udata-ldap
LDAP authentication for udata with optional Kerberos support.
Requirements
To use LDAP-only authentication, you only need the udata-ldap extension.
To use SASL and SPNEGO, you need a functional Kerberos client environment.
On Debian, you can install the requirements using:
apt-get install krb5-config krb5-user libkrb5-dev
Usage
Install the plugin package in your udata environment:
pip install udata-ldap
Then activate it in your udata.cfg:
PLUGINS = ['ldap']
NB: if using Kerberos SASL and/or SPNEGO, install it with:
pip install udata-ldap[kerberos]
Configuration
udata-ldap makes use of flask-ldap3-login and so uses the same parameters as described in the flask-ldap3-login documentation.
Some extra parameters are available:
Parameter | Default value | Notes
---|---|---
LDAP_DEBUG | False | Enable verbose/debug logging
LDAP_KERBEROS_KEYTAB | None | Path to an optional Kerberos keytab for this service
LDAP_KERBEROS_SERVICE_NAME | 'HTTP' | The service principal as configured in the keytab
LDAP_KERBEROS_SERVICE_HOSTNAME | socket.getfqdn() | The service hostname (e.g. data.domain.com)
LDAP_KERBEROS_SPNEGO | False | Whether or not to enable passwordless authentication with SPNEGO
LDAP_REMOTE_USER_ATTR | 'uid' | The LDAP attribute matched against the user name extracted from the SPNEGO handshake
LDAP_USER_FIRST_NAME_ATTR | 'givenName' | The LDAP attribute to extract the first name from
LDAP_USER_LAST_NAME_ATTR | 'sn' | The LDAP attribute to extract the last name from
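To make the attribute mapping concrete, here is an added example (not the extension's own code) of how a SPNEGO principal can be matched on LDAP_REMOTE_USER_ATTR with a properly escaped search filter, and how the first/last name attributes are read from an ldap3-style entry, whose list-valued attributes are what the "Fix LDAP values extraction" changelog entry is about. Stripping the realm from the principal, the helper names and the ldap3 entry layout are assumptions.

```python
import re

# Defaults copied from the udata-ldap configuration table above; the helpers
# below are an illustrative reimplementation, not udata-ldap's own code.
DEFAULTS = {
    'LDAP_REMOTE_USER_ATTR': 'uid',
    'LDAP_USER_FIRST_NAME_ATTR': 'givenName',
    'LDAP_USER_LAST_NAME_ATTR': 'sn',
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a crafted user name could widen the search filter."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)


def remote_user_filter(principal, cfg=None):
    """Build the filter matching a SPNEGO principal (user@REALM) on the
    configured LDAP_REMOTE_USER_ATTR. Assumption: the realm is stripped."""
    cfg = {**DEFAULTS, **(cfg or {})}
    username = principal.split('@', 1)[0]
    return '(%s=%s)' % (cfg['LDAP_REMOTE_USER_ATTR'], escape_filter_value(username))


def first_value(raw):
    """ldap3 returns attribute values as (possibly empty) lists, sometimes as
    raw bytes; normalise to a single text value or None."""
    if isinstance(raw, (list, tuple)):
        raw = raw[0] if raw else None
    if isinstance(raw, bytes):
        raw = raw.decode('utf-8')
    return raw


def profile_from_entry(attrs, cfg=None):
    """Map an LDAP entry's attributes to the user profile fields using the
    configurable LDAP_USER_*_ATTR settings."""
    cfg = {**DEFAULTS, **(cfg or {})}
    return {
        'first_name': first_value(attrs.get(cfg['LDAP_USER_FIRST_NAME_ATTR'])),
        'last_name': first_value(attrs.get(cfg['LDAP_USER_LAST_NAME_ATTR'])),
    }


# Constructed sample entry in the shape a FreeIPA server would return it.
SAMPLE_ENTRY = {'uid': ['jdoe'], 'givenName': ['Jane'], 'sn': [b'Doe'], 'mail': []}
```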
Testing configuration
udata-ldap provides two commands to help with the configuration:
udata ldap config
will display the LDAP configuration as seen by udata.
udata ldap check
will let you quickly test your configuration.
Testing locally with Docker
An example docker-compose.yml is provided to test locally with a FreeIPA server.
To use it, copy the file ipa-server-install-options.example to ipa-server-install-options and edit it with your own parameters, e.g.:
--unattended
--realm=DATA.XPS
--domain=data.xps
--ds-password=password
--admin-password=password
Changelog
Current (in progress)
- Fix some console encoding error
- Fix LDAP values extraction
- Make all LDAP attributes mapping to user profile configurable
0.3.1 (2018-10-11)
- Renamed LDAP_USER_SPNEGO_ATTR into LDAP_REMOTE_USER_ATTR for consistency
- Fix login form using SPNEGO attribute for login
0.3.0 (2018-10-09)
- Display errors on login form
- Force email into the login form
- Fix encoding errors in ldap commands
- Update user on login
- Start handling errors on negotiate view
- Display a page when trying automatic login without credentials
- Adds translations
0.2.1 (2018-10-08)
- Fix the "automatic login" link
- More logging
0.2.0
- More tests
- Hide debug log unless LDAP_DEBUG = True
- Remove buggy default LDAP_* settings
0.1.0
Initial release
Hashes for udata_ldap-0.3.2.dev35-py2.py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 7a7efae548d8d54c3a6ebf9ac0229f4c4f11f4defbbc67065b2ef60bf6992a9f
MD5 | b3f3c1f80129903360a2f2c5074b604e
BLAKE2b-256 | 93635f7c94b19f0ba6434e94a6e4d4420d555796d44618f951edf8c64612aad8