Authentication with LDAP/Active Directory¶
Configuration¶
See also flask-ldap3-login
| ENV | default value | description |
|---|---|---|
JWT_SECRET_KEY |
******** |
secret key for JWT token (same for all services) |
LDAP_HOST |
localhost |
Hostname of your LDAP Server |
LDAP_PORT |
389 |
The port number of your LDAP server. |
LDAP_USE_SSL |
False |
Set to True if your server uses SSL |
LDAP_BASE_DN |
dc=example,dc=org |
Base DN of your directory |
LDAP_USER_DN |
ou=users |
Users DN to be prepended to the Base DN |
LDAP_GROUP_DN |
ou=groups |
Groups DN to be prepended to the Base DN |
LDAP_SEARCH_FOR_GROUPS |
False |
Search for groups |
LDAP_GROUP_SEARCH_SCOPE |
LEVEL |
Specifies what scope to search in when searching for a specific group |
LDAP_GROUP_OBJECT_FILTER |
(objectclass=group) |
Specifies what object filter to apply when searching for groups |
LDAP_GROUP_MEMBERS_ATTR |
uniqueMember |
Specifies the LDAP attribute where group members are declared |
LDAP_GROUP_NAME_ATTRIBUTE |
cn |
Group name attribute in LDAP group response |
LDAP_GET_GROUP_ATTRIBUTES |
* (ALL_ATTRIBUTES) |
Specifies which LDAP attributes to get when searching LDAP for a group/groups |
LDAP_USER_SEARCH_SCOPE |
LEVEL |
Specifies what scope to search in when searching for a specific user |
LDAP_USER_RDN_ATTR |
cn |
The RDN attribute for your user schema on LDAP |
LDAP_USER_LOGIN_ATTR |
cn |
The Attribute you want users to authenticate to LDAP with |
LDAP_BIND_USER_DN |
None |
The Username to bind to LDAP with |
LDAP_BIND_USER_PASSWORD |
None |
The Password to bind to LDAP with |
GROUP_MAPPINGS |
None |
Expressions for group name mapping |
Customization¶
You can add a custom logo and a custom background image by setting the following config options:
"config": {
"background_image_url": "<url>",
"logo_image_url": "<url>"
}
The specified URLs can be absolute or relative. For relative URLs, you can write i.e.
"config": {
"background_image_url": "/auth/static/background.jpg",
"logo_image_url": "/auth/static/logo.jpg"
}
where /auth is the service mountpoint and place your custom images inside the static subfolder of the auth-service, or, if using docker and docker-compose, mount them accordingly:
qwc-auth-service:
[...]
volumes:
- ./volumes/assets/Background.jpg:/srv/qwc_service/static/background.jpg
- ./volumes/assets/logo.png:/srv/qwc_service/static/logo.jpg
Usage¶
Run standalone application:
uv run src/server.py
Endpoints:
http://localhost:5017/login
http://localhost:5017/logout
http://localhost:5017/verify_login
Development¶
Install dependencies and run service:
echo FLASK_ENV=development >.flaskenv
Start local service:
uv run src/server.py
Testing with https://github.com/rroemhild/docker-test-openldap
docker run -d -p 10389:10389 -p 10636:10636 rroemhild/test-openldap:2.1
Start service:
LDAP_PORT=10389 LDAP_BIND_USER_DN="cn=admin,dc=planetexpress,dc=com" LDAP_BIND_USER_PASSWORD=GoodNewsEveryone LDAP_BASE_DN="dc=planetexpress,dc=com" LDAP_USER_DN="ou=people" LDAP_GROUP_DN="ou=people" LDAP_SEARCH_FOR_GROUPS=True LDAP_GROUP_MEMBERS_ATTR="member" uv run src/server.py
- User: Philip J. Fry
- Password: fry
Service login test:
curl http://localhost:5017/verify_login -d 'username=Philip J. Fry' -d 'password=fry'