Setting up LDAP support

-----------------------

Kallithea supports LDAP authentication. In order

to use LDAP, you have to install the python-ldap_ package. This package is

available via PyPI, so you can install it by running::

    pip install python-ldap

.. note:: ``python-ldap`` requires some libraries to be installed on

          your system, so before installing it check that you have at

          least the ``openldap`` and ``sasl`` libraries.

Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button

and then *Save*, to enable the LDAP plugin and configure its settings.

Here's a typical LDAP setup::

 Connection settings

 Enable LDAP          = checked

 Host                 = host.example.com

 Account              = <account>

 Password             = <password>

 Certificate Checks   = DEMAND

 Search settings

 Base DN              = CN=users,DC=host,DC=example,DC=org

 LDAP Filter          = (&(objectClass=user)(!(objectClass=computer)))

 LDAP Search Scope    = SUBTREE

 Attribute mappings

 Login Attribute      = uid

 First Name Attribute = firstName

 Last Name Attribute  = lastName

 Email Attribute      = mail

If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::

 Search settings

 Base DN              = DC=host,DC=example,DC=org

 LDAP Filter          = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))

 LDAP Search Scope    = SUBTREE

.. _enable_ldap:

Enable LDAP : required

    Whether to use LDAP for authenticating users.

      ProxyPass http://127.0.0.1:5000/someprefix

      ProxyPassReverse http://127.0.0.1:5000/someprefix

      SetEnvIf X-Url-Scheme https HTTPS=1

      AuthName "Kerberos Login"

      AuthType Kerberos

      Krb5Keytab /etc/apache2/http.keytab

      KrbMethodK5Passwd off

      KrbVerifyKDC on

      Require valid-user

      PythonFixupHandler ldapmetadata

      RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e

      RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e

      RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e

      RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e

    </Location>

.. code-block:: python

    from mod_python import apache

    import ldap

    LDAP_USER = ""

    LDAP_PASS = ""

    LDAP_ROOT = "dc=mydomain,dc=com"

    LDAP_FILTER = "sAMAccountName=%s"

    LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']

    def fixuphandler(req):

        if req.user is None:

            # no user to search for

            return apache.OK

        else:

            try:

                if('\\' in req.user):

                    username = req.user.split('\\')[1]

                elif('@' in req.user):

                    username = req.user.split('@')[0]

                else:

                    username = req.user

                l = ldap.initialize(LDAP_SERVER)

                l.simple_bind_s(LDAP_USER, LDAP_PASS)

                r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)

                req.subprocess_env['X_REMOTE_USER'] = username

                req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()

[default]

api_url = http://kallithea.example.com/_admin/api

api_user = admin

api_key = XXXXXXXXXXXX

ldap_user = cn=kallithea,dc=example,dc=com

ldap_key = XXXXXXXXX

base_dn = dc=example,dc=com

sync_users = True

import logging

import traceback

from kallithea.lib import auth_modules

from kallithea.lib.compat import hybrid_property

from kallithea.lib.utils2 import safe_unicode, safe_str

from kallithea.lib.exceptions import (

    LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError

)

from kallithea.model.db import User

log = logging.getLogger(__name__)

try:

    import ldap

    import ldap.filter

except ImportError:

    # means that python-ldap is not installed

    ldap = None

class AuthLdap(object):

    def __init__(self, server, base_dn, port=None, bind_dn='', bind_pass='',

                 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',

                 search_scope='SUBTREE', attr_login='uid'):

        if ldap is None:

            raise LdapImportError

        self.ldap_version = ldap_version

        self.TLS_KIND = tls_kind

        OPT_X_TLS_DEMAND = 2

        self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,

                                   OPT_X_TLS_DEMAND)

        self.cacertdir = cacertdir

        protocol = 'ldaps' if self.TLS_KIND == 'LDAPS' else 'ldap'

        if not port:

            port = 636 if self.TLS_KIND == 'LDAPS' else 389

        self.LDAP_SERVER = str(', '.join(

            "%s://%s:%s" % (protocol,

                            host.strip(),

                            port)

            for host in server.split(',')))

        self.LDAP_BIND_DN = safe_str(bind_dn)

        self.LDAP_BIND_PASS = safe_str(bind_pass)

                "description": "Port that the LDAP server is listening on. Defaults to 389 for PLAIN/START_TLS and 636 for LDAPS.",

                "default": "",

                "formname": "Custom LDAP Port"

            },

            {

                "name": "dn_user",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "User to connect to LDAP",

                "formname": "Account"

            },

            {

                "name": "dn_pass",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "password",

                "description": "Password to connect to LDAP",

                "formname": "Password"

            },

            {

                "name": "tls_kind",

                "validator": self.validators.OneOf(self._tls_kind_values),

                "type": "select",

                "values": self._tls_kind_values,

                "description": "TLS Type",

                "formname": "Connection Security"

            },

            {

                "name": "tls_reqcert",

                "validator": self.validators.OneOf(self._tls_reqcert_values),

                "type": "select",

                "values": self._tls_reqcert_values,

                "description": "Require Cert over TLS?",

                "formname": "Certificate Checks"

            },

            {

                "name": "cacertdir",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "Optional: Custom CA certificate directory for validating LDAPS",

                "formname": "Custom CA Certificates"

            },

            {

                "name": "base_dn",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "Base DN to search (e.g., dc=mydomain,dc=com)",

                "formname": "Base DN"

            },