Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ldap backend to st2auth #1790

Closed
wants to merge 5 commits into from
Closed

Add ldap backend to st2auth #1790

wants to merge 5 commits into from

Conversation

ruslantum
Copy link

Backend which reads authentication information from a ldap server

@jfryman
Copy link
Contributor

jfryman commented Aug 4, 2015

Nice!

Thanks for the code. Please make sure that all tests are passing. We'll take a look and provide you some comments so we can merge this in.

Stay tuned!

@Kami
Copy link
Member

Kami commented Aug 4, 2015

Yep, what james said - thanks for your contribution :)

I will review it and add inline comments shortly.

self._group_dn = group_dn

def authenticate(self, username, password):
search_filter = "uniqueMember=uid=" + username + "," + self._base_dn
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not that familiar with Python ldap package, but it seems like this opens up a potential injection and security vulnerability if you pass in bad value for username argument.

Is there any safer way to do it (e.g. some way to bind the parameters in the string) or do we need to validate and sanitize the username ourselves?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The search filter should also allow specifying which attribute of an LDAP entry is queried against. sAMAccountName for Active Directory comes to mind

@Kami
Copy link
Member

Kami commented Aug 4, 2015

I've added some in-line comments.

The pull request looks like a good start - thanks.

After the comments are addressed, it would also be good to add some tests and documentation on how to use this backend (see docs/source/authentication.rst for an example).

@ruslantum
Copy link
Author

I didn't find anything how to make the bind safer. And about the tests: I can write a unit test for the backend, but it will work only with my ldap server. How do I write a test which will work everywhere?

@Kami
Copy link
Member

Kami commented Aug 4, 2015

@ruslantum I will research bind situation later on.

As far as the tests go - unit tests where we mock some of the LDAP client methods should be sufficient for now (integration / end to end tests would also be nice, but that's not a big priority right now).

@manasdk
Copy link
Contributor

manasdk commented Aug 4, 2015

Btw, if we do plan on using python-ldap then the system on which the build (pip install python-ldap) will need to satisfy http://www.python-ldap.org/doc/html/installing.html#prerequisites.

This might need some work to update all our dev environments etc. Also, perhaps some changes will be necessary to update the travis and scrutinizer scripts :)

def authenticate(self, username, password):
search_filter = "uniqueMember=uid=" + username + "," + self._base_dn
try:
connect = ldap.initialize(self._ldap_server)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've checked the LDAP package documentation and it would also be good if we supported TLS (we can make it a config option).

See http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.start_tls_s

@Kami
Copy link
Member

Kami commented Aug 11, 2015

@ruslantum Sorry for the delay.

There is more work which needs to be done on my side before this can get merged - I need to add support for per-backend requirements file. This requires quite a bit of work and right now I'm busy with other things so I can't promise an ETA.

In any case, in the mean time I will also try to come up with a quick work-around so we can get this merged without breaking the build and installation without requiring me to do per-backed requirements stuff.

Kami added a commit to StackStorm/st2-auth-backend-ldap that referenced this pull request Aug 26, 2015
Note: This backend was originally contributed by Ruslan Tumarkin
(StackStorm/st2#1790).
@Kami
Copy link
Member

Kami commented Aug 26, 2015

Sorry for the delay, but I finally have some good news :)

I starting working on the "package per backend" model which means this pull request is now superseded by https://github.com/StackStorm/st2-auth-backend-ldap.

You will be able to install this backend when this PR is merged - #1881 (either when a new release with this change is available or as soon as the PR is merged if you are OK with using "dev" packages).

Thanks again.

@Kami Kami closed this Aug 26, 2015
@Kami
Copy link
Member

Kami commented Aug 26, 2015

@ruslantum When you have some time it would also be great if you can add some unit tests and open a PR against this repo - https://github.com/StackStorm/st2-auth-backend-ldap

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants