This issue was moved to a discussion.

LDAP Auth Option #198

Closed
smacktrace opened this issue Nov 6, 2018 · 6 comments
@smacktrace

I'm sorry if this is the wrong place for this but after looking over all the open/closed issues for this project I have yet to see a request for an LDAP authentication option.

Would be fantastic for those of us that are plagued with the requirement to integrate with AD.

A great LDAP option for django would be django-auth-ldap

Local Settings Updates:

```python
AUTHENTICATION_BACKENDS = [
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
]
```

Example Configuration:

```python
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType


# Baseline configuration.
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com'

AUTH_LDAP_BIND_DN = 'cn=django-agent,dc=example,dc=com'
AUTH_LDAP_BIND_PASSWORD = 'phlebotinum'
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'ou=users,dc=example,dc=com',
    ldap.SCOPE_SUBTREE,
    '(uid=%(user)s)',
)
# Or:
# AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=users,dc=example,dc=com'

# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'ou=django,ou=groups,dc=example,dc=com',
    ldap.SCOPE_SUBTREE,
    '(objectClass=groupOfNames)',
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr='cn')

# Simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = 'cn=enabled,ou=django,ou=groups,dc=example,dc=com'
AUTH_LDAP_DENY_GROUP = 'cn=disabled,ou=django,ou=groups,dc=example,dc=com'

# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
}

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_active': 'cn=active,ou=django,ou=groups,dc=example,dc=com',
    'is_staff': 'cn=staff,ou=django,ou=groups,dc=example,dc=com',
    'is_superuser': 'cn=superuser,ou=django,ou=groups,dc=example,dc=com',
}

# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Use LDAP group membership to calculate group permissions.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache distinguished names and group memberships for an hour to minimize
# LDAP traffic.
AUTH_LDAP_CACHE_TIMEOUT = 3600

# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)
```
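
An added example, not part of the original post or of the Healthchecks code base: a small audit of the security-relevant settings posted above, run against the posted values and a tightened variant. The finding codes, the `audit_ldap_settings` helper and the 300-second staleness threshold are assumptions made for this example; `AUTH_LDAP_START_TLS` is a django-auth-ldap setting that the posted configuration leaves at its default of `False`.

```python
from urllib.parse import urlsplit

# The security-relevant settings from the post above, copied into a plain
# dict so the audit runs without Django or python-ldap installed.
GROUPS = "ou=django,ou=groups,dc=example,dc=com"
POSTED = {
    "AUTH_LDAP_SERVER_URI": "ldap://ldap.example.com",
    "AUTH_LDAP_REQUIRE_GROUP": "cn=enabled," + GROUPS,
    "AUTH_LDAP_DENY_GROUP": "cn=disabled," + GROUPS,
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
        "is_active": "cn=active," + GROUPS,
        "is_staff": "cn=staff," + GROUPS,
        "is_superuser": "cn=superuser," + GROUPS,
    },
    "AUTH_LDAP_CACHE_TIMEOUT": 3600,
}

def audit_ldap_settings(cfg, max_stale_seconds=300):
    """Return (code, detail) findings; codes and threshold are assumptions."""
    findings = []
    uri = cfg.get("AUTH_LDAP_SERVER_URI", "")
    # ldap:// without StartTLS means every simple bind, including each
    # user's password at login, crosses the network unencrypted.
    if urlsplit(uri).scheme.lower() == "ldap" and not cfg.get("AUTH_LDAP_START_TLS", False):
        findings.append(("CLEARTEXT_BIND", uri))
    # Cached memberships lag the directory, so removing someone from the
    # 'enabled' group or a flag group is not seen until the cache expires.
    timeout = cfg.get("AUTH_LDAP_CACHE_TIMEOUT", 0)
    group_keys = ("AUTH_LDAP_REQUIRE_GROUP", "AUTH_LDAP_DENY_GROUP",
                  "AUTH_LDAP_USER_FLAGS_BY_GROUP")
    if timeout > max_stale_seconds and any(cfg.get(k) for k in group_keys):
        findings.append(("STALE_GROUPS", f"up to {timeout}s"))
    # Whoever can edit these directory groups can grant Django admin rights.
    flags = cfg.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {})
    for flag in ("is_staff", "is_superuser"):
        if flag in flags:
            findings.append(("DIRECTORY_GRANTS_" + flag.upper(), flags[flag]))
    return findings

# Tightened variant: StartTLS on the same URI and a shorter cache lifetime.
TIGHTENED = dict(POSTED, AUTH_LDAP_START_TLS=True, AUTH_LDAP_CACHE_TIMEOUT=300)

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(name)
        for code, detail in audit_ldap_settings(cfg):
            print(f"  {code}: {detail}")
```

The two `DIRECTORY_GRANTS_*` findings remain in the tightened variant by design: they are a reminder that write access to those directory groups is equivalent to Django staff and superuser rights.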
@cuu508
Member

cuu508 commented Nov 6, 2018

Hey @smacktrace,

thanks for the suggestion and the pointers. Am I correct in thinking that LDAP auth option would only make sense on self-hosted instances?

I'm thinking LDAP servers are often only accessible from inside intranet, not the public internet. And, looking at the above configuration, many of the configuration settings would be different from server to server.

I think we can add a wiki page or README section with example configuration and setup instructions (of course making sure they do work), but probably would not have LDAP support enabled by default, or available in the hosted service https://healthchecks.io

@gganeshan

@cuu508 thanks a lot for this amazing tool!!!

I also have a use case where I want to set up a self-hosted instance of this app and integrate it with my org's LDAP so that all users in my org can log in to it.

> I think we can add a wiki page or README section with example configuration and setup instructions

Does the tool support LDAP integration by default??
Is this documentation already available??

@cuu508
Member

cuu508 commented Apr 2, 2019

@gganeshan no, there's no LDAP integration available "officially" at the moment.
The above configuration examples look promising to me but I have not tested them personally.

@gganeshan

@smacktrace thanks a lot for providing the above configuration.
I was able to successfully integrate my on-prem instance running in a container with on-prem LDAP.

However, now I want to take the next step and auto-assign projects to users based on their LDAP groups as documented in #299.

Have you played around with this scenario and would you know how to implement it in this app??

@cuu508 cuu508 added the feature label Aug 27, 2021
@adocampo

adocampo commented Dec 9, 2022

I'm also interested to see LDAP/AD integration. Is it in the roadmap or should I try to do it by myself? It would be painful if some update breaks my work

@cuu508
Member

cuu508 commented Dec 9, 2022

I currently am not planning to work on a LDAP/AD integration.

Feel free to have a go at it. The authentication code changes infrequently, so breakages caused by upstream changes should also be infrequent.

@healthchecks healthchecks locked and limited conversation to collaborators Dec 16, 2022
@cuu508 cuu508 converted this issue into discussion #751 Dec 16, 2022
