an LDAP server as an authentication source.

Project description

sentry-auth-ldap

GitHub Workflow Status PyPI License

A Django custom authentication backend for Sentry. This module extends the functionality of django-auth-ldap with Sentry specific features.

Features

  • Users created by this backend are managed users. Managed fields are not editable through the Sentry account page.
  • Users may be auto-added to an Organization upon creation.

Prerequisites

  • Sentry < 21.9.0 should work with sentry-ldap-auth==2.9.0 (which is another project for legacy support)
  • Sentry >= 21.9.0 and Sentry < 23.6.0 should work with sentry-auth-ldap==21.9.11
  • Sentry >= 23.6.0 should work with sentry-auth-ldap==23.6.0

Installation

To install, simply add sentry-auth-ldap to your requirements.txt for your Sentry environment (or pip install sentry-auth-ldap).

For container environment, because of the minimal base image, it may miss some dependencies.

You can easily enhance the image by sentry/enhance-image.sh script (need getsentry/self-hosted 22.6.0 or higher):

#!/bin/bash

requirements=(
'sentry-auth-ldap>=21.9.0'
# You can add other packages here, just like requirements.txt
)

# Install the dependencies of ldap
apt-get update
apt-get install -y --no-install-recommends build-essential libldap2-dev libsasl2-dev

pip install ${requirements[@]}

# Clean up to shrink the image size
apt-get purge -y --auto-remove build-essential
rm -rf /var/lib/apt/lists/*

# Support ldap over tls (ldaps://) protocol
mkdir -p /etc/ldap && echo "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" > /etc/ldap/ldap.conf

Configuration

This module extends the django-auth-ldap and all the options it provides are supported (up to v1.2.x, at least).

To configure Sentry to use this module, add sentry_auth_ldap.backend.SentryLdapBackend to your AUTHENTICATION_BACKENDS in your sentry.conf.py, like this:

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_auth_ldap.backend.SentryLdapBackend',
)

Then, add any applicable configuration options. Depending on your environment, and especially if you are running Sentry in containers, you might consider using python-decouple so you can set these options via environment variables.

sentry-auth-ldap Specific Options

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'My Organization Name'

Auto adds created user to the specified organization (matched by name) if it exists.

AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'

Role type auto-added users are assigned. Valid values in a default installation of Sentry are 'member', 'admin', 'manager' & 'owner'. However, custom roles can also be added to Sentry, in which case these are also valid.

AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True

Whether auto-created users should be granted global access within the default organization.

AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False

Whether new users should be subscribed to any new projects by default. Disabling this is useful for large organizations where a subscription to each project might be spammy.

AUTH_LDAP_DEFAULT_EMAIL_DOMAIN = 'example.com'

Default domain to append to username as the Sentry user's e-mail address when the LDAP user has no mail attribute.

WARNING: There is an obsoleted setting named AUTH_LDAP_SENTRY_USERNAME_FIELD.
It could be replaced by AUTH_LDAP_USER_QUERY_FIELD and AUTH_LDAP_USER_ATTR_MAP which django-auth-ldap built-in.

Sentry Options

SENTRY_MANAGED_USER_FIELDS = ('email', 'first_name', 'last_name', 'password', )

Fields which managed users may not modify through the Sentry accounts view. Applies to all managed accounts.

Example Configuration

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

AUTH_LDAP_SERVER_URI = 'ldap://my.ldapserver.com'
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
AUTH_LDAP_USER_QUERY_FIELD = 'username'

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'dc=domain,dc=com',
    ldap.SCOPE_SUBTREE,
    '(mail=%(user)s)',
)

AUTH_LDAP_USER_ATTR_MAP = {
    'username': 'uid',
    'name': 'cn',
    'email': 'mail'
}

AUTH_LDAP_MAIL_VERIFIED = True

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    '',
    ldap.SCOPE_SUBTREE,
    '(objectClass=groupOfUniqueNames)'
)

AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None
AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION = 'organization-slug'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING = {
    'owner': ['sysadmins'],
    'admin': ['devleads'],
    'member': ['developers', 'seniordevelopers']
}
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_auth_ldap.backend.SentryLdapBackend',
)

# Optional logging for diagnostics.
LOGGING['disable_existing_loggers'] = False
import logging
logger = logging.getLogger('django_auth_ldap')
logger.setLevel(logging.DEBUG)

Troubleshooting

Work with LDAPS protocol (SSL/TLS)

Put the below content into /etc/ldap/ldap.conf, otherwise the certificate won't be trusted.

TLS_CACERT /etc/ssl/certs/ca-certificates.crt

If your certificate was issued by a private CA, you should change the path.

Don't use OCSP-Must-Staple certificate (SSL/TLS)

Please don't use OCSP-Must-Staple certificate with LDAPS.

Some ldap servers (eg. OpenLDAP) don't support stapling OCSP response. So it will cause the handshake failed.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sgvn_sentry_auth_ldap-1.0.0.tar.gz (9.4 kB view details)

Uploaded Source

Built Distribution

sgvn_sentry_auth_ldap-1.0.0-py3-none-any.whl (9.6 kB view details)

Uploaded Python 3

File details

Details for the file sgvn_sentry_auth_ldap-1.0.0.tar.gz.

File metadata

  • Download URL: sgvn_sentry_auth_ldap-1.0.0.tar.gz
  • Upload date:
  • Size: 9.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.9.6

File hashes

Hashes for sgvn_sentry_auth_ldap-1.0.0.tar.gz
Algorithm Hash digest
SHA256 949400c0160609470d1d1948b57b4b23ce65201e43b1e4895a2d5f9d948d672e
MD5 4cdb88acbd47257bda9363648c6e9c2b
BLAKE2b-256 c1afe19b0b1db214633faae4d51cf8b32ec6defca47f5507d1273cb25ffaea78

See more details on using hashes here.

File details

Details for the file sgvn_sentry_auth_ldap-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for sgvn_sentry_auth_ldap-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e53281f12847e47f0526e2ec9793a44c459017821fe95df167c4977ed7bdbe5a
MD5 379e532196dd63695cd6a79f1fac31fb
BLAKE2b-256 a05f8ec7d7e92a5241378b67e9c205a945b13e1bd9b7ea737061eb7454895bc1

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page