feat(controller): Adding LDAP/AD auth support

deis · Mar 3, 2015 · b4a09a3 · b4a09a3
1 parent 71879d9
commit b4a09a3
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 8 deletions.
diff --git a/controller/build.sh b/controller/build.sh
@@ -16,7 +16,7 @@ DEBIAN_FRONTEND=noninteractive
 # HACK: install git so we can install bacongobbler's fork of django-fsm
 # install openssh-client for temporary fleetctl wrapper
 apt-get update && \
-    apt-get install -yq python-dev libffi-dev libpq-dev libyaml-dev git
+    apt-get install -yq python-dev libffi-dev libpq-dev libyaml-dev git libldap2-dev libsasl2-dev
 
 # install pip
 curl -sSL https://raw.githubusercontent.com/pypa/pip/6.0.8/contrib/get-pip.py | python -

diff --git a/controller/deis/settings.py b/controller/deis/settings.py
@@ -6,6 +6,10 @@
 import os.path
 import sys
 import tempfile
+import ldap
+
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
 
 PROJECT_ROOT = os.path.normpath(os.path.join(os.path.dirname(__file__), '..'))
 
@@ -136,6 +140,7 @@
     'django.contrib.sites',
     'django.contrib.staticfiles',
     # Third-party apps
+    'django_auth_ldap',
     'guardian',
     'json_field',
     'gunicorn',
@@ -149,6 +154,7 @@
 )
 
 AUTHENTICATION_BACKENDS = (
+    "django_auth_ldap.backend.LDAPBackend",
     "django.contrib.auth.backends.ModelBackend",
     "guardian.backends.ObjectPermissionBackend",
 )
@@ -318,6 +324,58 @@
 #  server       - Hostname based on CoreOS server hostname
 UNIT_HOSTNAME = 'default'
 
+# All values will be override by confd
+LDAP_ENDPOINT = ""
+BIND_DN = ""
+BIND_PASSWORD = ""
+USER_BASEDN = ""
+USER_FILTER = ""
+GROUP_BASEDN = ""
+GROUP_FILTER = ""
+GROUP_TYPE = ""
+
+# have confd_settings within container execution override all others
+# including local_settings (which may end up in the container)
+if os.path.exists('/templates/confd_settings.py'):
+    sys.path.append('/templates')
+    from confd_settings import *  # noqa
+
+LDAP_USER_SEARCH = LDAPSearch(
+    base_dn=USER_BASEDN,
+    scope=ldap.SCOPE_SUBTREE,
+    filterstr="(" + USER_FILTER + "=%(user)s)"
+)
+
+LDAP_GROUP_SEARCH = LDAPSearch(
+    base_dn=GROUP_BASEDN,
+    scope=ldap.SCOPE_SUBTREE,
+    filterstr="(%s=%s)" % (GROUP_FILTER, GROUP_TYPE)
+)
+
+AUTH_LDAP_SERVER_URI = LDAP_ENDPOINT
+AUTH_LDAP_BIND_DN = BIND_DN
+AUTH_LDAP_BIND_PASSWORD = BIND_PASSWORD
+
+AUTH_LDAP_USER_SEARCH = LDAP_USER_SEARCH
+AUTH_LDAP_GROUP_SEARCH = LDAP_GROUP_SEARCH
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail",
+    "username": USER_FILTER,
+}
+
+AUTH_LDAP_GLOBAL_OPTIONS = {
+    ldap.OPT_X_TLS_REQUIRE_CERT: False,
+    ldap.OPT_REFERRALS: False
+}
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+AUTH_LDAP_MIRROR_GROUPS = True
+AUTH_LDAP_FIND_GROUP_PERMS = True
+AUTH_LDAP_CACHE_GROUPS = False
+
 # Create a file named "local_settings.py" to contain sensitive settings data
 # such as database configuration, admin email, or passwords and keys. It
 # should also be used for any settings which differ between development
@@ -327,10 +385,3 @@
     from .local_settings import *  # noqa
 except ImportError:
     pass
-
-
-# have confd_settings within container execution override all others
-# including local_settings (which may end up in the container)
-if os.path.exists('/templates/confd_settings.py'):
-    sys.path.append('/templates')
-    from confd_settings import *  # noqa
diff --git a/controller/requirements.txt b/controller/requirements.txt
@@ -9,6 +9,7 @@ django-cors-headers==1.0.0
 django-fsm==2.2.0
 django-guardian==1.2.5
 django-json-field==0.5.7
+django-auth-ldap==1.2.5
 djangorestframework==3.0.5
 docker-py==0.7.2
 gunicorn==19.2.1
@@ -19,3 +20,4 @@ PyYAML==3.11
 setproctitle==1.1.8
 static==1.1.1
 South==1.0.2
+python-ldap==2.4.19
diff --git a/controller/templates/confd_settings.py b/controller/templates/confd_settings.py
@@ -46,3 +46,14 @@
 {{ end }}
 
 UNIT_HOSTNAME = '{{ or (.deis_controller_unitHostname) "default" }}'
+
+# AUTH
+# LDAP
+LDAP_ENDPOINT = '{{ .deis_controller_auth_ldap_endpoint }}'
+BIND_DN = '{{ .deis_controller_auth_ldap_bind_dn }}'
+BIND_PASSWORD = '{{ .deis_controller_auth_ldap_bind_password }}'
+USER_BASEDN = '{{ .deis_controller_auth_ldap_user_basedn }}'
+USER_FILTER = '{{ .deis_controller_auth_ldap_user_filter }}'
+GROUP_BASEDN = '{{ .deis_controller_auth_ldap_group_basedn }}'
+GROUP_FILTER = '{{ .deis_controller_auth_ldap_group_filter }}'
+GROUP_TYPE = '{{ .deis_controller_auth_ldap_group_type }}'