#11501: User authentication via LDAP
---------------------------+------------------------------------------------
Reporter: rmartinjak | Owner: jason, mpatel, was
Type: enhancement | Status: new
Priority: minor | Milestone:
Component: notebook | Keywords: notebook, auth, ldap
Work_issues: | Upstream: N/A
Reviewer: | Author: Robin Martinjak
Merged: | Dependencies:
---------------------------+------------------------------------------------
Comment(by rmartinjak):
Replying to [comment:3 ijstokes]:
> Copied over from discussion on sage-notebook.
> 1. Which python-ldap instructions from Rado are you referring to? I had
> trouble easy_installing python-ldap with Sage 4.7, and had to download it,
> configure setup.cfg by hand, and compile it. I had to get a recent
> version of OpenLDAP and BerkeleyDB for this to work. If those steps are
> not required, I'd love to know what I did wrong.
My bad, the comment went horribly wrong.
I meant Rado's instructions for getting his flask notebook running (he also
uses easy_install from sage's ipython), on top of which my patch is based.
To get python-ldap easy_install'ed you need OpenLDAP's libldap, but I can't
confirm if that suffices.
> 2. Why did you do: class ExtAuthUserManager(OpenIDUserManager)? It
> would seem to me that this should be reversed. ExtAuthUserManager should
> be the generic class, and OpenIDUserManager should turn into an OpenIDAuth
> option in the _auth_methods dict.
You are right. I'm not experienced with OpenID so I have no idea if/how
this can be done.
> 3. I would suggest making a list of _auth_methods keys which can be
> ordered so it is predictable which auth_method is being used first,
> second, etc.
I'd favour that too, but unfortunately lists of preset values cannot be
configured in the UI (yet).
> 4. It doesn't seem very nice to have OpenID-specific references anywhere
> inside ExtAuthUserManager (__init__ and a few OpenID-specific methods).
Indeed. I didn't want to break functionality, and OpenID seems to be a
quite special case. This should be changed if possible.
> 5. Can you point me at some details of how the "conf" system works?
> Where does this come from on disk? What is passed to the constructor?
A reference to a ServerConfiguration (server_conf.py) object is passed.
Configuration is done in the browser UI (settings -> notebook settings).
> 6. I would have the conf file specify the full URL to the LDAP host,
> rather than have "host" and "port" configs. We use: ldaps://hostname
Right! I will change that immediately; I completely forgot about ldap'''s'''.
> 7. Please can you provide an example configuration file? In particular,
> I'm interested in: result = self._ldap_search [...]
> 8. I think you should just set up the LDAP connection once in the
> constructor. I *think* Python LDAP will manage the connection
> intelligently.
> 9. check_password seems a bit convoluted -- it does two binds: once to
> get the DN, and once to check the password. I'd prefer the model above.
The first bind is with a "generic" DN (i.e. a non-user account).
After the bind succeeds, LDAP is queried for an object which (italic ==
configurable item):
* is below ''ldap_basedn'' (this could be
cn=users,cn=portal,dc=nebiogrid,dc=org)
* has an attribute ''ldap_username_attribute'' that exactly matches <username>
The generic DN is then unbound and either one LDAP object or "None" is
returned. After unbinding, the connection must be reset with
ldap.initialize.
If a unique object is returned, we use that object's DN and the provided
<password> to try and bind with LDAP. If that succeeds, the user has
successfully logged in.
See this screenshot for a config example:
http://rmartinjak.de/notebooksettings.png
> 10. Sage stores a little bit of additional per-user state:
> suspended/active and worksheet timeouts or auto-save (can't remember).
> TTBOMK the OpenID system gets around this by creating a Sage user when
> someone authenticates for the first time. Do you inherit the same
> behavior? I can't see where this happens.
Done in ExtAuthUM's "_user()".
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/11501#comment:4>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
--
You received this message because you are subscribed to the Google Groups
"sage-trac" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/sage-trac?hl=en.
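The check_password flow described in comment 4 (bind with a generic service DN, search below ldap_basedn for exactly one object whose ldap_username_attribute matches the username, unbind, re-initialize, then bind as the DN that was found), as an added example that is not part of the ticket, the patch under review, or python-ldap. It runs offline against a constructed in-memory directory: FakeLdapConnection only borrows python-ldap's simple_bind_s / search_s / unbind_s method names, and LdapConfig, DIRECTORY, CONFIG, connect and every DN and password in it are assumptions made for this example. It also adds two checks the comment does not mention but a reviewer would ask for: the username is RFC 4515 filter-escaped before it is placed in the search filter, and an empty password is refused up front, because RFC 4513 treats a DN with an empty password as an unauthenticated bind that many servers accept as anonymous.

```python
"""Two-bind LDAP login check, run offline against a constructed directory.
Added example, not Sage notebook or python-ldap code: FakeLdapConnection only
mirrors python-ldap's simple_bind_s / search_s / unbind_s method names."""
import re
from dataclasses import dataclass

class LdapError(Exception): pass            # any failure the directory reports
class InvalidCredentials(LdapError): pass   # like ldap.INVALID_CREDENTIALS

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

@dataclass
class LdapConfig:             # assumed shape of the notebook's LDAP settings
    uri: str                  # full URL such as ldaps://host (item 6 above)
    bind_dn: str              # the "generic" non-user DN for the first bind
    bind_password: str
    basedn: str               # ldap_basedn
    username_attribute: str   # ldap_username_attribute

_FILTER = re.compile(r"^\((\w+)=(.*)\)$", re.DOTALL)

def _compile_filter(flt: str):
    """Parse one '(attr=value)' filter; an unescaped '*' is a wildcard."""
    attr, raw = _FILTER.match(flt).groups()
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):        # \xx escape -> literal
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if raw[i] == "*" else re.escape(raw[i]))
            i += 1
    return attr.lower(), re.compile("".join(parts), re.DOTALL)

class FakeLdapConnection:   # stand-in for ldap.LDAPObject over dn -> {attr: [values]}
    def __init__(self, directory: dict):
        self._dir, self._bound_dn, self._open = directory, None, True

    def simple_bind_s(self, dn: str, password: str) -> None:
        if not self._open:
            raise LdapError("unbound connection; ldap.initialize again")
        if password == "":          # RFC 4513 5.1.2: unauthenticated bind,
            self._bound_dn = None   # accepted as anonymous. Never a login.
            return
        if self._dir.get(dn, {}).get("userpassword") != [password]:
            raise InvalidCredentials(dn)
        self._bound_dn = dn

    def search_s(self, base: str, flt: str) -> list:
        if not self._open or self._bound_dn is None:
            raise LdapError("search needs an open, authenticated connection")
        attr, pattern = _compile_filter(flt)
        suffix = "," + base.lower()
        return [(dn, attrs) for dn, attrs in self._dir.items()
                if dn.lower().endswith(suffix)
                and any(pattern.fullmatch(v) for v in attrs.get(attr, []))]

    def unbind_s(self) -> None:
        self._bound_dn, self._open = None, False

def check_password(connect, cfg: LdapConfig, username: str, password: str) -> bool:
    """Service bind + search for the user's DN, then bind as that DN."""
    if password == "":
        return False                # would be an unauthenticated bind
    conn = connect(cfg.uri)
    try:
        conn.simple_bind_s(cfg.bind_dn, cfg.bind_password)
        flt = "(%s=%s)" % (cfg.username_attribute, escape_filter_value(username))
        results = conn.search_s(cfg.basedn, flt)
    finally:
        conn.unbind_s()
    if len(results) != 1:
        return False                # unknown or ambiguous user: no login
    user_dn = results[0][0]
    conn = connect(cfg.uri)         # fresh connection after the unbind
    try:
        conn.simple_bind_s(user_dn, password)
    except InvalidCredentials:
        return False
    finally:
        conn.unbind_s()
    return True

# Constructed sample directory; the base DN is the one named in comment 4.
BASE = "cn=users,cn=portal,dc=nebiogrid,dc=org"
SERVICE_DN = "cn=notebook,cn=services,dc=nebiogrid,dc=org"
DIRECTORY = {
    "uid=alice," + BASE: {"uid": ["alice"], "userpassword": ["alice-pw"]},
    "uid=bob," + BASE: {"uid": ["bob"], "userpassword": ["bob-pw"]},
    SERVICE_DN: {"cn": ["notebook"], "userpassword": ["service-pw"]}}
CONFIG = LdapConfig("ldaps://ldap.example.invalid", SERVICE_DN, "service-pw",
                    BASE, "uid")

def connect(uri: str) -> FakeLdapConnection:
    """Stands in for ldap.initialize(uri); refuses cleartext ldap:// URLs."""
    if not uri.startswith("ldaps://"):
        raise LdapError("refusing non-TLS LDAP URL: %s" % uri)
    return FakeLdapConnection(DIRECTORY)
```

With real python-ldap, connect() is ldap.initialize(uri), the failed user bind raises ldap.INVALID_CREDENTIALS, and ldap.filter.escape_filter_chars does the escaping shown in escape_filter_value. The fake directory understands only a single (attr=value) filter, which is enough to show why escaping matters: an unescaped "*" as the username turns the search into a match-all query, so the uniqueness check fails closed rather than the login succeeding as whichever user happens to come back first.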