taiga-contrib-ldap-auth
taiga-contrib-ldap-auth copied to clipboard
ensky
Taiga plugin for LDAP authentication
Taiga contrib ldap auth
The Taiga plugin for ldap authentication.
Installation
Taiga Back
In your Taiga back python virtualenv install the pip package
taiga-contrib-ldap-auth with:
pip install taiga-contrib-ldap-auth
Modify your settings/local.py and include it on INSTALLED_APPS and add your
LDAP configuration:
INSTALLED_APPS += ["taiga_contrib_ldap_auth"]
LDAP_SERVER = 'ldap://ldap.example.com'
LDAP_PORT = 389
# Full DN of the service account use to connect to LDAP server and search for login user's account entry
# If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempated
LDAP_BIND_DN = 'CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com'
LDAP_BIND_PASSWORD = 'replace_me' # eg.
# Starting point within LDAP structure to search for login user
LDAP_SEARCH_BASE = 'OU=DevTeam,DC=example,DC=net'
# LDAP property used for searching, ie. login username needs to match value in sAMAccountName property in LDAP
LDAP_SEARCH_PROPERTY = 'sAMAccountName'
LDAP_SEARCH_SUFFIX = None # '@example.com'
# Names of LDAP properties on user account to get email and full name
LDAP_EMAIL_PROPERTY = 'mail'
LDAP_FULL_NAME_PROPERTY = 'name'
The logic of the code is such that a dedicated domain service account user performs a search on LDAP for an account that has a LDAP_SEARCH_PROPERTY value that matches the username the user typed in on the Taiga login form.
If the search is successful, then the code uses this value and the typed-in password to attempt a bind to LDAP using these credentials.
If the bind is successful, then we can say that the user is authorised to log in to Taiga.
Optionally LDAP_SEARCH_SUFFIX can be set to allow for the search to match only the beginning of a field containing e.g. an email address.
If the LDAP_BIND_DN configuration setting is not specified or is blank, then an anonymous bind is attempted to search for the login user's LDAP account entry.
RECOMMENDATION: Note that if you are using a service account for performing the LDAP search for the user that is logging on to Taiga, for security reasons, the service account user should be configured to only allow reading/searching the LDAP structure. No other LDAP (or wider network) permissions should be granted for this user because you need to specify the service account password in this file. A suitably strong password should be chosen, eg. VmLYBbvJaf2kAqcrt5HjHdG6
Taiga Front
Change in your dist/js/conf.json the loginFormType setting to "ldap":
...
"loginFormType": "ldap",
...
ensky