Authentication with LDAP/Active Directory

Configuration

The LDAP_* settings are passed through to flask-ldap3-login; see its documentation for the full semantics of each option.

| ENV | default value | description |
|-----|---------------|-------------|
| JWT_SECRET_KEY | ******** | Secret key used to sign JWT tokens; must be identical across all QWC services and should be a long random value |
| LDAP_HOST | localhost | Hostname of your LDAP server |
| LDAP_PORT | 389 | Port number of your LDAP server (636 is the usual LDAPS port) |
| LDAP_USE_SSL | False | Set to True if your server uses SSL/TLS (LDAPS) |
| LDAP_BASE_DN | dc=example,dc=org | Base DN of your directory |
| LDAP_USER_DN | ou=users | Users DN, prepended to the base DN |
| LDAP_GROUP_DN | ou=groups | Groups DN, prepended to the base DN |
| LDAP_SEARCH_FOR_GROUPS | False | Also search for the groups the user is a member of |
| LDAP_GROUP_SEARCH_SCOPE | LEVEL | Scope to search in when searching for a specific group |
| LDAP_GROUP_OBJECT_FILTER | (objectclass=group) | Object filter to apply when searching for groups |
| LDAP_GROUP_MEMBERS_ATTR | uniqueMember | LDAP attribute in which group members are declared |
| LDAP_GROUP_NAME_ATTRIBUTE | cn | Group name attribute in the LDAP group response |
| LDAP_GET_GROUP_ATTRIBUTES | * (ALL_ATTRIBUTES) | LDAP attributes to fetch when searching for a group/groups |
| LDAP_USER_SEARCH_SCOPE | LEVEL | Scope to search in when searching for a specific user |
| LDAP_USER_RDN_ATTR | cn | RDN attribute of your user schema in LDAP |
| LDAP_USER_LOGIN_ATTR | cn | Attribute users authenticate to LDAP with |
| LDAP_BIND_USER_DN | None | DN of the account used to bind to LDAP for searches |
| LDAP_BIND_USER_PASSWORD | None | Password of the bind account |
| GROUP_MAPPINGS | None | Expressions for group name mapping |

With LDAP_USE_SSL=False (the default) the bind password and every user password the service forwards travel in cleartext to the LDAP server, so use LDAPS (LDAP_USE_SSL=True, usually port 636) for anything beyond local testing. The account in LDAP_BIND_USER_DN only needs read access to the user and group subtrees; do not reuse a directory administrator for it.
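The following is an added example, not code from qwc-auth-service or flask-ldap3-login. It shows how the settings above combine into the search base, the user lookup filter and the group membership filter (the same shape flask-ldap3-login builds: the object-class filter AND-ed with an attribute match), using the docker-test-openldap values from the Development section, and why the submitted login name must be RFC 4515-escaped before it goes into a filter. DEFAULTS, TEST_ENV and the helper names are this example's own.

```python
"""Added example, not code from qwc-auth-service or flask-ldap3-login.

Composes LDAP search bases and filters from the LDAP_* settings and
escapes user-controlled values the way RFC 4515 requires.
"""

import os

# Documented defaults for the settings this example uses.
DEFAULTS = {
    "LDAP_BASE_DN": "dc=example,dc=org",
    "LDAP_USER_DN": "ou=users",
    "LDAP_GROUP_DN": "ou=groups",
    "LDAP_USER_LOGIN_ATTR": "cn",
    "LDAP_GROUP_OBJECT_FILTER": "(objectclass=group)",
    "LDAP_GROUP_MEMBERS_ATTR": "uniqueMember",
}

# Constructed environment mirroring the docker-test-openldap walkthrough.
TEST_ENV = {
    "LDAP_BASE_DN": "dc=planetexpress,dc=com",
    "LDAP_USER_DN": "ou=people",
    "LDAP_GROUP_DN": "ou=people",
    "LDAP_GROUP_MEMBERS_ATTR": "member",
}


def setting(name, env=None):
    """Resolve a setting from the given dict (or the process environment),
    falling back to the documented default."""
    env = env if env is not None else os.environ
    return env.get(name, DEFAULTS[name])


def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\', NUL and every non-ASCII
    UTF-8 byte are replaced by a backslash plus two hex digits."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def search_base(kind, env=None):
    """Search base: LDAP_USER_DN / LDAP_GROUP_DN prepended to LDAP_BASE_DN.
    An empty prefix means 'search the base DN itself'."""
    prefix = setting("LDAP_USER_DN" if kind == "user" else "LDAP_GROUP_DN", env)
    base = setting("LDAP_BASE_DN", env)
    return f"{prefix},{base}" if prefix else base


def user_filter(login_name, env=None):
    """Filter that looks a user up by LDAP_USER_LOGIN_ATTR; the submitted
    name is escaped so wildcards and parentheses cannot rewrite the filter."""
    attr = setting("LDAP_USER_LOGIN_ATTR", env)
    return f"({attr}={escape_filter_value(login_name)})"


def group_filter(user_dn, env=None):
    """Filter for groups that list user_dn in LDAP_GROUP_MEMBERS_ATTR,
    AND-ed with LDAP_GROUP_OBJECT_FILTER."""
    obj = setting("LDAP_GROUP_OBJECT_FILTER", env)
    attr = setting("LDAP_GROUP_MEMBERS_ATTR", env)
    return f"(&{obj}({attr}={escape_filter_value(user_dn)}))"


if __name__ == "__main__":
    print(search_base("user", TEST_ENV))          # ou=people,dc=planetexpress,dc=com
    print(user_filter("Philip J. Fry", TEST_ENV))  # (cn=Philip J. Fry)
    # A wildcard submitted as the username no longer matches every entry:
    print(user_filter("*", TEST_ENV))              # (cn=\2a)
    dn = "cn=Philip J. Fry," + search_base("user", TEST_ENV)
    print(group_filter(dn, TEST_ENV))
```

Note that the escaping above is for filter values only; a value placed inside a DN (for example when building LDAP_USER_RDN_ATTR=<name>,<base> for a direct bind) follows the different RFC 4514 rules, where commas, plus signs and quotes also need escaping.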

Customization

You can add a custom logo and a custom background image by setting the following config options:

"config": {
  "background_image_url": "<url>",
  "logo_image_url": "<url>"
}

The specified URLs can be absolute or relative. With relative URLs you can write, for example:

"config": {
  "background_image_url": "/auth/static/background.jpg",
  "logo_image_url": "/auth/static/logo.jpg"
}

where /auth is the mount point of the service. Place your custom images in the static subfolder of the auth service or, when running with docker and docker-compose, mount them into that folder:

qwc-auth-service:
  [...]
  volumes:
    - ./volumes/assets/Background.jpg:/srv/qwc_service/static/background.jpg
    - ./volumes/assets/logo.png:/srv/qwc_service/static/logo.jpg

Usage

Run standalone application:

uv run src/server.py

Endpoints:

http://localhost:5017/login

http://localhost:5017/logout

http://localhost:5017/verify_login

Development

Enable Flask development mode (uv run installs the dependencies on first use):

echo FLASK_ENV=development >.flaskenv

Start local service:

uv run src/server.py

Testing against the test OpenLDAP image from https://github.com/rroemhild/docker-test-openldap:

docker run -d -p 10389:10389 -p 10636:10636 rroemhild/test-openldap:2.1

Start service:

LDAP_PORT=10389 \
LDAP_BIND_USER_DN="cn=admin,dc=planetexpress,dc=com" \
LDAP_BIND_USER_PASSWORD=GoodNewsEveryone \
LDAP_BASE_DN="dc=planetexpress,dc=com" \
LDAP_USER_DN="ou=people" \
LDAP_GROUP_DN="ou=people" \
LDAP_SEARCH_FOR_GROUPS=True \
LDAP_GROUP_MEMBERS_ATTR="member" \
uv run src/server.py

Test credentials provided by the image:
  • User: Philip J. Fry
  • Password: fry

Service login test:

curl http://localhost:5017/verify_login -d 'username=Philip J. Fry' -d 'password=fry'