docker

Authentication with LDAP/Active Directory

Configuration

See also flask-ldap3-login

ENV default value description
JWT_SECRET_KEY ******** secret key for JWT token (same for all services)
LDAP_HOST localhost Hostname of your LDAP Server
LDAP_PORT 389 The port number of your LDAP server.
LDAP_USE_SSL False Set to True if your server uses SSL
LDAP_BASE_DN dc=example,dc=org Base DN of your directory
LDAP_USER_DN ou=users Users DN to be prepended to the Base DN
LDAP_GROUP_DN ou=groups Groups DN to be prepended to the Base DN
LDAP_SEARCH_FOR_GROUPS False Search for groups
LDAP_GROUP_SEARCH_SCOPE LEVEL Specifies what scope to search in when searching for a specific group
LDAP_GROUP_OBJECT_FILTER (objectclass=group) Specifies what object filter to apply when searching for groups
LDAP_GROUP_MEMBERS_ATTR uniqueMember Specifies the LDAP attribute where group members are declared
LDAP_GROUP_NAME_ATTRIBUTE cn Group name attribute in LDAP group response
LDAP_GET_GROUP_ATTRIBUTES * (ALL_ATTRIBUTES) Specifies which LDAP attributes to get when searching LDAP for a group/groups
LDAP_USER_SEARCH_SCOPE LEVEL Specifies what scope to search in when searching for a specific user
LDAP_USER_RDN_ATTR cn The RDN attribute for your user schema on LDAP
LDAP_USER_LOGIN_ATTR cn The Attribute you want users to authenticate to LDAP with
LDAP_BIND_USER_DN None The Username to bind to LDAP with
LDAP_BIND_USER_PASSWORD None The Password to bind to LDAP with
GROUP_MAPPINGS None Expressions for group name mapping

Usage

Run standalone application:

python src/server.py

Endpoints:

http://localhost:5017/login

http://localhost:5017/logout

http://localhost:5017/verify_login

Development

Create a virtual environment:

python3 -m venv .venv

Activate virtual environment:

source .venv/bin/activate

Install requirements:

pip install -r requirements.txt

Configure environment:

echo FLASK_ENV=development >.flaskenv

Start local service:

python src/server.py

Testing with https://github.com/rroemhild/docker-test-openldap

docker run -d -p 10389:10389 -p 10636:10636 rroemhild/test-openldap:2.1

Start service:

LDAP_PORT=10389 LDAP_BIND_USER_DN="cn=admin,dc=planetexpress,dc=com" LDAP_BIND_USER_PASSWORD=GoodNewsEveryone LDAP_BASE_DN="dc=planetexpress,dc=com" LDAP_USER_DN="ou=people" LDAP_GROUP_DN="ou=people" LDAP_SEARCH_FOR_GROUPS=True LDAP_GROUP_MEMBERS_ATTR="member" python src/server.py
  • User: Philip J. Fry
  • Password: fry

Service login test:

curl http://localhost:5017/verify_login -d 'username=Philip J. Fry' -d 'password=fry'