LDAP integration

yama
Posts: 1
Joined: Mon Jun 10, 2019 10:23 am

LDAP integration

Post by yama »

Hello.
I am currently running the 3.2b1 version and I'd like to bind auth to our ldap server.
Problem is I can't find out where to put the https://gitlab.com/mayan-edms/mayan-edm ... ettings.py file to make the whole thing work.

My last try was to copy the content of the file into the production settings, but I still have an error: 'Module "mayan.settings" does not define a "EmailOrUsernameModelBackend"'. I changed this

Code: Select all

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'mayan.settings.EmailOrUsernameModelBackend',
)

Is there a clean way to make this work?

rosarior
Developer
Posts: 505
Joined: Tue Aug 21, 2018 3:28 am
Location: Puerto Rico

Re: LDAP integration

Post by rosarior »

This is a contributed example file and we need feedback from the community to fine tune it.

The file goes in the "mayan_settings" folder located in the "media" folder. For Docker this is the normal data volume.

The error:

Code: Select all

Module "mayan.settings" does not define a "EmailOrUsernameModelBackend"
means the setting is being picked up.

You can remove

Code: Select all

mayan.settings.EmailOrUsernameModelBackend
My guess is that the original author of the file wanted Mayan to fall back to its default authentication system if the LDAP authentication attempt failed.

rosarior
Developer
Posts: 505
Joined: Tue Aug 21, 2018 3:28 am
Location: Puerto Rico

Re: LDAP integration

Post by rosarior »

After getting the communication between Mayan and LDAP working, you will still need to fine tune the mappings. These appear to change from vendor to vendor and organization to organization.

Turning on debug using

Code: Select all

ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)
helps diagnose the mapping.

mcrotsenburg
Posts: 4
Joined: Wed Sep 11, 2019 6:56 pm

Re: LDAP integration

Post by mcrotsenburg »

Active Directory Integration

I'm posting this just because there isn't a clean guide to getting Active Directory working with Mayan. Please note that the following steps are based off of the Direct Installation method where Mayan is dropped to the /opt/mayan-edms directory. If need be, maybe someone can post a guide to enable Active Directory for the Docker installation. All of the following steps were done as root so make sure you sudo as needed. Also, please bear with me if I miss a step; I'm doing this from memory but at least it's recent memory ;)

1. Get your secret key from

Code: Select all

/opt/mayan-edms/media/system/SECRET_KEY
2. Create a new file in /opt/mayan-edms/media/mayan_settings/:

Code: Select all

nano /opt/mayan-edms/media/mayan_settings/ldap.py
3. Paste the code into the new file:

Code: Select all

from __future__ import absolute_import

from mayan.settings.production import *

import ldap
from django_auth_ldap.config import LDAPSearch

from django.contrib.auth import get_user_model

SECRET_KEY = '<YOUR_SECRET_KEY>'

# makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, 0)

# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

LDAP_USER_AUTO_CREATION = "False"

LDAP_URL = "ldap://<SERVER>:389/"
LDAP_BASE_DN = "DC=company,DC=com"
LDAP_ADDITIONAL_USER_DN = "CN=Users"
LDAP_ADMIN_DN = "CN=<USER>,CN=Users,DC=company,DC=com"
LDAP_PASSWORD = "<PASSWORD>"

AUTH_LDAP_SERVER_URI = LDAP_URL
AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    '%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN),
    ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
)
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail'
}
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'mayan.media.mayan_settings.ldap.EmailOrUsernameModelBackend',
)


class EmailOrUsernameModelBackend(object):
    """
    This is a ModelBacked that allows authentication with either a username or $
    """
    def authenticate(self, username=None, password=None):
        if '@' in username:
            kwargs = {'email': username}
        else:
            kwargs = {'username': username}
        try:
            user = get_user_model().objects.get(**kwargs)
            if user.check_password(password):
                return user
        except get_user_model().DoesNotExist:

    def get_user(self, username):
        try:
            return get_user_model().objects.get(pk=username)
        except get_user_model().DoesNotExist:
            return None
4. Create a symlink to the media directory:

Code: Select all

ln -s /opt/mayan-edms/media /opt/mayan-edms/lib/python2.7/site-packages/mayan/media
5. Enter the virtualenv:

Code: Select all

source /opt/mayan-edms/bin/activate
6. Install the LDAP dependencies:

Code: Select all

pip install python-ldap
pip install django-auth-ldap


7. Leave the virtualenv:

Code: Select all

deactivate
8. Edit the supervisor include file located at /etc/supervisor/conf.d/mayan.conf. Change this line

Code: Select all

DJANGO_SETTINGS_MODULE=mayan.settings.production
to

Code: Select all

DJANGO_SETTINGS_MODULE=mayan.media.mayan_settings.ldap
9. Restart the Supervisor service:

Code: Select all

service supervisor restart
That should be it. Note that I placed the Users container in the LDAP_ADDITIONAL_USER_DN variable. This is probably not ideal (it should go in the BIND DN) but then the LDAPSearch throws an error because it is expecting an entry for ADDITIONAL. You can play around with this string once you are up and running if you want to limit the search to a certain container or a more complex filter.

msvabik
Posts: 14
Joined: Tue Sep 24, 2019 12:38 pm

Re: LDAP integration

Post by msvabik »

Hello,
in step 3 "Active Directory Integration" there is an error in the code:
under the

Code: Select all

except get_user_model().DoesNotExist:
missing:

Code: Select all

return None
good luck
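
A static pre-flight check for a settings file like the one in step 3 above, as an added example that is not part of the original posts or of Mayan EDMS. It catches the empty except body reported in this post, a backend path naming a class the module does not define (the error in the first post), string-valued booleans such as LDAP_USER_AUTO_CREATION = "False", and an ldap:// URI with no AUTH_LDAP_START_TLS; the function name audit_settings, the host dc.example.test and the sample text are constructed for illustration.

```python
import ast

def audit_settings(source, module_name):
    """Statically check Django settings text; return a list of findings."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:  # e.g. an except clause with no body
        return ['syntax error near line %s: settings will not import' % exc.lineno]
    values, classes = {}, set()
    for node in tree.body:
        if isinstance(node, ast.ClassDef):
            classes.add(node.name)
        elif isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            name = node.targets[0].id
            if isinstance(node.value, ast.Name):  # alias: AUTH_LDAP_SERVER_URI = LDAP_URL
                values[name] = values.get(node.value.id)
                continue
            try:
                values[name] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed value such as LDAPSearch(...); not inspected
    findings = []
    uri = values.get('AUTH_LDAP_SERVER_URI')
    if isinstance(uri, str) and uri.startswith('ldap://') \
            and values.get('AUTH_LDAP_START_TLS') is not True:
        findings.append('ldap:// without AUTH_LDAP_START_TLS: passwords sent unencrypted')
    for name, value in sorted(values.items()):
        if isinstance(value, str) and value in ('True', 'False'):
            findings.append('%s is the string %r, which is always truthy' % (name, value))
    for path in values.get('AUTHENTICATION_BACKENDS') or ():
        module, _, cls = path.rpartition('.')
        if module == module_name and cls not in classes:
            findings.append('%s: module does not define %s' % (path, cls))
    return findings

# Constructed sample modelled on the settings file posted in this thread.
SAMPLE = '''
LDAP_USER_AUTO_CREATION = "False"
LDAP_URL = "ldap://dc.example.test:389/"
AUTH_LDAP_SERVER_URI = LDAP_URL
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'mayan.media.mayan_settings.ldap.EmailOrUsernameModelBackend',
)
'''

if __name__ == '__main__':
    print('\n'.join(audit_settings(SAMPLE, 'mayan.media.mayan_settings.ldap')))
```

The check only parses the text and never imports it, so it can be run on a settings file before Supervisor is restarted.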

mcrotsenburg
Posts: 4
Joined: Wed Sep 11, 2019 6:56 pm

Re: LDAP integration

Post by mcrotsenburg »

msvabik wrote:
Tue Sep 24, 2019 12:47 pm
Hello,
in step 3 "Active Directory Integration" there is an error in the code:
under the

Code: Select all

except get_user_model().DoesNotExist:
missing:

Code: Select all

return None
good luck
I am a little unclear. Are you saying that the

Code: Select all

return None
section should not be present?

nguyentronganhs
Posts: 1
Joined: Wed Nov 20, 2019 1:52 am

Re: LDAP integration

Post by nguyentronganhs »

mcrotsenburg wrote:
Thu Sep 12, 2019 8:19 pm
Active Directory Integration

I'm posting this just because there isn't a clean guide to getting Active Directory working with Mayan. Please note that the following steps are based off of the Direct Installation method where Mayan is dropped to the /opt/mayan-edms directory. If need be, maybe someone can post a guide to enable Active Directory for the Docker installation. All of the following steps were done as root so make sure you sudo as needed. Also, please bear with me if I miss a step; I'm doing this from memory but at least it's recent memory ;)

............
I followed the instructions and it works with Mayan version 3.2, but it does not work with version 3.3.
Specifically, it is impossible to install python-ldap and django-auth-ldap; the reason is that when installing version 3.3, python3 is used, while python-ldap and django-auth-ldap use python2.
Can you help me fix this error?
Thank you

msvabik
Posts: 14
Joined: Tue Sep 24, 2019 12:38 pm

Re: LDAP integration

Post by msvabik »

I am a little unclear. Are you saying that the

Code: Select all

return None
section should not be present?
This code is missing there

msvabik
Posts: 14
Joined: Tue Sep 24, 2019 12:38 pm

Re: LDAP integration

Post by msvabik »

nguyentronganhs wrote:
Wed Dec 18, 2019 4:13 am
I followed the instructions and it works with Mayan version 3.2, but it does not work with version 3.3.
Specifically, it is impossible to install python-ldap and django-auth-ldap; the reason is that when installing version 3.3, python3 is used, while python-ldap and django-auth-ldap use python2.
Can you help me fix this error?
thank you
I have the same problem. Also, after upgrading to 3.3.x, ldap verification has stopped working.
Does anyone have a solution?
Thanks, Michal

rssfed23
Moderator
Posts: 213
Joined: Mon Oct 14, 2019 1:18 pm
Location: United Kingdom

Re: LDAP integration

Post by rssfed23 »

What error messages do you get? I'm assuming you're using the same example LDAP file posted above?

If you're able to log a GitLab issue with the associated logs/errors and what troubleshooting you've done, we can take a look for you there.

Looking a couple of posts above it seems a user had issues installing python-ldap and django-auth-ldap with Python 3.
When you upgraded Mayan to 3.3.x we migrated from Python 2 to 3. You will have to reinstall those 2 packages (and any others) on Python 3.

As per https://pypi.org/project/django-auth-ldap/ it is supported on python3 so that shouldn't be an issue. You will need the openldap headers installed though.
Please bear with us during the current global situation. The team all have families and local communities to look after as well as the community here. Responses may be delayed during this time, but rest assured we will get to your query eventually.
