#11501: User authentication via LDAP
---------------------------+------------------------------------------------
   Reporter:  rmartinjak   |          Owner:  jason, mpatel, was  
       Type:  enhancement  |         Status:  new                 
   Priority:  minor        |      Milestone:                      
  Component:  notebook     |       Keywords:  notebook, auth, ldap
Work_issues:               |       Upstream:  N/A                 
   Reviewer:               |         Author:  Robin Martinjak     
     Merged:               |   Dependencies:                      
---------------------------+------------------------------------------------

Comment(by rmartinjak):

 Replying to [comment:3 ijstokes]:

 > Copied over from discussion on sage-notebook. 1. Which python-ldap
 > instructions from Rado are you referring to?  I had trouble
 > easy_installing python-ldap with Sage 4.7, and had to download it,
 > configure setup.cfg by hand, and compile it.  I had to get a recent
 > version of OpenLDAP and BerkeleyDB for this to work.  If those steps are
 > not required, I'd love to know what I did wrong.

 My bad, the comment went horribly wrong.

 I meant Rado's instruction for getting his flask notebook running (he also
 uses easy_install from sage's ipython) on top of which my patch is based.

 To get python-ldap easy_install'ed you need OpenLDAP's libldap but I can't
 confirm if that suffices.

 > 2. Why did you do: class ExtAuthUserManager(OpenIDUserManager): It
 > would seem to me that this should be reversed.  ExtAuthUserManager should
 > be the generic class, and OpenIDUserManager should turn into an OpenIDAuth
 > option in the _auth_methods dict.

 You are right. I'm not experienced with OpenID so I have no idea if/how
 this can be done.

 > 3. I would suggest making a list of _auth_methods keys which can be
 > ordered so it is predictable which auth_method is being used first,
 > second, etc.

 I'd favour that too but unfortunately lists of preset values can not be
 configured in the UI (yet).

 > 4. It doesn't seem very nice to have OpenID-specific references anywhere
 > inside ExtAuthUserManager. (__init__ and a few OpenID specific methods).

 Indeed. I didn't want to break functionality and OpenID seems to be a
 quite special case. This should be changed if possible.

 > 5. Can you point me at some details of how the "conf" system works?
 > Where does this come from on disk?  What is passed to the constructor?

 A reference to a ServerConfiguration (server_conf.py) object is passed.
 Configuration is done in the browser UI (settings -> notebook settings).

 > 6. I would have the conf file specify the full URL to the LDAP host,
 > rather than have "host" and "port" configs.  We use: ldaps://hostname

 Right! I will change that immediately, completely forgot about ldap'''s'''

 > 7. Please can you provide an example configuration file?  In particular,
 > I'm interested in: result = self._ldap_search [...] 8. I think you should
 > just setup the LDAP connection once in the constructor.  I *think* Python
 > LDAP will manage the connection intelligently.

 > 9. check_password seems a bit convoluted -- it does two binds: once to
 > get the DN, and once to check the password.  I'd prefer the model above.

 The first bind is with a "generic" DN (i.e. a non-user account).
 After the bind succeeds, LDAP is queried for an object which (italic ==
 configurable item):

  * is below ''ldap_basedn'' (this could be
 cn=users,cn=portal,dc=nebiogrid,dc=org)
  * attribute ''ldap_username_attribute'' exactly matches <username>

 The generic DN is then unbound and either one ldap object or "None" is
 returned. After unbinding, the connection must be reset with
 ldap.initialize.

 If a unique object is returned, we use that object's DN and the provided
 <password> to try and bind with ldap. If that succeeds, the user has
 successfully logged in.

 See this screenshot for a config example:
 http://rmartinjak.de/notebooksettings.png

 > 10. Sage stores a little bit of additional per-user state:
 > suspended/active and worksheet timeouts or auto-save (can't remember).
 > TTBOMK the OpenID system gets around this by creating a Sage user when
 > someone authenticates for the first time.  Do you inherit the same
 > behavior?  I can't see where this happens.

 Done in ExtAuthUM's "_user()".

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/11501#comment:4>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
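The search-then-bind sequence described in the comment above (generic bind, search below the base DN for the configured username attribute, unbind, fresh connection, bind as the found DN), as an added example that is not the ticket's patch or Sage notebook code. A constructed in-memory FakeDirectory stands in for the LDAP server so it runs offline; its method names (initialize, simple_bind_s, search_s, unbind_s) and the SCOPE_SUBTREE and escape_filter_chars helpers mirror python-ldap's, so swapping `directory.initialize()` for `ldap.initialize(conf["ldap_uri"])` gives the real client. The example goes a little beyond the comment by adding the two checks a defender would want in that flow: the username is escaped before it is placed in the filter, and an empty password is refused before any bind, because many servers treat a DN-plus-empty-password bind as an anonymous bind that "succeeds". All DNs, names and secrets are constructed.

```python
"""Search-then-bind LDAP password check with a constructed in-memory directory."""
import re
from typing import Dict, List, Optional, Tuple

SCOPE_SUBTREE = 2  # numeric value of ldap.SCOPE_SUBTREE


class InvalidCredentials(Exception):
    """Stands in for ldap.INVALID_CREDENTIALS."""


def escape_filter_chars(value: str) -> str:
    """RFC 4515 escaping of user input placed inside a filter (same job as
    ldap.filter.escape_filter_chars); without it 'alice)(uid=*' rewrites the
    filter instead of being matched as a literal uid."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


class FakeConnection:
    """One connection to the constructed directory (mirrors an LDAPObject)."""

    def __init__(self, directory: "FakeDirectory") -> None:
        self.directory = directory
        self.bound_as: Optional[str] = None

    def simple_bind_s(self, who: str, cred: str) -> None:
        # Many servers (Active Directory among them) treat a bind with an empty
        # password as an anonymous bind that succeeds; the fake models that,
        # which is why check_password() refuses empty passwords up front.
        if cred == "":
            self.bound_as = ""
            return
        if self.directory.passwords.get(who) != cred:
            raise InvalidCredentials(who)
        self.bound_as = who

    def search_s(self, base: str, scope: int, filterstr: str,
                 attrlist: Optional[List[str]] = None) -> List[Tuple[str, Dict[str, List[str]]]]:
        """Supports only the '(attr=value)' equality filter the check builds."""
        match = re.fullmatch(r"\((\w+)=(.*)\)", filterstr)
        if match is None:
            raise ValueError("unsupported filter: %r" % filterstr)
        attr, raw = match.group(1), match.group(2)
        # Decode \xx escapes back into the literal value being compared.
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        hits = []
        for dn, attrs in self.directory.entries.items():
            if dn.lower().endswith(base.lower()) and value in attrs.get(attr, []):
                hits.append((dn, {k: v for k, v in attrs.items() if not attrlist or k in attrlist}))
        return hits

    def unbind_s(self) -> None:
        self.bound_as = None


class FakeDirectory:
    """Constructed directory: entries keyed by DN plus the password per DN."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]], passwords: Dict[str, str]) -> None:
        self.entries = entries
        self.passwords = passwords

    def initialize(self) -> FakeConnection:  # real code: ldap.initialize(uri)
        return FakeConnection(self)


def check_password(directory: FakeDirectory, conf: Dict[str, str], username: str, password: str) -> bool:
    """Generic bind, search for exactly one user below ldap_basedn whose
    ldap_username_attribute equals username, then bind as that user's DN."""
    if password == "":
        return False  # would otherwise turn into an anonymous bind
    conn = directory.initialize()
    try:
        conn.simple_bind_s(conf["ldap_binddn"], conf["ldap_bindpw"])
        filt = "(%s=%s)" % (conf["ldap_username_attribute"], escape_filter_chars(username))
        results = conn.search_s(conf["ldap_basedn"], SCOPE_SUBTREE, filt, [conf["ldap_username_attribute"]])
    finally:
        conn.unbind_s()
    if len(results) != 1:  # no match, or an ambiguous one, is a failed login
        return False
    user_dn = results[0][0]
    conn = directory.initialize()  # an unbound connection cannot be reused
    try:
        conn.simple_bind_s(user_dn, password)
    except InvalidCredentials:
        return False
    finally:
        conn.unbind_s()
    return True


# Constructed sample data (example.org, not the reporter's deployment).
BASE = "cn=users,cn=portal,dc=example,dc=org"
SEARCH_DN = "cn=ldapsearch,cn=portal,dc=example,dc=org"
DIRECTORY = FakeDirectory(
    entries={
        SEARCH_DN: {"cn": ["ldapsearch"]},
        "uid=alice," + BASE: {"uid": ["alice"], "cn": ["Alice"]},
        "uid=carol,ou=staff," + BASE: {"uid": ["carol"]},
        "uid=carol,ou=alumni," + BASE: {"uid": ["carol"]},  # duplicate: ambiguous
        "uid=alice,ou=contractors,dc=example,dc=org": {"uid": ["alice"]},  # outside basedn
    },
    passwords={SEARCH_DN: "search-secret", "uid=alice," + BASE: "alice-pw",
               "uid=carol,ou=staff," + BASE: "carol-pw", "uid=carol,ou=alumni," + BASE: "carol-pw",
               "uid=alice,ou=contractors,dc=example,dc=org": "other-pw"},
)
CONF = {
    "ldap_uri": "ldaps://ldap.example.org",  # full URL, as item 6 suggests
    "ldap_binddn": SEARCH_DN, "ldap_bindpw": "search-secret",
    "ldap_basedn": BASE, "ldap_username_attribute": "uid",
}

if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("alice", "wrong"), ("alice", ""),
                     ("carol", "carol-pw"), ("alice)(uid=*", "alice-pw")]:
        print("%-14s %-10r -> %s" % (user, pw, check_password(DIRECTORY, CONF, user, pw)))
```

Only the first of the five sample logins succeeds: a wrong password fails on the user bind, an empty one is refused before any bind, "carol" matches two entries below the base DN and is treated as ambiguous, and the injected filter text is escaped so it matches no uid at all.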
