Active directory, LDAP integration

[Roberto Rosario]

Just recently at work I had to get our Mayan EDMS instance to authenticate users against the main HQ Microsoft AD.  The process was not difficult, but it wasn't a breeze in the park either.  This is how I did it in case it's of help for anyone else.

I used these two libraries as they seemed the most maintained from the quick search I did.
http://www.python-ldap.org/
http://packages.python.org/django-auth-ldap/

After figuring out the corresponding OU, CN and such (which took quite a while since I'm not well versed in LDAP).  For configuration options, Mayan EDMS imports settings_local.py after importing settings.py to allow users to override the defaults without modifying any file tracked by Git, this makes upgrading by using Git's pull command extremely easy.  My settings_local.py file is as follows:


    import ldap
    from django_auth_ldap.config import LDAPSearch

    # makes sure this works in Active Directory
    ldap.set_option(ldap.OPT_REFERRALS, 0)

    AUTH_LDAP_SERVER_URI = "ldap://172.16.XX.XX:389"
    AUTH_LDAP_BIND_DN = 'cn=Roberto Rosario Gonzalez,ou=Aguadilla,ou=XX,ou=XX,dc=XX,dc=XX,dc=XX'
    AUTH_LDAP_BIND_PASSWORD = 'XXXXXXXXXXXXXX'
    AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=XX,dc=XX,dc=XX', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')

    # Populate the Django user from the LDAP directory.
    AUTH_LDAP_USER_ATTR_MAP = {
        "first_name": "givenName",
        "last_name": "sn",
        "email": "mail"
    }

    # This is the default, but I like to be explicit.
    AUTH_LDAP_ALWAYS_UPDATE_USER = True

    AUTHENTICATION_BACKENDS = (
        'django_auth_ldap.backend.LDAPBackend',
        'django.contrib.auth.backends.ModelBackend',
    )

The AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD are required because anonymous queries are not allowed in out organization's tree, my user account is being used to do the query, but a dummy account will be created and used later on.  The AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=XX,dc=XX,dc=X bit took some trial and error as it wasn't very intuitive to figure out, this is not an issue of the library, but of Active Directory and of our particular LDAP forrest.

For a more advanced example check this StackOverflow question:  http://stackoverflow.com/questions/6493985/django-auth-ldap

[Brian Dunnette]

Roberto-

Thanks - this was a huge help! I've gotten our install of Mayan authenticating against our LDAP server; however, I'm also seeing frequent errors in the logs, along the lines of:

ImproperlyConfigured: Error importing middleware common.middleware.login_required_middleware: "cannot import name models"

Any idea what the fix for this might be?

Thanks,

Brian Dunnette

[Daniel Pastusek]

Robert, Thanks for the great product. I am running into a similar issue now. We have another Django instance running django-auth-ldap and it serves as our CMS.

What I would like to do is be able to have a single sign on system (the CMS be the provider, and Mayan be a consumer), so users don't have to authenticate against both. I am trying to use https://github.com/Nitron/django-cas-consumer and https://github.com/Nitron/django-cas-provider but I am not sure Mayan is actually authenticating hitting the authentication backends, despite adding their config to the AUTHENTICATION_BACKENDS tuple. Does mayan do something else with the authentication mechanism that would explain why this module isn't being hit?

Thanks!

-Dan

[Daniel Pastusek]

Disregard. I simply didn't realize LOGIN_URL was defined further down in the settings file. This now works perfectly! (with some minor modifications to those 2 libraries to make them django 1.5+ compatible... I will submit a pull request with my changes shortly in case anyone is interested)

Thanks again for your dedication Robert.

-Dan Pastusek

On Friday, January 13, 2012 12:10:52 PM UTC-7, Roberto Rosario wrote:

[Pierluigi Tozzi]

Thank You very much !!!

Pierluigi

[bikerfreak714]

I can't seem to make this work.  Where doe this file needs to go?  Currently have 1.0rc3 installed.  I created a file under venv/lib/python2.6/site-packages/mayan/apps/main/conf/settings_local.py and it doesn't seem to be reading it.

Thanks

[Roberto Rosario]

It should go in venv/lib/python2.6/site-packages/mayan/settings/settings_local.py and then specify the settings module when launching Mayan with mayan-edms.py --settings=mayan.settings.setting_local 

http://mayan.readthedocs.org/en/latest/intro/installation.html#production-use

[bikerfreak714]

Thanks Roberto.  I was able to get LDAP authentication to work!  But when a new user logs in for the first time using LDAP, it creates a user account, but marks the user as not having a "usable password"  Is there a way to prevent this so full user creation can be automated?  At the moment, each user that logs in needs to wait for the admin to go in and reset the password.

