Active directory, LDAP integration


Roberto Rosario

Jan 13, 2012, 2:10:52 PM1/13/12
to mayan...@googlegroups.com
Just recently at work I had to get our Mayan EDMS instance to authenticate users against the main HQ Microsoft AD.  The process was not difficult, but it wasn't a breeze in the park either.  This is how I did it in case it's of help for anyone else.

I used these two libraries as they seemed the most maintained from the quick search I did.
http://www.python-ldap.org/
http://packages.python.org/django-auth-ldap/

After figuring out the corresponding OU, CN and such (which took quite a while since I'm not well versed in LDAP), the rest is configuration options. Mayan EDMS imports settings_local.py after importing settings.py to allow users to override the defaults without modifying any file tracked by Git; this makes upgrading with Git's pull command extremely easy. My settings_local.py file is as follows:


    import ldap
    from django_auth_ldap.config import LDAPSearch

    # makes sure this works in Active Directory
    ldap.set_option(ldap.OPT_REFERRALS, 0)

    AUTH_LDAP_SERVER_URI = "ldap://172.16.XX.XX:389"
    AUTH_LDAP_BIND_DN = 'cn=Roberto Rosario Gonzalez,ou=Aguadilla,ou=XX,ou=XX,dc=XX,dc=XX,dc=XX'
    AUTH_LDAP_BIND_PASSWORD = 'XXXXXXXXXXXXXX'
    AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=XX,dc=XX,dc=XX', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')

    # Populate the Django user from the LDAP directory.
    AUTH_LDAP_USER_ATTR_MAP = {
        "first_name": "givenName",
        "last_name": "sn",
        "email": "mail"
    }

    # This is the default, but I like to be explicit.
    AUTH_LDAP_ALWAYS_UPDATE_USER = True

    AUTHENTICATION_BACKENDS = (
        'django_auth_ldap.backend.LDAPBackend',
        'django.contrib.auth.backends.ModelBackend',
    )

The AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD are required because anonymous queries are not allowed in our organization's tree; my user account is being used to do the query, but a dummy account will be created and used later on. The AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=XX,dc=XX,dc=X bit took some trial and error, as it wasn't very intuitive to figure out. This is not an issue of the library, but of Active Directory and of our particular LDAP forest.

For a more advanced example check this StackOverflow question:  http://stackoverflow.com/questions/6493985/django-auth-ldap
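The '(SAMAccountName=%(user)s)' template in the configuration above takes the login name typed into Mayan's login form and substitutes it into an LDAP search filter. Whether that substitution is escaped decides whether a user can rewrite the filter (classic LDAP injection: a login name such as `*)(|(sAMAccountName=*` turns an equality match into a wildcard). django-auth-ldap escapes the value before substituting it (its LDAPSearch.execute defaults to escape=True, using python-ldap's escape_filter_chars). The following is an added example, not code from the thread or from Mayan EDMS or django-auth-ldap: it re-implements RFC 4515 assertion-value escaping in plain Python so the effect can be seen without a directory server, and adds a small structural check that a built filter is still a single equality match. The function names, the checker regex and the hostile login name are all constructed for the example.

```python
"""Added example: RFC 4515 escaping of a username before it is substituted
into an LDAP search filter template such as '(SAMAccountName=%(user)s)'.
Stand-alone re-implementation for illustration; django-auth-ldap performs the
same escaping itself via ldap.filter.escape_filter_chars."""
import re

# RFC 4515 section 3: these characters carry meaning inside a filter and must be
# written as backslash + two hex digits when they appear in an assertion value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# The search template as used in the thread's settings_local.py.
USER_SEARCH_TEMPLATE = "(SAMAccountName=%(user)s)"

# Accepts only "(attr=value)" where value contains no raw '(', ')', '*' or '\'
# except as a \XX escape: i.e. exactly one equality assertion.
_SINGLE_EQUALITY = re.compile(
    r"^\([A-Za-z][A-Za-z0-9-]*=((?:[^()*\\]|\\[0-9a-fA-F]{2})*)\)$"
)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, user: str, escape: bool = True) -> str:
    """Substitute the login name into the template.

    escape=False reproduces what a naive string substitution would send to the
    directory; escape=True is what django-auth-ldap actually does.
    """
    value = escape_filter_value(user) if escape else user
    return template % {"user": value}


def is_single_equality_filter(filter_str: str) -> bool:
    """True if the built filter is still one '(attr=value)' assertion."""
    return _SINGLE_EQUALITY.fullmatch(filter_str) is not None


def demo() -> dict:
    """Constructed inputs: an ordinary login and an injection attempt."""
    normal = "rrosario"
    hostile = "*)(|(sAMAccountName=*"  # tries to OR in a wildcard match
    return {
        "normal": build_user_filter(USER_SEARCH_TEMPLATE, normal),
        "naive": build_user_filter(USER_SEARCH_TEMPLATE, hostile, escape=False),
        "escaped": build_user_filter(USER_SEARCH_TEMPLATE, hostile),
    }


if __name__ == "__main__":
    for name, built in demo().items():
        print(f"{name:8s} {built!r:60s} single-equality={is_single_equality_filter(built)}")
```

Run as a script, the naive substitution yields `(SAMAccountName=*)(|(sAMAccountName=*)`, which fails the single-equality check, while the escaped form `(SAMAccountName=\2a\29\28|\28sAMAccountName=\2a)` remains one equality assertion that can only match a literal account of that odd name. The practical takeaway when adapting the thread's configuration: keep the `%(user)s` placeholder inside LDAPSearch and never pre-build the filter string from the username yourself.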

Brian Dunnette

Jul 3, 2013, 9:35:01 AM7/3/13
to mayan...@googlegroups.com
Roberto-

Thanks - this was a huge help! I've gotten our install of Mayan authenticating against our LDAP server; however, I'm also seeing frequent errors in the logs, along the lines of:

ImproperlyConfigured: Error importing middleware common.middleware.login_required_middleware: "cannot import name models"

Any idea what the fix for this might be?

Thanks,
Brian Dunnette

Daniel Pastusek

Oct 18, 2013, 5:11:24 PM10/18/13
to mayan...@googlegroups.com
Robert, Thanks for the great product. I am running into a similar issue now. We have another Django instance running django-auth-ldap and it serves as our CMS.

What I would like to do is be able to have a single sign-on system (the CMS being the provider, and Mayan a consumer), so users don't have to authenticate against both. I am trying to use https://github.com/Nitron/django-cas-consumer and https://github.com/Nitron/django-cas-provider, but I am not sure Mayan is actually hitting the authentication backends, despite adding their config to the AUTHENTICATION_BACKENDS tuple. Does Mayan do something else with the authentication mechanism that would explain why this module isn't being hit?

Thanks!
-Dan

Daniel Pastusek

Oct 18, 2013, 5:18:00 PM10/18/13
to mayan...@googlegroups.com
Disregard. I simply didn't realize LOGIN_URL was defined further down in the settings file. This now works perfectly! (with some minor modifications to those 2 libraries to make them django 1.5+ compatible... I will submit a pull request with my changes shortly in case anyone is interested)

Thanks again for your dedication Robert.

-Dan Pastusek

Pierluigi Tozzi

Nov 25, 2013, 2:30:25 AM11/25/13
to mayan...@googlegroups.com
Thank You very much !!!
Pierluigi

bikerfreak714

Aug 7, 2014, 2:30:37 PM8/7/14
to mayan...@googlegroups.com
I can't seem to make this work. Where does this file need to go? I currently have 1.0rc3 installed. I created a file under venv/lib/python2.6/site-packages/mayan/apps/main/conf/settings_local.py and it doesn't seem to be reading it.

Thanks

Roberto Rosario

Aug 7, 2014, 5:38:40 PM8/7/14
to mayan...@googlegroups.com
It should go in venv/lib/python2.6/site-packages/mayan/settings/settings_local.py, and then specify the settings module when launching Mayan with mayan-edms.py --settings=mayan.settings.settings_local

bikerfreak714

Aug 11, 2014, 10:07:39 PM8/11/14
to mayan...@googlegroups.com
Thanks Roberto. I was able to get LDAP authentication to work! But when a new user logs in for the first time using LDAP, it creates a user account but marks the user as not having a "usable password". Is there a way to prevent this so full user creation can be automated? At the moment, each user that logs in needs to wait for the admin to go in and reset the password.



Victor Zele

Apr 22, 2016, 1:11:21 PM4/22/16
to Mayan EDMS
I can confirm this works for 2.0.2 LDAP authentication adding to the local.py settings file.  The usable password is marked red which is correct since the password is managed in LDAP/AD.

Roberto Rosario

Apr 26, 2016, 6:34:49 PM4/26/16
to Mayan EDMS
Thank you for confirming that this still works!

Subhash Pant

Jun 3, 2016, 2:01:05 PM6/3/16
to Mayan EDMS
Roberto,

I am adding the following code segment to local.py, with my LDAP setting. I have an older version of Mayan that has LDAP working, but looks like a few filenames have changed on the new releases.

I included the code in the local.py and ran mayan-edms.py initialsetup. However, I could not get the LDAP/AD to work. Am I missing anything?

Thanks.

Victor Zele

Jun 7, 2016, 5:08:37 PM6/7/16
to Mayan EDMS
I ran the update to 2.1.1 and my Active Directory/LDAP auth is still working as expected.

Below is what I had to set in my /usr/share/mayan-edms/local.py file after PIP installing the LDAP modules with:

pip install ldap
pip install python-ldap
pip install django-auth-ldap

Victor
========================

    from __future__ import absolute_import

    from .base import *

    import ldap
    from django_auth_ldap.config import LDAPSearch

    #### ----cut ---
    # End of file inserted

    AUTH_LDAP_SERVER_URI = "ldap://AD-Servername:389"
    AUTH_LDAP_BIND_DN = 'CN=BINDUSERNAME,CN=BINDUSERCN,DC=YOURDOMAIN,DC=com'
    AUTH_LDAP_BIND_PASSWORD = 'BindPassword'
    AUTH_LDAP_USER_SEARCH = LDAPSearch('OU=youruserOU,DC=yourdomain,DC=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')

    # Populate the Django user from the LDAP directory.
    AUTH_LDAP_USER_ATTR_MAP = {
        "first_name": "givenName",
        "last_name": "sn",
        "email": "mail"
    }

    # This is the default, but I like to be explicit.
    AUTH_LDAP_ALWAYS_UPDATE_USER = True

    AUTHENTICATION_BACKENDS = (
        'django_auth_ldap.backend.LDAPBackend',
        'django.contrib.auth.backends.ModelBackend',
    )

===========================
Then run,

supervisorctl stop all
mayan-edms.py collectstatic --noinput
supervisorctl start all

Roberto Rosario

Jun 9, 2016, 6:13:40 PM6/9/16
to Mayan EDMS
I see a lot of value in including this in the documentation. Are you willing to maintain this part of the docs if included? How about adding a basic install step for a standalone OpenLDAP server?

Victor Zele

Jun 16, 2016, 6:47:44 PM6/16/16
to Mayan EDMS
Sure. But I find the documentation build process complex and hard to figure out. It's easy for a novice to just post to this Google forum. I don't use OpenLDAP, just linked to our existing Corp AD.

:)

Roberto Rosario

Jun 16, 2016, 7:10:28 PM6/16/16
to mayan...@googlegroups.com

How about switching documentation to something like http://www.mkdocs.org/? It uses Markdown, which is simpler.


Victor Zele

Jun 22, 2016, 4:51:49 PM6/22/16
to Mayan EDMS
I can try that if you think it's easier.


Roberto Rosario

Jul 5, 2016, 7:13:31 PM7/5/16
to Mayan EDMS
I gave it a try and it has too many shortcomings. Retaining the current custom setup of Sphinx for the time being.

concasau

Sep 15, 2017, 4:05:00 PM9/15/17
to mayan...@googlegroups.com
Hi all,

I am using Mayan EDMS through Docker. How and where can I configure and enable the LDAP function?

Thanks all,

Joe Nguyen


Roberto Rosario

Sep 15, 2017, 4:07:13 PM9/15/17
to Mayan EDMS
We are working on it: https://gitlab.com/mayan-edms/mayan-edms-docker/issues/16#note_40193691

Subscribe to the issue to get the latest updates.