LDAP Authentication in 2.4

37 views
Skip to first unread message

Enrico Secco

unread,
Sep 18, 2019, 8:30:50 AM9/18/19
to TurboGears
Hi, I'm trying to implement a connection to the active directory system of my domain.
In the documentation I find the necessary change to the app_cgf.py file.
But it seems to me related to the old versions because it uses:
base_config.auth_backend = 'ldapauth'
without using the new method: base_config.update_blueprint
I tried to translate the code for 2.4, assuming I could transform (I don't know if it is correct ...):
base_config.sa_auth.cookie_secret = 'secret'
base_config
.auth_backend = 'ldapauth'

in:
base_config.update_blueprint ({
   
'sa_auth.cookie_secret': 'secret',
   
'auth_backend': 'ldapauth',
})


But when I go to define:
class ApplicationAuthMetadata (TGAuthMetadata):
     
def __init __ (self, sa_auth):
         
self.sa_auth = sa_auth

to then connect it to the configuration:
base_config.sa_auth.authmetadata = ApplicationAuthMetadata (
     base_config
.sa_auth)


with the update_blueprint method I cannot pass the sa_auth parameter which is not defined.

base_config.update_blueprint ({
   
'sa_auth.authmetadata': ApplicationAuthMetadata (?????????????)
})


I get the impression that there are also repoze.who problems because I had to modify repoze.who.plugins.sa (implements -> @implementer). So maybe python3 porting is not yet possible ...

Any advice is appreciated.
Thanks in advance.
Enrico

Alessandro Molina

unread,
Sep 25, 2019, 4:03:18 PM9/25/19
to TurboGears
Hi Enrico,

Newer versions of TG don't use the sqlalchemy plugin of repoze anymore, that was replace by the authenticate method in ApplicationAuthMetadata.

Regarding ApplicationAuthMetadata itself, you want to initialise it with the specific arguments it needs instead of passing the whole `sa_auth` object. You can of course pass base_config.get_blueprint_view("sa_auth") to do exactly what you were doing before, but I'd say it's just best to pass the explicit things that you want in __init__



--
You received this message because you are subscribed to the Google Groups "TurboGears" group.
To unsubscribe from this group and stop receiving emails from it, send an email to turbogears+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/turbogears/cbe07668-6710-4ebc-8a30-6cd676161bcc%40googlegroups.com.

Enrico Secco

unread,
Sep 26, 2019, 5:32:33 AM9/26/19
to TurboGears
Hi Alessandro,
Thanks for the reply.
I tried to implement the proposed solution in the documentation: https://turbogears.readthedocs.io/en/latest/cookbook/ldap-auth.html
The page appears to be outdated. I thought it was up to date because the example uses the new approach:

from tg.configuration.auth import TGAuthMetadata
class ApplicationAuthMetadata (TGAuthMetadata):


But he doesn't use blueprints
. Is it a mix of old and new style?

But then, if I can't use repoze.who plugins, do I have to import a generic LDAP connection package and write my functions?

Best regards.
Enrico
To unsubscribe from this group and stop receiving emails from it, send an email to turbo...@googlegroups.com.

Alessandro Molina

unread,
Sep 28, 2019, 4:42:44 AM9/28/19
to TurboGears
You are correct. It wasn't updated to 2.4
I'll update that page as soon as I can.

You can use the plugins if you want. That's not going to be removed.

What changed is just that in most simple cases, instead of having to write a whole repoze plugin, you can just edit the `authenticate` method in ApplicationAuthMetadata and authenticate the user there.
To authenticate against a sqlalchemy/mongodb dataset the default quickstart now goes that way so it's easier for turbogears users to tweak the authentication as they wish. 
So generally the repoze.who plugins for sqlalchemy and mongo are now pointless (and are no longer needed nor installed by the quickstart).
But other kind of plugins, like the LDAP one, are still perfectly available and usable.


To unsubscribe from this group and stop receiving emails from it, send an email to turbogears+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/turbogears/4248a697-daf2-4e96-b97e-4f61ab0dceca%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages