LDAP and Active Directory authentication and permission
=======================================================

The OpenSVC collector can delegate authentication to a third-party LDAP server (including Active Directory), and map LDAP groups to local groups. When configured to do so, no local user and group management is needed on the collector.

Login process
-------------

* The user is presented with a login form prompting for a user name (instead of the default email address) and a password
* The (username, password) tuple is passed to the LDAP server for authentication
* The LDAP server validates the credentials
* The collector does not store the password
* If the user does not exist locally, it is created
* If first name, last name and email attributes are found in the LDAP entry, they are stored locally too

If group management is activated and configured, the process continues:

* The collector fetches the user's groups from the LDAP server
* If a group mapping is configured, the LDAP group names are replaced with local group names
* Missing local groups are created
* The user is added to the resulting groups: the user's LDAP groups, or the local groups they were remapped to

Because the user's password is forwarded to the LDAP server for validation, the connection between the collector and the LDAP server must be protected (LDAPS or StartTLS); otherwise every login exposes a domain credential on the network.

Configuration
-------------

The collector configuration file is ``init/modules/config.py``

User authentication
+++++++++++++++++++

::

    ldap_mode = "ad"
    ldap_server = "ad.my.corp.com"
    ldap_bind_dn = "CN=admin,OU=IT,OU=Service accounts,OU=Users,OU=Managed objects,DC=ad,DC=mycorp,DC=com"
    ldap_bind_pw = "mysecret"
    ldap_base_dn = "DC=ad,DC=mycorp,DC=com"

The bind account password is stored in cleartext in ``config.py``. Use a dedicated, read-only service account for ``ldap_bind_dn``, and restrict read access to the configuration file to the account running the collector.

Group management
++++++++++++++++

::

    ldap_manage_groups = True
    ldap_group_dn = "OU=Applications,OU=Groups,OU=Managed objects,DC=ad,DC=mycorp,DC=com"
    ldap_group_member_attrib = "member"
    ldap_allowed_groups = ["OPENSVC_ADMIN", "OPENSVC_CONSULTATION", "OPENSVC_EP", "OPENSVC_DBA"]

The group mapping is useful to:

* limit local group creation to the groups resulting from the mapping, even if an LDAP user is a member of other LDAP groups
* assign the collector's privilege groups to users based on their LDAP group membership, with no need for the LDAP directory to know about these privilege groups

::

    ldap_group_mapping = {
        "OPENSVC_ADMIN": ["OPENSVC_ADMIN", "Manager", "CompManager", "NodeManager", "CheckManager", "CompExec", "ObsManager", "NetworkManager", "DnsManager", "StorageManager", "StorageExec", "ProvisioningManager", "CheckExec", "FormsManager", "CheckRefresh", "TagManager", "SafeUploader", "NodeExec", "UserManager", "Everybody"],
        "OPENSVC_RO": ["OPENSVC_RO", "Everybody"],
        "OPENSVC_DBA": ["OPENSVC_DBA", "Everybody"],
    }

Note that a mapping entry such as ``OPENSVC_ADMIN`` grants many privilege groups, including ``UserManager``: membership of that single LDAP group is enough to administer collector users, so its LDAP membership should be reviewed as carefully as any other administrative group.

Logging
-------

The login module logs to the ``web2py.log`` file. The ``User groups`` debug lines show which groups were retrieved for the user, which is the first thing to check when a user ends up with unexpected privileges. Example::

    2016-03-18 13:47:15,128 - web2py.auth.ldap_auth - DEBUG - Ldap bind connect...
    2016-03-18 13:47:15,134 - web2py.auth.ldap_auth - DEBUG - User groups: ['OPENSVC_ADMIN']
    2016-03-18 13:47:15,134 - web2py.auth.ldap_auth - INFO - [ad.my.corp.com] Initialize ldap connection
    2016-03-18 13:47:15,148 - web2py.auth.ldap_auth - INFO - [Opensvc] Manage user data
    2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [Opensvc] Manage user groups
    2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [Opensvc] Get user groups from ldap
    2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [ad.my.corp.com] Initialize ldap connection
    2016-03-18 13:47:15,150 - web2py.auth.ldap_auth - DEBUG - Username init: [Opensvc]
    2016-03-18 13:47:15,156 - web2py.auth.ldap_auth - DEBUG - Ldap bind connect...
    2016-03-18 13:47:15,162 - web2py.auth.ldap_auth - DEBUG - User groups: ['OPENSVC_ADMIN']
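The following Python block is an added example, not the collector's or web2py's own code. It models the group-management step described above (``ldap_allowed_groups`` filtering, ``ldap_group_mapping`` remapping, creation of missing local groups, and adding the user to the result) so the effect of a mapping can be checked offline before it is deployed. The mapping is a trimmed copy of the one shown in the Group management section; the LDAP group lists passed in are constructed sample data. It assumes that the allowed-groups filter is applied before the mapping, and that, when a mapping is configured, LDAP groups absent from it produce no local group; the ``LocalDirectory`` class and its method names are hypothetical.

```python
from dataclasses import dataclass, field

# Trimmed copy of the page's configuration (assumption: only these
# keys influence group resolution).
ldap_allowed_groups = ["OPENSVC_ADMIN", "OPENSVC_RO", "OPENSVC_DBA"]
ldap_group_mapping = {
    "OPENSVC_ADMIN": ["OPENSVC_ADMIN", "Manager", "UserManager", "Everybody"],
    "OPENSVC_RO": ["OPENSVC_RO", "Everybody"],
    "OPENSVC_DBA": ["OPENSVC_DBA", "Everybody"],
}


def resolve_local_groups(ldap_groups, allowed_groups=None, group_mapping=None):
    """Return the ordered, de-duplicated local group names for a user.

    ldap_groups    -- group names fetched from the LDAP server for the user
    allowed_groups -- ldap_allowed_groups; when non-empty, other LDAP groups
                      are ignored (assumed to be applied before the mapping)
    group_mapping  -- ldap_group_mapping; when non-empty, each LDAP group is
                      replaced by its local groups and unmapped groups vanish
    """
    selected = [g for g in ldap_groups if not allowed_groups or g in allowed_groups]
    if group_mapping:
        local = [m for g in selected for m in group_mapping.get(g, [])]
    else:
        local = list(selected)
    # "Everybody" appears under every mapping key; keep first occurrence only.
    seen = set()
    result = []
    for g in local:
        if g not in seen:
            seen.add(g)
            result.append(g)
    return result


@dataclass
class LocalDirectory:
    """Hypothetical stand-in for the collector's local users and groups."""
    groups: set = field(default_factory=set)
    membership: dict = field(default_factory=dict)  # username -> set of groups

    def sync_user(self, username, ldap_groups, allowed_groups=None, group_mapping=None):
        """Apply the login-time group step; return the local groups created."""
        wanted = resolve_local_groups(ldap_groups, allowed_groups, group_mapping)
        created = [g for g in wanted if g not in self.groups]
        self.groups.update(created)
        # The page describes only addition to groups, so memberships are
        # unioned and never revoked here.
        self.membership.setdefault(username, set()).update(wanted)
        return created


if __name__ == "__main__":
    d = LocalDirectory()
    # Constructed sample: a read-only user who is also in an unrelated AD group.
    print(d.sync_user("alice", ["OPENSVC_RO", "Domain Users"],
                      ldap_allowed_groups, ldap_group_mapping))
    print(sorted(d.membership["alice"]))
```

Two things worth checking against a real deployment: ``Domain Users`` never reaches the collector because it is neither allowed nor mapped, which is the behaviour the mapping is meant to give; and the page describes only adding users to groups, so confirm separately whether a user removed from an LDAP group also loses the corresponding local privileges, since the example above mirrors the text and never revokes membership.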