This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

opendatateam/udata-ldap


udata-ldap

LDAP authentication for udata with optional Kerberos support.

Requirements

To use LDAP-only authentication, you only need the udata-ldap extension.

To use SASL and SPNEGO, you need a functional Kerberos client environment.

On Debian, you can install the requirements using:

apt-get install krb5-config krb5-user libkrb5-dev

You need to configure your domain in /etc/krb5.conf. Here's a sample configuration for DOMAIN.ORG:

[libdefaults]
    default_realm = DOMAIN.ORG

[realms]
    DOMAIN.ORG = {
        # use "kdc = ..." if realm admins haven't put SRV records into DNS
        kdc = kdc.domain.org
        admin_server = kdc.domain.org:749
        default_domain = domain.org
        dns_lookup_realm = false
        dns_lookup_kdc = false
        rdns = false
    }

[domain_realm]
    domain.org = DOMAIN.ORG
    .domain.org = DOMAIN.ORG

Usage

Install the plugin package in your udata environment:

pip install udata-ldap

Then activate it in your udata.cfg:

PLUGINS = ['ldap']

NB: if using Kerberos SASL and/or SPNEGO, install it with:

pip install udata-ldap[kerberos]

Configuration

udata-ldap is built on flask-ldap3-login and therefore accepts the same parameters as described in the flask-ldap3-login documentation.

Some extra parameters are available:

Parameter                       Default value     Notes
------------------------------  ----------------  ----------------------------------------------------------------
LDAP_DEBUG                      False             Enable verbose/debug logging
LDAP_KERBEROS_KEYTAB            None              Path to an optional Kerberos keytab for this service
LDAP_KERBEROS_SERVICE_NAME      'HTTP'            The service principal as configured in the keytab
LDAP_KERBEROS_SERVICE_HOSTNAME  socket.getfqdn()  The service hostname (e.g. data.domain.com)
LDAP_KERBEROS_SPNEGO            False             Whether or not to enable passwordless authentication with SPNEGO
LDAP_KERBEROS_SPNEGO_NO_REALM   True              Automatically remove @REALM from the SPNEGO/REMOTE_USER identifier
LDAP_REMOTE_USER_ATTR           'uid'             The LDAP attribute matched against the identifier extracted from the SPNEGO handshake
LDAP_USER_FIRST_NAME_ATTR       'givenName'       The LDAP attribute to extract the first name from
LDAP_USER_LAST_NAME_ATTR        'sn'              The LDAP attribute to extract the last name from
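The following is an added example, not code from udata-ldap: it shows how the SPNEGO parameters above turn the REMOTE_USER principal into the LDAP lookup, with RFC 4515 escaping of the filter value. It goes one step beyond the page's own behaviour: the `expected_realm` field and the check that refuses to strip a realm other than the service's own are assumptions of this example, since stripping @REALM unconditionally would map jdoe@A.ORG and jdoe@B.ORG onto the same uid.

```python
# Added example (illustrative, not part of udata-ldap). Parameter names and
# defaults follow the configuration table above; expected_realm is assumed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KerberosMapping:
    LDAP_KERBEROS_SPNEGO_NO_REALM: bool = True
    LDAP_REMOTE_USER_ATTR: str = "uid"
    # Assumed for this example: the realm this service expects, as in /etc/krb5.conf.
    expected_realm: str = "DOMAIN.ORG"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the identifier cannot change the LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def remote_user_to_filter(remote_user: str, cfg: KerberosMapping) -> Optional[str]:
    """Map the REMOTE_USER principal from the SPNEGO handshake to the LDAP
    filter used to find the user; None means nobody is logged in."""
    principal = remote_user.strip()
    if not principal:
        return None
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no "@REALM" part at all
        name, realm = principal, ""
    if cfg.LDAP_KERBEROS_SPNEGO_NO_REALM:
        # Only drop the realm when it is the one this service expects; a
        # principal from any other realm must not collapse onto a local uid.
        if realm and realm.upper() != cfg.expected_realm.upper():
            return None
        identifier = name
    else:
        identifier = principal  # keep "user@REALM" as the matching value
    if not identifier:
        return None
    return "(%s=%s)" % (cfg.LDAP_REMOTE_USER_ATTR, escape_filter_value(identifier))
```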

Testing configuration

udata-ldap provides three commands to help with the configuration:

  • udata ldap config displays the LDAP configuration as seen by udata
  • udata ldap check quickly tests your LDAP configuration
  • udata ldap krbcheck quickly tests your Kerberos configuration

Testing locally with Docker

An example docker-compose.yml is provided to test locally with a FreeIPA server.

To use it, you need to copy the file ipa-server-install-options.example to ipa-server-install-options and edit it with your own parameters.

For example:

--unattended
--realm=DOMAIN.ORG
--domain=DOMAIN.ORG
--ds-password=password
--admin-password=password