LDAP integration

Technical aspects, customization, code samples.
yama
Posts: 1
Joined: Mon Jun 10, 2019 10:23 am

LDAP integration

Post by yama » Wed Jun 26, 2019 8:15 am

Hello.
I am currently running the 3.2b1 version and I'd like to bind auth to our ldap server.
Problem is I can't find out where to put the https://gitlab.com/mayan-edms/mayan-edm ... ettings.py file to make the whole thing work.

My last try was to copy content of the file into production settings but still have an error "Module "mayan.settings" does not define a "EmailOrUsernameModelBackend". I changed this

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'mayan.settings.EmailOrUsernameModelBackend',
)
Is there a clean way to make this work?

rosarior
Posts: 393
Joined: Tue Aug 21, 2018 3:28 am

Re: LDAP integration

Post by rosarior » Tue Jul 02, 2019 1:24 pm

This is a contributed example file and we need feedback from the community to fine tune it.

The file goes in the "mayan_settings" folder located in the "media" folder. For Docker this is the normal data volume.

The error:


Module "mayan.settings" does not define a "EmailOrUsernameModelBackend"
means the setting is being picked up.

You can remove

mayan.settings.EmailOrUsernameModelBackend

My guess is that the original author of the file wanted Mayan to fallback to its default authentication system if the LDAP authentication attempt failed.

rosarior
Posts: 393
Joined: Tue Aug 21, 2018 3:28 am

Re: LDAP integration

Post by rosarior » Tue Jul 02, 2019 1:29 pm

After getting the communication between Mayan and LDAP working, you will still need to fine tune the mappings. These appear to change from vendor to vendor and organization to organization.

Turning on debug using

ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)

helps diagnose the mapping.

mcrotsenburg
Posts: 4
Joined: Wed Sep 11, 2019 6:56 pm

Re: LDAP integration

Post by mcrotsenburg » Thu Sep 12, 2019 8:19 pm

Active Directory Integration

I'm posting this just because there isn't a clean guide to getting Active Directory working with Mayan. Please note that the following steps are based off of the Direct Installation method where Mayan is dropped to the /opt/mayan-edms directory. If need be, maybe someone can post a guide to enable Active Directory for the Docker installation. All of the following steps were done as root so make sure you sudo as needed. Also, please bear with me if I miss a step; I'm doing this from memory but at least it's recent memory ;)

1. Get your secret key from


/opt/mayan-edms/media/system/SECRET_KEY
2. Create a new file in /opt/mayan-edms/media/mayan_settings/:


nano /opt/mayan-edms/media/mayan_settings/ldap.py
3. Paste the code into the new file:


from __future__ import absolute_import

from mayan.settings.production import *

import ldap
from django_auth_ldap.config import LDAPSearch

from django.contrib.auth import get_user_model

SECRET_KEY = '<YOUR_SECRET_KEY>'

# makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, 0)

# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

LDAP_USER_AUTO_CREATION = "False"

LDAP_URL = "ldap://<SERVER>:389/"
LDAP_BASE_DN = "DC=company,DC=com"
LDAP_ADDITIONAL_USER_DN = "CN=Users"
LDAP_ADMIN_DN = "CN=<USER>,CN=Users,DC=company,DC=com"
LDAP_PASSWORD = "<PASSWORD>"

AUTH_LDAP_SERVER_URI = LDAP_URL
AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    '%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN),
    ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
)
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail'
}
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'mayan.media.mayan_settings.ldap.EmailOrUsernameModelBackend',
)


class EmailOrUsernameModelBackend(object):
    """
    Model backend that allows authentication with either a username or an
    email address, checked against the local user table.
    """
    # Django passes ``request`` as the first positional argument; accepting
    # it keeps the backend working across Django versions.
    def authenticate(self, request=None, username=None, password=None, **kwargs):
        if username is None or password is None:
            return None
        if '@' in username:
            lookup = {'email': username}
        else:
            lookup = {'username': username}
        try:
            user = get_user_model().objects.get(**lookup)
            if user.check_password(password):
                return user
        except (get_user_model().DoesNotExist,
                get_user_model().MultipleObjectsReturned):
            # Unknown (or ambiguous) user: return None so Django moves on to
            # the next backend instead of raising.
            return None

    def get_user(self, user_id):
        try:
            return get_user_model().objects.get(pk=user_id)
        except get_user_model().DoesNotExist:
            return None
4. Create a symlink to the media directory:


ln -s /opt/mayan-edms/media /opt/mayan-edms/lib/python2.7/site-packages/mayan/media
5. Enter the virtualenv:


source /opt/mayan-edms/bin/activate
6. Install the LDAP dependencies:


pip install python-ldap
pip install django-auth-ldap


7. Leave the virtualenv:


deactivate
8. Edit the supervisor include file located at /etc/supervisor/conf.d/mayan.conf. Change this line


DJANGO_SETTINGS_MODULE=mayan.settings.production
to


DJANGO_SETTINGS_MODULE=mayan.media.mayan_settings.ldap
9. Restart the Supervisor service:


service supervisor restart
That should be it. Note that I placed the Users container in the LDAP_ADDITIONAL_USER_DN variable. This is probably not ideal (it should go in the BIND DN) but then the LDAPSearch throws an error because it is expecting an entry for ADDITIONAL. You can play around with this string once you are up and running if you want to limit the search to a certain container or a more complex filter.
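Added example, not code from this thread or from Mayan/django-auth-ldap: what the LDAPSearch and AUTH_LDAP_USER_ATTR_MAP settings in step 3 actually do, and why rosarior says the attribute mappings need tuning per vendor. It is written in plain Python so it runs without Django, python-ldap or a directory server; the DN/filter values are the ones from step 3, the escaping table and the sample directory entry are constructed here.

```python
# Added example, not code from the thread or from Mayan/django-auth-ldap:
# the search and attribute mapping that the step 3 settings configure,
# re-implemented in plain Python. The sample entry below is constructed.

LDAP_BASE_DN = "DC=company,DC=com"
LDAP_ADDITIONAL_USER_DN = "CN=Users"
USER_SEARCH_FILTER = "(samaccountname=%(user)s)"
USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}

# RFC 4515 filter escaping. django-auth-ldap applies the python-ldap
# equivalent (ldap.filter.escape_filter_chars) to %(user)s before the
# search runs, so a login name cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_chars(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(username):
    """Return (search base, filter) as the LDAPSearch in step 3 would issue."""
    base = "%s,%s" % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN)
    return base, USER_SEARCH_FILTER % {"user": escape_filter_chars(username)}


def map_user_attrs(entry, attr_map=USER_ATTR_MAP):
    """Apply the attribute map to one python-ldap result entry.

    python-ldap returns every attribute as a list of bytes. An Active
    Directory account may have no 'mail' value at all, and other directories
    name the login attribute 'uid' rather than 'sAMAccountName', which is why
    the mappings differ per vendor. A missing attribute maps to '' here
    instead of failing the login.
    """
    mapped = {}
    for field, attr in attr_map.items():
        values = entry.get(attr) or []
        mapped[field] = values[0].decode("utf-8") if values else ""
    return mapped


# Constructed sample: the shape python-ldap hands back for one AD account
# that has no mail attribute set.
SAMPLE_ENTRY = {
    "sAMAccountName": [b"jdoe"],
    "givenName": [b"Jane"],
    "sn": [b"Doe"],
}

if __name__ == "__main__":
    print(build_user_search("jdoe"))
    print(build_user_search("j*doe"))   # the wildcard is kept literal
    print(map_user_attrs(SAMPLE_ENTRY))
```

The attribute lookup is case-sensitive in this stand-in, so the names in USER_ATTR_MAP must match the casing the server returns (Active Directory returns givenName, sn, mail and sAMAccountName as spelled here). If your directory keeps the login name in a different attribute, change USER_SEARCH_FILTER rather than the escaping.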

msvabik
Posts: 1
Joined: Tue Sep 24, 2019 12:38 pm

Re: LDAP integration

Post by msvabik » Tue Sep 24, 2019 12:47 pm

Hello,
in step 3 "Active Directory Integration" there is an error in the code:
under the


except get_user_model().DoesNotExist:
missing:


return None
good luck
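Added example, not code from this thread or from Mayan/Django: the backend chain that the AUTHENTICATION_BACKENDS tuple sets up (LDAP first, local users as the fallback rosarior describes), together with the EmailOrUsernameModelBackend from step 3 including the return None that msvabik points out. Django's authenticate() loop, the user table, the password hashing and the directory are stand-ins written here so the example runs without Django or an LDAP server; all users and passwords are constructed.

```python
# Added example, not code from the thread or from Mayan/Django: the
# AUTHENTICATION_BACKENDS chain reduced to plain Python, with the corrected
# EmailOrUsernameModelBackend. Users, passwords and the directory are
# constructed stand-ins.
import hashlib
import hmac
import os


class DoesNotExist(Exception):
    pass


class MultipleObjectsReturned(Exception):
    pass


class User:
    """Stand-in for the Django user model: keeps a salted PBKDF2 hash."""

    def __init__(self, pk, username, email, password):
        self.pk, self.username, self.email = pk, username, email
        self.salt = os.urandom(16)
        self.digest = self._hash(password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password), self.digest)


class UserTable:
    """Stand-in for get_user_model().objects with Django's get() semantics."""

    def __init__(self, users):
        self.users = list(users)

    def get(self, **lookup):
        hits = [u for u in self.users
                if all(getattr(u, k) == v for k, v in lookup.items())]
        if not hits:
            raise DoesNotExist(lookup)
        if len(hits) > 1:
            raise MultipleObjectsReturned(lookup)
        return hits[0]


# Spend the same hashing time on unknown users as on known ones (Django's
# ModelBackend does the same) so response time does not reveal whether the
# account exists.
_DUMMY_USER = User(0, "", "", "dummy")


class EmailOrUsernameModelBackend:
    def __init__(self, table):
        self.table = table

    def authenticate(self, request=None, username=None, password=None, **kwargs):
        if username is None or password is None:
            return None
        lookup = {"email": username} if "@" in username else {"username": username}
        try:
            user = self.table.get(**lookup)
        except (DoesNotExist, MultipleObjectsReturned):
            _DUMMY_USER.check_password(password)
            return None  # the line the thread found missing: None lets Django move on
        return user if user.check_password(password) else None

    def get_user(self, user_id):
        try:
            return self.table.get(pk=user_id)
        except DoesNotExist:
            return None


class DirectoryBackend:
    """Stand-in for django_auth_ldap.backend.LDAPBackend: directory accounts only."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> User

    def authenticate(self, request=None, username=None, password=None, **kwargs):
        user = self.accounts.get(username)
        if user is None or not user.check_password(password):
            return None
        return user


def authenticate(backends, username, password):
    """Django's authenticate() loop: the first backend that returns a user
    wins; None means 'try the next backend'. Returns (backend name, user)."""
    for backend in backends:
        user = backend.authenticate(None, username=username, password=password)
        if user is not None:
            return type(backend).__name__, user
    return None, None


# Constructed data: three local users (two sharing an email) and one AD account.
LOCAL_USERS = UserTable([
    User(1, "alice", "alice@company.com", "local-pw-1"),
    User(2, "bob", "shared@company.com", "local-pw-2"),
    User(3, "carol", "shared@company.com", "local-pw-3"),
])
DIRECTORY = DirectoryBackend({"dave": User(100, "dave", "dave@company.com", "ad-pw")})
BACKENDS = (DIRECTORY, EmailOrUsernameModelBackend(LOCAL_USERS))
```

Run authenticate(BACKENDS, "dave", "ad-pw") and the directory backend answers; authenticate(BACKENDS, "alice", "local-pw-1") falls through to the local backend, which is the fallback rosarior guessed the file's author wanted. Two users sharing an email make the email lookup ambiguous, and the backend returns None for that case rather than letting the exception escape; with the empty except block from the original file, the module would not even import.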

mcrotsenburg
Posts: 4
Joined: Wed Sep 11, 2019 6:56 pm

Re: LDAP integration

Post by mcrotsenburg » Tue Sep 24, 2019 4:58 pm

msvabik wrote:
Tue Sep 24, 2019 12:47 pm
Hello,
in step 3 "Active Directory Integration" there is an error in the code:
under the


except get_user_model().DoesNotExist:
missing:


return None
good luck
I am a little unclear. Are you saying that the


return None
section should not be present?
