udata-ldap

Release 0.3.6.dev61

LDAP authentification for udata with optional Kerberos suppport.

Homepage PyPI Python

Keywords
udata, LDAP
License
MIT
Install
pip install udata-ldap==0.3.6.dev61

Documentation

udata-ldap

LDAP authentification for udata with optionnal Kerberos suppport.

Requirements

To use LDAP only authentication, you only need the udata-ldap extension.

To use SASL and SPNEGO, you need a functional kerberos client environment.

On debian, you can install the requirements using:

apt-get install krb5-config krb5-user libkrb5-dev

You need to configure your domain in /etc/krb5.conf. Here's a sample configuration for DOMAIN.ORG:

[libdefaults]
    default_realm = DOMAIN.ORG

[realms]
    DATA.XPS = {
        #admin_server = ipa.data.xps
        # use "kdc = ..." if realm admins haven't put SRV records into DNS
        kdc = kdc.domain.org
        admin_server = kdc.domain.org:749
        default_domain = domain.org
        dns_lookup_realm = false
        dns_lookup_kdc = false
        rdns = false
    }

[domain_realm]
    domain.org = DOMAIN.ORG
    .domain.org = DOMAIN.ORG

Usage

Install the plugin package in you udata environement:

pip install udata-ldap

Then activate it in your udata.cfg:

PLUGINS = ['ldap']

NB: if using Kerberos SASL and/or SPNEGO, install it with:

pip install udata-ldap[kerberos]

Configuration

udata-ldap makes use of flask-ldap3-login and so use the same parameters as described here.

Some extra parameters are available:

Parameter Default value Notes
LDAP_DEBUG False Enable verbose/debug logging
LDAP_KERBEROS_KEYTAB None Path to an optionnal Kerberos keytab for this service
LDAP_KERBEROS_SERVICE_NAME 'HTTP' The service principal as configured in the keytab
LDAP_KERBEROS_SERVICE_HOSTNAME socket.getfqdn() The service hostname (ie. data.domain.com)
LDAP_KERBEROS_SPNEGO False Whether or not to enable passwordless authentication with SPNEGO
LDAP_KERBEROS_SPNEGO_NO_REALM True Automaticaly remove @REALM from SPNEGO/REMOTE_USER identifier
LDAP_REMOTE_USER_ATTR 'uid' The ldap attribute extracted from SPNEGO handshake to match the user
LDAP_USER_FIRST_NAME_ATTR 'givenName' The ldap attribute to extract the first name from
LDAP_USER_LAST_NAME_ATTR 'sn' The ldap attribute to extract the last name from

Testing configuration

udata-ldap provides two commands to help with the configuration:

  • udata ldap config will display the LDAP configuration seen by udata
  • udata ldap check will allow to quickly test your LDAP configuration.
  • udata ldap krbcheck will allow to quickly test your Kerberos configuration.

Testing localy with docker

An example docker-compose.yml is provided to test localy wiht a freeipa server.

To use it, you need to copy the file ipa-server-install-options.example to ipa-server-install-options and edit it with your own parameters.

ex:

--unattended
--realm=DOMAIN.ORG
--domain=DOMAIN.ORG
--ds-password=password
--admin-password=password

Stats

Dependencies
9
Dependent packages
0
Dependent repositories
0
Total releases
20
Latest release
First release
Stars
1
Forks
0
Watchers
0
Contributors
1
Repository size
53.7 KB
SourceRank
6

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.3.6.dev61
0.3.5
0.3.5.dev59
0.3.4.dev53
0.3.3
0.3.4.dev48
0.3.3.dev46
0.3.2
0.3.3.dev37
0.3.2.dev35
See all 20 releases

Contributors

Axel H.


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-23 02:35:58 UTC

Login to resync this project