Store Password and Set Admin

[benyanke]

Currently, LDAP users can't use the Django admin panel (/admin). Is there an option, or could there be, to store user's passwords, and perhaps even ability to specify an ldap query for admin?

[madmath03]

Actually, it is possible for LDAP users to access the Django admin panel, but the LDAP user must be a "super user" :

• go to Django admin panel with any admin (super user) account
• go to Users, and edit the user's "super user" check box

It is currently not possible to set a super user directly from LDAP but that is one of the items discussed in #15.
We can keep this issue opened to address how the super users could be managed from LDAP.

As a reminder, the proposal was to set an LDAP Taiga administration group:

# Taiga super users group id
LDAP_GROUP_ADMIN = 'OU=TaigaAdmin,DC=example,DC=net'

Everytime a user connects with the specified group, it is automatically set a super user.

Would that seem like a proper solution for you ?

[GryphonWorx]

I think that would be a good solution, at least for us. Would save a lot of headaches.

[benyanke]

That would also be a great solution - I agree that would make our life much easier.

I'd consider allowing a raw ldap query instead of / in addition to a group. Some places it's easier than others to adjust LDAP structure and groups, and a query (with an example for how to query group membership) would offer the most flexibility.

[madmath03]

For information, following this issue and #21, I finally had the time to implement the save of LDAP password to DB, thus allowing LDAP users to log to the admin console (if they were previously set as super user).

Though I'm still not comfortable enough to develop a full "Admin Group" functionality by myself (I'm not really a Python developer 😅), it's a little step toward that goal.

A new release with that functionality is available in pypi.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[a-ts]

I implemented something that solves this issue for the combination posixGroup and memberUid. Some refactoring was also required to avoid replicating code.
Please let me know if it makes sense to create a pull request for this rather limited solution. If some input is provided (and it does not take too much time) I could try to make it more generally applicable.

[madmath03]

Hi @a-ts

Thank you very much for offering a Pull Request. I do think it's a good idea to send a PR. We can work together to make it more generic after that.

[dsalgueiror]

From what I have been able to test and the same thing happens to me in our installation migrated from Taiga 5 to 6 latest version, the authentication works well for Taiga but in the login process it updates or modifies the password value of the users table and this prevents the access to the Django admin because the encryption is different, expecting to have data of type pbkdf2_sha256$xxxxxxxxx. In the case of using the option to recover password and indicating it manually, the data saved in the DB is correct but once I log in again in Taiga it is modified.

I'm using the taiga-contrib-ldap-auth-ext plugin and it supposedly has an option to disable this behavior via LDAP_SAVE_LOGIN_PASSWORD = False, but it doesn't work. In addition to this being the case, I understand that the Django admin would not be using LDAP validation if not the one stored at that moment in the DB.

Greetings!!