LDAP and Active Directory authentication and permission
=======================================================

The OpenSVC collector can delegate authentication to a third-party LDAP server, and map LDAP groups to local groups. When configured this way, no user or group management is necessary on the collector itself.

Login process
-------------

* The user is presented a login form prompting for a user name (instead of the default email address) and a password
* The (username, password) tuple is passed to the LDAP server for authentication
* The LDAP server validates the tuple
* The collector does not store the password
* If the user does not exist locally, it is created
* If the first name, last name and email attributes are found in the LDAP directory, they are also stored locally

If group management is activated and configured, the process continues:

* The collector fetches the user's groups from the LDAP server
* If a group mapping is configured, the LDAP group names are replaced with local group names
* Missing groups are created
* The user is added to all of their LDAP groups, or to the remapped local groups when a mapping is configured

Configuration
-------------

The collector configuration file is ``init/modules/config.py``

User authentication
+++++++++++++++++++

::

	ldap_mode = "ad"
	ldap_server = "ad.my.corp.com"
	ldap_bind_dn = "CN=admin,OU=IT,OU=Service accounts,OU=Users,OU=Managed objects,DC=ad,DC=mycorp,DC=com"
	ldap_bind_pw = "mysecret"
	ldap_base_dn = "DC=ad,DC=mycorp,DC=com"

Group management
++++++++++++++++

::

	ldap_manage_groups = True
	ldap_group_dn = "OU=Applications,OU=Groups,OU=Managed objects,DC=ad,DC=mycorp,DC=com"
	ldap_group_member_attrib = "member"
	ldap_allowed_groups = ["OPENSVC_ADMIN", "OPENSVC_CONSULTATION", "OPENSVC_EP", "OPENSVC_DBA"]


The group mapping is useful to:

* limit local group creation to the groups resulting from the mapping, even if an LDAP user is a member of other LDAP groups
* assign the collector's privilege groups to users based on their LDAP group membership, with no need for the LDAP directory to know about these privilege groups

::

	ldap_group_mapping = {
	 "OPENSVC_ADMIN": ["OPENSVC_ADMIN", "Manager", "CompManager", "NodeManager", "CheckManager", "CompExec", "ObsManager", "NetworkManager", "DnsManager", "StorageManager", "StorageExec", "ProvisioningManager", "CheckExec", "FormsManager", "CheckRefresh", "TagManager", "SafeUploader", "NodeExec", "UserManager", "Everybody"],
	 "OPENSVC_RO": ["OPENSVC_RO", "Everybody"],
	 "OPENSVC_DBA": ["OPENSVC_DBA", "Everybody"],
	}
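The following is an added, illustrative walk-through of the group resolution described above (fetch the user's groups under ``ldap_group_dn`` through the ``ldap_group_member_attrib`` attribute, keep only ``ldap_allowed_groups``, then replace each name through ``ldap_group_mapping``). It is not the collector's own implementation: the LDAP directory is replaced by a constructed in-memory dictionary so it runs offline, the user DNs and the extra groups are made up, the mapping is a shortened copy of the one above, and the function names are assumptions.

```python
"""Illustrative group resolution for an LDAP-backed login (added example, not collector code)."""

# Configuration values mirroring the settings documented on this page.
LDAP_GROUP_DN = "OU=Applications,OU=Groups,OU=Managed objects,DC=ad,DC=mycorp,DC=com"
LDAP_GROUP_MEMBER_ATTRIB = "member"
LDAP_ALLOWED_GROUPS = ["OPENSVC_ADMIN", "OPENSVC_CONSULTATION", "OPENSVC_EP", "OPENSVC_DBA"]
# Shortened copy of the documented mapping (assumption: same shape, fewer privilege groups).
LDAP_GROUP_MAPPING = {
    "OPENSVC_ADMIN": ["OPENSVC_ADMIN", "Manager", "NodeManager", "Everybody"],
    "OPENSVC_RO": ["OPENSVC_RO", "Everybody"],
    "OPENSVC_DBA": ["OPENSVC_DBA", "Everybody"],
}

# Constructed sample users (not real accounts).
ALICE_DN = "CN=alice,OU=Users,DC=ad,DC=mycorp,DC=com"
BOB_DN = "CN=bob,OU=Users,DC=ad,DC=mycorp,DC=com"

# Constructed stand-in for the directory: group DN -> attributes.
# "Domain Users" sits outside ldap_group_dn and SAP_USERS is not an allowed group,
# so neither should ever become a local collector group.
SAMPLE_DIRECTORY = {
    "CN=OPENSVC_ADMIN," + LDAP_GROUP_DN: {"member": [ALICE_DN]},
    "CN=OPENSVC_DBA," + LDAP_GROUP_DN: {"member": [BOB_DN, ALICE_DN]},
    "CN=SAP_USERS," + LDAP_GROUP_DN: {"member": [BOB_DN]},
    "CN=Domain Users,CN=Users,DC=ad,DC=mycorp,DC=com": {"member": [ALICE_DN, BOB_DN]},
}


def group_cn(dn):
    """Return the CN value of a group DN, e.g. "CN=X,OU=..." -> "X"."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError("group DN does not start with a CN: %s" % dn)
    return value.strip()


def ldap_user_groups(directory, user_dn, group_base_dn, member_attrib):
    """Step 1: groups below group_base_dn whose member attribute lists the user.

    Simulates a subtree search on the group base. DNs are compared
    case-insensitively, as LDAP does; the result is sorted for determinism.
    """
    suffix = "," + group_base_dn.lower()
    groups = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(suffix):
            continue  # outside the configured group subtree
        members = [m.lower() for m in attrs.get(member_attrib, [])]
        if user_dn.lower() in members:
            groups.append(group_cn(dn))
    return sorted(groups)


def resolve_local_groups(ldap_groups, allowed_groups, mapping):
    """Step 2: keep allowed LDAP groups, then expand each through the mapping.

    A group with no mapping entry is kept under its LDAP name. Duplicates
    (e.g. "Everybody" reached through two groups) are collapsed, preserving order.
    """
    local = []
    for name in ldap_groups:
        if allowed_groups and name not in allowed_groups:
            continue  # not an allowed group: never creates a local group
        for local_name in mapping.get(name, [name]):
            if local_name not in local:
                local.append(local_name)
    return local


def local_groups_for(user_dn):
    """Full pipeline for one user against the sample directory and configuration."""
    ldap_groups = ldap_user_groups(SAMPLE_DIRECTORY, user_dn, LDAP_GROUP_DN, LDAP_GROUP_MEMBER_ATTRIB)
    return resolve_local_groups(ldap_groups, LDAP_ALLOWED_GROUPS, LDAP_GROUP_MAPPING)


if __name__ == "__main__":
    for dn in (ALICE_DN, BOB_DN):
        print(dn, "->", local_groups_for(dn))
```

The returned list is what the collector would then create as missing local groups and add the user to. Note that the filter on ``ldap_allowed_groups`` is what keeps unrelated directory groups (here ``SAP_USERS`` and ``Domain Users``) from ever becoming collector groups, so an over-broad allowed list widens the set of local groups an LDAP administrator can grant.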


Logging
-------

The login module logs to the web2py.log file.

Example::

	2016-03-18 13:47:15,128 - web2py.auth.ldap_auth - DEBUG - Ldap bind connect...
	2016-03-18 13:47:15,134 - web2py.auth.ldap_auth - DEBUG - User groups: ['OPENSVC_ADMIN']
	2016-03-18 13:47:15,134 - web2py.auth.ldap_auth - INFO - [ad.my.corp.com] Initialize ldap connection
	2016-03-18 13:47:15,148 - web2py.auth.ldap_auth - INFO - [Opensvc] Manage user data
	2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [Opensvc] Manage user groups
	2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [Opensvc] Get user groups from ldap
	2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [ad.my.corp.com] Initialize ldap connection
	2016-03-18 13:47:15,150 - web2py.auth.ldap_auth - DEBUG - Username init: [Opensvc]
	2016-03-18 13:47:15,156 - web2py.auth.ldap_auth - DEBUG - Ldap bind connect...
	2016-03-18 13:47:15,162 - web2py.auth.ldap_auth - DEBUG - User groups: ['OPENSVC_ADMIN']