LDAP plugin


James Wettenhall

Oct 6, 2013, 8:38:51 AM
to tardis...@googlegroups.com
Hi,

We've been using LDAP authentication in our MyTardis deployment for a while, but we haven't been using the standard LDAP auth plugin, because the LDAP server we were using up until now was behind a firewall, so some trickery was needed - thanks Steve A.

I have now given our MyTardis deployment the ability to authenticate against the CVL's LDAP server (in addition to our existing LDAP-behind-a-firewall auth provider), but I encountered 2 problems, so I had to make a few changes to the LDAP auth plugin to get it to work for me.

1. Firstly, I got this error:

TypeError at /login/
__init__() takes at least 10 arguments (1 given)
Request Method: POST
Django Version: 1.5.1
Exception Type: TypeError
Exception Value:
__init__() takes at least 10 arguments (1 given)
Exception Location: /opt/mytardis/releases/28d0c3e3957a97682ddc4f2736b9ce4be4a56c89/tardis/tardis_portal/auth/authservice.py in _safe_import, line 106
Python Executable: /opt/mytardis/releases/28d0c3e3957a97682ddc4f2736b9ce4be4a56c89/bin/uwsgi
Python Version: 2.7.3

which suggested to me that MyTardis was expecting something like this in ldap_auth.py:

class LDAPBackend(AuthProvider, UserProvider, GroupProvider):
    def __init__(self):
        self._name = "ldap"

        # Basic info
        self._url = settings.LDAP_URL
        self._base = settings.LDAP_BASE
        ...

instead of this:

class LDAPBackend(AuthProvider, UserProvider, GroupProvider):
    def __init__(self, name, url, base, login_attr, user_base,
                 user_attr_map, group_id_attr, group_base,
                 group_attr_map, admin_user='', admin_pass=''):
        self.name = name

        # Basic info
        self._url = url

2. The second problem I encountered was an:

ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'}

exception, coming from ldap_auth.py's authenticate method, because it was using "self._base" instead of "self._user_base" in the simple_bind below:

    #
    # AuthProvider
    #
    def authenticate(self, request):
        ...
        l.simple_bind(userRDN + ',' + self._base, password)
        ldap_result = l.search_s(self._user_base, ldap.SCOPE_SUBTREE,
                                      userRDN, retrieveAttributes)

Some LDAP directories (inside Intranets) allow this type of search without binding first, but binding is required to search the CVL's LDAP, and you can't bind to our LDAP directory with "uid=username,dc=cvl,dc=massive,dc=org,dc=au", only with "uid=username,ou=People,dc=cvl,dc=massive,dc=org,dc=au", i.e. userRDN + "," + self._user_base.

Cheers,
James
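
The "bind first, then search" flow James describes, as an added example that is not part of the original post or of MyTardis: it runs against a constructed in-memory stand-in for a python-ldap connection (FakeLDAPConnection, InsufficientAccess, InvalidCredentials, bind_dn and ldap_authenticate are all assumed names, not the plugin's), builds the bind DN from userRDN + ',' + user_base as the post recommends, and escapes the login name before it goes into that DN.

```python
# Added example, not MyTardis or python-ldap code: the "bind first, then
# search" flow from the post, run against a constructed in-memory stand-in for
# a python-ldap connection. Assumed names: FakeLDAPConnection,
# InsufficientAccess, InvalidCredentials, bind_dn, ldap_authenticate.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE

class InsufficientAccess(Exception):  # stands in for ldap.INSUFFICIENT_ACCESS
    pass

class InvalidCredentials(Exception):  # stands in for ldap.INVALID_CREDENTIALS
    pass

def escape_dn_value(value):
    """RFC 4514 escaping (python-ldap ships ldap.dn.escape_dn_chars): a
    user-supplied login name must not add RDN components to the bind DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def bind_dn(username, user_base, login_attr="uid"):
    """userRDN + ',' + user_base, i.e. under ou=People, not the bare base."""
    return "%s=%s,%s" % (login_attr, escape_dn_value(username), user_base)

class FakeLDAPConnection:
    """Constructed stand-in. entries: {dn: {attr: [values]}}. Like the CVL
    server in the post it refuses any search before a successful bind. It
    compares strings case-insensitively, ignores attrlist, parses nothing."""
    def __init__(self, entries):
        self.entries = {dn.lower(): a for dn, a in entries.items()}
        self.bound_dn = None

    def simple_bind(self, dn, password):
        entry = self.entries.get(dn.lower())
        if entry is None or entry.get("userPassword") != [password]:
            raise InvalidCredentials({"desc": "Invalid credentials"})
        self.bound_dn = dn

    def search_s(self, base, scope, filterstr, attrlist=None):
        if self.bound_dn is None:
            raise InsufficientAccess({"desc": "Insufficient access"})
        attr, _, val = filterstr.strip("()").partition("=")
        return [(dn, a) for dn, a in self.entries.items()
                if dn.endswith(base.lower()) and a.get(attr) == [val]]

def ldap_authenticate(conn, username, password, user_base, login_attr="uid"):
    """Bind as the user under user_base, then look up the entry's attributes."""
    conn.simple_bind(bind_dn(username, user_base, login_attr), password)
    filt = "(%s=%s)" % (login_attr, username)  # real code: ldap.filter.escape_filter_chars
    results = conn.search_s(user_base, SCOPE_SUBTREE, filt, ["cn", "mail"])
    return results[0][1] if len(results) == 1 else None
```

Binding with the bare base (dc=cvl,dc=massive,dc=org,dc=au) fails against the stand-in just as it does against the CVL directory, because no entry exists at that DN.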

Steve Androulakis

Oct 6, 2013, 8:51:03 AM
to tardis...@googlegroups.com
Thanks James. It looks like we've been okay so far with search without binding, at least for the Monash Authcate which indeed doesn't represent every case (or even most cases). So thanks for pointing this out, and there needs to be support for "bind first, then search" indeed!

Steve


