LDAP authentification for udata with optional Kerberos suppport.
Project description
udata-ldap
LDAP authentification for udata with optionnal Kerberos suppport.
Requirements
To use LDAP only authentication, you only need the udata-ldap
extension.
To use SASL
and SPNEGO
, you need a functional kerberos client environment.
On debian, you can install the requirements using:
apt-get install krb5-config krb5-user libkrb5-dev
You need to configure your domain in /etc/krb5.conf
.
Here's a sample configuration for DOMAIN.ORG
:
[libdefaults]
default_realm = DOMAIN.ORG
[realms]
DATA.XPS = {
#admin_server = ipa.data.xps
# use "kdc = ..." if realm admins haven't put SRV records into DNS
kdc = kdc.domain.org
admin_server = kdc.domain.org:749
default_domain = domain.org
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
}
[domain_realm]
domain.org = DOMAIN.ORG
.domain.org = DOMAIN.ORG
Usage
Install the plugin package in you udata environement:
pip install udata-ldap
Then activate it in your udata.cfg
:
PLUGINS = ['ldap']
NB: if using Kerberos SASL and/or SPNEGO, install it with:
pip install udata-ldap[kerberos]
Configuration
udata-ldap
makes use of flask-ldap3-login
and so use the same parameters as described here.
Some extra parameters are available:
Parameter | Default value | Notes |
---|---|---|
LDAP_DEBUG |
False |
Enable verbose/debug logging |
LDAP_KERBEROS_KEYTAB |
None |
Path to an optionnal Kerberos keytab for this service |
LDAP_KERBEROS_SERVICE_NAME |
'HTTP' |
The service principal as configured in the keytab |
LDAP_KERBEROS_SERVICE_HOSTNAME |
socket.getfqdn() |
The service hostname (ie. data.domain.com ) |
LDAP_KERBEROS_SPNEGO |
False |
Whether or not to enable passwordless authentication with SPNEGO |
LDAP_KERBEROS_SPNEGO_NO_REALM |
True |
Automaticaly remove @REALM from SPNEGO/REMOTE_USER identifier |
LDAP_REMOTE_USER_ATTR |
'uid' |
The ldap attribute extracted from SPNEGO handshake to match the user |
LDAP_USER_FIRST_NAME_ATTR |
'givenName' |
The ldap attribute to extract the first name from |
LDAP_USER_LAST_NAME_ATTR |
'sn' |
The ldap attribute to extract the last name from |
Testing configuration
udata-ldap
provides two commands to help with the configuration:
udata ldap config
will display the LDAP configuration seen byudata
udata ldap check
will allow to quickly test your LDAP configuration.udata ldap krbcheck
will allow to quickly test your Kerberos configuration.
Testing localy with docker
An example docker-compose.yml
is provided to test localy wiht a freeipa server.
To use it, you need to copy the file ipa-server-install-options.example
to ipa-server-install-options
and edit it with your own parameters.
ex:
--unattended
--realm=DOMAIN.ORG
--domain=DOMAIN.ORG
--ds-password=password
--admin-password=password
Changelog
Current (in progress)
- Nothing yet
0.3.5 (2018-11-23)
- Fix packaging
0.3.4 (2018-11-23)
- Fix negociate and REMOTE_USER email extraction
- Fix some command line encoding errors
0.3.3 (2018-11-09)
- Internal: extracted all Kerberos handling into its own module
- Kerberos: handle REALM removal from SPNEGO/REMOTE_USER identifier
0.3.2 (2018-10-16)
- Fix some console encoding error
- Fix LDAP values extraction
- Make all LDAP attributes mapping to user profile configurable
0.3.1 (2018-10-11)
- Renamed
LDAP_USER_SPNEGO_ATTR
intoLDAP_REMOTE_USER_ATTR
for consistency - Fix login form using SPNEGO attribute for login
0.3.0 (2018-10-09)
- Display errors on login form
- Force email into the login form
- Fix encoding errors in ldap commands
- Update user on login
- Start handling errors on negociate view
- Display a page when trying automatic login wihtout credentials
- Adds translations
0.2.1 (2018-10-08)
- Fix the "automatic login" link
- More logging
0.2.0
- More tests
- Hide debug log unless
LDAP_DEBUG = True
- Remove buggy default
LDAP_*
settings
0.1.0
Initial release
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for udata_ldap-0.3.6.dev61-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d398e54ce241a3760bd7e94bc634f633651e271055484125671dca9f4565c60a |
|
MD5 | a83ac20b17845d77c9c0b4efcee70a31 |
|
BLAKE2b-256 | 9581fe9dba78a683632dd77910ac024e527c08411aa5abb57409ad728e0dba4f |