ReDBox-Mint: LDAP plugin queries


Grant Jackson

Dec 5, 2012, 1:27:53 AM
to redbo...@googlegroups.com
Hi all,

We are considering using LDAP for authentication only & managing roles internally within ReDBox-Mint 1.5.1 or 1.5.2.2. The intent is that the ReDBox-Mint app administrator does not need to update (or request someone else to update) LDAP attributes for roles. Hence we've configured home/system-config.json to use the ldap-authentication plugin but not the ldap-roles plugin. Please let me know if there is a better model we should use?

Once we enable LDAP, everyone at our institution can log in (unless we enable some form of restriction outside the ReDBox-Mint app), but users who are not configured will have an 'empty' role.

1) Has anyone taken steps to limit the logins? E.g. perhaps via the ReDBox-Mint app, TCP Wrappers, or Apache ModSecurity?

2) Is there a method to configure ReDBox-Mint to try 'internal' authentication first & if that fails try ldap auth next?

Thank you.

Cheers, Grant

Andrew Brazzatti

Dec 5, 2012, 5:03:58 PM
to ReDBox Developer List
Hi Grant,

There shouldn't be any problem with using the LDAP authentication plugin with the internal roles plugin.

To answer your questions:

1) I'm not sure what others have done, but the simplest thing to do would be to edit the login script in your institutional build to add a check to it to see if any roles exist for the user and reject if the list is empty.
2) The order in which it tries the authentication methods is defined by the order you have specified them in your system-config.json. Here's the code that performs authentication

Thanks,
Andrew
--
You received this message because you are subscribed to the Google Groups "ReDBox Development" group.
To post to this group, send an email to redbo...@googlegroups.com.
To unsubscribe from this group, send email to redbox-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Grant Jackson

Dec 6, 2012, 1:38:54 AM
to redbo...@googlegroups.com
Hi Andrew.

Excellent, thanks for the great info.


1) I notice that there is always 'guest' in the roles list even if home/security/roles.properties has no entry for the (LDAP or internal) user, hence I reject the login if the roles list is empty or contains only the 'guest' role. I'm not a software developer nor very familiar with Python, but I have hacked changes as per the attachment (which appears to work for 1.5.1).


2) I confirm the following system-config.json gives both internal *and* LDAP authentication (after building 1.5.1 as per https://groups.google.com/forum/?fromgroups=&hl=en#!searchin/redbox-dev/ldap/redbox-dev/JieKUaM8CSo/Uekxkrv9_kAJ).

    "authentication": {
        "type": "internal,ldap",
        "internal": {
            "path": "${fascinator.home}/security/users.properties"
        },
        "ldap": {
                "baseURL": "...",
                "baseDN": "...",
                "idAttribute": "..."
        }
    },

Cheers, Grant
(Attachment: login.py.txt)
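The login flow described in this exchange, as an added Python example: Andrew's point that the backends are tried in the order listed in "type", and Grant's gate that rejects a session whose only role is 'guest'. This is not ReDBox or Fascinator code and not the login.py attachment (which is not reproduced on this page). The "user=password" and "user=role1,role2" layouts of users.properties and roles.properties, the backend function shape, and the LDAP stand-in are assumptions, and the sample entries are constructed.

```python
"""Added example: ordered authentication chain plus a roles-based login gate.
Not ReDBox/Fascinator code; backends are stand-ins and no LDAP connection is made."""
import hmac
from typing import Callable, Dict, List, Optional

# Constructed sample of home/security/users.properties (assumed "user=password" form).
USERS_PROPERTIES = """
# internal accounts only
admin=s3cret
"""

# Constructed sample of home/security/roles.properties (assumed "user=role1,role2" form).
ROLES_PROPERTIES = """
admin=admin,researcher
alice=researcher
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value, '#'/'!' comments and blank lines ignored."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def internal_auth(users: Dict[str, str]) -> Callable[[str, str], bool]:
    """Stand-in for the 'internal' plugin: look the user up in users.properties."""
    def check(username: str, password: str) -> bool:
        stored = users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)
    return check


def fake_ldap_auth(directory: Dict[str, str]) -> Callable[[str, str], bool]:
    """Stand-in for an LDAP simple bind; `directory` maps uid -> password (constructed).
    A real server treats a DN with an empty password as an *unauthenticated* bind that
    succeeds without proving anything (RFC 4513 5.1.2), so an empty password is rejected
    here before it could ever reach a bind call."""
    def check(username: str, password: str) -> bool:
        stored = directory.get(username)
        if not password or stored is None:
            return False
        return hmac.compare_digest(stored, password)
    return check


def authenticate(auth_type: str, backends: Dict[str, Callable[[str, str], bool]],
                 username: str, password: str) -> Optional[str]:
    """Try each backend named in the comma-separated "type" value, in that order.
    Returns the name of the first backend that accepts the credentials, else None."""
    for name in (n.strip() for n in auth_type.split(",")):
        if name not in backends:
            raise KeyError(f"authentication backend '{name}' is configured but not available")
        if backends[name](username, password):
            return name
    return None


def effective_roles(username: str, roles_map: Dict[str, str]) -> List[str]:
    """Roles from roles.properties plus the implicit 'guest' role Grant observed on every session."""
    configured = {r.strip() for r in roles_map.get(username, "").split(",") if r.strip()}
    return sorted(configured | {"guest"})


def login_allowed(roles: List[str]) -> bool:
    """Grant's gate: refuse the session when 'guest' is the only role present."""
    return bool(set(roles) - {"guest"})


def login(auth_type: str, backends: Dict[str, Callable[[str, str], bool]],
          roles_map: Dict[str, str], username: str, password: str) -> dict:
    """Authenticate, then apply the roles gate; returns a small result record."""
    backend = authenticate(auth_type, backends, username, password)
    if backend is None:
        return {"ok": False, "reason": "bad credentials"}
    roles = effective_roles(username, roles_map)
    if not login_allowed(roles):
        return {"ok": False, "reason": "no roles assigned", "backend": backend}
    return {"ok": True, "backend": backend, "roles": roles}


if __name__ == "__main__":
    users = parse_properties(USERS_PROPERTIES)
    roles = parse_properties(ROLES_PROPERTIES)
    backends = {"internal": internal_auth(users),
                "ldap": fake_ldap_auth({"alice": "pw1", "bob": "pw2"})}
    for who, pw in (("admin", "s3cret"), ("alice", "pw1"), ("bob", "pw2"), ("alice", "")):
        print(who, login("internal,ldap", backends, roles, who, pw))
```

One consequence of the ordering worth keeping in mind: with "internal,ldap", any username present in users.properties is answered by the internal file before LDAP is consulted, so the internal file is best kept to the handful of administrative accounts rather than mirroring directory users.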

Cyrus, Sio Fai Keong

Jul 31, 2013, 8:03:31 PM
to redbo...@googlegroups.com
Hi, I tried to use LDAP with 1.6, with the configuration suggested by Grant:


    "authentication": {
        "type": "ldap,internal",

        "internal": {
            "path": "${fascinator.home}/security/users.properties"
        },
        "ldap": {
                "baseURL": "...",
                "baseDN": "...",
                "idAttribute": "..."
        }
    },

The LDAP plugin is not working, so I tried to modify the source code to print more debug messages, and it seems that the username and password weren't passed to the LDAPAuthentication module at all.

Has anyone used ReDBox 1.6 with LDAP successfully?


Charlie Ambrose

Jul 31, 2013, 10:48:11 PM
to redbo...@googlegroups.com
Hi Keong / all,

The LDAP plugin (https://github.com/the-fascinator-contrib/plugin-authentication-ldap) was modified to enable binding using an account. (See README.md via the above URL for details.)

Because of the changes, you will probably need to add "ldapSecurityPrincipal" and "ldapSecurityCredentials" fields to your system-config.json to get LDAP binding to work. (Leave them blank to bind anonymously.)

Here's a copy-paste from the system-config.json used at LTU:

--- snip : start ---
    "authentication": {
        "type": "internal,ldap",
        "internal": {
            "path": "${fascinator.home}/security/users.properties"
        },
        "ldap": {
          "baseURL": "ldap://ltu.edu.au:389",
          "baseDN": "ou=*****,dc=****,dc=****,dc=***",
          "ldapSecurityPrincipal": "cn=*****,ou=*****,dc=*****,dc=*****,dc=*****",
          "ldapSecurityCredentials": "*****",
          "idAttribute": "cn",
          "ldapRoleAttribute": "primaryGroupID",
          "ldapRoleMap": [
             {
                 "ldapRoleAttrValue": "****",
                 "roles": ["researcher"]
             }
          ]
        }
    },
    "roles": {
        "type": "internal,ldap",
        "internal": {
            "path": "${fascinator.home}/security/roles.properties"
        },
        "ldap": {
          "baseURL": "ldap://*****:389",
          "baseDN": "ou=*****,dc=***,dc=***,dc=***",
          "ldapSecurityPrincipal": "cn=***,ou=****,dc=***,dc=***,dc=***",
          "ldapSecurityCredentials": "***",
          "idAttribute": "cn",
          "ldapRoleAttribute": "primaryGroupID",
          "ldapRoleMap": [
             {
                 "ldapRoleAttrValue": "***",
                 "roles": ["researcher"]
             }
          ]
        }
    },
--- snip : stop ---

Regards,

--Charlie

--
Charlie Ambrose
Research Data Coordinator (Digital Infrastructure)
Library | La Trobe University | Bundoora Vic 3086 Australia
T: +613 9479 1571 | M: +61 416 793 456 | E: c.am...@latrobe.edu.au
W: http://www.lib.latrobe.edu.au/
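The bind and role-mapping semantics of Charlie's configuration, as an added Python example (not code from plugin-authentication-ldap or ReDBox). It reads a fragment in the same shape as the snippet above, decides whether the LDAP section will bind anonymously or with the service account (blank principal and credentials mean anonymous, per the README note quoted above), applies ldapRoleMap to a directory entry, and merges roles from every plugin listed in "type". The host, DNs, group IDs and credential are placeholders; treating primaryGroupID values as strings for comparison, and the warning checks, are this example's own choices, not the plugin's documented behaviour.

```python
"""Added example: interpret the LDAP sections of a ReDBox system-config.json.
Not plugin-authentication-ldap code; all directory values below are constructed."""
import json
from typing import Dict, List

# Constructed fragment in the same shape as the thread's config; placeholders throughout.
SYSTEM_CONFIG = json.loads("""
{
  "authentication": {
    "type": "internal,ldap",
    "internal": {"path": "${fascinator.home}/security/users.properties"},
    "ldap": {
      "baseURL": "ldap://ldap.example.edu:389",
      "baseDN": "ou=people,dc=example,dc=edu",
      "ldapSecurityPrincipal": "cn=redbox-svc,ou=service,dc=example,dc=edu",
      "ldapSecurityCredentials": "placeholder-password",
      "idAttribute": "cn"
    }
  },
  "roles": {
    "type": "internal,ldap",
    "internal": {"path": "${fascinator.home}/security/roles.properties"},
    "ldap": {
      "baseURL": "ldap://ldap.example.edu:389",
      "baseDN": "ou=people,dc=example,dc=edu",
      "ldapSecurityPrincipal": "cn=redbox-svc,ou=service,dc=example,dc=edu",
      "ldapSecurityCredentials": "placeholder-password",
      "idAttribute": "cn",
      "ldapRoleAttribute": "primaryGroupID",
      "ldapRoleMap": [
        {"ldapRoleAttrValue": "513",  "roles": ["researcher"]},
        {"ldapRoleAttrValue": "1105", "roles": ["researcher", "librarian"]}
      ]
    }
  }
}
""")


def bind_mode(ldap_cfg: dict) -> str:
    """'anonymous' when principal and credentials are both blank, 'simple' when both
    are set; one without the other is treated as a misconfiguration."""
    principal = (ldap_cfg.get("ldapSecurityPrincipal") or "").strip()
    secret = ldap_cfg.get("ldapSecurityCredentials") or ""
    if not principal and not secret:
        return "anonymous"
    if principal and secret:
        return "simple"
    raise ValueError("ldapSecurityPrincipal and ldapSecurityCredentials must both be set or both be blank")


def ldap_roles_for(ldap_cfg: dict, entry_attrs: dict) -> List[str]:
    """Apply ldapRoleMap to one directory entry's attributes. Values are compared as
    strings because primaryGroupID is an integer in Active Directory while the map
    stores it as a JSON string (assumption about the comparison, not plugin behaviour)."""
    raw = entry_attrs.get(ldap_cfg["ldapRoleAttribute"], [])
    values = {str(v) for v in (raw if isinstance(raw, list) else [raw])}
    roles = set()
    for mapping in ldap_cfg.get("ldapRoleMap", []):
        if str(mapping["ldapRoleAttrValue"]) in values:
            roles.update(mapping["roles"])
    return sorted(roles)


def resolve_roles(cfg: dict, username: str, internal_roles: Dict[str, List[str]],
                  entry_attrs: dict) -> List[str]:
    """Union of roles from every plugin named in roles."type", in the configured order."""
    roles = set()
    for name in (n.strip() for n in cfg["roles"]["type"].split(",")):
        if name == "internal":
            roles.update(internal_roles.get(username, []))
        elif name == "ldap":
            roles.update(ldap_roles_for(cfg["roles"]["ldap"], entry_attrs))
        else:
            raise KeyError(f"unknown roles plugin '{name}'")
    return sorted(roles)


def config_warnings(cfg: dict) -> List[str]:
    """Pre-deployment checks over both LDAP sections (this example's own checks)."""
    warnings = []
    for section in ("authentication", "roles"):
        ldap_cfg = cfg.get(section, {}).get("ldap")
        if not ldap_cfg:
            continue
        mode = bind_mode(ldap_cfg)
        if ldap_cfg.get("baseURL", "").startswith("ldap://") and mode == "simple":
            warnings.append(f"{section}.ldap: simple bind over plain ldap:// sends bind "
                            "passwords in clear unless StartTLS is negotiated; prefer ldaps://")
        if mode == "anonymous" and ldap_cfg.get("ldapRoleMap"):
            warnings.append(f"{section}.ldap: anonymous bind may not be permitted to read "
                            f"{ldap_cfg.get('ldapRoleAttribute')}, so ldapRoleMap may yield no roles")
    return warnings


if __name__ == "__main__":
    print(resolve_roles(SYSTEM_CONFIG, "alice", {"alice": ["admin"]}, {"primaryGroupID": 513}))
    for w in config_warnings(SYSTEM_CONFIG):
        print("WARNING:", w)
```

Because the service-account password sits in system-config.json in clear, the file's permissions matter as much as the bind mode: it should be readable only by the account the application runs as.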
