LDAP and Active Directory authentication and permission

The OpenSVC collector can delegate authentication to a third-party LDAP server and map LDAP groups to local groups. When configured to do so, no user or group management is needed on the collector itself.

Login process

  • The user is presented with a login form prompting for a user name (instead of the default user email) and a password

  • The (username, password) tuple is passed to the LDAP server for authentication

  • The LDAP server validates the tuple

  • The collector does not store the password

  • If the user does not exist locally it is created

  • If the first name, last name and email attributes are found in the LDAP directory, they are also stored locally

If group management is activated and configured, the process continues:

  • The collector fetches the user’s groups from the LDAP server

  • If a group mapping is configured, the LDAP group names are replaced with local group names

  • Missing groups are created

  • The user is added to all of the LDAP user’s groups, or to the remapped groups when a group mapping is configured

Configuration

The collector configuration file is init/modules/config.py

User authentication

ldap_mode = "ad"
ldap_server = "ad.my.corp.com"
ldap_bind_dn = "CN=admin,OU=IT,OU=Service accounts,OU=Users,OU=Managed objects,DC=ad,DC=mycorp,DC=com"
ldap_bind_pw = "mysecret"
ldap_base_dn = "DC=ad,DC=mycorp,DC=com"

Group management

ldap_manage_groups = True
ldap_group_dn = "OU=Applications,OU=Groups,OU=Managed objects,DC=ad,DC=mycorp,DC=com"
ldap_group_member_attrib = "member"
ldap_allowed_groups = ["OPENSVC_ADMIN", "OPENSVC_CONSULTATION", "OPENSVC_EP", "OPENSVC_DBA"]

The group mapping is useful to:

  • limit local group creation to the groups resulting from the mapping, even if an LDAP user is a member of other LDAP groups

  • assign the collector’s privilege groups to users based on their LDAP group membership, without the LDAP directory needing to know about these privilege groups

ldap_group_mapping = {
 "OPENSVC_ADMIN": ["OPENSVC_ADMIN", "Manager", "CompManager", "NodeManager", "CheckManager", "CompExec", "ObsManager", "NetworkManager", "DnsManager", "StorageManager", "StorageExec", "ProvisioningManager", "CheckExec", "FormsManager", "CheckRefresh", "TagManager", "SafeUploader", "NodeExec", "UserManager", "Everybody"],
 "OPENSVC_RO": ["OPENSVC_RO", "Everybody"],
 "OPENSVC_DBA": ["OPENSVC_DBA", "Everybody"],
}
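The group steps above (fetch the user's LDAP groups, keep the allowed ones, apply the mapping, create missing groups, add the user), worked through on a constructed set of group DNs for one user. This is an added example, not code from the OpenSVC collector; it assumes that group entries are identified by a DN directly under ldap_group_dn, that ldap_allowed_groups filters the LDAP group names before the mapping is applied, and that an allowed group with no mapping entry yields no local group once a mapping is configured.

```python
# Added example, not OpenSVC collector code. Values below mirror the
# configuration shown on this page (mapping lists shortened).
LDAP_GROUP_DN = "OU=Applications,OU=Groups,OU=Managed objects,DC=ad,DC=mycorp,DC=com"
LDAP_ALLOWED_GROUPS = ["OPENSVC_ADMIN", "OPENSVC_CONSULTATION", "OPENSVC_EP", "OPENSVC_DBA"]
LDAP_GROUP_MAPPING = {
    "OPENSVC_ADMIN": ["OPENSVC_ADMIN", "Manager", "UserManager", "Everybody"],
    "OPENSVC_RO": ["OPENSVC_RO", "Everybody"],
    "OPENSVC_DBA": ["OPENSVC_DBA", "Everybody"],
}

# Constructed sample: group DNs as an LDAP server might return them for one user.
USER_GROUP_DNS = [
    "CN=OPENSVC_ADMIN,OU=Applications,OU=Groups,OU=Managed objects,DC=ad,DC=mycorp,DC=com",
    "CN=OPENSVC_EP,OU=Applications,OU=Groups,OU=Managed objects,DC=ad,DC=mycorp,DC=com",
    "CN=Domain Users,CN=Users,DC=ad,DC=mycorp,DC=com",            # outside ldap_group_dn
    "CN=OPENSVC_DBA,OU=Other,OU=Groups,OU=Managed objects,DC=ad,DC=mycorp,DC=com",  # wrong OU
]

def group_name_from_dn(dn, group_dn=LDAP_GROUP_DN):
    """Return the CN of a group entry located directly under group_dn, else None.
    Assumption: no escaped commas in the CN. Entries outside the configured
    group OU are ignored so only the intended branch can grant local groups."""
    head, sep, parent = dn.partition(",")
    if not sep or parent.lower() != group_dn.lower():
        return None
    attr, _, value = head.partition("=")
    return value if attr.upper() == "CN" and value else None

def resolve_local_groups(ldap_group_dns, allowed=LDAP_ALLOWED_GROUPS, mapping=LDAP_GROUP_MAPPING):
    """Filter by allowed groups, then apply the mapping; with no mapping
    configured the LDAP group names are used as local group names."""
    local = []
    for dn in ldap_group_dns:
        name = group_name_from_dn(dn)
        if name is None or (allowed and name not in allowed):
            continue
        for group in (mapping.get(name, []) if mapping else [name]):
            if group not in local:
                local.append(group)
    return local

def sync_plan(ldap_group_dns, existing_local_groups, current_membership):
    """Return (local groups to create, groups to add the user to)."""
    target = resolve_local_groups(ldap_group_dns)
    to_create = [g for g in target if g not in existing_local_groups]
    to_add = [g for g in target if g not in current_membership]
    return to_create, to_add
```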

Logging

The login module logs to the web2py.log file.

Example:

2016-03-18 13:47:15,128 - web2py.auth.ldap_auth - DEBUG - Ldap bind connect...
2016-03-18 13:47:15,134 - web2py.auth.ldap_auth - DEBUG - User groups: ['OPENSVC_ADMIN']
2016-03-18 13:47:15,134 - web2py.auth.ldap_auth - INFO - [ad.my.corp.com] Initialize ldap connection
2016-03-18 13:47:15,148 - web2py.auth.ldap_auth - INFO - [Opensvc] Manage user data
2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [Opensvc] Manage user groups
2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [Opensvc] Get user groups from ldap
2016-03-18 13:47:15,149 - web2py.auth.ldap_auth - INFO - [ad.my.corp.com] Initialize ldap connection
2016-03-18 13:47:15,150 - web2py.auth.ldap_auth - DEBUG - Username init: [Opensvc]
2016-03-18 13:47:15,156 - web2py.auth.ldap_auth - DEBUG - Ldap bind connect...
2016-03-18 13:47:15,162 - web2py.auth.ldap_auth - DEBUG - User groups: ['OPENSVC_ADMIN']