
Warning: The 1.99.6 and 1.99.7 implementation is broken if the user is not already in the app's db :( Sorry for that.

Now (1.99.6) you can restrict login access based on the ldap groups the user is a member of.
You just need to specify allowed_groups:

auth.settings.login_methods=[ldap_auth(...as usual...,
  allowed_groups = [...],
  group_dn = 'ou=Groups,dc=domain,dc=com',
  group_name_attrib = 'cn',
  group_member_attrib = 'memberUid',
  group_filterstr = 'objectClass=*'
)]
Where:
allowed_groups - a list with allowed ldap group names like ['admin','user']
group_dn - the ldap branch of the groups like "ou=Groups,dc=domain,dc=com"
group_name_attrib - the attribute where the group name is stored like "CN"
group_member_attrib - the attribute containing the group members' names like "memberUid"
group_filterstr - as the filterstr but for group select

You can now manage auth_groups and auth_membership automatically. You need to set manage_groups=True:

auth.settings.login_methods=[ldap_auth(...as usual...,
  manage_groups = True,
  db = db,
  group_dn = 'ou=Groups,dc=domain,dc=com',
  group_name_attrib = 'cn',
  group_member_attrib = 'memberUid',
  group_filterstr = 'objectClass=*'
)]
Where:
manage_groups - let web2py handle the groups from ldap
db - is the database object (need to have auth_user, auth_group, auth_membership)
group_dn - the ldap branch of the groups like "ou=Groups,dc=domain,dc=com"; in trunk above 1.99.7 it defaults to base_dn
group_name_attrib - the attribute where the group name is stored like "cn"
group_member_attrib - the attribute containing the group members' names like "memberUid"
group_filterstr - as the filterstr but for group select

If the user can log in then ldap_auth sets up the corresponding groups and memberships in the app's db, so RBAC works properly and you don't have to maintain group membership both in ldap and in the app's db. The "group_*" properties are shared by allowed_groups and manage_groups.
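
The group lookup that allowed_groups and manage_groups both rely on, as an added example that is not web2py's own ldap_auth code: it builds the group search filter the author quotes in the comments, '(&(%s=%s)(%s))', adds RFC 4515 escaping of the username (an assumption; the quoted filter interpolates it raw), and evaluates it against a constructed in-memory group branch instead of a live server.

```python
import re

# RFC 4515 escaping for a value interpolated into a search filter. The filter the
# author quotes interpolates the username as-is; escaping it is an added hardening.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def group_filter(username, group_member_attrib='memberUid', group_filterstr='objectClass=*'):
    """The slice's group search filter, '(&(%s=%s)(%s))', with the username escaped."""
    return '(&(%s=%s)(%s))' % (group_member_attrib, escape_filter_value(username), group_filterstr)

# Toy evaluator for the AND-of-equality filters built above, standing in for the
# LDAP server. Real code would hand group_filter() to ldap.search_s() under group_dn.
_TERM = re.compile(r'\(([A-Za-z][\w-]*)=([^()]*)\)')

def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def entry_matches(entry, filterstr):
    for attrib, value in _TERM.findall(filterstr):
        values = entry.get(attrib, [])
        if value == '*':
            if not values:
                return False
        elif _unescape(value) not in values:
            return False
    return True

# Constructed stand-in for the entries under group_dn='ou=Groups,dc=domain,dc=com'.
FAKE_GROUP_BRANCH = [
    {'objectClass': ['posixGroup'], 'cn': ['admin'], 'memberUid': ['alice']},
    {'objectClass': ['posixGroup'], 'cn': ['user'], 'memberUid': ['alice', 'bob']},
    {'objectClass': ['posixGroup'], 'cn': ['HQ - IT'], 'memberUid': ['carol']},
]

def user_groups(username, branch=FAKE_GROUP_BRANCH, group_name_attrib='cn',
                group_member_attrib='memberUid', group_filterstr='objectClass=*'):
    """Group names (group_name_attrib) of every group listing `username` as a member."""
    flt = group_filter(username, group_member_attrib, group_filterstr)
    return [e[group_name_attrib][0] for e in branch if entry_matches(e, flt)]

def login_allowed(username, allowed_groups, **search_kw):
    """allowed_groups semantics: the user must be a member of at least one listed group."""
    return any(g in allowed_groups for g in user_groups(username, **search_kw))
```

With manage_groups the same list returned by user_groups() is what gets mirrored into auth_group and auth_membership; the escaping keeps a username containing filter metacharacters from matching groups it is not a member of.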

Update: 2012.03.12.

From now on in trunk, i.e. above 1.99.7, you can manage user attributes such as first name, last name and e-mail:

        auth.settings.login_methods.append(ldap_auth(...as usual...,
            manage_user = True,
            user_firstname_attrib = 'cn:1',
            user_lastname_attrib = 'cn:2',
            user_mail_attrib = 'mail'
            ))

        
Where:
manage_user - let web2py handle user data from ldap
user_firstname_attrib - the attribute containing the user's first name; optionally you can specify a part. Example: cn: "John Smith" - 'cn:1' = 'John'
user_lastname_attrib - the attribute containing the user's last name; optionally you can specify a part. Example: cn: "John Smith" - 'cn:2' = 'Smith'
user_mail_attrib - the attribute containing the user's email address
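
An added example, not ldap_auth's own code, of how the 'attr:N' spec for user_firstname_attrib and user_lastname_attrib can be interpreted and mapped onto the auth_user columns manage_user fills; it assumes N selects the N-th whitespace-separated word of the attribute's first value, and uses constructed entries instead of a live search result.

```python
# Constructed example of the 'attr:N' spec used by user_firstname_attrib and
# user_lastname_attrib (not ldap_auth's own code). Assumption: a part number N
# selects the N-th whitespace-separated word of the attribute's first value.

def parse_attrib_spec(spec):
    """'cn:1' -> ('cn', 1); 'mail' -> ('mail', None). N is 1-based, as in the slice."""
    name, sep, part = spec.partition(':')
    if not sep:
        return name, None
    if not part.isdigit() or int(part) < 1:
        raise ValueError('bad attribute spec: %r' % spec)
    return name, int(part)

def attrib_value(entry, spec):
    """Value named by `spec` from an LDAP entry (dict of attribute -> list of values),
    or None when the attribute or the requested part is missing."""
    name, part = parse_attrib_spec(spec)
    values = entry.get(name) or []
    if not values:
        return None
    if part is None:
        return values[0]
    words = values[0].split()
    return words[part - 1] if len(words) >= part else None

def user_fields(entry, user_firstname_attrib='cn:1', user_lastname_attrib='cn:2',
                user_mail_attrib='mail'):
    """The auth_user columns manage_user would fill from one LDAP entry."""
    return {'first_name': attrib_value(entry, user_firstname_attrib),
            'last_name': attrib_value(entry, user_lastname_attrib),
            'email': attrib_value(entry, user_mail_attrib)}

# Constructed entries: the slice's "John Smith" case (also with separate givenName/sn
# attributes) and a one-word cn with no mail, the failure mode a 'cn:2' spec must survive.
JOHN = {'cn': ['John Smith'], 'givenName': ['John'], 'sn': ['Smith'],
        'mail': ['john.smith@domain.com']}
MADONNA = {'cn': ['Madonna']}
```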
 

If ldap is using GnuTLS then you need cert_file="..." instead of cert_path, because cert_path isn't implemented in GnuTLS.

Update: 2012.04.02.

From 2012.04.19 on you can customize the search for the user:

        auth.settings.login_methods.append(ldap_auth(
            mode='custom', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com',
            username_attrib='uid',
            custom_scope='subtree'))
           
The custom_scope can be one of: base, onelevel, subtree.

Tested only with OpenLDAP (I have no AD and co.)

If somebody can test it with AD, please give me feedback.

Comments (3)



  • 0
    kcaswick 9 years ago

    With Active Directory, you need to set group_member_attrib='member' for only the groups the user is directly a member of, or group_member_attrib='member:1.2.840.113556.1.4.1941:' to search nested group membership. AD security is normally by nested group membership.


  • 0
    sz-gy-10510 12 years ago

    That is the problem I face with AD: I don't know how exactly it works :-o

    But with OpenLdap you have to specify:

    group_dn - the group branch of your db. Example: ou=Group,dc=mydomain,dc=com

    group_name_attrib - the attribute with the name of the group, i.e. the attribute where 'HQ - IT' is stored. Like: cn

    group_member_attrib - the attribute the username is stored in, like 'memberUid'

    the search filter for user groups is:

    '(&(%s=%s)(%s))' % (group_member_attrib, username, group_filterstr)

    where group_filterstr='objectClass=*'

     

    If it's not good for AD then could you please write a search for a user's groups and let me know.

    Thanks for testing.


  • 0
    ochiba77 12 years ago

    I have AD in our environment. We have users belonging to 'HQ - IT' and I tried to add 'allowed_groups' but it doesn't work. Do I have to specify another parameter too?

     

    from gluon.contrib.login_methods.ldap_auth import ldap_auth
    auth.settings.login_methods = [auth,ldap_auth(mode='ad',
       server='myserver',
       base_dn='dc=mydomain,dc=com',
       allowed_groups = ['HQ - IT'])]
