
If this plugin works with taiga6 please indicate

Open karezza opened this issue 4 years ago • 13 comments

Have been working to get this to work with a taiga6 docker style installation.

Thought I saw that this was confirmed to work with taiga6 but at last check I did not see such an indication.

If this does work with taiga6 please have the version updated at the Taiga Resources page & on the github page somewhere.

karezza avatar Jun 24 '21 21:06 karezza

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 03 '21 02:09 stale[bot]

There is a problem with authentication fallback to "normal" in recent Taiga versions.

Please note that the plugin tries to implement a fallback to the default authentication implementation called "normal" (FALLBACK is "normal" by default) in https://github.com/Monogramm/taiga-contrib-ldap-auth-ext/blob/728f7747aef7b3d3a3bef664dc5470b02f3bba27/taiga_contrib_ldap_auth_ext/services.py#L68 but in recent Taiga versions get_auth_plugins() returns a dictionary with a single item "ldap" only.

Warning: Since this plugin cannot provide superusers at the moment, superusers have to be defined as "normal" users (e.g. the initial user). These kinds of users are not able to log in to recent Taiga versions any more when ldap auth is enabled, because the fallback implementation to "normal" users fails.

Nevertheless I wonder whether a fallback should be implemented by the plugin itself. I would suggest the core should query all registered plugins and implement querying multiple authentication providers and the fallback itself.

MichaelHierweck avatar Oct 13 '21 10:10 MichaelHierweck
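To make the failure mode described in the previous comment concrete, here is a small Python model of the fallback logic. It is an added illustration for this thread, not the plugin's or Taiga's code: the registry dict returned by `build_registry` (a stand-in for `get_auth_plugins()`), `make_ldap_login`, `fallback_available`, and the two constructed user tables are all assumptions made for the example.

```python
# Added illustration of the LDAP -> "normal" fallback discussed in this thread.
# It is not the plugin's code; the registry, user tables, and helper names are
# constructed for the example.
from typing import Callable, Dict, Optional

# Constructed "normal" (local database) accounts: username -> password.
# The initial superuser lives here, never in the directory.
LOCAL_USERS = {"admin": "initial-superuser-pw"}

# Constructed directory accounts that would be reachable over LDAP.
LDAP_USERS = {"jdoe": "ldap-pw"}

LoginFunc = Callable[[str, str], Optional[str]]
Registry = Dict[str, Dict[str, LoginFunc]]


def normal_login(username: str, password: str) -> Optional[str]:
    """Stand-in for Taiga's built-in 'normal' backend: check the local store."""
    if LOCAL_USERS.get(username) == password:
        return username
    return None


def make_ldap_login(registry: Registry, fallback: str = "normal") -> LoginFunc:
    """Build an LDAP login function that, like the plugin with LDAP_FALLBACK,
    delegates to registry[fallback] when the directory rejects the user."""

    def ldap_login(username: str, password: str) -> Optional[str]:
        if LDAP_USERS.get(username) == password:
            return username
        fallback_plugin = registry.get(fallback)
        if fallback_plugin is None:
            # The situation from the thread: the registry holds only "ldap",
            # so there is nothing to fall back to and local superusers are
            # locked out instead of being checked against the database.
            return None
        return fallback_plugin["login_func"](username, password)

    return ldap_login


def build_registry(include_normal: bool) -> Registry:
    """Stand-in for get_auth_plugins(): older Taiga versions register 'normal'
    next to the plugin, recent ones return a dict holding only 'ldap'."""
    registry: Registry = {}
    if include_normal:
        registry["normal"] = {"login_func": normal_login}
    # The closure keeps a reference to the dict, so later entries are visible.
    registry["ldap"] = {"login_func": make_ldap_login(registry)}
    return registry


def fallback_available(registry: Registry, fallback: str = "normal") -> bool:
    """Startup check worth running once: is the configured fallback registered?"""
    return fallback in registry


def login(registry: Registry, plugin_type: str, username: str, password: str) -> Optional[str]:
    """Dispatch the way the login view does: by the 'type' field of the POST."""
    return registry[plugin_type]["login_func"](username, password)


if __name__ == "__main__":
    old = build_registry(include_normal=True)
    new = build_registry(include_normal=False)
    print("old core, local superuser:", login(old, "ldap", "admin", "initial-superuser-pw"))
    print("new core, local superuser:", login(new, "ldap", "admin", "initial-superuser-pw"))
    print("new core has fallback?", fallback_available(new))
```

Running the block shows the asymmetry: the same local superuser credentials succeed when "normal" is registered and return `None` when the registry contains only "ldap". The `fallback_available` check is the kind of guard one would want at startup so that the lock-out is reported as a configuration error rather than discovered at the login form.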

I would love to update to Taiga6, but since LDAP breaks, that's not an option! Is there any update here?

psydrohne avatar Jan 18 '22 16:01 psydrohne

I ended up using the https://github.com/robrotheram/taiga-contrib-openid-auth plugin, setting up keycloak and configuring keycloak to use ldap.

lknite avatar Jan 18 '22 17:01 lknite

Works fine with Taiga 6.5.1. By the way, you can use settings/config.py instead of settings/common.py. It's more convenient if you use ansible templating or something like that. Use LDAP_USERNAME_ATTRIBUTE = 'sAMAccountName' for Active Directory. Important: SMTP must be properly configured. E-mail fields of the AD account must be filled in.

@madmath03 many thanks for this plugin!

rootbdfy avatar Feb 08 '22 13:02 rootbdfy

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 17 '22 05:04 stale[bot]

Hello, I can confirm that it is actually working with Taiga 6.5.1.

  • install the plug-in with PIP and add the config (we created a modified docker image for this)
  • ensure that SMTP config works properly, otherwise the login fails when it tries to send the registration email
  • modify the frontend config to use ldap as login

To debug if it's not working:

  • set DEBUG=True to see why ldap login fails
  • check the "post" request of the login that it has type "ldap"

Edit: here's my Dockerfile. It allows LDAP to be configured with env variables.

```dockerfile
FROM taigaio/taiga-back:6.5.1

RUN pip install taiga-contrib-ldap-auth-ext==0.4.4
# Make DEBUG switchable by env var, then append an env-driven LDAP section to config.py.
# Inner double quotes must be escaped, otherwise the shell drops them and the
# app name is written to config.py as a bare (undefined) Python name.
RUN sed -i /taiga-back/settings/config.py -e "s/^DEBUG = False/DEBUG = os.getenv('DEBUG', 'False') == 'True'/" && \
    echo "" >> /taiga-back/settings/config.py && \
    echo "#########################################" >> /taiga-back/settings/config.py && \
    echo "##  LDAP" >> /taiga-back/settings/config.py && \
    echo "#########################################" >> /taiga-back/settings/config.py && \
    echo "ENABLE_LDAP_AUTH = os.getenv('ENABLE_LDAP_AUTH', 'False') == 'True'" >> /taiga-back/settings/config.py && \
    echo "if ENABLE_LDAP_AUTH:" >> /taiga-back/settings/config.py && \
    echo "    INSTALLED_APPS += [\"taiga_contrib_ldap_auth_ext\"]" >> /taiga-back/settings/config.py && \
    echo "    LDAP_START_TLS = os.getenv('LDAP_START_TLS', 'False') == 'True'" >> /taiga-back/settings/config.py && \
    echo "    LDAP_SERVER = os.getenv('LDAP_SERVER')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_PORT = int(os.getenv('LDAP_PORT','389'))" >> /taiga-back/settings/config.py && \
    echo "    LDAP_BIND_DN = os.getenv('LDAP_BIND_DN')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_BIND_PASSWORD = os.getenv('LDAP_BIND_PASSWORD')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_SEARCH_BASE = os.getenv('LDAP_SEARCH_BASE')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_GROUP_SEARCH_BASE = os.getenv('LDAP_GROUP_SEARCH_BASE')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_GROUP_ADMIN = os.getenv('LDAP_GROUP_ADMIN')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_USERNAME_ATTRIBUTE = os.getenv('LDAP_USERNAME_ATTRIBUTE','uid')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_EMAIL_ATTRIBUTE = os.getenv('LDAP_EMAIL_ATTRIBUTE','mail')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_FULL_NAME_ATTRIBUTE = os.getenv('LDAP_FULL_NAME_ATTRIBUTE','givenName')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_USER_MEMBER_ATTRIBUTE = os.getenv('LDAP_USER_MEMBER_ATTRIBUTE','memberUid')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_GROUP_MEMBER_ATTRIBUTE = os.getenv('LDAP_GROUP_MEMBER_ATTRIBUTE','memberUid')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_FALLBACK = os.getenv('LDAP_FALLBACK','normal')" >> /taiga-back/settings/config.py && \
    echo "    LDAP_SAVE_LOGIN_PASSWORD = os.getenv('LDAP_SAVE_LOGIN_PASSWORD', 'False') == 'True'" >> /taiga-back/settings/config.py && \
    echo "    if DEBUG:" >> /taiga-back/settings/config.py && \
    echo "        print('LDAP auth is enabled')" >> /taiga-back/settings/config.py && \
    echo "" >> /taiga-back/settings/config.py
```

micw avatar Apr 27 '22 06:04 micw

I made our modified docker images public at https://github.com/brick4u/taiga-pm-docker.

micw avatar Apr 27 '22 10:04 micw

Sorry guys, I'm not working on this anymore, so I have no idea if it still works with latest versions of Taiga.

madmath03 avatar Sep 04 '22 17:09 madmath03

Hi @rootbdfy @micw

I am struggling with taiga 6.5.1 to integrate with LDAP. I have enabled debug = true in taiga-back/settings/config.py.

Where are the logs generated? I can see taiga related logs in /var/log/syslog, but it does not contain any ldap or login related logs.

SMTP is properly working with my taiga.

I have enabled ldap in the frontend as below (nano taiga-front-dist/dist/conf.json):

```
# added the following line
"loginFormType": "ldap",
```

This is my taiga-back/settings/config.py; the LDAP config part is similar to below (LDAP is configured on another VPS):

[screenshots of config.py]

Please advise.

zohaib09 avatar Sep 18 '22 15:09 zohaib09

If I had to take a shot in the dark, I would recommend adding the configuration

```python
LDAP_MAP_USERNAME_TO_UID = None
```

At least this was a problem I encountered while setting up the plugin (I briefly mentioned it in the README of the fork I created).

If LDAP_MAP_USERNAME_TO_UID is not set, a default method is used (see the relevant code snippet), which has an incompatible signature (it also takes a model parameter), which causes the code to crash.

TuringTux avatar Sep 24 '22 22:09 TuringTux

https://github.com/TuringTux/taiga-contrib-ldap-auth-ext-2

This worked for latest Taiga 6.5.1, thank you @TuringTux

zohaib09 avatar Sep 25 '22 15:09 zohaib09

I have some trouble setting this up with 6.7.

I don't get any error messages; login just fails, even for "normal" accounts.

This is the relevant part in my config:

```python
#########################################
## LDAP
#########################################
if os.getenv("LDAP_SERVER"):
    INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]

    # Multiple LDAP servers are currently not supported, see
    # https://github.com/Monogramm/taiga-contrib-ldap-auth-ext/issues/16
    LDAP_SERVER = os.getenv("LDAP_SERVER")
    # os.getenv returns a str when the variable is set; the LDAP client
    # expects an integer port, so convert explicitly.
    LDAP_PORT = int(os.getenv("LDAP_PORT", "636"))

    LDAP_START_TLS = os.getenv('LDAP_START_TLS', 'false').lower() == 'true'

    LDAP_BIND_DN = os.getenv("LDAP_BIND_DN", "CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com")
    LDAP_BIND_PASSWORD = os.getenv("LDAP_BIND_PASSWORD")

    LDAP_SEARCH_BASE = os.getenv("LDAP_SEARCH_BASE", 'OU=DevTeam,DC=example,DC=net')

    LDAP_USERNAME_ATTRIBUTE = os.getenv("LDAP_USERNAME_ATTRIBUTE", "uid")
    LDAP_EMAIL_ATTRIBUTE = os.getenv("LDAP_EMAIL_ATTRIBUTE", "mail")
    LDAP_FULL_NAME_ATTRIBUTE = os.getenv("LDAP_FULL_NAME_ATTRIBUTE", "givenName")

    LDAP_SAVE_LOGIN_PASSWORD = False

    LDAP_MAP_USERNAME_TO_UID = None
    if DEBUG:
        print("LDAP extension enabled")
```

This is the Dockerfile I use:

```dockerfile
FROM python:3.9

RUN apt-get update -q && \
    apt-get install -q -y \
        gettext && \
    apt-get clean

RUN git clone https://github.com/kaleidos-ventures/taiga-back.git /usr/src/back

WORKDIR /usr/src/back

RUN set -e; \
    git checkout 6.7.0; \
    pip install --no-cache-dir -r requirements.txt; \
    pip install git+https://github.com/kaleidos-ventures/taiga-contrib-protected@6.7.0#egg=taiga-contrib-protected;

# Taiga contrib ldap auth ext
RUN pip install taiga-contrib-ldap-auth-ext==0.5.0

COPY docker-entrypoint.sh .
COPY settings/local.py settings/local.py

ENV DJANGO_SETTINGS_MODULE=settings.local

EXPOSE 8001
ENTRYPOINT ["./docker-entrypoint.sh"]

CMD ["gunicorn", "taiga.wsgi:application", \
     "--name", "taiga_api", \
     "--bind", "0.0.0.0:8001", \
     "--workers", "3", \
     "--worker-tmp-dir", "/dev/shm", \
     "--log-level", "info", \
     "--access-logfile", "-"]
```

My entrypoint:

```bash
#!/bin/bash
# Stop at the first failing step so a broken migration is not silently skipped.
set -e

# Inspired from: https://github.com/benhutchins/docker-taiga/blob/master/docker-entrypoint.sh

# Setup database automatically if needed
echo "Configuring initial database"
python manage.py migrate --noinput
python manage.py loaddata initial_project_templates
python manage.py compilemessages
echo "Database ready"

# Look for the static folder; if it does not exist, generate it
if [ ! -d "/usr/src/back/static" ]; then
  echo "Static folder missing, generating it"
  python manage.py collectstatic --noinput
fi

echo "Start Taiga backend Django server"
exec "$@"
```

Do you have any advice for me on how to debug this thing? Setting DEBUG to True does not seem to have any impact.

MArpogaus avatar Jul 26 '23 10:07 MArpogaus