We have Sage 6.7 installed and are successfully using LDAP authentication for logins, however we would like to restrict access to a specific department. In our case the filter would be 'department=Math', so the login query would need to be something like (&(uid=username)(department=Math))
I've been poking around in local/lib/python2.7/site-packages/sagenb-0.11.4-py2.7.egg/sagenb/notebook/auth.py and added the following under _ldap_search:
query = "(&(" + query + ")(department=Math))"
I generated a new auth.pyc, but this doesn't seem to change which accounts can log in. I'm not sure if I'm just in the wrong bit of code, or I'm doing something else wrong (I'm not familiar with Python). Could someone possibly point me to the correct file and perhaps provide an example of including a filter to limit the allowed users?
It's probably better to ask on sage-notebook. I cc there.
On Wednesday, 29 July 2015 18:37:28 UTC+1, Jeff Taylor wrote:
> We have Sage 6.7 installed and are successfully using LDAP authentication for logins, however we would like to restrict access to a specific department. In our case the filter would be 'department=Math', so the login query would need to be something like (&(uid=username)(department=Math))
> I've been poking around in local/lib/python2.7/site-packages/sagenb-0.11.4-py2.7.egg/sagenb/notebook/auth.py and added the following under _ldap_search:
> query = "(&(" + query + ")(department=Math))"
> Now I'm just down to fine-tuning my filter for the appropriate
> departments and confirming it works.
Can you write a manual after having this done? I guess that it would be
useful for many administrators.
Not exactly a manual, but I can certainly share how I made my changes...
Aha! What I meant was whether you could contribute a short-but-complete description that would expand upon https://github.com/sagemath/sagenb#ldap-authentication - unless that really is all there is to it?
--
You received this message because you are subscribed to the Google Groups "sage-notebook" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sage-noteboo...@googlegroups.com.
Visit this group at http://groups.google.com/group/sage-notebook.
For more options, visit https://groups.google.com/d/optout.
If you think this would be useful for other users, it should be fairly trivial to add a config option to extend the LDAP query in server_conf.py, and then use e.g.
    query = filter_format(
        '(&(%s=%s)(%s))', (self._conf['ldap_username_attrib'], username,
                           self._conf['ldap_custom_filter']))
Which is surely preferable over adding "modify some code here and here" to the documentation.
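Added example (not part of the thread and not sagenb code): one way to combine the login name with an administrator-supplied restriction such as department=Math, escaping only the login name so that it cannot change the filter's structure. The function names are hypothetical, escape_filter_value stands in for python-ldap's escape_filter_chars, and the sample inputs are constructed.

```python
# Added example; not sagenb code. Function names are hypothetical.

def escape_filter_value(value):
    """Escape RFC 4515 filter metacharacters in an assertion value.

    Stand-in for python-ldap's ldap.filter.escape_filter_chars so the
    example runs without python-ldap installed.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def _balanced(filter_text):
    """True if parentheses nest correctly. Literal parentheses inside
    values must be written \\28 / \\29, so every '(' or ')' is structural."""
    depth = 0
    for ch in filter_text:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_login_filter(username_attrib, username, custom_filter=None):
    """Build (&(attrib=username)(custom_filter)).

    username comes from the login form and is escaped; custom_filter comes
    from the administrator's configuration and is inserted as filter syntax.
    """
    user_part = '(%s=%s)' % (username_attrib, escape_filter_value(username))
    if not custom_filter:
        return user_part
    custom = custom_filter.strip()
    if not custom.startswith('('):
        custom = '(%s)' % custom      # accept 'department=Math' as written
    if not _balanced(custom):
        raise ValueError('unbalanced parentheses in custom filter: %r' % custom)
    return '(&%s%s)' % (user_part, custom)


if __name__ == '__main__':
    # Constructed sample inputs.
    print(build_login_filter('uid', 'jtaylor', 'department=Math'))
    print(build_login_filter('uid', 'jt)(department=*', 'department=Math'))
    print(build_login_filter(
        'uid', 'jtaylor', '(|(department=Math)(department=Statistics))'))
```

filter_format escapes every value passed to it, so a configured filter containing its own parentheses, such as (|(department=Math)(department=Statistics)), has to be spliced in as filter syntax rather than passed as one of its arguments.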
I'm probably not the best person to be giving a code review here. I don't actually know much about Sage and have never worked with Python before. Someone else in our IT department set Sage up on the server, and I only got involved because of my experience with LDAP.
But at the very least you know whether something is working properly when it comes to LDAP...
After much debugging, it turns out the LDAP bind account I was given didn't have the ability to read fields other than the uid. I was provided with another account and the full query filter is now working as intended. Now I'm just down to fine-tuning my filter for the appropriate departments and confirming it works.