
Add support for LDAP Active Directory authentication. #20

Merged

Conversation

groldan
Member

@groldan groldan commented Jun 7, 2022

Multiple LDAP authorization services can be configured, in which case, when
doing HTTP Basic auth and Form login, each enabled LDAP service will be
probed for the authentication credentials in the order they appear in the
configuration, and the first successful authentication will be used.

If no georchestra.security.ldap.[name].enabled is true, the log-in page won't
even show the username/password form inputs, and HTTP Basic authentication won't be
enabled.

At application startup, the enabled configurations are validated. The application
will fail to start if there's a validation error.

Each LDAP authentication provider can be one of:

  • A standard LDAP provider, which provides basic authorization
    credentials in the form of a list of role names.
  • An extended LDAP provider, as traditionally used by geOrchestra's
    internal OpenLDAP database, which enriches the authentication principal
    object with additional user identity properties.
  • An Active Directory LDAP provider, which provides basic authorization
    credentials in the form of a list of role names.

Here's a sample configuration with three LDAP services. The ldap.default.* properties are embedded
and match the ones of the ldap.ldap2 sample config, so it just needs to be enabled in the <datadirectory>/gateway/security.yaml file.

georchestra:
  gateway:
    security:
      ldap:
        default:
          enabled: true
        ldap2:
          enabled: false
          extended: true
          url: ${ldapScheme}://${ldapHost}:${ldapPort}
          baseDn: ${ldapBaseDn:dc=georchestra,dc=org}
          users:
            rdn: ${ldapUsersRdn:ou=users}
            searchFilter: ${ldapUserSearchFilter:(uid={0})}
          roles:
            rdn: ${ldapRolesRdn:ou=roles}
            searchFilter: ${ldapRolesSearchFilter:(member={0})}
          orgs:
            rdn: ${ldapOrgsRdn:ou=orgs}
        activeDirSample:
          enabled: false
          url: ldap://test.activedirectory.com:389
          domain: test.georchestra.org
          baseDn: dc=georchestra,dc=org
          users.searchFilter: (&(objectClass=user)(userPrincipalName={0}))
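As an added illustration (not code from georchestra-gateway or from this PR), the following plain Java reduces the behaviour described in the PR to its essentials: only enabled entries are validated and an invalid enabled entry refuses startup, the enabled providers are probed in configuration order with the first successful authentication winning, and username/password login is offered only when at least one provider is enabled. The class names, the `Provider` interface, the in-memory stand-ins for LDAP binds and every credential below are constructed for this example.

```java
// Added example, not georchestra-gateway code: ordered probing of enabled LDAP
// providers, first-success-wins, plus startup validation of enabled entries.
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class LdapAuthChain {

    /** Subset of the georchestra.gateway.security.ldap.[name] properties (constructed). */
    static final class LdapConfig {
        final String name;
        final boolean enabled;
        final String url;
        final String baseDn;

        LdapConfig(String name, boolean enabled, String url, String baseDn) {
            this.name = name;
            this.enabled = enabled;
            this.url = url;
            this.baseDn = baseDn;
        }
    }

    /** Validates enabled entries only; a disabled entry may be incomplete. Throws at startup. */
    static List<LdapConfig> validateEnabled(Map<String, LdapConfig> configs) {
        List<LdapConfig> enabled = new ArrayList<>();
        for (LdapConfig c : configs.values()) { // LinkedHashMap preserves configuration order
            if (!c.enabled) {
                continue;
            }
            if (c.url == null || c.url.isBlank()) {
                throw new IllegalStateException("ldap." + c.name + ".url is required");
            }
            if (c.baseDn == null || c.baseDn.isBlank()) {
                throw new IllegalStateException("ldap." + c.name + ".baseDn is required");
            }
            enabled.add(c);
        }
        return enabled;
    }

    /** Hypothetical provider abstraction: a successful bind yields a principal name. */
    interface Provider {
        Optional<String> authenticate(String user, String password);
    }

    /** Login form inputs and HTTP Basic are offered only when some provider is enabled. */
    static boolean usernamePasswordEnabled(List<Provider> providers) {
        return !providers.isEmpty();
    }

    /** Probe providers in order; the first successful authentication is used. */
    static Optional<String> authenticate(List<Provider> providers, String user, String password) {
        for (Provider p : providers) {
            Optional<String> principal = p.authenticate(user, password);
            if (principal.isPresent()) {
                return principal;
            }
        }
        return Optional.empty();
    }

    /** Stand-in for a real LDAP bind backed by a constructed in-memory user table. */
    static Provider inMemory(String name, Map<String, String> users) {
        return (user, password) -> Optional.ofNullable(users.get(user))
                .filter(password::equals)
                .map(ignored -> user + "@" + name);
    }

    public static void main(String[] args) {
        Map<String, LdapConfig> configs = new LinkedHashMap<>();
        configs.put("default", new LdapConfig("default", true, "ldap://localhost:389", "dc=georchestra,dc=org"));
        configs.put("ldap2", new LdapConfig("ldap2", false, null, null)); // incomplete but disabled: ignored
        configs.put("activeDirSample", new LdapConfig("activeDirSample", true,
                "ldap://test.activedirectory.com:389", "dc=georchestra,dc=org"));
        System.out.println("enabled providers: " + validateEnabled(configs).size());

        // An enabled entry missing a required property refuses startup.
        try {
            validateEnabled(Map.of("broken", new LdapConfig("broken", true, null, null)));
        } catch (IllegalStateException e) {
            System.out.println("startup refused: " + e.getMessage());
        }

        // "alice" exists in both directories; the first provider whose bind succeeds wins.
        List<Provider> chain = List.of(
                inMemory("default", Map.of("alice", "pw-default")),
                inMemory("activeDirSample", Map.of("alice", "pw-ad", "bob", "pw-ad")));
        System.out.println(authenticate(chain, "alice", "pw-default"));
        System.out.println(authenticate(chain, "alice", "pw-ad"));
        System.out.println(authenticate(chain, "bob", "wrong"));
        System.out.println("form/basic login offered: " + usernamePasswordEnabled(List.of()));
    }
}
```

The point worth keeping in mind from the example is that the same username can exist in two enabled directories, and which one authenticates it depends only on the configured order and on which password the user presents; that is why the disabled `ldap2` entry may be left incomplete while every enabled entry must pass validation before the gateway starts.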

@groldan groldan force-pushed the feature/activedirectory_authentication branch 3 times, most recently from 29412d0 to c82dd69 Compare June 7, 2022 02:30
@groldan groldan force-pushed the feature/activedirectory_authentication branch from c82dd69 to f4ccf41 Compare June 7, 2022 02:37
@groldan groldan marked this pull request as ready for review June 7, 2022 02:37
@groldan groldan merged commit 6879d38 into georchestra:main Jun 7, 2022
@groldan groldan deleted the feature/activedirectory_authentication branch June 7, 2022 02:40
Makefile
@@ -156,7 +156,7 @@
<configuration>
<rules>
<requireJavaVersion>
<version>[11,)</version>
<version>11</version>
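Review bot: Replacing `<version>[11,)</version>` with `<version>11</version>` drops the open upper bound, yet nothing in the hunk records why the range was tightened; add an XML comment next to the `requireJavaVersion` rule giving the reason from the review thread (a newer JDK only fails later in the build), so the constraint is not relaxed back to `[11,)` by the next contributor, and if "exactly JDK 11" is the intent, state it as an explicit range such as `[11,12)` rather than relying on how the enforcer interprets a bare version.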
Member

Did you have some trouble using a more recent version than jdk11? (just curious)

Member Author

I've Java 17 by default and it wouldn't complain until it's too late, so fixed it at 11 so I get the failure earlier.
