
ldap provider

Open metallkopf opened this issue 1 year ago • 10 comments

Add ldap as an external authentication provider.

pending work in no specific order:

  • [ ] update documentation
  • [ ] include tests
  • [ ] database migration
  • [ ] whatever i forgot

metallkopf avatar Nov 24 '24 21:11 metallkopf

Hey @metallkopf thank you for this PR! I will take a look at it, set up a test environment and check whether everything works as intended. Unfortunately I'm currently swamped at work, will take care of this on the weekend.

redimp avatar Nov 26 '24 19:11 redimp

This is what I am using:

  • to build: podman build -t ldap .
  • to run: podman run --rm -it -p 3890:389 ldap
  • settings.cfg:
    • LDAP_URI = 'ldap://localhost:3890'
    • LDAP_USERNAME = 'cn=Manager,dc=ldap,dc=local'
    • LDAP_PASSWORD = 'secret'
    • LDAP_BASE = 'dc=ldap,dc=local'
    • LDAP_SCOPE = 'subtree'
    • LDAP_DOMAIN = 'ldap.org'
  • user / password:

container.zip

metallkopf avatar Nov 29 '24 13:11 metallkopf
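As an added example that is not part of this PR or of otterwiki's code: the bind-search-bind login flow implied by the settings above (service-account bind with LDAP_USERNAME/LDAP_PASSWORD, subtree search under LDAP_BASE for the login name, then a bind as the entry found), with the two checks a reviewer would look for in an LDAP provider. The login name is escaped per RFC 4515 before it is placed in the search filter, so a value like `*` or `alice)(|(uid=` cannot widen the search, and an empty password is rejected up front, because an unauthenticated bind with an empty password succeeds on many servers (RFC 4513 section 5.1.2) and would otherwise log anyone in. The directory is a constructed in-memory stand-in so the code runs offline; `FakeDirectory`, `Entry`, `authenticate` and the sample users are hypothetical, and a real provider would issue the same three calls through python-ldap or ldap3.

```python
"""Bind-search-bind LDAP login with RFC 4515 filter escaping (added example)."""
import re
from dataclasses import dataclass

# RFC 4515 section 3: these are filter meta-characters and must be hex-escaped
# whenever an assertion value comes from user input.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, attr: str = "uid") -> str:
    """Filter that matches exactly the given login name, never a wildcard."""
    return f"({attr}={escape_filter_value(username)})"


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name -> list of values, as LDAP returns them
    password: str


class FakeDirectory:
    """Constructed stand-in for an LDAP server (hypothetical, offline only).

    Supports a simple bind and a single equality filter with '*' wildcards,
    which is enough to show why the escaping above matters.
    """

    def __init__(self, entries):
        self._entries = {e.dn.lower(): e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        e = self._entries.get(dn.lower())
        return e is not None and e.password == password

    @staticmethod
    def _pattern_to_regex(pattern: str) -> str:
        # Unescaped '*' is a substring wildcard; '\2a' etc. are literal bytes.
        out, i = [], 0
        while i < len(pattern):
            ch = pattern[i]
            if ch == "*":
                out.append(".*")
                i += 1
            elif ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", pattern[i + 1:i + 3]):
                out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
                i += 3
            else:
                out.append(re.escape(ch))
                i += 1
        return "".join(out)

    def search(self, base: str, filt: str):
        """Subtree search under `base` (the LDAP_SCOPE = 'subtree' case)."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError("only a single equality filter is supported")
        attr, regex = m.group(1), self._pattern_to_regex(m.group(2))
        hits = []
        for e in self._entries.values():
            if not e.dn.lower().endswith(base.lower()):
                continue
            if any(re.fullmatch(regex, v, re.IGNORECASE) for v in e.attrs.get(attr, [])):
                hits.append(e)
        return hits


def authenticate(directory, cfg: dict, username: str, password: str):
    """Return {'dn', 'name', 'email'} on success, None on any failure."""
    if not password:
        # Never forward an empty password: the server may treat that as an
        # unauthenticated bind and report success without checking anything.
        return None
    if not directory.bind(cfg["LDAP_USERNAME"], cfg["LDAP_PASSWORD"]):
        raise RuntimeError("service account bind failed; check LDAP_USERNAME/LDAP_PASSWORD")
    hits = directory.search(cfg["LDAP_BASE"], build_user_filter(username))
    if len(hits) != 1:
        return None  # unknown, or ambiguous: never bind to "the first match"
    entry = hits[0]
    if not directory.bind(entry.dn, password):
        return None
    # The common name is available after the search, so auto-registration
    # can fill in the display name instead of reusing the login name.
    return {
        "dn": entry.dn,
        "name": entry.attrs.get("cn", [username])[0],
        "email": entry.attrs.get("mail", [None])[0],
    }


# Constructed sample data mirroring the settings.cfg in the comment above.
SETTINGS = {
    "LDAP_USERNAME": "cn=Manager,dc=ldap,dc=local",
    "LDAP_PASSWORD": "secret",
    "LDAP_BASE": "dc=ldap,dc=local",
}
DIRECTORY = FakeDirectory([
    Entry("cn=Manager,dc=ldap,dc=local", {"cn": ["Manager"]}, "secret"),
    Entry("uid=alice,ou=people,dc=ldap,dc=local",
          {"uid": ["alice"], "cn": ["Alice Example"], "mail": ["alice@ldap.local"]}, "wonderland"),
    Entry("uid=bob,ou=people,dc=ldap,dc=local",
          {"uid": ["bob"], "cn": ["Bob Example"], "mail": ["bob@ldap.local"]}, "builder"),
])

if __name__ == "__main__":
    print(authenticate(DIRECTORY, SETTINGS, "alice", "wonderland"))
    print(authenticate(DIRECTORY, SETTINGS, "*", "wonderland"))
```

The contrast worth trying by hand: `DIRECTORY.search(SETTINGS["LDAP_BASE"], "(uid=*)")` returns both users, while `build_user_filter("*")` produces `(uid=\2a)` and matches nothing, which is why the login name must go through `escape_filter_value` rather than straight into the filter string.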

This looks promising! Unfortunately I did not get my example working ... can you check (and maybe fix) the example in docs/auth_examples/ldap-auth?

Things I want to check when we got this working:

  • [ ] Add an option to auto-create users existing in ldap
  • [ ] Consider moving LdapAuth into a separate class (like ProxyHeaderAuth)

redimp avatar Dec 01 '24 20:12 redimp

I couldn't get those docker services to work, so I integrated them into one.

The problem: not all variables were defined in server.py, so they couldn't be read from the environment.

Add an option to auto-create users existing in ldap

You mean auto-register on login? Sure, the common name can be recovered after binding.

Consider moving LdapAuth into a separate class (like ProxyHeaderAuth)

I was considering LDAP as a secondary login, allowing both types of users, but we can work something out.

PS: do you have any preference on how to implement database migrations?

metallkopf avatar Dec 02 '24 15:12 metallkopf

I couldn't get those docker services to work, so I integrated them into one.

Looks good to me. Have not tested this yet.

You mean auto-register on login?

Yes, this should be an option.

Do you have any preference on how to implement database migrations?

I'm open to suggestions. I've used flask-migrate before.

redimp avatar Dec 02 '24 17:12 redimp

Got the example working! Have to think about the best way to integrate this.

But even with a separate LdapAuth some work has to be done, like fetching information from LDAP about the users, e.g. the name. Or, for future features, groups ...?

redimp avatar Dec 05 '24 10:12 redimp

...Have to think about the best way to integrate this.

Good luck with that.

...like fetching information from ldap about the users, e.g. the Name.

I've already added retrieving the common name of a user when they self-register.

...Or for future features groups ... ?

Can you elaborate a bit more?

metallkopf avatar Dec 06 '24 01:12 metallkopf

...Or for future features groups ... ?

Can you elaborate a bit more?

The request for more fine-grained permissions has existed for a long time. I think that for a useful implementation a concept of groups is necessary (for some more details, please see https://github.com/redimp/otterwiki/issues/54#issuecomment-2002195393).

But I think that this can be implemented easily on top of your LDAP auth and is in no case a blocker.

redimp avatar Dec 08 '24 18:12 redimp

Sorry, my time is very limited at the moment 😞 Please don't let this discourage you.

The example works as expected, wonderful!

Will be on vacation in a week, will spend time on this then.

redimp avatar Dec 08 '24 19:12 redimp

I chose to implement the database migrations myself. This works for sqlite, mariadb and postgres.

redimp avatar Jan 12 '25 22:01 redimp