
LDAP Integration not working

Open de-adshot opened this issue 2 years ago • 8 comments

Team,

The ldap integration for Defect Dojo is not working.

Ref - https://github.com/DefectDojo/django-DefectDojo/issues/3981

Any suggestion?

If possible, can we have LDAP integration officially as part of DefectDojo?

de-adshot avatar Jul 24 '22 08:07 de-adshot

At my company we use LDAP, I made the following code changes for it to work:

To Dockerfile.django and Dockerfile.nginx, added the following dependencies to apt-get install steps:

libldap2-dev \
libsasl2-dev \
ldap-utils \

To requirements.txt added:

python-ldap==3.4.2
django-auth-ldap==4.1.0

To settings.dist.py added the following at the top of the file:

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

Then further down added LDAP settings to env dict:

# LDAP
DD_LDAP_SERVER_URI=(str, 'ldap://ldap.mycompany.domain'),
DD_LDAP_BIND_DN=(str, ''),
DD_LDAP_BIND_PASSWORD=(str, ''),

Then under the env dict I added:

AUTH_LDAP_SERVER_URI = env('DD_LDAP_SERVER_URI')
AUTH_LDAP_BIND_DN = env('DD_LDAP_BIND_DN')
AUTH_LDAP_BIND_PASSWORD = env('DD_LDAP_BIND_PASSWORD')
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "DC=mycompany,DC=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"
)

# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "DC=mycompany,DC=com",
    ldap.SCOPE_SUBTREE,
    "(objectClass=groupOfNames)",
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")

# Simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = "CN=DD_USER_ACTIVE,DC=mycompany,DC=com"

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=DD_USER_ACTIVE,DC=mycompany,DC=com",
    "is_staff": "CN=DD_USER_STAFF,DC=mycompany,DC=com",
    "is_superuser": "CN=DD_USER_ADMIN,DC=mycompany,DC=com",
}

I also changed the AUTHENTICATION_BACKENDS variable to just be:

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.RemoteUserBackend',
    'django.contrib.auth.backends.ModelBackend',
)

Please bear in mind that I have also set up access controls with different groups here; you can simplify this if you wish. Read the docs for Django Authentication with LDAP here: https://django-auth-ldap.readthedocs.io/en/latest/

underrobyn avatar Jul 28 '22 19:07 underrobyn
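An added, stand-alone illustration (not DefectDojo's or django-auth-ldap's own code) of two things the settings above rely on: the login name substituted into AUTH_LDAP_USER_SEARCH is escaped per RFC 4515 before the search runs, and AUTH_LDAP_USER_FLAGS_BY_GROUP sets each flag only for members of the mapped group. The group DNs are constructed sample values and no directory is contacted.

```python
"""Added illustration of the user-search filter and group-to-flag mapping.
Not DefectDojo or django-auth-ldap code; sample DNs are constructed."""

# Same shape as the settings quoted in the comment above.
USER_FILTER_TEMPLATE = "(sAMAccountName=%(user)s)"
FLAGS_BY_GROUP = {
    "is_active": "CN=DD_USER_ACTIVE,DC=mycompany,DC=com",
    "is_staff": "CN=DD_USER_STAFF,DC=mycompany,DC=com",
    "is_superuser": "CN=DD_USER_ADMIN,DC=mycompany,DC=com",
}


def escape_filter_value(value):
    """RFC 4515 escaping: characters that change a filter's meaning become
    \\XX hex escapes, so a typed login name cannot widen the search."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username):
    """Expand %(user)s in the search template with the value escaped first."""
    return USER_FILTER_TEMPLATE % {"user": escape_filter_value(username)}


def flags_for(member_of):
    """Return is_active/is_staff/is_superuser for a user given the DNs of the
    groups they belong to. DNs are compared case-insensitively, as LDAP does."""
    groups = {dn.lower() for dn in member_of}
    return {flag: dn.lower() in groups for flag, dn in FLAGS_BY_GROUP.items()}


if __name__ == "__main__":
    print(build_user_filter("jdoe"))
    # A wildcard in the login name is neutralised, not interpreted.
    print(build_user_filter("*)(objectClass=*"))
    print(flags_for(["CN=DD_USER_ACTIVE,DC=mycompany,DC=com"]))
```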

@jake-cryptic By any chance, will this setting require LDAP to be reachable just when deploying, and will the MySQL connection fail if LDAP is not reachable?

image

de-adshot avatar Jul 30 '22 05:07 de-adshot

@de-adshot I think your error message is not linked to the LDAP configuration. It seems to be a bad configuration of the DB parameters in the Celery containers (beat and worker).

damiencarol avatar Jul 30 '22 08:07 damiencarol

By any chance, in

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=DD_USER_ACTIVE,DC=mycompany,DC=com",
    "is_staff": "CN=DD_USER_STAFF,DC=mycompany,DC=com",
    "is_superuser": "CN=DD_USER_ADMIN,DC=mycompany,DC=com",
}

are the above CN groups (the ones I bolded) mandatory?

And, as the names suggest, what are the staff and superuser roles designated for in DD?

de-adshot avatar Sep 11 '22 12:09 de-adshot

Dear @damiencarol and @jake-cryptic,

Any inputs for the above query will be helpful.

And as per best practices we cannot have the credentials below in plain text: AUTH_LDAP_BIND_PASSWORD = env('DD_LDAP_BIND_PASSWORD')

What approach would you suggest to comply with the policies?

de-adshot avatar Sep 18 '22 11:09 de-adshot