Hello everybody,
I’ve got Mayan up and running on docker compose. Now I want to authenticate the users against LDAP.
I found the FAQ (FAQ — Mayan EDMS 4.4.8 documentation) and adapted the file ldap_connection_settings.py for my purposes. Now I can't get any further with the implementation of the settings file. What is the Python settings file method? Where do I put the file: inside the docker container or outside on the server? Which directory should I use? How do I read in the file? Sorry for the stupid question, but I can't get any further. Thank you for your help in advance.
Hi,
In the docker compose file you can find that the path /var/lib/mayan is mapped to the app docker volume:
volumes:
  - ${MAYAN_APP_VOLUME:-app}:/var/lib/mayan
so you can put your configuration file in the following path:
/var/lib/docker/volumes/mayan_app/_data/user_settings/
Note: if you changed the app name in the .env file you need to revise the path. With this in .env:
COMPOSE_PROJECT_NAME=newappname
the new path is:
/var/lib/docker/volumes/newappname_app/_data/user_settings/
the example for the ldap configuration is good as mentioned in the .env file (Example Configuration — django-auth-ldap 4.4.1.dev1+g342c103.d20230722 documentation)
just a few notes to make your life easier:
1- is_superuser: will give all permissions without you seeing any role assignment in mayan (gave me hell to understand), so it's not an admin privilege; it's, like the name suggests, a super admin
2- use ldap filters to limit your group selection, for example, I used:
import ldap
from django_auth_ldap.config import LDAPSearch

# only groups whose CN starts with GRP_MAYAN_ are considered (base DN redacted)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'OU=,DC=,DC=', ldap.SCOPE_SUBTREE, '(&(objectClass=group)(CN=GRP_MAYAN_*))'
)
3- use AUTH_LDAP_FIND_GROUP_PERMS = True and AUTH_LDAP_ALWAYS_UPDATE_USER = True to update users' permissions
4- to allow both local authentication and ldap use:
AUTHENTICATION_BACKENDS = (
    "django_auth_ldap.backend.LDAPBackend",
    "django.contrib.auth.backends.ModelBackend",
)
5- ldap groups will be created with the same name in mayan, but that will happen on user login, so you can create them yourself before users log in to design your security beforehand (the group name in mayan should be the same as in ldap)
6- you may need to import or use additional methods as per your specific use case, for example, I used:
import ldap
from django_auth_ldap.config import (
    LDAPGroupQuery, LDAPSearch, LDAPSearchUnion,
    NestedActiveDirectoryGroupType, NestedGroupOfNamesType,
)

# a user is active only if they are a member of one of these groups (DNs redacted)
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_active': (
        LDAPGroupQuery('XXXXXXXX')
        | LDAPGroupQuery('XXXXXXXX')
    ),
}

# look the user up in two separate subtrees (base DNs redacted)
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch(
        'XXXXXXXXXX', ldap.SCOPE_SUBTREE,
        '(sAMAccountName=%(user)s)'
    ),
    LDAPSearch(
        'XXXXXXXXX',
        ldap.SCOPE_SUBTREE, '(sAMAccountName=%(user)s)'
    ),
)
Hope this helps
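As an added example (not from the thread or the Mayan project), a small POSIX shell helper that derives the host-side user_settings path from the compose .env file as described above and copies the settings file into it. It generalizes the path rule to a changed MAYAN_APP_VOLUME name as well; DOCKER_VOLUMES_ROOT is an assumed override of the default /var/lib/docker/volumes, and a bind-mounted (absolute path) app volume is not covered.

```shell
#!/bin/sh
# Locate Mayan's user_settings directory on the host and install a settings
# file (e.g. ldap_connection_settings.py) into it. Assumes the compose volume
# mapping ${MAYAN_APP_VOLUME:-app}:/var/lib/mayan and named docker volumes.
set -eu

# assumed override so the logic can be exercised outside a docker host
DOCKER_VOLUMES_ROOT="${DOCKER_VOLUMES_ROOT:-/var/lib/docker/volumes}"

# env_value FILE KEY DEFAULT: last KEY=value line of FILE, quotes stripped,
# DEFAULT if the file or key is missing.
env_value() {
    file="$1"; key="$2"; default="$3"
    value=""
    if [ -f "$file" ]; then
        value=$(sed -n "s/^[[:space:]]*${key}=//p" "$file" | tail -n 1 | tr -d '"'"'")
    fi
    printf '%s\n' "${value:-$default}"
}

# Host path backing /var/lib/mayan/user_settings: <root>/<project>_<volume>/_data/user_settings.
# The shipped .env sets COMPOSE_PROJECT_NAME=mayan, hence the default "mayan_app".
mayan_user_settings_dir() {
    project=$(env_value "$1" COMPOSE_PROJECT_NAME mayan)
    volume=$(env_value "$1" MAYAN_APP_VOLUME app)
    printf '%s/%s_%s/_data/user_settings\n' "$DOCKER_VOLUMES_ROOT" "$project" "$volume"
}

# install_mayan_settings ENV_FILE SRC: copy SRC into user_settings and print the
# destination. Refuses to create the volume directory itself: if _data is absent
# the stack has never been started (or the .env name is wrong), and creating it
# here would leave a directory docker does not own.
install_mayan_settings() {
    env_file="$1"; src="$2"
    dest_dir=$(mayan_user_settings_dir "$env_file")
    volume_data=$(dirname "$dest_dir")
    if [ ! -d "$volume_data" ]; then
        echo "volume data dir $volume_data not found; start the stack once first" >&2
        return 1
    fi
    mkdir -p "$dest_dir"
    cp "$src" "$dest_dir/"
    # The file holds the LDAP bind password: match the mode/owner of the
    # volume's existing files rather than leaving it world-readable.
    printf '%s\n' "$dest_dir/$(basename "$src")"
}
```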
Hi Zee, please excuse my late reply. Thank you very much for the detailed answer. I will try to establish a connection to our LDAP server in the next few days and hope for the excellent support if I have any further questions. I appreciate the good notes that you provide.
Thank you