Active Directory Integration
I'm posting this just because there isn't a clean guide to getting Active Directory working with Mayan. Please note that the following steps are based off of the Direct Installation method where Mayan is dropped to the /opt/mayan-edms directory. If need be, maybe someone can post a guide to enable Active Directory for the Docker installation. All of the following steps were done as root so make sure you sudo as needed. Also, please bear with me if I miss a step; I'm doing this from memory but at least it's recent memory.
1. Get your secret key from
/opt/mayan-edms/media/system/SECRET_KEY
2. Create a new file in /opt/mayan-edms/media/mayan_settings/:
nano /opt/mayan-edms/media/mayan_settings/ldap.py
3. Paste the code into the new file:
from __future__ import absolute_import
from mayan.settings.production import *
import ldap
from django_auth_ldap.config import LDAPSearch
from django.contrib.auth import get_user_model

SECRET_KEY = '<YOUR_SECRET_KEY>'

# makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, 0)

# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Note: this is the string "False", not the boolean False.
LDAP_USER_AUTO_CREATION = "False"

# ldap:// on port 389 is unencrypted: the bind password and each user's
# password cross the network in cleartext. Where the domain controller
# supports it, use an ldaps:// URL or set AUTH_LDAP_START_TLS = True.
LDAP_URL = "ldap://<SERVER>:389/"
LDAP_BASE_DN = "DC=company,DC=com"
LDAP_ADDITIONAL_USER_DN = "CN=Users"
LDAP_ADMIN_DN = "CN=<USER>,CN=Users,DC=company,DC=com"
LDAP_PASSWORD = "<PASSWORD>"

AUTH_LDAP_SERVER_URI = LDAP_URL
AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD

# Search base is "<additional DN>,<base DN>"; the filter matches the AD logon name.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    '%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN),
    ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
)

# Django user fields populated from the LDAP attributes on login.
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail'
}

# LDAP is tried first; the local backend below is the fallback.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'mayan.media.mayan_settings.ldap.EmailOrUsernameModelBackend',
)


class EmailOrUsernameModelBackend(object):
    """
    This is a ModelBackend that allows authentication with either a username or $
    """
    def authenticate(self, username=None, password=None):
        # Look the local account up by email if the login contains '@'.
        if '@' in username:
            kwargs = {'email': username}
        else:
            kwargs = {'username': username}
        try:
            user = get_user_model().objects.get(**kwargs)
            if user.check_password(password):
                return user
        except get_user_model().DoesNotExist:
            # No such local user: report authentication failure.
            return None

    def get_user(self, username):
        # Django passes the primary key stored in the session here.
        try:
            return get_user_model().objects.get(pk=username)
        except get_user_model().DoesNotExist:
            return None
4. Create a symlink to the media directory:
ln -s /opt/mayan-edms/media /opt/mayan-edms/lib/python2.7/site-packages/mayan/media
5. Enter the virtualenv:
source /opt/mayan-edms/bin/activate
6. Install the LDAP dependencies:
pip install python-ldap
pip install django-auth-ldap
7. Leave the virtualenv:
8. Edit the supervisor include file located at /etc/supervisor/conf.d/mayan.conf. Change this line
DJANGO_SETTINGS_MODULE=mayan.settings.production
to
DJANGO_SETTINGS_MODULE=mayan.media.mayan_settings.ldap
9. Restart the Supervisor service:
That should be it. Note that I placed the Users container in the LDAP_ADDITIONAL_USER_DN variable. This is probably not ideal (it should go in the BIND DN) but then the LDAPSearch throws an error because it is expecting an entry for ADDITIONAL. You can play around with this string once you are up and running if you want to limit the search to a certain container or a more complex filter.
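A pre-deployment check for the settings file built in the steps above, as an added example that is not part of the original post, Mayan or django-auth-ldap: it flags cleartext ldap:// without StartTLS, placeholders that were never replaced, string booleans, and a settings file accessible beyond its owner. The function names and the sample values are assumptions made for illustration; AUTH_LDAP_START_TLS is django-auth-ldap's StartTLS setting.

```python
import os
import stat


def audit_ldap_settings(cfg):
    """Return (setting, finding) pairs for a dict of Django settings."""
    findings = []
    uri = str(cfg.get("AUTH_LDAP_SERVER_URI", ""))
    scheme = uri.split("://", 1)[0].lower() if "://" in uri else ""
    if scheme == "ldap" and cfg.get("AUTH_LDAP_START_TLS") is not True:
        findings.append(("AUTH_LDAP_SERVER_URI",
                         "ldap:// without AUTH_LDAP_START_TLS: binds are sent in cleartext"))
    elif scheme not in ("ldap", "ldaps"):
        findings.append(("AUTH_LDAP_SERVER_URI", "missing or unexpected URI scheme"))
    # Secrets that are absent or still hold the guide's <...> placeholder.
    for name in ("SECRET_KEY", "AUTH_LDAP_BIND_PASSWORD"):
        value = str(cfg.get(name) or "")
        if not value:
            findings.append((name, "empty or missing"))
        elif value.startswith("<") and value.endswith(">"):
            findings.append((name, "template placeholder was never replaced"))
    # A quoted "False" is a non-empty string, so any truth test on it passes.
    for name in sorted(cfg):
        value = cfg[name]
        if isinstance(value, str) and value.strip().lower() in ("true", "false"):
            findings.append((name, "string %r is truthy; use a real bool" % value))
    return findings


def file_is_group_or_world_accessible(path):
    """True if anyone besides the owner can read, write or execute the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


# Constructed sample mirroring the settings in the post (placeholders kept,
# hostname invented).
SAMPLE = {
    "SECRET_KEY": "<YOUR_SECRET_KEY>",
    "AUTH_LDAP_SERVER_URI": "ldap://dc.example.invalid:389/",
    "AUTH_LDAP_BIND_PASSWORD": "<PASSWORD>",
    "AUTH_LDAP_ALWAYS_UPDATE_USER": True,
    "LDAP_USER_AUTO_CREATION": "False",
}

if __name__ == "__main__":
    for setting, finding in audit_ldap_settings(SAMPLE):
        print("%-26s %s" % (setting, finding))
```

To audit a real deployment, pass the upper-case names from the loaded settings module as the dict and call `file_is_group_or_world_accessible` on the ldap.py path, since that file holds both the bind password and SECRET_KEY.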