LDAP integration

Technical aspects, customization, code samples.

Re: LDAP integration

Post by msvabik »

Hi,
my ldap.py


from __future__ import absolute_import

from mayan.settings.production import *

import ldap
from django_auth_ldap.config import LDAPSearch

from django.contrib.auth import get_user_model

# NOTE(review): a live Django SECRET_KEY does not belong in a public post or
# in a settings file that gets shared. Django uses it to sign values, so a key
# that has been published should be treated as compromised and replaced.
SECRET_KEY = 'j1_j&28e_9s$%=tll(ili8=)!*@76o+*-zj78h(5hzi1-^ar1c'

# Disable referral chasing so searches behave against Active Directory.
ldap.set_option(ldap.OPT_REFERRALS, 0)

# Already the django-auth-ldap default; stated explicitly on purpose.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# NOTE(review): this is the string "False", which is truthy in Python, and the
# name is not one of the AUTH_LDAP_* settings -- confirm what, if anything,
# reads it.
LDAP_USER_AUTO_CREATION = "False"

# Directory connection parameters.
# NOTE(review): ldap:// on port 389 without StartTLS carries the bind password
# and every user's login password unencrypted; prefer ldaps:// or StartTLS.
LDAP_URL = "ldap://10.0.1.199:389/"
LDAP_BASE_DN = "DC=adip,DC=cz"
LDAP_ADDITIONAL_USER_DN = "CN=Users"
# NOTE(review): the bind account is the domain Administrator, far more
# privilege than a user lookup needs. A dedicated low-privilege service account
# with a strong password, kept out of this file, limits the damage if the web
# host is compromised.
LDAP_ADMIN_DN = "CN=Administrator,CN=Users,DC=adip,DC=cz"
LDAP_PASSWORD = "password"

# Names django-auth-ldap actually reads, fed from the values above.
AUTH_LDAP_SERVER_URI, AUTH_LDAP_BIND_DN, AUTH_LDAP_BIND_PASSWORD = (
    LDAP_URL, LDAP_ADMIN_DN, LDAP_PASSWORD,
)

# Search the whole subtree under "<additional user DN>,<base DN>" for the
# account whose sAMAccountName equals the login name.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    ','.join((LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN)),
    ldap.SCOPE_SUBTREE,
    '(samaccountname=%(user)s)',
)

# Django user field -> directory attribute.
AUTH_LDAP_USER_ATTR_MAP = dict(
    first_name='givenName',
    last_name='sn',
    email='mail',
)

# Backends are tried in this order: the directory first, then the local
# username-or-e-mail backend defined further down in this file.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'mayan.media.mayan_settings.ldap.EmailOrUsernameModelBackend',
)


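class EmailOrUsernameModelBackend(object):
    """
    Authentication backend that accepts either a username or an e-mail
    address and verifies the password stored in the local Django user table.

    NOTE(review): when this backend is listed after the LDAP backend, any
    account that has a usable local password can still log in here even if
    the directory rejects the login.

    NOTE(review): the signature has no ``request`` parameter; Django releases
    that always call ``authenticate(request, **credentials)`` cannot use this
    backend as written.
    """

    @staticmethod
    def _can_authenticate(user):
        """Return a falsy value only for accounts explicitly marked inactive."""
        active = getattr(user, 'is_active', None)
        return active or active is None

    def authenticate(self, username=None, password=None):
        """
        Return the matching user when ``password`` is correct, else None.

        A login containing '@' is looked up by e-mail, anything else by
        username. Deactivated accounts are rejected.
        """
        # Either credential may be missing; the original `'@' in username`
        # raised TypeError when username was None.
        if username is None or password is None:
            return None

        user_model = get_user_model()
        field = 'email' if '@' in username else 'username'
        try:
            user = user_model.objects.get(**{field: username})
        except user_model.DoesNotExist:
            # Hash the supplied password anyway so an unknown login takes about
            # as long as a wrong password and does not reveal which accounts
            # exist.
            user_model().set_password(password)
            return None
        except user_model.MultipleObjectsReturned:
            # E-mail addresses are not guaranteed unique; refuse the login
            # instead of letting the exception become a server error.
            return None

        if user.check_password(password) and self._can_authenticate(user):
            return user
        return None

    def get_user(self, username):
        """
        Return the user for a stored session, or None.

        Despite its name, ``username`` is used as the primary key of the user
        row. Deactivated accounts return None so their existing sessions stop
        working.
        """
        user_model = get_user_model()
        try:
            user = user_model.objects.get(pk=username)
        except user_model.DoesNotExist:
            return None
        return user if self._can_authenticate(user) else None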
error in /var/log/supervisor/


[2020-01-06 14:28:10 +0000] [1625] [INFO] Starting gunicorn 19.9.0
[2020-01-06 14:28:10 +0000] [1625] [INFO] Listening at: http://0.0.0.0:8000 (1625)
[2020-01-06 14:28:10 +0000] [1625] [INFO] Using worker: sync
[2020-01-06 14:28:10 +0000] [1660] [INFO] Booting worker with pid: 1660
[2020-01-06 14:28:10 +0000] [1662] [INFO] Booting worker with pid: 1662
[2020-01-06 14:28:11 +0000] [1662] [ERROR] Exception in worker process
Traceback (most recent call last):
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/gunicorn/arbiter.py", line 583, in spawn_worker
    worker.init_process()
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/gunicorn/workers/base.py", line 129, in init_process
    self.load_wsgi()
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/gunicorn/workers/base.py", line 138, in load_wsgi
    self.wsgi = self.app.wsgi()
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/gunicorn/app/base.py", line 67, in wsgi
    self.callable = self.load()
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/gunicorn/app/wsgiapp.py", line 52, in load
    return self.load_wsgiapp()
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/gunicorn/app/wsgiapp.py", line 41, in load_wsgiapp
    return util.import_app(self.app_uri)
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/gunicorn/util.py", line 350, in import_app
    __import__(module)
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/mayan/wsgi.py", line 15, in <module>
    application = get_wsgi_application()
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/django/core/wsgi.py", line 13, in get_wsgi_application
    django.setup(set_prefix=False)
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/django/__init__.py", line 22, in setup
    configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/django/conf/__init__.py", line 56, in __getattr__
    self._setup(name)
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/django/conf/__init__.py", line 41, in _setup
    self._wrapped = Settings(settings_module)
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/django/conf/__init__.py", line 110, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
  File "/opt/mayan-edms/lib/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/mayan/media/mayan_settings/ldap.py", line 5, in <module>
    import ldap
  File "/opt/mayan-edms/media/mayan_settings/ldap.py", line 6, in <module>
    from django_auth_ldap.config import LDAPSearch
  File "/opt/mayan-edms/local/lib/python3.6/site-packages/django_auth_ldap/config.py", line 36, in <module>
    import ldap.filter
ModuleNotFoundError: No module named 'ldap.filter'; 'ldap' is not a package
[2020-01-06 14:28:11 +0000] [1662] [INFO] Worker exiting (pid: 1662)
[2020-01-06 14:28:11 +0000] [1660] [ERROR] Exception in worker process
Mayan EDMS does not start.

Best regards, Michal


Re: LDAP integration

Post by rssfed23 »

That error is happening because the python-ldap package isn't installed anymore after your upgrade.

As I mentioned above, you will need to run the "/opt/mayan-edms/bin/pip install python-ldap django-auth-ldap" steps again after upgrading to 3.3.x


Re: LDAP integration

Post by msvabik »

Hello,
I have done this several times and without success ...


Requirement already satisfied: python-ldap in /opt/mayan-edms/lib/python3.6/site-packages (3.2.0)
Requirement already satisfied: django-auth-ldap in /opt/mayan-edms/lib/python3.6/site-packages (2.1.0)
Requirement already satisfied: pyasn1-modules>=0.1.5 in /opt/mayan-edms/lib/python3.6/site-packages (from python-ldap) (0.2.7)
Requirement already satisfied: pyasn1>=0.3.7 in /opt/mayan-edms/lib/python3.6/site-packages (from python-ldap) (0.4.8)
Requirement already satisfied: Django>=1.11 in /opt/mayan-edms/lib/python3.6/site-packages (from django-auth-ldap) (1.11.27)
Requirement already satisfied: pytz in /opt/mayan-edms/lib/python3.6/site-packages (from Django>=1.11->django-auth-ldap) (2019.1)
root@thor:~#


Re: LDAP integration

Post by rssfed23 »

Can you try:


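# Headers and libraries needed to compile python-ldap's C extension.
# python3-dev (rather than python-dev) supplies the headers for a Python 3
# virtualenv such as the /opt/mayan-edms one used in this thread.
sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev
# Install into Mayan's virtualenv, not the system Python.
/opt/mayan-edms/bin/pip install pyldap ldap3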
See if that helps. Someone else reported similar on stackoverflow and needed pyldap (rather than python-ldap) to get it working.


Re: LDAP integration

Post by msvabik »

Thank you for your response and advice.
I performed a clean install and restored the data from the backup.
Mayan-edms works OK without ldap.
I installed python-ldap and django-auth-ldap, set the configuration to ldap.py (as above) and got into the same state as before the reinstallation.
I tried:
Can you try:


sudo apt-get install -y libsasl2-dev python-dev libldap2-dev libssl-dev
/opt/mayan-edms/bin/pip install pyldap ldap3

See if that helps. Someone else reported similar on stackoverflow and needed pyldap (rather than python-ldap) to get it working.
Without success.


Re: LDAP integration

Post by rssfed23 »

Thanks for trying that.

As that didn’t work, I’ve logged an issue on Gitlab for the team to investigate to see if this is a local environment issue or bug in Mayan itself: https://gitlab.com/mayan-edms/mayan-edms/issues/743
I recommend you subscribe to that issue (notifications on the right hand side) so you can be notified of updates but I will report back here when an update is known.

Thanks,
Rob


Re: LDAP integration

Post by rssfed23 »

Msvabik, there is an update on the Gitlab issue. If you're able to sign up and comment on that it would be appreciated, but it does look like this isn't an issue with Mayan itself but a missing package on the system still.

Rob


Re: LDAP integration

Post by msvabik »

Fixed, ldap authentication is working.
Follow this link: https://stackoverflow.com/questions/386 ... nding-ldap
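I renamed the ldap.py file in /opt/mayan-edms/media/mayan_settings/ to ldaplogin.py. Because the settings file was itself named ldap.py, "import ldap" picked up the settings file instead of the python-ldap package, which is what the "'ldap' is not a package" error in the traceback above means. I edited the code in ldaplogin.py on line 41 (the backend path in AUTHENTICATION_BACKENDS) and now everything is working.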


from __future__ import absolute_import

from mayan.settings.production import *

import ldap
from django_auth_ldap.config import LDAPSearch

from django.contrib.auth import get_user_model

# NOTE(review): a live Django SECRET_KEY does not belong in a public post or
# in a settings file that gets shared. Django uses it to sign values, so a key
# that has been published should be treated as compromised and replaced.
SECRET_KEY = 'ln!&jmryilq!r_$ux=7py%b54(_z(xq@%0#@743t8u%$wt7%m!'

# Disable referral chasing so searches behave against Active Directory.
ldap.set_option(ldap.OPT_REFERRALS, 0)

# Already the django-auth-ldap default; stated explicitly on purpose.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# NOTE(review): this is the string "False", which is truthy in Python, and the
# name is not one of the AUTH_LDAP_* settings -- confirm what, if anything,
# reads it.
LDAP_USER_AUTO_CREATION = "False"

# Directory connection parameters.
# NOTE(review): ldap:// on port 389 without StartTLS carries the bind password
# and every user's login password unencrypted; prefer ldaps:// or StartTLS.
LDAP_URL = "ldap://10.0.1.199:389/"
LDAP_BASE_DN = "DC=adip,DC=cz"
LDAP_ADDITIONAL_USER_DN = "CN=Users"
# NOTE(review): the bind account is the domain Administrator, far more
# privilege than a user lookup needs. A dedicated low-privilege service account
# with a strong password, kept out of this file, limits the damage if the web
# host is compromised.
LDAP_ADMIN_DN = "CN=Administrator,CN=Users,DC=adip,DC=cz"
LDAP_PASSWORD = "password"

# Names django-auth-ldap actually reads, fed from the values above.
AUTH_LDAP_SERVER_URI, AUTH_LDAP_BIND_DN, AUTH_LDAP_BIND_PASSWORD = (
    LDAP_URL, LDAP_ADMIN_DN, LDAP_PASSWORD,
)

# Search the whole subtree under "<additional user DN>,<base DN>" for the
# account whose sAMAccountName equals the login name.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    ','.join((LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN)),
    ldap.SCOPE_SUBTREE,
    '(samaccountname=%(user)s)',
)

# Django user field -> directory attribute.
AUTH_LDAP_USER_ATTR_MAP = dict(
    first_name='givenName',
    last_name='sn',
    email='mail',
)

# Backends are tried in this order: the directory first, then the local
# username-or-e-mail backend defined further down in this file. The dotted
# path must match this file's module name (ldaplogin), which must not be the
# name of an installed package such as "ldap".
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'mayan.media.mayan_settings.ldaplogin.EmailOrUsernameModelBackend',
)


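class EmailOrUsernameModelBackend(object):
    """
    Authentication backend that accepts either a username or an e-mail
    address and verifies the password stored in the local Django user table.

    NOTE(review): when this backend is listed after the LDAP backend, any
    account that has a usable local password can still log in here even if
    the directory rejects the login.

    NOTE(review): the signature has no ``request`` parameter; Django releases
    that always call ``authenticate(request, **credentials)`` cannot use this
    backend as written.
    """

    @staticmethod
    def _can_authenticate(user):
        """Return a falsy value only for accounts explicitly marked inactive."""
        active = getattr(user, 'is_active', None)
        return active or active is None

    def authenticate(self, username=None, password=None):
        """
        Return the matching user when ``password`` is correct, else None.

        A login containing '@' is looked up by e-mail, anything else by
        username. Deactivated accounts are rejected.
        """
        # Either credential may be missing; the original `'@' in username`
        # raised TypeError when username was None.
        if username is None or password is None:
            return None

        user_model = get_user_model()
        field = 'email' if '@' in username else 'username'
        try:
            user = user_model.objects.get(**{field: username})
        except user_model.DoesNotExist:
            # Hash the supplied password anyway so an unknown login takes about
            # as long as a wrong password and does not reveal which accounts
            # exist.
            user_model().set_password(password)
            return None
        except user_model.MultipleObjectsReturned:
            # E-mail addresses are not guaranteed unique; refuse the login
            # instead of letting the exception become a server error.
            return None

        if user.check_password(password) and self._can_authenticate(user):
            return user
        return None

    def get_user(self, username):
        """
        Return the user for a stored session, or None.

        Despite its name, ``username`` is used as the primary key of the user
        row. Deactivated accounts return None so their existing sessions stop
        working.
        """
        user_model = get_user_model()
        try:
            user = user_model.objects.get(pk=username)
        except user_model.DoesNotExist:
            return None
        return user if self._can_authenticate(user) else None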


Re: LDAP integration

Post by rssfed23 »

Glad to hear you got it resolved. I've submitted an MR to the FAQ so that it can be updated to point to the GitLab issue in case others experience the same: https://gitlab.com/mayan-edms/mayan-edm ... equests/71


Re: LDAP integration

Post by ebotzki »

Hi,

I am having trouble getting the LDAP integration to work on a direct install. I don't see any errors in the supervisor log file for Mayan, but I also don't see anything about the LDAP connection that would show whether it is binding, let alone whether I have the mappings right. Any help would be great. I'm not really sure what else to try. I have followed all the posts I can find, as well as the guide on the forums, and I'm still lost. Even just being pointed to where the logs should be would be helpful, because the supervisor logs say it's running fine.

Here is my mayan.conf


; NOTE(review): lines ending in "$" appear to have been cut off by the
; terminal or editor this listing was copied from; the real values continue.
; NOTE(review): the environment below carries the Redis and database
; passwords, so this file should be readable only by root.
; NOTE(review): PYTHONPATH puts the settings directory on the import path, so
; a settings file named after an installed package would be imported in place
; of that package.
; NOTE(review): MAYAN_ALLOWED_HOSTS="['*']" accepts any Host header; list the
; real hostnames once the deployment works.
; NOTE(review): the MAYAN_DATABASES value has no visible closing brace or
; quote (lost to redaction or truncation), so as shown it is incomplete.
[supervisord]
environment=
    PYTHONPATH="/opt/mayan-edms/media/mayan_settings", 
    DJANGO_SETTINGS_MODULE=mayan.media.mayan_settings.ldap_connection_settings,
    MAYAN_MEDIA_ROOT="/opt/mayan-edms/media",
    MAYAN_ALLOWED_HOSTS="['*']",
    MAYAN_CELERY_RESULT_BACKEND="redis://:REDACTED@127.0.0.1:6379/1",
    MAYAN_CELERY_BROKER_URL="redis://:REDACTED@127.0.0.1:6379/0",
    MAYAN_DATABASES="{default: {ENGINE: django.db.backends.postgresql, HOST: 127.0.0.1, NAME: REDACTED, PASSWORD: REDAXTED
    MAYAN_PIP_INSTALLS="python-ldap django_auth_ldap pyldap ldap3",
    MAYAN_APT_INSTALLS="libsasl2-dev python3-dev libldap2-dev libssl-dev libgle3 build-essential autoconf libtool pkg-confi$
    MAYAN_SETTINGS_MODULE=mayan_settings.ldap_connection_settings,


; Web front end: gunicorn serving mayan.wsgi with two sync workers, run as
; the unprivileged "mayan" user.
[program:mayan-gunicorn]
autorestart = true
autostart = true
command = /opt/mayan-edms/bin/gunicorn -w 2 mayan.wsgi --max-requests 500 --max-requests-jitter 50 --worker-class sync --bi$
user = mayan


; Celery worker for the "fast" queues, logging at ERROR level only.
[program:mayan-worker-fast]
autorestart = true
autostart = true
command = nice -n 1 /opt/mayan-edms/bin/celery worker -A mayan -Ofair -l ERROR -Q document_states_fast,converter,sources_fa$
killasgroup = true
numprocs = 1
priority = 998
startsecs = 10
stopwaitsecs = 1
user = mayan

; Celery worker for the "medium" queues.
; NOTE(review): stopwaitsecs appears twice in this section.
[program:mayan-worker-medium]
autorestart = true
autostart = true
command = nice -n 18 /opt/mayan-edms/bin/celery worker -A mayan -Ofair -l ERROR -Q default,checkouts_periodic,indexing,sign$
killasgroup = true
numprocs = 1
priority = 998
startsecs = 10
stopwaitsecs = 1
stopwaitsecs = 1
user = mayan

; Celery worker for the "slow" queues, run at the lowest CPU priority.
[program:mayan-worker-slow]
autorestart = true
autostart = true
command = nice -n 19 /opt/mayan-edms/bin/celery worker -A mayan -Ofair -l ERROR -Q statistics,tools,common_periodic,parsing$
killasgroup = true
numprocs = 1
priority = 998
startsecs = 10
stopwaitsecs = 1
user = mayan

; Celery beat scheduler; "--pidfile=" is passed with an empty value.
[program:mayan-celery-beat]
autorestart = true
autostart = true
command = nice -n 1 /opt/mayan-edms/bin/celery beat -A mayan --pidfile= -l ERROR
killasgroup = true
numprocs = 1
priority = 998
startsecs = 10
stopwaitsecs = 1
user = mayan
Here is my ldap_connection_settings.py which is in the opt/mayan-edms/media/mayan_settings/ directory


from __future__ import absolute_import

import ldap

from django_auth_ldap.config import (
    LDAPSearch, LDAPSearchUnion, NestedActiveDirectoryGroupType
)

from mayan.settings.production import *  # NOQA

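# Disable referral chasing so searches behave against Active Directory.
ldap.set_option(ldap.OPT_REFERRALS, False)

# Turn ON verbose libldap tracing while troubleshooting; remove this line once
# everything works as expected, because the trace may include directory
# traffic that should not end up in long-lived logs.
# NOTE(review): django-auth-ldap itself reports bind and search results
# through the "django_auth_ldap" logger, so they only become visible if
# Django's LOGGING setting routes that logger to a handler.
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)

# The django-auth-ldap default is True; with False, user fields are filled from
# the directory only when the account is first created.
AUTH_LDAP_ALWAYS_UPDATE_USER = False
SECRET_KEY = '*REDACTED'

# NOTE(review): with StartTLS off and an ldap:// URL on port 389, the bind
# password and every user's login password cross the network unencrypted.
# Prefer ldaps:// or StartTLS once the basic connection works.
AUTH_LDAP_START_TLS = False

LDAP_ADMIN_DN = 'REDACTED'
LDAP_BASE_DN = 'OU=REDACTED,DC=REDACTED,DC=REDACTED'
LDAP_PASSWORD = 'REDACTED'
# NOTE(review): this is the string 'False', which is truthy in Python, and the
# name is not one of the AUTH_LDAP_* settings -- confirm what, if anything,
# reads it.
LDAP_USER_AUTO_CREATION = 'False'
LDAP_URL = 'ldap://IP REDACTED:389/'

# Names django-auth-ldap actually reads.
AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD
AUTH_LDAP_SERVER_URI = LDAP_URL

# Simple search: look under the base DN, whole subtree, for the entry whose
# uid equals the login name.
# The posted call had unbalanced quotes and parentheses (possibly introduced
# while redacting) and was not valid Python; this is the presumably intended
# three-argument form -- confirm the base DN against the real value.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'OU=REDACTED,DC=REDACTED,DC=REDACTED',
    ldap.SCOPE_SUBTREE,
    '(uid=%(user)s)',
)

# Django user field -> directory attribute.
# NOTE(review): the login name field on Django's stock user model is
# "username"; the 'user' key presumably does not map to a model field --
# verify it is needed.
AUTH_LDAP_USER_ATTR_MAP = {
    'user': 'uid',
    'first_name': 'cn',
    'last_name': 'sn',
    'email': 'mail'
}

# Only the directory backend is enabled, so no local-password login is
# possible with this settings file.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
)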



and here is my
