Metadata-Version: 2.1
Name: udata-ldap
Version: 0.3.5.dev59
Summary: LDAP authentication for udata with optional Kerberos support.
Home-page: https://github.com/opendatateam/udata-ldap
Author: Open Data Team
Author-email: contact@opendata.team
License: MIT
Keywords: udata LDAP
Platform: UNKNOWN
Classifier: Development Status :: 3 - Alpha
Classifier: Programming Language :: Python
Classifier: Environment :: Web Environment
Classifier: Operating System :: OS Independent
Classifier: Intended Audience :: Developers
Classifier: Topic :: System :: Software Distribution
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: ==2.7.*
Description-Content-Type: text/markdown
Requires-Dist: udata (>=1.4.0.dev)
Requires-Dist: flask-ldap3-login (==0.9.15)
Provides-Extra: kerberos
Requires-Dist: gssapi (==1.5.0) ; extra == 'kerberos'
Provides-Extra: test
Requires-Dist: httpretty (==0.9.5) ; extra == 'test'
Requires-Dist: mock (==2.0.0) ; extra == 'test'
Requires-Dist: pytest (==3.10.0) ; extra == 'test'
Requires-Dist: pytest-flask (==0.14.0) ; extra == 'test'
Requires-Dist: pytest-mock (==1.10.0) ; extra == 'test'
Requires-Dist: pytest-sugar (==0.9.2) ; extra == 'test'

# udata-ldap

LDAP authentication for udata with optional Kerberos support.

## Requirements

To use LDAP only authentication, you only need the `udata-ldap` extension.

To use [`SASL`](https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) and [`SPNEGO`](https://en.wikipedia.org/wiki/SPNEGO), you need a working Kerberos client environment.

On Debian, you can install the requirements with:

```bash
apt-get install krb5-config krb5-user libkrb5-dev
```

You need to configure your domain in `/etc/krb5.conf`.
Here's a sample configuration for `DOMAIN.ORG`:

```ini
[libdefaults]
    default_realm = DOMAIN.ORG

[realms]
    DOMAIN.ORG = {
        # use "kdc = ..." if realm admins haven't put SRV records into DNS
        kdc = kdc.domain.org
        admin_server = kdc.domain.org:749
        default_domain = domain.org
        dns_lookup_realm = false
        dns_lookup_kdc = false
        rdns = false
    }

[domain_realm]
    domain.org = DOMAIN.ORG
    .domain.org = DOMAIN.ORG
```
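The realm name used as the `[realms]` block key, the `default_realm` and the `[domain_realm]` targets all have to agree, or `kinit`/SPNEGO fail with unhelpful "cannot find KDC" errors. The following is an added example, not part of `udata-ldap`, that parses a krb5.conf-style text and reports the common inconsistencies; the embedded configuration is a constructed sample with a deliberately mismatched realm block, and the checks it performs are this example's own choices. It runs unchanged on Python 2.7 and 3.

```python
"""Consistency check for the realm setup in a krb5.conf-style file.

Added example (not code from udata-ldap or MIT Kerberos). It looks for the
mistakes that most often make SASL/SPNEGO fail: a default_realm with no
[realms] block, a [domain_realm] mapping to an undefined realm, a realm
that turns off DNS KDC lookup without naming a kdc, and lower-case realms.
"""
import re

# Constructed sample: the [realms] block is named DATA.XPS while everything
# else refers to DOMAIN.ORG, so the checker must flag it.
BROKEN_KRB5_CONF = """
[libdefaults]
    default_realm = DOMAIN.ORG

[realms]
    DATA.XPS = {
        kdc = kdc.domain.org        # explicit KDC, so no SRV lookup is needed
        dns_lookup_kdc = false
    }

[domain_realm]
    domain.org = DOMAIN.ORG
    .domain.org = DOMAIN.ORG
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; the [realms] section maps name -> settings."""
    sections = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section = header.group(1)
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        if line.endswith('{'):                 # start of a "NAME = {" realm block
            realm = line[:-1].rstrip(' =').strip()
            sections[section][realm] = {}
            continue
        if line == '}':
            realm = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if realm is not None:
            sections[section][realm][key] = value
        else:
            sections[section][key] = value
    return sections


def check_krb5_conf(text):
    """Return a list of human-readable problems; an empty list means consistent."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get('libdefaults', {})
    realms = conf.get('realms', {})
    problems = []

    default_realm = libdefaults.get('default_realm')
    if not default_realm:
        problems.append('libdefaults: no default_realm set')
    elif default_realm not in realms:
        problems.append('realms: no block for default_realm %s (found: %s)'
                        % (default_realm, ', '.join(sorted(realms)) or 'none'))

    for name, settings in realms.items():
        if name != name.upper():
            problems.append('realms: %s is not upper-case; realm names are case-sensitive' % name)
        # krb5 defaults dns_lookup_kdc to true; only an explicit "false" needs a kdc line
        dns_lookup_kdc = settings.get('dns_lookup_kdc', libdefaults.get('dns_lookup_kdc', 'true'))
        if dns_lookup_kdc.lower() == 'false' and 'kdc' not in settings:
            problems.append('realms: %s disables DNS KDC lookup but has no kdc= entry' % name)

    for domain, target in conf.get('domain_realm', {}).items():
        if target not in realms:
            problems.append('domain_realm: %s maps to undefined realm %s' % (domain, target))
    return problems


if __name__ == '__main__':
    for problem in check_krb5_conf(BROKEN_KRB5_CONF):
        print(problem)
```

To check a real file, pass `open('/etc/krb5.conf').read()` to `check_krb5_conf`; the parser only understands the flat `key = value` and `NAME = { ... }` forms used in the sample above, not `include`/`includedir` directives.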

## Usage

Install the plugin package in your udata environment:

```bash
pip install udata-ldap
```

Then activate it in your `udata.cfg`:

```python
PLUGINS = ['ldap']
```

**NB**: if using Kerberos SASL and/or SPNEGO, install it with:

```bash
pip install udata-ldap[kerberos]
```

## Configuration

`udata-ldap` is built on [`flask-ldap3-login`](https://flask-ldap3-login.readthedocs.io/en/latest/index.html) and therefore accepts the same parameters, described [here](https://flask-ldap3-login.readthedocs.io/en/latest/configuration.html).

Some extra parameters are available:

| Parameter | Default value | Notes |
|-----------|---------------|-------|
| `LDAP_DEBUG` | `False` | Enable verbose/debug logging |
| `LDAP_KERBEROS_KEYTAB` | `None` | Path to an optional Kerberos keytab for this service |
| `LDAP_KERBEROS_SERVICE_NAME` | `'HTTP'` | The service principal as configured in the keytab |
| `LDAP_KERBEROS_SERVICE_HOSTNAME` | `socket.getfqdn()` | The service hostname (e.g. `data.domain.com`) |
| `LDAP_KERBEROS_SPNEGO` | `False` | Whether or not to enable passwordless authentication with SPNEGO |
| `LDAP_KERBEROS_SPNEGO_NO_REALM` | `True` | Automatically remove `@REALM` from the SPNEGO/REMOTE_USER identifier |
| `LDAP_REMOTE_USER_ATTR` | `'uid'` | The LDAP attribute matched against the identifier extracted from the SPNEGO handshake |
| `LDAP_USER_FIRST_NAME_ATTR` | `'givenName'` | The LDAP attribute to extract the first name from |
| `LDAP_USER_LAST_NAME_ATTR` | `'sn'` | The LDAP attribute to extract the last name from |
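The SPNEGO-related settings in the table describe a small pipeline: take the `REMOTE_USER` principal the handshake produced, optionally drop its `@REALM` suffix, look the result up under `LDAP_REMOTE_USER_ATTR`, and fill the profile from the configured name attributes. The block below is an added example of that pipeline, not code from `udata-ldap` or `flask-ldap3-login`. Two things in it are this example's own assumptions rather than documented behaviour of the plugin: the realm is only stripped when it equals a configured `EXPECTED_REALM` (a principal from another realm is rejected instead of being silently mapped onto a local `uid`), and the identifier is escaped per RFC 4515 before it is embedded in the search filter, so a crafted principal cannot alter the filter. The `SETTINGS` dictionary and `EXPECTED_REALM` are constructed values mirroring the table.

```python
"""Mapping a SPNEGO/REMOTE_USER principal to an LDAP user lookup.

Added example, not the plugin's code. The realm check and the filter
escaping are hardening steps assumed here, not features of udata-ldap.
"""

# Constructed settings mirroring the configuration table.
SETTINGS = {
    'LDAP_REMOTE_USER_ATTR': 'uid',
    'LDAP_KERBEROS_SPNEGO_NO_REALM': True,
    'LDAP_USER_FIRST_NAME_ATTR': 'givenName',
    'LDAP_USER_LAST_NAME_ATTR': 'sn',
}
EXPECTED_REALM = 'DOMAIN.ORG'   # hypothetical: the realm this service trusts

# RFC 4515 escapes for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def remote_user_to_login(remote_user, settings=SETTINGS, expected_realm=EXPECTED_REALM):
    """Turn 'alice@DOMAIN.ORG' into 'alice' when NO_REALM is on and the realm is trusted.

    Returns None for an empty principal or one from a different realm, so the
    caller refuses the login instead of mapping it onto a local account.
    """
    if not remote_user:
        return None
    login, sep, realm = remote_user.rpartition('@')
    if not sep:
        return remote_user                  # bare login, no realm component
    if not login or realm != expected_realm:
        return None                         # foreign or malformed principal
    if settings['LDAP_KERBEROS_SPNEGO_NO_REALM']:
        return login
    return remote_user                      # keep the full principal as identifier


def build_user_filter(login, settings=SETTINGS):
    """Build the (attr=value) filter used to find the user, with the value escaped."""
    return '(%s=%s)' % (settings['LDAP_REMOTE_USER_ATTR'], escape_filter_value(login))


def profile_from_entry(entry, settings=SETTINGS):
    """Extract first/last name from an LDAP entry (attribute -> list of values)."""
    def first(attr):
        values = entry.get(attr) or []
        return values[0] if values else ''
    return {
        'first_name': first(settings['LDAP_USER_FIRST_NAME_ATTR']),
        'last_name': first(settings['LDAP_USER_LAST_NAME_ATTR']),
    }


if __name__ == '__main__':
    # Constructed LDAP entry standing in for a search result.
    entry = {'uid': ['alice'], 'givenName': ['Alice'], 'sn': ['Martin']}
    for principal in ('alice@DOMAIN.ORG', 'alice@OTHER.EXAMPLE', 'a*(b)'):
        login = remote_user_to_login(principal)
        print(principal, '->', login, build_user_filter(login) if login else 'rejected')
    print(profile_from_entry(entry))
```

With `LDAP_KERBEROS_SPNEGO_NO_REALM = False` the full principal is kept, so `LDAP_REMOTE_USER_ATTR` then has to name an attribute that stores `user@REALM` (for instance a principal attribute on FreeIPA) rather than `uid`.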

## Testing configuration

`udata-ldap` provides two commands to help with the configuration:

- `udata ldap config` will display the LDAP configuration seen by `udata`
- `udata ldap check` lets you quickly test your LDAP configuration.
- `udata ldap krbcheck` lets you quickly test your Kerberos configuration.

## Testing locally with docker

An example `docker-compose.yml` is provided to test locally with a FreeIPA server.

To use it, you need to copy the file `ipa-server-install-options.example` to `ipa-server-install-options` and edit it with your own parameters.

**ex:**

```
--unattended
--realm=DOMAIN.ORG
--domain=DOMAIN.ORG
--ds-password=password
--admin-password=password
```

# Changelog

## Current (in progress)

- Fix packaging

## 0.3.4 (2018-11-23)

- Fix negotiate and REMOTE_USER email extraction
- Fix some command line encoding errors

## 0.3.3 (2018-11-09)

- Internal: extracted all Kerberos handling into its own module
- Kerberos: handle REALM removal from SPNEGO/REMOTE_USER identifier

## 0.3.2 (2018-10-16)

- Fix some console encoding error
- Fix LDAP values extraction
- Make all LDAP attributes mapping to user profile configurable

## 0.3.1 (2018-10-11)

- Renamed `LDAP_USER_SPNEGO_ATTR` into `LDAP_REMOTE_USER_ATTR` for consistency
- Fix login form using SPNEGO attribute for login

## 0.3.0 (2018-10-09)

- Display errors on login form
- Force email into the login form
- Fix encoding errors in ldap commands
- Update user on login
- Start handling errors on negotiate view
- Display a page when trying automatic login without credentials
- Add translations

## 0.2.1 (2018-10-08)

- Fix the "automatic login" link
- More logging

## 0.2.0

- More tests
- Hide debug log unless `LDAP_DEBUG = True`
- Remove buggy default `LDAP_*` settings

## 0.1.0

Initial release