
LDAP authentication for udata with optional Kerberos support.

Project description

udata-ldap

LDAP authentication for udata with optional Kerberos support.

Requirements

To use LDAP-only authentication, you only need the udata-ldap extension.

To use SASL and SPNEGO, you need a working Kerberos client environment.

On Debian, you can install the requirements using:

apt-get install krb5-config krb5-user libkrb5-dev

You need to configure your realm in /etc/krb5.conf. Here's a sample configuration for the DOMAIN.ORG realm (the realm name in [realms] must match default_realm, and the dns_lookup_* and rdns options are [libdefaults] settings, so they are placed there):

[libdefaults]
    default_realm = DOMAIN.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false

[realms]
    DOMAIN.ORG = {
        # use "kdc = ..." if realm admins haven't put SRV records into DNS
        kdc = kdc.domain.org
        admin_server = kdc.domain.org:749
        default_domain = domain.org
    }

[domain_realm]
    domain.org = DOMAIN.ORG
    .domain.org = DOMAIN.ORG

Usage

Install the plugin package in your udata environment:

pip install udata-ldap

Then activate it in your udata.cfg:

PLUGINS = ['ldap']

NB: if using Kerberos SASL and/or SPNEGO, install it with the kerberos extra:

pip install udata-ldap[kerberos]

Configuration

udata-ldap is built on flask-ldap3-login and therefore accepts the same LDAP_* parameters as described in the flask-ldap3-login documentation.

Some extra parameters are available:

Parameter                        Default value      Notes
-------------------------------  -----------------  ------------------------------------------------------------------
LDAP_DEBUG                       False              Enable verbose/debug logging
LDAP_KERBEROS_KEYTAB             None               Path to an optional Kerberos keytab for this service
LDAP_KERBEROS_SERVICE_NAME       'HTTP'             The service principal name as configured in the keytab
LDAP_KERBEROS_SERVICE_HOSTNAME   socket.getfqdn()   The service hostname (e.g. data.domain.com)
LDAP_KERBEROS_SPNEGO             False              Whether or not to enable passwordless authentication with SPNEGO
LDAP_KERBEROS_SPNEGO_NO_REALM    True               Automatically remove @REALM from the SPNEGO/REMOTE_USER identifier
LDAP_REMOTE_USER_ATTR            'uid'              The LDAP attribute matched against the identifier extracted from the SPNEGO handshake
LDAP_USER_FIRST_NAME_ATTR        'givenName'        The LDAP attribute to extract the first name from
LDAP_USER_LAST_NAME_ATTR         'sn'               The LDAP attribute to extract the last name from
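The following added example (not udata-ldap's own code) shows how LDAP_KERBEROS_SPNEGO_NO_REALM and LDAP_REMOTE_USER_ATTR combine to turn a SPNEGO/REMOTE_USER identifier such as jdoe@DOMAIN.ORG into the LDAP filter used to look the user up. The EXPECTED_REALM check and the RFC 4515 escaping are assumptions added here: only the service's own realm is stripped, and the identifier is escaped so that filter metacharacters in it cannot change the query.

```python
"""Map a SPNEGO/REMOTE_USER principal to an LDAP search filter (added example)."""

# Settings as a plain dict; the LDAP_* keys are the udata.cfg names from the
# table above. EXPECTED_REALM is an assumed extra check, not a udata-ldap setting.
SETTINGS = {
    "LDAP_KERBEROS_SPNEGO_NO_REALM": True,
    "LDAP_REMOTE_USER_ATTR": "uid",
    "EXPECTED_REALM": "DOMAIN.ORG",
}


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def strip_realm(principal, settings=SETTINGS):
    """Return the bare identifier, dropping @REALM when NO_REALM is enabled.

    Only the configured realm is stripped: a principal from another realm is
    rejected instead of being silently mapped onto a local user with the same name.
    """
    if "@" not in principal or not settings["LDAP_KERBEROS_SPNEGO_NO_REALM"]:
        return principal
    name, realm = principal.rsplit("@", 1)
    if realm.upper() != settings["EXPECTED_REALM"].upper():
        raise ValueError("unexpected realm %r in principal %r" % (realm, principal))
    return name


def remote_user_filter(principal, settings=SETTINGS):
    """Build the LDAP search filter that matches LDAP_REMOTE_USER_ATTR to the identifier."""
    ident = strip_realm(principal, settings)
    if not ident:
        raise ValueError("empty identifier in principal %r" % principal)
    attr = settings["LDAP_REMOTE_USER_ATTR"]
    return "(%s=%s)" % (attr, escape_filter_value(ident))


if __name__ == "__main__":
    print(remote_user_filter("jdoe@DOMAIN.ORG"))   # (uid=jdoe)
    print(remote_user_filter("j*doe@DOMAIN.ORG"))  # (uid=j\2adoe)
```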

Testing configuration

udata-ldap provides the following commands to help with the configuration:

  • udata ldap config displays the LDAP configuration as seen by udata
  • udata ldap check lets you quickly test your LDAP configuration
  • udata ldap krbcheck lets you quickly test your Kerberos configuration

Testing locally with Docker

An example docker-compose.yml is provided to test locally with a FreeIPA server.

To use it, you need to copy the file ipa-server-install-options.example to ipa-server-install-options and edit it with your own parameters.

For example:

--unattended
--realm=DOMAIN.ORG
--domain=DOMAIN.ORG
--ds-password=password
--admin-password=password

Changelog

Current (in progress)

  • Fix negotiate and REMOTE_USER email extraction

0.3.3 (2018-11-09)

  • Internal: extracted all Kerberos handling into its own module
  • Kerberos: handle REALM removal from SPNEGO/REMOTE_USER identifier

0.3.2 (2018-10-16)

  • Fix some console encoding errors
  • Fix LDAP values extraction
  • Make all LDAP attributes mapping to user profile configurable

0.3.1 (2018-10-11)

  • Renamed LDAP_USER_SPNEGO_ATTR to LDAP_REMOTE_USER_ATTR for consistency
  • Fix login form using SPNEGO attribute for login

0.3.0 (2018-10-09)

  • Display errors on login form
  • Force email into the login form
  • Fix encoding errors in ldap commands
  • Update user on login
  • Start handling errors on the negotiate view
  • Display a page when trying automatic login without credentials
  • Add translations

0.2.1 (2018-10-08)

  • Fix the "automatic login" link
  • More logging

0.2.0

  • More tests
  • Hide debug log unless LDAP_DEBUG = True
  • Remove buggy default LDAP_* settings

0.1.0

Initial release

Download files

Source Distributions

No source distribution files available for this release.

Built Distribution

udata_ldap-0.3.4.dev53-py2.py3-none-any.whl (14.3 kB)

File details

Details for the file udata_ldap-0.3.4.dev53-py2.py3-none-any.whl.

File metadata

  • Download URL: udata_ldap-0.3.4.dev53-py2.py3-none-any.whl
  • Size: 14.3 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.4.2 requests/2.20.1 setuptools/38.4.0 requests-toolbelt/0.8.0 tqdm/4.28.1 CPython/2.7.13

File hashes

Hashes for udata_ldap-0.3.4.dev53-py2.py3-none-any.whl
Algorithm    Hash digest
-----------  ----------------------------------------------------------------
SHA256       aab7b909404ee9d3848c7f29f3975cb8ab4c6b095468c5fea5afaa1410e0bc03
MD5          f4f993febf57c71ad7bd659ccbaf74d9
BLAKE2b-256  ad11b909e73c59bafa8afa067af1953a5f71a0d52b013a40136718940e716198
