Feature #9765

Add LDAP support

Added by Jesús García Crespo about 4 years ago. Updated almost 3 years ago.

Status: Verified
Start date: 05/01/2016
Priority: Medium
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: Release 2.4.0
Google Code Legacy ID:
Tested version:
Sponsored: Yes
Requires documentation: Yes

Related issues

Related to AtoM Wishlist - Feature #6915: Add Active Directory LDAP login support New 07/02/2014

History

#2 Updated by Jesús García Crespo about 4 years ago

  • Status changed from New to Feedback

Mike has started his work here: https://github.com/artefactual/atom/pull/328

#3 Updated by Mike Cantelon about 4 years ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from Mike Cantelon to Dan Gillean

#5 Updated by Dan Gillean over 3 years ago

Notes for testing:

Enabling this requires a change to one of AtoM's configuration files. To enable, change "myUser" to "ldapUser" in config/factories.yml. Don't forget to restart services and clear the application cache afterwards.

I believe that after this is done, there should be a new section available on the Settings page, where you can configure an LDAP server, including the server Host, Port, and Base domain name. Now users registered on the LDAP server should be able to authenticate to log into AtoM.

When a user authenticates for the first time an AtoM user is created in the database. This user can then be given additional access after creation, via the existing permissions module.

#6 Updated by Dan Gillean about 3 years ago

  • Assignee deleted (Dan Gillean)

#7 Updated by Dan Gillean almost 3 years ago

If a developer tests this, please screenshot as you proceed, so I can use those for documentation?

#8 Updated by Nick Wilkinson almost 3 years ago

  • Assignee set to Steve Breker

Hi Steve, further to the email I sent out, assigning this to you.

#9 Updated by Steve Breker almost 3 years ago

I was able to get this working running against an Ubuntu 16 server with OpenLDAP. It all looks good but I am wondering if we want to make the 'uid' attribute in the auth string configurable (currently hard-coded in lib/ldapUser.class.php).

Tests passed:

user accounts present only on LDAP server were able to authenticate
AtoM users get created when LDAP auth is successful.
If LDAP server is down, user can log in with local credentials IF they were fully set up (with password, email) after first log in.

It should be noted that if this is being activated on an AtoM installation after it has been installed and used, you will have to substitute myUser with ldapUser in two places:
1) config/factories.yml
2) apps/qubit/config/factories.yml

Note on Base DN setting:
The Base DN setting in AtoM has to include any ou (organizational unit) that the users are contained in on the LDAP server. For instance, my users were located in an OU called 'MyUsers'. So the setting for Base DN needed to look like:
'ou=MyUsers,dc=example,dc=com'
...otherwise users will fail to authenticate.

Note on the construction of the auth string - possible change required / or future enhancement:

The authentication string that AtoM passes to the LDAP server looks like the following:

$dn = 'uid='. $username .','. $base_dn;

So in my case this was: uid=sbreker,ou=MyUsers,dc=example,dc=com <-- 'sbreker' is what is keyed on the login panel. ou, dc and dc fields came from the AtoM 'Base DN' setup field.

On my LDAP instance, 'uid' was NOT a default attribute on my OpenLDAP generic user account template. Since 'UID' is the hard-coded attribute we are looking up from AtoM in LDAP, LDAP user accounts must be able to be uniquely identified by their 'UID' attribute. If the LDAP account does not have a UID attribute, 'uid' will need to be added to the LDAP schema and this will need to be populated.

A gotcha with this is that normally AtoM users authenticate with email address. It is possible to store an email address in LDAP - it would get its own attribute tag, or could be used in UID as mentioned above. It might be worthwhile making the default configurable on the LDAP settings page - default is UID, but an admin MAY want to change this to match their LDAP user config - esp if they have a large LDAP directory already and email is NOT in uid. If the email address is not contained in the LDAP UID, a user would need to know TWO user accounts - one to use with LDAP and an email address to use with local auth in AtoM.
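
The bind-DN construction and the configurable lookup attribute discussed in the comment above, as an added PHP example. This is not AtoM's lib/ldapUser.class.php and not code from this thread; the host, port, Base DN, user names and the `$settings` array are assumed values, and the function names `buildBindDn` and `ldapAuthenticate` are hypothetical. It adds the checks a deployer would want around the quoted `$dn = 'uid='. $username .','. $base_dn;` line: the login value is escaped per RFC 4514 before it is joined into the DN, an empty password is refused (a simple bind with an empty password is an anonymous bind on most servers and succeeds), and "server unreachable" is separated from "wrong password" so that the local-credentials fallback mentioned in the test notes only applies to the former.

```php
<?php
declare(strict_types=1);

// Added example, not AtoM's lib/ldapUser.class.php. Settings, host, Base DN
// and user names below are assumed for illustration.

/**
 * Build "<attr>=<value>,<baseDn>" for a direct bind. The user-supplied value is
 * escaped per RFC 4514 so that ',', '+', '=', '\', '#' and friends typed into
 * the login field cannot change which entry the bind targets. Compare the raw
 * concatenation quoted in the comment above.
 */
function buildBindDn(string $lookupAttr, string $username, string $baseDn): string
{
    // The attribute name comes from the admin settings page, but validate it
    // anyway: an attribute type is a letter followed by letters, digits or '-'.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $lookupAttr)) {
        throw new InvalidArgumentException("Invalid bind lookup attribute: $lookupAttr");
    }

    return $lookupAttr . '=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
}

/**
 * Simple bind as the user. Returns true on success, false when the server
 * answered "invalidCredentials", and throws when the server could not be
 * reached, so the caller can decide whether the local-password fallback applies.
 */
function ldapAuthenticate(array $settings, string $username, string $password): bool
{
    // A simple bind with an empty password is an anonymous bind, which most
    // servers accept. It must never count as a successful login.
    if ($username === '' || $password === '') {
        return false;
    }

    $uri  = sprintf('ldap://%s:%d', $settings['host'], $settings['port']);
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("Bad LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // ldap:// is cleartext; upgrade with STARTTLS before the password is sent.
    if (!empty($settings['start_tls']) && !@ldap_start_tls($conn)) {
        $err = ldap_error($conn);
        ldap_unbind($conn);
        throw new RuntimeException("STARTTLS failed: $err");
    }

    $dn = buildBindDn($settings['bind_lookup_attribute'], $username, $settings['base_dn']);

    if (@ldap_bind($conn, $dn, $password)) {
        ldap_unbind($conn);
        return true;
    }

    $errno = ldap_errno($conn);
    ldap_unbind($conn);
    if ($errno === 49) {  // LDAP_INVALID_CREDENTIALS: server reachable, password wrong
        return false;
    }
    // -1 "Can't contact LDAP server", timeouts, etc.: an outage, not a user error.
    throw new RuntimeException("LDAP bind failed ($errno): " . ldap_err2str($errno));
}

// Stand-in for the values entered on AtoM's LDAP settings page (assumed).
$settings = [
    'host'                  => 'ldap.example.com',
    'port'                  => 389,
    'base_dn'               => 'ou=MyUsers,dc=example,dc=com',
    'bind_lookup_attribute' => 'uid',   // 'mail' if the directory keys accounts by e-mail
    'start_tls'             => true,
];

// The DN the server will see for a normal login, and for a login value that
// tries to smuggle an extra RDN into the DN (the comma is escaped, so it
// stays part of the value instead of becoming a new RDN).
echo buildBindDn($settings['bind_lookup_attribute'], 'sbreker', $settings['base_dn']), PHP_EOL;
echo buildBindDn($settings['bind_lookup_attribute'], 'sbreker,ou=Admins', $settings['base_dn']), PHP_EOL;

try {
    $ok = ldapAuthenticate($settings, 'sbreker', 'example-password');
    echo $ok ? 'LDAP login accepted' : 'LDAP rejected the credentials', PHP_EOL;
} catch (RuntimeException $e) {
    // Only here does falling back to AtoM's local password make sense.
    echo 'LDAP unavailable: ', $e->getMessage(), PHP_EOL;
}
```

Setting `bind_lookup_attribute` to `mail` makes the same code bind as `mail=<address>,ou=MyUsers,dc=example,dc=com`, which covers the case raised above where the directory keys accounts by e-mail rather than uid. A direct bind of this shape only works when every user entry sits immediately below the Base DN, which is why the `ou=` note above matters; a directory with users spread across several OUs needs a search-then-bind flow instead, which this example does not implement.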

#10 Updated by Steve Breker almost 3 years ago

  • Status changed from QA/Review to Feedback
  • Assignee changed from Steve Breker to Mike Cantelon

#11 Updated by Mike Cantelon almost 3 years ago

  • Assignee changed from Mike Cantelon to Steve Breker

Hi Steve. I've implemented this in dev branch dev/issue-9765-ldap-config (changes: https://github.com/artefactual/atom/compare/qa/2.4.x...dev/issue-9765-ldap-config).

Can you see if this will work with your OpenLDAP install? Otherwise, I can set OpenLDAP up and test.

#12 Updated by Steve Breker almost 3 years ago

  • Assignee changed from Steve Breker to Mike Cantelon

I have tested the new "Bind Lookup Attribute" and it works as expected. Thanks for adding this - made the LDAP setup easy. I like that the default is there too!

Only thing left to deal with is any blocks of code specifically comparing 'instanceOf myUser' which will break when user class is 'ldapUser'.

I did a quick (not very thorough!) grep and find refs to myUser in:
plugins/qbAclPlugin/lib/QubitAcl.class.php
lib/model/QubitJob.php

Should that be dealt with in this ticket, or a new one?

#13 Updated by Mike Cantelon almost 3 years ago

Hi Steve... awesome that it works!

I'll fix those myUser checks in this ticket.

#14 Updated by Mike Cantelon almost 3 years ago

  • Assignee changed from Mike Cantelon to Steve Breker

Hi Steve. I've corrected the references to myUser.

#15 Updated by Steve Breker almost 3 years ago

  • Assignee changed from Steve Breker to Mike Cantelon

I think there might be a problem with this technique:

https://github.com/artefactual/atom/commit/caa68e58a24aec59f61021f83227404c491b093d#diff-0344c9cf683aee30fb7f0bcc811e9f2cL197

The class definition from myUser.class.php is: "class myUser extends sfBasicSecurityUser implements Zend_Acl_Role_Interface"

I looked up 'class_implements()' and it returns only interfaces that have been implemented - not the class inherited from. So lines quoted above are going to return 'Zend_Acl_Role_Interface' I think.

I think the old code updated to compare against 'sfBasicSecurityUser' instead of 'myUser' might be the way to go.

I have attached a link to a gist - demo code that I was using to sort this out....

https://gist.github.com/sbreker/5674d336a84e24635a5540b9e16b8cf0
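
The class_implements() behaviour described in this comment, as an added PHP example that is neither the linked gist nor AtoM code. sfBasicSecurityUser, myUser, ldapUser and Zend_Acl_Role_Interface are empty stand-ins for the real Symfony, Zend and AtoM classes, and the function names are hypothetical. It shows that class_implements() reports interfaces only, so a membership test for 'myUser' fails for both user classes, while an instanceof check against the shared base class accepts both.

```php
<?php
declare(strict_types=1);

// Added example, not AtoM code. The declarations below are stand-ins for the
// Symfony, Zend and AtoM classes named in the comment above, kept only as
// deep as the point needs.
interface Zend_Acl_Role_Interface {}
class sfBasicSecurityUser {}
class myUser extends sfBasicSecurityUser implements Zend_Acl_Role_Interface {}
class ldapUser extends myUser {}

/** What class_implements() reports: interface names only, never parent classes. */
function reportedInterfaces(object $user): array
{
    return array_values(class_implements($user));
}

/** The check that wrongly fails for both user classes. */
function isAtomUserViaClassImplements(object $user): bool
{
    return in_array('myUser', class_implements($user), true);
}

/** Inheritance-aware check: true for myUser, ldapUser and any later subclass. */
function isAtomUser(object $user): bool
{
    return $user instanceof sfBasicSecurityUser;
}

foreach ([new myUser(), new ldapUser()] as $user) {
    printf(
        "%-9s class_implements: [%s]  via class_implements: %s  instanceof check: %s\n",
        get_class($user),
        implode(', ', reportedInterfaces($user)),
        isAtomUserViaClassImplements($user) ? 'yes' : 'no',
        isAtomUser($user) ? 'yes' : 'no'
    );
}
```

`is_subclass_of($user, 'sfBasicSecurityUser')` or `is_a($user, 'sfBasicSecurityUser')` would serve where the value to test is a class name rather than an object.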

#16 Updated by Mike Cantelon almost 3 years ago

Thanks Steve... I'll fix.

#17 Updated by Mike Cantelon almost 3 years ago

  • Assignee changed from Mike Cantelon to Steve Breker

Hi Steve. I've made that change.

#18 Updated by Steve Breker almost 3 years ago

  • Assignee changed from Steve Breker to Mike Cantelon

Retested. ACL checks work for LDAP user. ACL checks also work for non-LDAP user.

QA passed. Thanks for the changes!

#19 Updated by Mike Cantelon almost 3 years ago

  • Status changed from Feedback to Code Review
  • Assignee changed from Mike Cantelon to Nick Wilkinson

#20 Updated by Nick Wilkinson almost 3 years ago

  • Assignee changed from Nick Wilkinson to Steve Breker

Hi Steve, assigning to you for CR.

#21 Updated by Steve Breker almost 3 years ago

  • Status changed from Code Review to Feedback
  • Assignee changed from Steve Breker to Mike Cantelon

Code review looks good!

#22 Updated by Mike Cantelon almost 3 years ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from Mike Cantelon to Nick Wilkinson

Merged into qa/2.4.x.

#23 Updated by Nick Wilkinson almost 3 years ago

  • Assignee deleted (Nick Wilkinson)

#24 Updated by Dan Gillean almost 3 years ago

  • Status changed from QA/Review to Verified

#25 Updated by David Juhasz 2 months ago

  • Related to Feature #6915: Add Active Directory LDAP login support added
