Skip to content

Instantly share code, notes, and snippets.

@phspagiari

phspagiari/README.md

Last active August 29, 2015 14:16
Show Gist options
  • Save phspagiari/76165b35bae1b8e5a891 to your computer and use it in GitHub Desktop.
Save phspagiari/76165b35bae1b8e5a891 to your computer and use it in GitHub Desktop.
Download ZIP
Patch for Deis use LDAP Authentication
Raw
README.md

PoC: Deis with LDAP/AD Authentication

Requirements

Step 1: Get the following info from your LDAP

  • Endpoint (Ex.: ldap://ldap.company.com or ldaps://ldap.secure.company.com)
  • Bind DN: Full user for bind. (Ex.: [email protected]. Allow blank for anonymous bind)
  • BIND Password: Password for bind. (Allow blank for anonymous bind)
  • Users Base DN: The base Distinguished Name where your LDAP users are placed. (Ex.: OU=TeamX,DC=Company,DC=org)
  • User Filter: The field that we will match with username of Deis. (In most cases is uuid, Windows AD users is sAMAccountName)
  • Group Base DN: Where the groups are located in your LDAP/AD. (Ex.: OU=Groups,OU=TeamX,DC=Company,DC=org)
  • Group Filter: The filter field to locate your groups with LDAPSearch. (In most cases is objectClass)
  • Group Type: The type of groups in LDAP. (Use groupOfNames if you don't know.)

Step 2: Clone and Patch your Deis

git clone [email protected]:deis/deis.git
patch deis_ldap_phspagiari_latest.patch

Step 3: Starting your environment with Vagrant

Installing Deis - Vagrant Setup

Step 4: Installing Deis

  • Follow the step-by-step here but set your ldap keys using deisctl when you set your domain.
deisctl config controller set auth/ldap/host=ldap.host.com
deisctl config controller set auth/ldap/bind/[email protected]
deisctl config controller set auth/ldap/bind/password=bindpassword
deisctl config controller set auth/ldap/user/basedn=OU=TEAMX,DC=dc1,DC=dc2
deisctl config controller set auth/ldap/user/filter=sAMAccountName
deisctl config controller set auth/ldap/group/basedn=OU=Groups,OU=TEAMX,DC=dc1,DC=dc2
deisctl config controller set auth/ldap/group/filter=objectClass
deisctl config controller set auth/ldap/group/type=groupOfNames
  • Proceed with normal installation

Step 5: After all installation, you will be able to login with deis client using your LDAP credentials:

deis login http://yourdeis.controller.com/
username: <your-LDAP-user>
password: <your-LDAP-password>
Logged in as <your-LDAP-user>
Raw
deis_ldap_auth.patch
diff --git a/controller/deis/settings.py b/controller/deis/settings.py
index d9d3aae..f6a0f0d 100644
--- a/controller/deis/settings.py
+++ b/controller/deis/settings.py
@@ -6,6 +6,9 @@ from __future__ import unicode_literals
import os.path
import sys
import tempfile
+import os
+import ldap
+
PROJECT_ROOT = os.path.normpath(os.path.join(os.path.dirname(__file__), '..'))
@@ -136,6 +139,7 @@ INSTALLED_APPS = (
'django.contrib.sites',
'django.contrib.staticfiles',
# Third-party apps
+ 'django_auth_ldap',
'django_fsm',
'guardian',
'json_field',
@@ -150,6 +154,7 @@ INSTALLED_APPS = (
)
AUTHENTICATION_BACKENDS = (
+ "django_auth_ldap.backend.LDAPBackend",
"django.contrib.auth.backends.ModelBackend",
"guardian.backends.ObjectPermissionBackend",
)
@@ -335,3 +340,41 @@ except ImportError:
if os.path.exists('/templates/confd_settings.py'):
sys.path.append('/templates')
from confd_settings import * # noqa
+
+# LDAP Authentication
+
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
+AUTH_LDAP_GLOBAL_OPTIONS = { ldap.OPT_X_TLS_REQUIRE_CERT: False, ldap.OPT_REFERRALS: False }
+
+LDAP_USER_SEARCH = LDAPSearch(
+ base_dn=USER_BASEDN,
+ scope=ldap.SCOPE_SUBTREE,
+ filterstr="(" + USER_FILTER + "=%(user)s)" # Placeholder problem, I didnt find a better way.
+)
+
+LDAP_GROUP_SEARCH = LDAPSearch(
+ base_dn=GROUP_BASEDN,
+ scope=ldap.SCOPE_SUBTREE,
+ filterstr="(%s=groupOfNames)" % GROUP_FILTER
+)
+
+AUTH_LDAP_SERVER_URI = "ldap://%s" % LDAP_HOST
+AUTH_LDAP_BIND_DN = BIND_DN
+AUTH_LDAP_BIND_PASSWORD = BIND_PASSWORD
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+
+AUTH_LDAP_USER_SEARCH = LDAP_USER_SEARCH
+AUTH_LDAP_GROUP_SEARCH = LDAP_GROUP_SEARCH
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+
+AUTH_LDAP_USER_ATTR_MAP = {
+ "first_name": "givenName",
+ "last_name": "sn",
+ "email": "mail",
+ "username": USER_FILTER,
+}
+
+AUTH_LDAP_MIRROR_GROUPS = True
+AUTH_LDAP_FIND_GROUP_PERMS = True
+AUTH_LDAP_CACHE_GROUPS = False
diff --git a/controller/requirements.txt b/controller/requirements.txt
index d5893d7..5195986 100644
--- a/controller/requirements.txt
+++ b/controller/requirements.txt
@@ -9,6 +9,7 @@ git+https://github.com/deis/django-fsm@propagate-false
django-cors-headers==1.0.0
django-guardian==1.2.5
django-json-field==0.5.7
+django-auth-ldap==1.2.5
djangorestframework==3.0.5
docker-py==0.7.2
gunicorn==19.2.1
@@ -19,3 +20,4 @@ PyYAML==3.11
setproctitle==1.1.8
static==1.1.1
South==1.0.2
+python-ldap==2.4.19
diff --git a/controller/templates/confd_settings.py b/controller/templates/confd_settings.py
index 501c0c4..bdf78cd 100644
--- a/controller/templates/confd_settings.py
+++ b/controller/templates/confd_settings.py
@@ -46,3 +46,15 @@ WEB_ENABLED = bool({{ .deis_controller_webEnabled }})
{{ end }}
UNIT_HOSTNAME = '{{ or (.deis_controller_unitHostname) "default" }}'
+
+# AUTH
+# LDAP
+LDAP_HOST = '{{getv "/deis/controller/auth/ldap/host" }}'
+BIND_DN = '{{getv "/deis/controller/auth/ldap/bind/dn" }}'
+BIND_PASSWORD = '{{getv "/deis/controller/auth/ldap/bind/password" }}'
+USER_BASEDN = '{{getv "/deis/controller/auth/ldap/user/basedn" }}'
+USER_FILTER = '{{getv "/deis/controller/auth/ldap/user/filter" }}'
+GROUP_BASEDN = '{{getv "/deis/controller/auth/ldap/group/basedn" }}'
+GROUP_FILTER = '{{getv "/deis/controller/auth/ldap/group/filter" }}'
+GROUP_TYPE = '{{getv "/deis/controller/auth/ldap/group/type" }}'
+
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment