Using LDAP/Kerberos for Sentry's authentication


Shashank Sahni

Feb 7, 2014, 6:20:58 AM
to gets...@googlegroups.com
Hi everyone,

I'm running a test setup of sentry. I couldn't find any instructions on using LDAP/Kerberos as backend for Sentry's authentication. Is this possible? If true, kindly point me to the correct documentation or suggest the steps needed.

Thanks,
Shashank Sahni

David Cramer

Feb 7, 2014, 8:27:00 PM
to gets...@googlegroups.com
It’s possible to use django-ldap (or similar) with Sentry I believe:


I don’t **guarantee** it works, as we made significant changes to auth, but the changes should be compatible with Django’s general authentication backends.
--
You received this message because you are subscribed to the Google Groups "sentry" group.
To unsubscribe from this group and stop receiving emails from it, send an email to getsentry+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Shashank Sahni

Feb 8, 2014, 4:28:18 AM
to gets...@googlegroups.com
Thanks David. I'll check it out and get back to you.

--
Shashank Sahni


Wellington Fan

Feb 18, 2014, 3:42:14 PM
to gets...@googlegroups.com
Hi Shashank,

I'm just about to look into LDAP auth for Sentry -- so I'm eager to hear about your experiences.

Tell us!

--
Wellington

Lance Chen

Feb 19, 2014, 6:40:48 AM
to gets...@googlegroups.com
Hello guys!

I have written a blog post about using LDAP authentication with Sentry. Comments are very welcome.
Hope this helps. http://blog.lance.tw/posts/2014/02/19/ldap-authentication-for-sentry/

On Wednesday, February 19, 2014 at 4:42:14 AM UTC+8, Wellington Fan wrote:

Shashank Sahni

Feb 19, 2014, 9:49:27 AM
to gets...@googlegroups.com
Hello Lance,

Thanks for the post. It works. I was able to successfully authenticate, but sentry prompted that the user isn't part of any team and can't make projects. What shall I do to fix this?

--
Shashank Sahni


Tony Barbieri

Feb 19, 2014, 10:20:48 AM
to gets...@googlegroups.com
I believe that you need to log in as an admin user to either set the user to admin themselves or create teams to add them to.

--
-tony

Wellington Fan

Feb 19, 2014, 10:25:05 AM
to gets...@googlegroups.com
Hey Shashank,

Related: Though I have not tried it, it looks like one may set the 'is_active', 'is_staff' and/or 'is_superuser' flags via LDAP group membership.

This is the purview of the "AUTH_LDAP_USER_FLAGS_BY_GROUP" setting:

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=django,ou=groups,dc=example,dc=com",
    "is_staff": "cn=staff,ou=django,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=superuser,ou=django,ou=groups,dc=example,dc=com"
}





On Wed, Feb 19, 2014 at 9:49 AM, Shashank Sahni <shred...@gmail.com> wrote:

Lance Chen

Feb 19, 2014, 11:27:12 AM
to gets...@googlegroups.com
Hello guys,

Setting up AUTH_LDAP_USER_FLAGS_BY_GROUP as suggested by Wellington works. To be able to view projects, the is_staff flag is needed. To be able to create projects and teams, the is_superuser flag is needed. I think setting up SENTRY_ALLOW_PROJECT_CREATION and SENTRY_ALLOW_TEAM_CREATION should also do the job, though I have not tested this. If projects/teams are not frequently created, you could alternatively keep the original database authentication backend and add a local superuser by using the sentry command.

References:

Lance
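
Added example, not part of any post in this thread and not code from Sentry or django-auth-ldap: a static check over the django-auth-ldap settings discussed above, run against a hardened and a weak sample. The function name audit_ldap_settings and the finding labels are hypothetical, the hostnames and DNs are constructed, and the group search/type values are string stand-ins for the objects a real sentry.conf.py would hold.

```python
# Added example: static checks for django-auth-ldap settings destined for sentry.conf.py.
# Group search/type values are string stand-ins for the LDAPSearch / group-type
# objects a real config would hold; all hostnames and DNs are constructed.
LDAP_BACKEND = "django_auth_ldap.backend.LDAPBackend"

def audit_ldap_settings(s):
    """Return a list of finding labels for a dict of settings."""
    findings = []
    uri = s.get("AUTH_LDAP_SERVER_URI", "")
    # Every login sends the user's password to the directory over this link.
    if not uri.startswith("ldaps://") and not s.get("AUTH_LDAP_START_TLS"):
        findings.append("cleartext-bind")
    flags = s.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {})
    # Group-derived flags need the group search and group type configured.
    if flags and not (s.get("AUTH_LDAP_GROUP_SEARCH") and s.get("AUTH_LDAP_GROUP_TYPE")):
        findings.append("flags-without-group-lookup")
    # is_superuser should map to its own group, not the one granting is_staff/is_active.
    su = flags.get("is_superuser")
    if su and su in (flags.get("is_staff"), flags.get("is_active")):
        findings.append("superuser-group-shared")
    if LDAP_BACKEND not in s.get("AUTHENTICATION_BACKENDS", ()):
        findings.append("ldap-backend-not-enabled")
    return findings

GROUPS = "ou=django,ou=groups,dc=example,dc=com"
HARDENED = {
    "AUTH_LDAP_SERVER_URI": "ldaps://ldap.example.com",
    "AUTH_LDAP_GROUP_SEARCH": "LDAPSearch(GROUPS, SCOPE_SUBTREE, '(objectClass=groupOfNames)')",
    "AUTH_LDAP_GROUP_TYPE": "GroupOfNamesType()",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
        "is_active": "cn=active," + GROUPS,
        "is_staff": "cn=staff," + GROUPS,
        "is_superuser": "cn=superuser," + GROUPS,
    },
    "AUTHENTICATION_BACKENDS": (LDAP_BACKEND, "django.contrib.auth.backends.ModelBackend"),
}
# Weak variant: plain ldap://, no group lookup, one group grants both flags.
WEAK = dict(HARDENED, AUTH_LDAP_SERVER_URI="ldap://ldap.example.com",
            AUTH_LDAP_GROUP_SEARCH=None,
            AUTH_LDAP_USER_FLAGS_BY_GROUP={"is_staff": "cn=staff," + GROUPS,
                                           "is_superuser": "cn=staff," + GROUPS})

if __name__ == "__main__":
    print("hardened:", audit_ldap_settings(HARDENED))
    print("weak:", audit_ldap_settings(WEAK))
```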

Lance Chen

Feb 19, 2014, 11:37:35 AM
to gets...@googlegroups.com
Alternatively, you could use the sentry (django) shell to apply flags to specific users manually.

$ sentry --config=sentry.conf.py shell
>>> from sentry.models import User
>>> user = User.objects.get(username='<username>')
>>> user.is_superuser = True
>>> user.save()

Lance

Shashank Sahni

Feb 20, 2014, 12:52:03 PM
to gets...@googlegroups.com
Thank you everyone for the response. I used SENTRY_ALLOW* options to give access to the users.

--
Shashank Sahni