A Sentry extension to add an LDAP server as an authentication source.
Project description
sentry-auth-ldap
A Django custom authentication backend for Sentry. This module extends the functionality of django-auth-ldap with Sentry specific features.
Features
- Users created by this backend are managed users. Managed fields are not editable through the Sentry account page.
- Users may be auto-added to an Organization upon creation.
Prerequisites
- Sentry < 21.9.0 should work with sentry-ldap-auth==2.9.0 (which is another project for legacy support)
- Sentry >= 21.9.0 and Sentry < 23.6.0 should work with sentry-auth-ldap==21.9.11
- Sentry >= 23.6.0 should work with sentry-auth-ldap==23.6.0
Installation
To install, simply add sentry-auth-ldap
to your requirements.txt for your Sentry environment (or pip install sentry-auth-ldap
).
For container environment, because of the minimal base image, it may miss some dependencies.
You can easily enhance the image by sentry/enhance-image.sh
script (need getsentry/self-hosted 22.6.0 or higher):
#!/bin/bash
requirements=(
'sentry-auth-ldap>=21.9.0'
# You can add other packages here, just like requirements.txt
)
# Install the dependencies of ldap
apt-get update
apt-get install -y --no-install-recommends build-essential libldap2-dev libsasl2-dev
pip install ${requirements[@]}
# Clean up to shrink the image size
apt-get purge -y --auto-remove build-essential
rm -rf /var/lib/apt/lists/*
# Support ldap over tls (ldaps://) protocol
mkdir -p /etc/ldap && echo "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" > /etc/ldap/ldap.conf
Configuration
This module extends the django-auth-ldap and all the options it provides are supported (up to v1.2.x, at least).
To configure Sentry to use this module, add sentry_auth_ldap.backend.SentryLdapBackend
to your AUTHENTICATION_BACKENDS
in your sentry.conf.py, like this:
AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
'sentry_auth_ldap.backend.SentryLdapBackend',
)
Then, add any applicable configuration options. Depending on your environment, and especially if you are running Sentry in containers, you might consider using python-decouple so you can set these options via environment variables.
sentry-auth-ldap Specific Options
AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'My Organization Name'
Auto adds created user to the specified organization (matched by name) if it exists.
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
Role type auto-added users are assigned. Valid values in a default installation of Sentry are 'member', 'admin', 'manager' & 'owner'. However, custom roles can also be added to Sentry, in which case these are also valid.
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
Whether auto-created users should be granted global access within the default organization.
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
Whether new users should be subscribed to any new projects by default. Disabling this is useful for large organizations where a subscription to each project might be spammy.
AUTH_LDAP_DEFAULT_EMAIL_DOMAIN = 'example.com'
Default domain to append to username as the Sentry user's e-mail address when the LDAP user has no mail
attribute.
WARNING: There is an obsoleted setting named
AUTH_LDAP_SENTRY_USERNAME_FIELD
.
It could be replaced byAUTH_LDAP_USER_QUERY_FIELD
andAUTH_LDAP_USER_ATTR_MAP
which django-auth-ldap built-in.
Sentry Options
SENTRY_MANAGED_USER_FIELDS = ('email', 'first_name', 'last_name', 'password', )
Fields which managed users may not modify through the Sentry accounts view. Applies to all managed accounts.
Example Configuration
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType
AUTH_LDAP_SERVER_URI = 'ldap://my.ldapserver.com'
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
AUTH_LDAP_USER_QUERY_FIELD = 'username'
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'dc=domain,dc=com',
ldap.SCOPE_SUBTREE,
'(mail=%(user)s)',
)
AUTH_LDAP_USER_ATTR_MAP = {
'username': 'uid',
'name': 'cn',
'email': 'mail'
}
AUTH_LDAP_MAIL_VERIFIED = True
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
'',
ldap.SCOPE_SUBTREE,
'(objectClass=groupOfUniqueNames)'
)
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None
AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION = 'organization-slug'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING = {
'owner': ['sysadmins'],
'admin': ['devleads'],
'member': ['developers', 'seniordevelopers']
}
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
'sentry_auth_ldap.backend.SentryLdapBackend',
)
# Optional logging for diagnostics.
LOGGING['disable_existing_loggers'] = False
import logging
logger = logging.getLogger('django_auth_ldap')
logger.setLevel(logging.DEBUG)
Troubleshooting
Work with LDAPS protocol (SSL/TLS)
Put the below content into /etc/ldap/ldap.conf, otherwise the certificate won't be trusted.
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
If your certificate was issued by a private CA, you should change the path.
Don't use OCSP-Must-Staple certificate (SSL/TLS)
Please don't use OCSP-Must-Staple certificate with LDAPS.
Some ldap servers (eg. OpenLDAP) don't support stapling OCSP response. So it will cause the handshake failed.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file sgvn_sentry_auth_ldap-23.6.0.tar.gz
.
File metadata
- Download URL: sgvn_sentry_auth_ldap-23.6.0.tar.gz
- Upload date:
- Size: 9.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.6
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | f9a0285085a97fa3992865a2c68dcb4f179363e148bee4afb12f1dca8231ec3c |
|
MD5 | 44db29ff440a50a24d52227d35545c67 |
|
BLAKE2b-256 | 2a48489882364f74b788a63364e6eb23639dd0758cd92954c67c37fbf4329d45 |
File details
Details for the file sgvn_sentry_auth_ldap-23.6.0-py3-none-any.whl
.
File metadata
- Download URL: sgvn_sentry_auth_ldap-23.6.0-py3-none-any.whl
- Upload date:
- Size: 9.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.6
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | e2778f7d3ed7eb76c3dd164222630ecc8b00d0cab9141d4c37adda0003b2744e |
|
MD5 | 6f759cc6821d73b050db80daa64603a6 |
|
BLAKE2b-256 | a1ddd82d6f2c1776e6d2804ce4b904a3407197b98d5ab8d1ad0851712d2439b2 |