On Friday, January 13, 2012 11:10:52 AM UTC-8, Roberto Rosario wrote:

[Victor Zele]

I can confirm this works for 2.0.2 LDAP authentication adding to the local.py settings file.  The usable password is marked red which is correct since the password is managed in LDAP/AD.

[Roberto Rosario]

Thank you for confirming that this still works!

[Subhash Pant]

Roberto,

I am adding the following code segment to local.py, with my LDAP setting. I have an older version of Mayan that has LDAP working, but looks like a few filenames have changed on the new releases.

I included the code in the local.py and ran mayan-edms.py initialsetup. However, I could not get the LDAP/AD to work. Am I missing anything?

Thanks.

[Victor Zele]

I ran the update to 2.1.1 and my Active Director/LDAP auth is still working as expected.

Below is what I had to set in my /usr/share/mayan-edms/local.py file after PIP installing the LDAP modules with:

pip install ldap

pip install python-ldap

pip install django-auth-ldap

Victor

========================

from __future__ import absolute_import

from .base import *

import ldap

from django_auth_ldap.config import LDAPSearch

#### ----cut ---
# End of file inserted

AUTH_LDAP_SERVER_URI = "ldap://AD-Servername:389"

AUTH_LDAP_BIND_DN = 'CN=BINDUSERNAME,CN=BINDUSERCN,DC=YOURDOMAIN,DC=com'

AUTH_LDAP_BIND_PASSWORD = 'BindPassword'

AUTH_LDAP_USER_SEARCH = LDAPSearch('OU=youruserOU,DC=yourdomain,DC=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')

# Populate the Django user from the LDAP directory.

AUTH_LDAP_USER_ATTR_MAP = {

"first_name": "givenName",

"last_name": "sn",

"email": "mail"

}

# This is the default, but I like to be explicit.

AUTH_LDAP_ALWAYS_UPDATE_USER = True

AUTHENTICATION_BACKENDS = (

'django_auth_ldap.backend.LDAPBackend',

'django.contrib.auth.backends.ModelBackend',

)

===========================

Then run,

supervisorctl stop all

mayan-edms.py collectstatic --noinput

supervisorctl start all

[Roberto Rosario]

I see a lot of value in including this in the documentation. Are you willing to maintain this part of the docs if included? How about adding a basic install step for a standalone OpenLDAP server?

[Victor Zele]

Sure.  But I find the documention build  process complex and hard to figure out.  Its easy for a novice to just post to this Google forum.  I don't use OpenLDAP just linked to our existing Corp AD.

:)

[Roberto Rosario]

How about switching documentation to something like http://www.mkdocs.org/? Uses markdown which simpler.

CONFIDENTIALITY NOTICE: 

This transmission may contain information which is Vimo, Inc. (DBA Getinsured) confidential and/or legally privileged. The information is intended only for the use of the individual or entity named on this transmission. If you are not the intended recipient, you are hereby notified that any disclosure, copying, or distribution of the contents of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify me by return e-mail and destroy all copies of the original message.

--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mayan-edms+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Victor Zele]

I can try that if you think its easier.

On Thursday, June 16, 2016 at 4:10:28 PM UTC-7, Roberto Rosario wrote:

How about switching documentation to something like http://www.mkdocs.org/? Uses markdown which simpler.

On Jun 16, 2016 6:47 PM, "Victor Zele" <victo...@getinsured.com> wrote:

Sure.  But I find the documention build  process complex and hard to figure out.  Its easy for a novice to just post to this Google forum.  I don't use OpenLDAP just linked to our existing Corp AD.

:)

On Thursday, June 9, 2016 at 3:13:40 PM UTC-7, Roberto Rosario wrote:

I see a lot of value in including this in the documentation. Are you willing to maintain this part of the docs if included? How about adding a basic install step for a standalone OpenLDAP server?

[Roberto Rosario]

I gave it a try and it has too many shortcomings. Retaining the current custom setup of Sphinx for the time being.

[concasau]

Hi all,

I am using Mayan EDMS through Docker, how can and where I configure and
enable LDAP function on.

Thanks all,

Joe Nguyen



--
Sent from: http://mayan-edms.1003.x6.nabble.com/

[Roberto Rosario]

We are working on it: https://gitlab.com/mayan-edms/mayan-edms-docker/issues/16#note_40193691

Subscribe to the issue to get the latest updates.